Business Process Controls and Internal Audit
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Align your improvements with business goals and the shift-left strategy.
Record potential improvements in your CSI Register, as you review best practices for each channel.
Streamline your ticket intake process and prioritize opportunities for improvement.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Brainstorm improvements to your systems and processes that will help you optimize.
Develop a single point of contact.
Reduce the time before a technician can start productively working on a ticket.
Enable Tier 1 and end users to complete more tickets.
1.1 Prioritize channels for improvement.
1.2 Optimize the voice channel.
1.3 Identify improvements for self service.
1.4 Improve Tier 1 agents’ access to information.
1.5 Optimize supplementary ticket channels.
Action items to improve the voice channel.
Populated CSI Register for self-service channels.
Identified action items for the knowledgebase.
Populated CSI Register for additional ticket channels.
Create long-term growth by taking a sustainable approach to improvements.
Streamline your overall ticket intake process for incidents and service requests.
2.1 Map out the incident intake processes.
2.2 Identify opportunities to streamline the incident workflow.
2.3 Map out the request processes.
2.4 Identify opportunities to streamline the request workflow.
Streamlined incident intake process.
Streamlined request intake process.
Populated CSI Register for request intake.
The challenges posed by the virus are compounded by the fact that consumer expectations for strong service delivery remain high:
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Create a consolidated, updated view of your current customer experience management strategy and identify which elements can be capitalized on to dampen the impact of COVID-19 and which elements are vulnerabilities that the pandemic may threaten to exacerbate.
Create a roadmap of business and technology initiatives through the lens of customer experience management that can be used to help your organization protect its revenue, maintain customer engagement, and enhance its brand integrity.
CIOs today face increasing pressures, disruptive emerging technologies, talent shortages, and a slew of other challenges. What are their top concerns, priorities, and technology bets that will define the future direction of IT?
CIO responses to our Future of IT 2024 survey reveal key insights on spending projects, the potential disruptions causing the most concern, plans for adopting emerging technology, and how firms are responding to generative AI.
Map your organization’s response to the external environment compared to CIOs across geographies and industries. Learn:
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Take the pulse of the IT industry and see how CIOs are planning to approach 2024.
| Countries / Regions | Response % |
|---|---|
| United States | 47.18% |
| Canada | 11.86% |
| Australia | 9.60% |
| Africa | 6.50% |
| China | 0.28% |
| Germany | 1.13% |
| United Kingdom | 5.37% |
| India | 1.41% |
| Brazil | 1.98% |
| Mexico | 0.56% |
| Middle East | 4.80% |
| Asia | 0.28% |
| Other country in Europe | 4.52% |
n=354
Half of CIOs hold a C-level position, 10% are VP-level, and 20% are director level

38% of respondents are from an organization with above 1,000 employees

40% of CIOs report an annual budget of more than $10 million

A range of industries are represented, with 29% of respondents in the public sector or financial services


How likely is it that the following factors will disrupt your business in the next 12 months?

Looking ahead to 2024, how will your organization's IT spending change compared to spending in 2023?

Top five technologies for new spending planned in 2024:
Top five technologies for new spending planned after 2024:
n=301
Info-Tech Insight
Three in four CIOs say they have no plans to invest in quantum computing, more than any other technology with no spending plans.
Rate your business interest in adopting the following generative AI applications:

There is interest across all types of generative AI applications. CIOs are least interested in visual media generators, rating it just 2.4 out of 5 on average.
n=251
Info-Tech Insight
Examples of generative AI solutions specific to the legal industry include Litigate, CoCounsel, and Harvey.
Most popular use cases for AI by end of 2024:
Fastest growing use cases for AI in 2024:
n=218
Info-Tech Insight
The least popular use case for AI is to help define business strategy, with 45% saying they have no plans for it.

Info-Tech Insight
Almost half of CIOs say ChatGPT has been a catalyst for their business to adopt new AI initiatives.

Which of the following best describes your organization's approach to third-party generative AI tools (such as ChatGPT or Midjourney)?

Info-Tech Insight
Business concerns over intellectual property and sensitive data exposure led OpenAI to announce ChatGPT won't use data submitted via its API for model training unless customers opt in to do so. ChatGPT users can also disable chat history to avoid having their data used for model training (OpenAI).


Among organizations that plan to invest in AI in 2024, 30% still say there are no steps in place for AI governance. The most popular steps to take are to publish clear explanations about how AI is used, and to conduct impact assessments (n=170).

Among all CIOs, including those that do not plan to invest in AI next year, 37% say no steps are being taken toward AI governance today (n=243).
If you haven't already contributed to our Future of IT online survey, we are keeping the survey open to continue to collect insights and inform our research reports and agenda planning process. You can take the survey today. Those that complete the survey will be sent a complimentary Tech Trends 2024 report.
If you are receiving this for completing the Future of IT online survey, thank you for your contribution. If you are interested in further participation and would like to provide a complementary interview, please get in touch at brian.Jackson@infotech.com. All interview subjects must also complete the online survey.
If you've already completed an interview, thank you very much, and you can look forward to seeing more impacts of your contribution in the near future.
A CIO focus for the Future of IT
Data in this report represents respondents to the Future of IT online survey conducted by Info-Tech Research Group between May 11 and July 7, 2023.
Only CIO respondents were selected for this report, defined as those who indicated they are the most senior member of their organization's IT department.
This data segment reflects 355 total responses with 239 completing every question on the survey.
Further data from the Future of IT online survey and the accompanying interview process will be featured in Info-Tech's Tech Trends 2024 report this fall and in forthcoming Priorities reports including Applications, Data & EA, CIO, Infrastructure, and Security.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Select the top automation candidates to score some quick wins.
Map and optimize process flows for each task you wish to automate.
Build a process around managing IT automation to drive value over the long term.
Build a long-term roadmap to enhance your organization's automation capabilities.
Identify top candidates for automation.
Plan to achieve quick wins with automation for early value.
1.1 Identify MRW pain points.
1.2 Drill down pain points into tasks.
1.3 Estimate the MRW involved in each task.
1.4 Rank the tasks based on value and ease.
1.5 Select top candidates and define metrics.
1.6 Draft project charters.
MRW pain points
MRW tasks
Estimate of MRW involved in each task
Ranking of tasks for suitability for automation
Top candidates for automation & success metrics
Project charter(s)
Map and optimize the process flow of the top candidate(s).
Requirements for automation of the top task(s).
2.1 Map process flows.
2.2 Review and optimize process flows.
2.3 Clarify logic and finalize future-state process flows.
Current-state process flows
Optimized process flows
Future-state process flows with complete logic
Develop a lightweight process for rolling out automation and for managing the automation program.
Ability to measure and to demonstrate success of each task automation, and of the program as a whole.
3.1 Kick off your test plan for each automation.
3.2 Define process for automation rollout.
3.3 Define process to manage your automation program.
3.4 Define metrics to measure success of your automation program.
Test plan considerations
Automation rollout process
Automation program management process
Automation program metrics
Build a roadmap to enhance automation capabilities.
A clear timeline of initiatives that will drive improvement in the automation program to reduce MRW.
4.1 Build a roadmap for next steps.
IT automation roadmap
Automation can be very, very good, or very, very bad.
Do it right, and you can make your life a whole lot easier.
Do it wrong, and you can suffer some serious pain.
All too often, automation is deployed willy-nilly, without regard to the overall systems or business processes in which it lives.
IT professionals should follow a disciplined and consistent approach to automation to ensure that they maximize its value for their organization.
Derek Shank,
Research Analyst, Infrastructure & Operations
Info-Tech Research Group
Follow our methodology to focus IT automation on reducing toil.
Queues create waste and are extremely damaging. Like a tire fire, once you get started, they’re almost impossible to stamp out!
(Source: Edwards, citing Donald G. Reinertsen: The Principles of Product Development Flow: Second Generation Lean Product Development)
Every additional layer of complexity multiplies points of failure. Beyond a certain level of complexity, troubleshooting can become a nightmare.
Today, Operations is responsible for the outcomes of a full stack of a very complex, software-defined, API-enabled system running on infrastructure they may or may not own.
– Edwards
The systems built under each new technology paradigm never fully replace the systems built under the old paradigms. It’s not uncommon for an enterprise to have an accumulation of systems built over 10-15 years and have no budget, risk appetite, or even a viable path to replace them all. With each shift, who bares [SIC] the brunt of the responsibility for making sure the old and the new hang together? Operations, of course. With each new advance, Operations juggles more complexity and more layers of legacy technologies than ever before.
– Edwards
Personnel resources in most IT organizations overlap heavily between “build” and “run.”
Some CIOs see a Sys Admin and want to replace them with a Roomba. I see a Sys Admin and want to build them an Iron Man suit.
– Deepak Giridharagopal, CTO, Puppet
When we automate, we can make sure we do something the same way every time and produce a consistent result.
We can design an automated execution that will ship logs that provide the context of the action for a detailed audit trail.
Because the C-suite relies on upwards communication — often filtered and sanitized by the time it reaches them — executives don’t see the bottlenecks and broken processes that are stalling progress.
– Andi Mann
To get the full ROI on your automation, you need to treat it like an employee. When you hire an employee, you invest in that person. You spend time and resources training and nurturing new employees so they can reach their full potential. The investment in a new employee is no different than your investment in automation.
– Edwards
Example of How to Estimate Dollar Value Impact of Automation

| Metric | Timeline | Target | Value |
|---|---|---|---|
| Hours of manual repetitive work | 12 months | 20% reduction | $48,000/yr. (1) |
| Hours of project capacity | 18 months | 30% increase | $108,000/yr. (2) |
| Downtime caused by errors | 6 months | 50% reduction | $62,500/yr. (3) |

(1) 15 FTEs x 80k/yr.; 20% of time on MRW, reduced by 20%
(2) 15 FTEs x 80k/yr.; 30% project capacity, increased by 30%
(3) 25k/hr. of downtime; 5 hours per year of downtime caused by errors
Industry: Financial Services
Source: Interview
An IT infrastructure manager had established DR failover procedures, but these required a lot of manual work to execute. His team lacked the expertise to build automation for the failover.
The manager hired consultants to build scripts that would execute portions of the failover and pause at certain points to report on outcomes and ask the human operator whether to proceed with the next step.
The infrastructure team reduced their achievable RTOs as follows:
Tier 1: 2.5h → 0.5h
Tier 2: 4h → 1.5h
Tier 3: 8h → 2.5h
And now, anyone on the team could execute the entire failover!
“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”
“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”
“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”
“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”
| | 1. Select Candidates | 2. Map Process Flows | 3. Build Process | 4. Build Roadmap |
|---|---|---|---|---|
| Best-Practice Toolkit | 1.1 Identify MRW pain points 1.2 Drill down pain points into tasks 1.3 Estimate the MRW involved in each task 1.4 Rank the tasks based on value and ease 1.5 Select top candidates and define metrics 1.6 Draft project charters | 2.1 Map process flows 2.2 Review and optimize process flows 2.3 Clarify logic and finalize future-state process flows | 3.1 Kick off your test plan for each automation 3.2 Define process for automation rollout 3.3 Define process to manage your automation program 3.4 Define metrics to measure success of your automation program | 4.1 Build automation roadmap |
| Guided Implementations | Introduce methodology. Review automation candidates. Review success metrics. | Review process flows. Review end-to-end process flows. | Review testing considerations. Review automation SDLC. Review automation program metrics. | Review automation roadmap. |
| Onsite Workshop | Module 1: Identify Automation Candidates | Module 2: Map and Optimize Processes | Module 3: Build a Process for Managing Automation | Module 4: Build Automation Roadmap |
| | Phase 1 Results: Automation candidates and success metrics | Phase 2 Results: End-to-end process flows for automation | Phase 3 Results: Automation SDLC process, and automation program management process | Phase 4 Results: Automation roadmap |
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Create your minimum viable business architecture.
If there are a handful of capabilities that your business needs to focus on right now, what are they?
Identify business opportunities.
Enrich your capability model.
Organizations need to understand their value-added reseller (VAR) portfolio and the greater VAR landscape to better:
VARs typically charge more for products because they are in some way adding value. If you’re not leveraging any of the provided value, you’re likely wasting money and should use a basic commodity-type reseller for procurement.
This project will provide several benefits to Vendor Management and Procurement:
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Organize all your VARs and create a manageable portfolio detailing their value, specific products, services, and certifications.
Create an in-depth evaluation of the VARs’ capabilities.
Assess each VAR for low performance and opportunity to increase value or consolidate to another VAR and reduce redundancy.
Micro-manage your primary VARs to ensure performance to commitments and maximize their value.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Use Info-Tech’s best practices for setting out a selection roadmap and evaluative criteria for narrowing down vendors – both enterprise and specialized providers.
Cut through Gen AI buzzwords to achieve market clarity.
The urge to be fast-moving to leverage the potential benefits of Gen AI is understandable. There are plenty of opportunities for Gen AI to enrich an organization’s use cases – from commercial to R&D to entertainment. However, there are requisites an organization needs to get right before Gen AI can be effectively applied. Part of this is ensuring data and AI governance is well established and mature within the organization. The other part is contextualizing Gen AI to know what components of this market the organization needs to invest in.
Owing to its popularity surge, OpenAI’s ChatGPT has become near synonymous with Gen AI. However, Gen AI is an umbrella concept that encompasses a variety of infrastructural architecture. Organizations need to ask themselves probing questions if they are looking to work with OpenAI: Does ChatGPT rest on the right foundational model for us? Does ChatGPT offer the right modalities to support our organization’s use cases? How much fine-tuning and prompt engineering will we need to perform? Do we require investment in on-premises infrastructure to support significant data processing and high-volume events? And do we require FTEs to enable all this infrastructure?
Use this market primer to quickly get up to speed on the elements your organization might need to make the most of Gen AI.
Advisory Director, Info-Tech Research Group
Your Challenge
|
Common Obstacles
|
Info-Tech's Solution
This market primer for Gen AI will help you:
|
“We are entering the era of generative AI.
This is a unique time in our history where the benefits of AI are easily accessible and becoming pervasive with co-pilots emerging in the major business tools we use today. The disruptive capabilities that can potentially drive dramatic benefits also introduces risks that need to be planned for.”
Bill Wong, Principal Research Director – Data and BI, Info-Tech Research Group
Organizations with (1) FTEs devoted to making Gen AI work (including developers and business intelligence analysts), (2) trustworthy and regularly updated data, and (3) AI governance are just now reaching PoC testing.
Gen AI platforms will be built on different foundational models, be trained in different ways, and provide varying modalities. Do not expect to compare Gen AI platforms to the same parameters in a vendor quadrant.
While Gen AI success will be heavily reliant on the quality of data it is fine-tuned on, there are independent risks organizations must prepare for: from Gen AI hallucinations and output reliability to infrastructure feasibility to handle high-volume events.
If you plan to use Gen AI in a commercial setting, review your sales team’s KPIs. They are rewarded for sales velocity; if they are the human-in-the-loop to check for hallucinations, you must change incentives to ensure quality management.
If your organization is unsure about where to start with Gen AI, the secure route is to examine what your enterprise providers are offering. Use this as a learning platform to confidently navigate which specialized Gen AI provider will be viable for meeting your use cases.
The market trend has been for organizations to move to cloud-based products. Yet, for Gen AI, effective data processing and fine-tuning may call for organizations to invest in on-premises infrastructure (such as more GPUs) to enable their Gen AI to function effectively.
| Phase Steps | 1. Contextualize the Gen AI marketplace | 2. Prepare for and understand Gen AI platform offerings |
|---|---|---|
| Phase Outcomes | | |
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
The Gen AI market evaluation process should be broken into segments:
"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful"
"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."
"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."
"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."
Five advisory calls over a five-week period to accelerate your selection process
40 hours of advisory assistance delivered online.
Select better software, faster.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Learn about what causes data quality issues, how to measure data quality, what makes a good data quality practice in relation to your data and business environments.
Determine your business unit priorities to create data quality improvement projects.
Revisit the root causes of data quality issues and identify the relevant root causes to the highest priority business unit, then determine a strategy for fixing those issues.
Identify strategies for continuously monitoring and improving data quality at the organization.
Evaluate the maturity of the existing data quality practice and activities.
Assess how data quality is embedded into related data management practices.
Envision a target state for the data quality practice.
Understanding of the current data quality landscape
Gaps, inefficiencies, and opportunities in the data quality practice are identified
Target state for the data quality practice is defined
1.1 Explain approach and value proposition
1.2 Detail business vision, objectives, and drivers
1.3 Discuss data quality barriers, needs, and principles
1.4 Assess current enterprise-wide data quality capabilities
1.5 Identify data quality practice future state
1.6 Analyze gaps in data quality practice
Data Quality Management Primer
Business Capability Map Template
Data Culture Diagnostic
Data Quality Diagnostic
Data Quality Problem Statement Template
Define improvement initiatives
Define a data quality improvement strategy and roadmap
Improvement initiatives are defined
Improvement initiatives are evaluated and prioritized to develop an improvement strategy
A roadmap is defined to depict when and how to tackle the improvement initiatives
2.1 Create business unit prioritization roadmap
2.2 Develop subject areas project scope
2.3 By subject area 1 data lineage analysis, root cause analysis, impact assessment, and business analysis
Business Unit Prioritization Roadmap
Subject area scope
Data Lineage Diagram
Define improvement initiatives
Define a data quality improvement strategy and roadmap
Improvement initiatives are defined
Improvement initiatives are evaluated and prioritized to develop an improvement strategy
A roadmap is defined to depict when and how to tackle the improvement initiatives
3.1 Understand how data quality management fits in with the organization’s data governance and data management programs
3.2 By subject area 2 data lineage analysis, root cause analysis, impact assessment, and business analysis
Data Lineage Diagram
Root Cause Analysis
Impact Analysis
Determine a strategy for fixing data quality issues for the highest priority business unit
Strategy defined for fixing data quality issues for highest priority business unit
4.1 Formulate strategies and actions to achieve data quality practice future state
4.2 Formulate a data quality resolution plan for the defined subject area
4.3 By subject area 3 data lineage analysis, root cause analysis, impact assessment, and business analysis
Data Quality Improvement Plan
Data Lineage Diagram
Plan for continuous improvement in data quality
Incorporate data quality management into the organization’s existing data management and governance programs
Sustained and communicated data quality program
5.1 Formulate metrics for continuous tracking of data quality and monitoring the success of the data quality improvement initiative
5.2 Workshop Debrief with Project Sponsor
5.3 Meet with project sponsor/manager to discuss results and action items
5.4 Wrap up outstanding items from the workshop, deliverables expectations, GIs
Data Quality Practice Improvement Roadmap
Data Quality Improvement Plan (for defined subject areas)
Regardless of the driving business strategy or focus, organizations are turning to data to leverage key insights and help improve the organization’s ability to realize its vision, key goals, and objectives.
Poor quality data, however, can negatively affect time-to-insight and can undermine an organization’s customer experience efforts, product or service innovation, operational efficiency, or risk and compliance management. If you are looking to draw insights from your data for decision making, the quality of those insights is only as good as the quality of the data feeding or fueling them.
Improving data quality means having a data quality management practice that is sustainably successful and appropriate to the use of the data, while evolving to keep pace with or get ahead of changing business and data landscapes. It is not a matter of fixing one data set at a time, which is resource and time intensive, but instead identifying where data quality consistently goes off the rails, and creating a program to improve the data processes at the source.
Crystal Singh
Research Director, Data and Analytics
Info-Tech Research Group
Your organization is experiencing the pitfalls of poor data quality, including:
Poor data quality hinders successful decision making.
Not understanding the purpose and execution of data quality causes some disorientation with your data.
Organizations tend to adopt a project mentality when it comes to data quality instead of taking the strategic approach that would be all-around more beneficial in the long term.
Address the root causes of your data quality issues by forming a viable data quality program.
It is important to sustain best practices and grow your data quality program.
Info-Tech Insight
Fix data quality issues as close as possible to the source of data while understanding that business use cases will each have different requirements and expectations from data quality.
Reliable data is needed to facilitate data consumers at all levels of the enterprise.
Insights, knowledge, and information are needed to inform operational, tactical, and strategic decision-making processes. Data and information are needed to manage the business and empower business processes such as billing, customer touchpoints, and fulfillment.
Data should be at the foundation of your organization’s evolution. The transformational insights that executives are constantly seeking can be uncovered with a data quality practice that makes high-quality, trustworthy information readily available to the business users who need it.
98% of companies use data to improve customer experience. (Experian Data Quality, 2019)

Info-Tech Insight
As data is ingested, integrated, and maintained in the various streams of the organization's system and application architecture, there are multiple points where the quality of the data can degrade.
Insight:
Proper application of data quality dimensions throughout the data pipeline will result in superior business decisions.
Data quality issues can occur at any stage of the data flow.

Therefore, if there are problems with the organization’s underlying data, this can have a domino effect on many downstream business functions.
Let’s use an example to illustrate the domino effect of poor data quality.
Organization X is looking to migrate their data to a single platform, System Y. After the migration, it has become apparent that reports generated from this platform are inconsistent and often seem wrong. What is the effect of this?
30% Poor data quality
30% Method of interaction changing
30% Legacy systems or lack of new technology
95% Of organizations indicated that poor data quality undermines business performance.
(Source: Experian Data Quality, 2019)
Business decisions should be made with a strong rationale. Data can provide insight into key business questions, such as, “How can I provide better customer satisfaction?”
89% Of CIOs surveyed say lack of quality data is an obstacle to good decision making. (Larry Dignan, CIOs juggling digital transformation pace, bad data, cloud lock-in and business alignment, 2020)
Improve marketing and the customer experience by using the right data from the system of record to analyze complete customer views of transactions, sentiments, and interactions.
94% Percentage of senior IT leaders who say that poor data quality impinges business outcomes. (Clint Boulton, Disconnect between CIOs and LOB managers weakens data quality, 2016)
Gain insights on your products, services, usage trends, industry directions, and competitor results to support decisions on innovations, new products, services, and pricing.
20% Businesses lose as much as 20% of revenue due to poor data quality. (RingLead Data Management Solutions, 10 Stats About Data Quality I Bet You Didn’t Know)
Make sure the right solution is delivered rapidly and consistently to the right parties for the right price and cost structure. Automate processes by using the right data to drive process improvements.
10-20% The implementation of data quality initiatives can lead to reductions in corporate budget of up to 20%. (HaloBI, 2015)
Info-Tech Insight
Data quality suffers most at the point of entry. This is one of the causes of the domino effect of data quality – and can be one of the most costly forms of data quality errors due to the error propagation. In other words, fix data ingestion, whether through improving your application and database design or improving your data ingestion policy, and you will fix a large majority of data quality issues.
(Source: DAMA International)
Build a Robust and Comprehensive Data Strategy
Create a Data Management Roadmap
| Phase Steps | 1. Define Your Organization’s Data Environment and Business Landscape | 2. Analyze Your Priorities for Data Quality Fixes | 3. Establish Your Organization’s Data Quality Program | 4. Grow and Sustain Your Data Quality Practice |
|---|---|---|---|---|
| Phase Outcomes | This step identifies the foundational understanding of your data and business landscape, the essential concepts around data quality, as well as the core capabilities and competencies that IT needs to effectively improve data quality. | To begin addressing specific, business-driven data quality projects, you must identify and prioritize the data-driven business units. This will ensure that data improvement initiatives are aligned to business goals and priorities. | After determining whose data is going to be fixed based on priority, determine the specific problems that they are facing with data quality, and implement an improvement plan to fix it. | Now that you have put an improvement plan into action, make sure that the data quality issues don’t keep cropping up. Integrate data quality management with data governance practices into your organization and look to grow your organization’s overall data maturity. |
Info-Tech Insight
“Data Quality is in the eyes of the beholder.” – Igor Ikonnikov, Research Director
Data from Info-Tech’s CIO Business Vision Diagnostic, which represents over 400 business stakeholders, shows that data quality is very important when satisfaction with data quality is low.
However, when data quality satisfaction hit a threshold, it became less important.

Respondents were asked “How satisfied are you with the quality, reliability, and effectiveness of the data you use to manage your group?” as well as to rank how important data quality was to their organization.
When the business satisfaction of data quality reached a threshold value of 71-80%, the rated importance reached its lowest value.
Info-Tech Insight
Data needs to be good, but truly spectacular data may go unnoticed.
Provide the right level of data quality, with the appropriate effort, for the correct usage. This blueprint will help you to determine what “the right level of data quality” means, as well as create a plan to achieve that goal for the business.
Data Strategy: Data Strategy should contain Data Quality as a standard component. Data Quality issues can occur at any stage of the data flow.
DQ Dimensions: Timeliness – Representation – Usability – Consistency – Completeness – Uniqueness – Entry Quality – Validity – Confidence – Importance
Layers: Source System Layer → Data Transformation Layer → Consumption Layer

| Data Creation → | [SLA] Data Ingestion [QA] | → Data Accumulation & Engineering → | [SLA] Data Delivery [QA] | → Reporting & Analytics |
|---|---|---|---|---|
| Fix Data Quality root causes here… | → | to prevent expensive cures here. | | |
Industry: Healthcare
Source: Primary Info-Tech Research
A healthcare insurance agency faced data quality issues that negatively impacted a key business use case. Business rules were not well defined, and the use of default values instead of real values was a concern. Address data came from multiple source systems, so a customer could have several addresses on record.
The challenge was to identify the most accurate address, as some were incomplete and some were not up to date. This especially hindered a key business unit, marketing, from deriving business value: it was unable to reach out to existing customers to advertise additional products.
For this initiative, this insurance agency took an economic approach by addressing those data quality issues using internal resources.
Without having any MDM tools or having a master record or any specific technology relating to data quality, this insurance agency used in-house development to tackle those particular issues at the source system. Data quality capabilities such as data profiling were used to uncover those issues and address them.
“Data quality is subjective; you have to be selective in terms of targeting the data that matters the most. When getting business tools right, most issues will be fixed and lead to achieving the most value.” – Asif Mumtaz, Data & Solution Architect
"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."
"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."
"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."
"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is between eight to twelve calls over the course of four to six months.
Contact your account representative for more information. workshops@infotech.com 1-888-670-8889
| Day 1 | Day 2 | Day 3 | Day 4 | Day 5 |
|---|---|---|---|---|
| Define Your Organization’s Data Environment and Business Landscape | Create a Strategy for Data Quality Project 1 | Create a Strategy for Data Quality Project 2 | Create a Strategy for Data Quality Project 3 | Create a Plan for Sustaining Data Quality |
A comprehensive data quality practice includes appropriate business requirements gathering, planning, governance, and oversight capabilities, as well as empowering technologies for properly trained staff, and ongoing development processes.
Some common examples of appropriate data management methodologies for data quality are:
Effective data quality practices coordinate with other overarching data disciplines, related data practices, and strategic business objectives.
“You don’t solve data quality with a Band-Aid; you solve it with a methodology.” – Diraj Goel, Growth Advisor, BC Tech
Similar to measuring the acidity of a substance with a litmus test, the quality of your data can be measured using a simple indicator test. As you learn about common root causes of data quality problems in the following slides, think about these four quality indicators to assess the quality of your data:
Info-Tech Insight
Quality is a relative term. Data quality is measured in terms of tolerance. Perfect data quality is both impossible and a waste of time and effort.
Follow these steps to convince leadership of the value of data quality:
“You have to level with people, you cannot just start talking with the language of data and expect them to understand when the other language is money and numbers.” – Izabela Edmunds, Information Architect at Mott MacDonald
1. Data Culture Diagnostic
Use this report to understand where your organization lies across areas relating to data culture.
While the Quality & Trust area of the report might be most relevant to this blueprint, this diagnostic may point out other areas demanding more attention.
Please speak to your account manager for access
2. Business Capability Map Template
Perform this process to understand the capabilities that enable specific value streams. The output of this deliverable is a high-level view of your organization’s defined business capabilities.
Info-Tech Insight
Understanding your data culture and business capabilities is foundational to starting the journey of data quality improvement.
Key deliverable:
3. Data Quality Diagnostic
The Data Quality Report is designed to help you understand, assess, and improve key organizational data quality issues. This is where respondents across various areas in the organization can assess Data Quality across various dimensions.
If there are data elements that are considered of high importance and low confidence, then they must be prioritized.


After you get to know the properties of good quality data, understand the underlying causes of why those indicators can point to poor data quality.
If you notice that the usability, completeness, timeliness, or accessibility of the organization’s data is suffering, one or more of the following root causes are likely plaguing your data:
Common root causes of poor data quality, through the lens of Info-Tech’s Five-Tier Data Architecture:

These root causes of poor data quality are difficult to avoid, not only because they are often generated at an organization’s beginning stages, but also because change can be difficult. This means that the root causes are often propagated through stale or outdated business processes.
Application design plays one of the largest roles in the quality of the organization’s data. The proper design of applications can prevent data quality issues that can snowball into larger issues downstream.
Proper ingestion is 90% of the battle. An ounce of prevention is worth a pound of cure. This is true in many different topics, and data quality is one of them. Designing an application so that data gets entered properly, whether by internal staff or external customers, is the single most effective way to prevent data quality issues.
Some common causes of data quality problems at the application/system level include:
Database design also affects data quality. How a database is designed to handle incoming data, including the schema and key identification, can impact the integrity of the data used for reporting and analytics.
The most common type of database is the relational database. Therefore, we will focus on this type of database.
When working with and designing relational databases, there are some important concepts that must be considered.
Referential integrity is an important concept in the design of relational database schemas. It means that table relationships must always be consistent.
For table relationships to be consistent, primary keys (a unique value for each row) must uniquely identify entities in columns of the table. Foreign keys (a field that is defined in a second table but refers to the primary key in the first table) must agree with the primary key that they reference. To maintain referential integrity, any updates must be propagated to the primary parent key.
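The following added example (not part of the original blueprint) shows what a database does with and without referential integrity enforcement, using SQLite through Python's `sqlite3` module, plus an audit query that finds orphaned child records. The `customer` and `orders` tables, their columns, and the sample rows are constructed for illustration.

```python
import sqlite3

# Constructed schema: orders.customer_id is a foreign key to customer.customer_id
SCHEMA = """
CREATE TABLE customer (
    customer_id INTEGER PRIMARY KEY,      -- primary key: one unique value per row
    name        TEXT NOT NULL
);
CREATE TABLE orders (
    order_id    INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL
        REFERENCES customer(customer_id)  -- must match an existing parent row
        ON UPDATE CASCADE                 -- parent key changes are copied to child rows
        ON DELETE RESTRICT,               -- a parent that still has orders cannot be deleted
    amount      REAL NOT NULL
);
"""

# Audit: child rows whose foreign key matches no parent row (orphans)
ORPHAN_AUDIT = """
SELECT o.order_id, o.customer_id
FROM orders AS o
LEFT JOIN customer AS c ON c.customer_id = o.customer_id
WHERE c.customer_id IS NULL
ORDER BY o.order_id;
"""


def build_db(enforce):
    """Create an in-memory database with or without foreign key enforcement."""
    conn = sqlite3.connect(":memory:")
    # SQLite only enforces foreign keys when this pragma is ON for the connection
    conn.execute(f"PRAGMA foreign_keys = {'ON' if enforce else 'OFF'}")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO customer VALUES (?, ?)", [(1, "Acme"), (2, "Globex")])
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", [(100, 1, 25.0), (101, 2, 40.0)])
    conn.commit()
    return conn


def try_insert_orphan(conn):
    """Try to add an order for customer 999, which does not exist."""
    try:
        conn.execute("INSERT INTO orders VALUES (102, 999, 10.0)")
        conn.commit()
        return "accepted"
    except sqlite3.IntegrityError:
        conn.rollback()
        return "rejected"


def rekey_customer(conn, old_id, new_id):
    """Change a parent key; return the customer_id values now held by the child rows."""
    conn.execute("UPDATE customer SET customer_id = ? WHERE customer_id = ?", (new_id, old_id))
    conn.commit()
    return [row[0] for row in conn.execute("SELECT customer_id FROM orders ORDER BY order_id")]


def find_orphans(conn):
    """Return (order_id, customer_id) for every order without a matching customer."""
    return conn.execute(ORPHAN_AUDIT).fetchall()


if __name__ == "__main__":
    for enforce in (False, True):
        conn = build_db(enforce)
        print("enforcement on:", enforce)
        print("  orphan insert:", try_insert_orphan(conn))
        print("  child keys after re-keying customer 1 to 10:", rekey_customer(conn, 1, 10))
        print("  orphaned orders:", find_orphans(conn))
```

Without enforcement, the bad insert is accepted and the parent key change strands existing orders; the audit query is the check to run against databases that were populated before constraints were in place.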
Info-Tech Insight
Other types of databases, including databases with unstructured data, need data quality consideration. However, unstructured data may have different levels of quality tolerance.
Databases and People:
Even though database design is a technology issue, don’t forget about the people.
A lack of employee training on database permissions for updating or entering data into the physical databases is a common cause of data quality problems.
Data ingestion is another category of data-quality-issue root causes. When moving data in Tier 2, whether it is through ETL, ESB, point-to-point integration, etc., the integrity of the data during movement and/or transformation needs to be maintained.
Tier 2 (the data ingestion layer) serves to move data for one of two main purposes:
This ensures the data is pristine throughout the process and improves trustworthiness of outcomes and speed to task completion.
Data policies and procedures are necessary for establishing standards around data and represent another category of data-quality-issue root causes. This issue spans all five tiers of the five-tier architecture.
Data policies are short statements that seek to manage the creation, acquisition, integrity, security, compliance, and quality of data. These policies vary amongst organizations, depending on your specific data needs.
Business processes can impact data quality. How data is entered into systems, as well as employee training and knowledge about the correct data definitions, can impact the quality of your organization’s data.
These problematic business process root causes can lead to:
Duplicate records
Incomplete data
Improper use of data
Wrong data entered into fields
These data quality issues will result in costly and inefficient manual fixes, wasting valuable time and resources.
1. Data Quality Understanding
2. Phase 0 Deliverables
Introduced foundational tools to help you throughout this blueprint:
3. Common Root Causes
Addressed where multiple root causes can occur throughout the flow of your data.
Analyzed the following common root causes of data quality:
Business Vision
Business Goals
Business Drivers
Business Differentiators
Understanding where data lives can be challenging as it is often in motion and rarely resides in one place. There are multiple benefits that come from taking the time to create a data flow diagram.
Info-Tech’s Four-Column Model of Data will help you to identify the essential aspects of your data:
Business Use Case → Used by → Business Unit → Housed in → Systems → Used for → Usage of the Data
To prioritize your business units for data quality improvement projects, you must analyze the relative importance of the data they use to the business. The more important the data is to the business, the higher the priority is of fixing that data. There are two measures for determining the importance of data: business value and business impact.
Business value of data can be evaluated by thinking about its ties to revenue generation for the organization, as well as how it is used for productivity and operations at the organization.
The business value of data is assessed by asking what would happen to the following parameters if the data is not usable (due to poor quality, for example):
Business impact of data should take into account the effects of poor data on both internal and external parties.
The business impact of data is assessed by asking what the impact would be of bad data on the following parameters:
Value + Impact = Data Priority Score
Before you can identify a solution, you must identify the problem with the business unit’s data.
Use Info-Tech’s Data Quality Problem Statement Template to identify the symptoms of poor data quality and articulate the problem.
Info-Tech’s Data Quality Problem Statement Template will walk you through a step-by-step approach to identifying and describing the problems that the business unit feels regarding its data quality.
Before articulating the problem, it helps to identify the symptoms of the problem. The following W’s will help you to describe the symptoms of the data quality issues:
What
Define the symptoms and feelings produced by poor data quality in the business unit.
Where
Define the location of the data that are causing data quality issues.
When
Define how severe the data quality issues are in frequency and duration.
Who
Define who is affected by the data quality problems and who works with the data.
Info-Tech Best Practice
Symptoms vs. Problems. Often, people will identify a list of symptoms of a problem and mistake those for the problem. Identifying the symptoms helps to define the problem, but symptoms do not help to identify the solution. The problem statement helps you to create solutions.
1 hour
A defined problem helps you to create clear goals, as well as lead your thinking to determine solutions to the problem.
A problem statement consists of one or two sentences that summarize a condition or issue that a quality improvement team is meant to address. For the improvement team to fix the problem, the problem statement therefore has to be specific and concise.
Instructions
MathWorks
Industry: Software Development
Source: Primary Info-Tech Research
As part of moving to a formalized data quality practice, MathWorks leveraged an incremental approach that took its time investigating business cases to support improvement actions. Establishing realistic goals for improvement in the form of a roadmap was a central component for gaining executive approval to push the project forward.
Roadmap Creation
In constructing a comprehensive roadmap that incorporated findings from business process and data analyses, MathWorks opted to document five-year and three-year overall goals, with one-year objectives that supported each goal. This approach ensured that the tactical actions taken were directed by long-term strategic objectives.
In presenting their roadmap for executive approval, MathWorks placed emphasis on communicating the progression and impact of their initiatives in terms that would engage business users. They focused on maintaining continual lines of communication with business stakeholders to demonstrate the value of the initiatives and also to gradually shift the corporate culture to one that is invested in an effective data quality practice.
“Don’t jump at the first opportunity, because you may be putting out a fire with a cup of water where a fire truck is needed.” – Executive Advisor, IT Research and Advisory Firm
Assess IT’s capabilities and competencies around data quality and plan to build these as the organization’s data quality practice develops. Before you can fix data quality, make sure you have the necessary skills and abilities to fix data quality correctly.
The following IT capabilities are developed on an ongoing basis and are necessary for standardizing and structuring a data quality practice:
Data Handling and Remediation Competencies:
After these capabilities and competencies are assessed for a current and desired target state, the Data Quality Practice Assessment and Project Planning Tool will suggest improvement actions that should be followed in order to build your data quality practice. In addition, a roadmap will be generated after target dates are set to create your data quality practice development strategy.
1 hour
Use the Data Quality Practice Assessment and Project Planning Tool to evaluate the baseline and target capabilities of your practice in terms of how data quality is approached and executed.
Instructions
These results will set the baseline against which you will monitor performance progress and keep track of improvements over time.
Info-Tech Insight
Focus on early alignment. Assessing capabilities within specific people’s job functions can naturally result in disagreement or debate, especially between business and IT people. Remind everyone that data quality should ultimately serve business needs wherever possible.
To enable deeper analysis on the results of your practice assessment, Tab 3: Data Quality Practice Scorecard in the Data Quality Practice Assessment and Project Planning Tool creates visualizations of the gaps identified in each of your practice capabilities and related data management practices. These diagrams serve as analysis summaries.
Gap assessment of “Meeting Business Needs” capabilities

Visualization of gap assessment of data quality practice capabilities

This means that before engaging IT in data quality projects to fix the business units’ data in Phase 2, IT must assess feasibility of the data quality improvement plan. A feasibility analysis is typically used to review the strengths and weaknesses of the projects, as well as the availability of required skills and technologies needed to complete them. Use the following workflow to guide you in performing a feasibility analysis:
Project evaluation process:
Present capabilities
Info-Tech Best Practice
While the PMO identifies and coordinates projects, IT must determine how long and for how much.
1 hour
Instructions
1 hour
Generating Your Roadmap
Use the Practice Roadmap to plan and improve data quality capabilities
Info-Tech Best Practice
To help get you started, Info-Tech has provided an extensive list of data quality improvement initiatives that are commonly undertaken by organizations looking to improve their data quality.
2 hours
Create practice-level metrics to monitor your data quality practice.
Instructions:
| Metric | Current | Goal |
|---|---|---|
| Usage (% of trained users using the data warehouse) | | |
| Performance (response time) | | |
| Resource utilization (memory usage, number of machine cycles) | | |
| User satisfaction (quarterly user surveys) | | |
| Data quality (% values outside valid values, % fields missing, wrong data type, data outside acceptable range, data that violates business rules. Some aspects of data quality can be automatically tracked and reported) | | |
| Costs (initial installation and ongoing, Total Cost of Ownership including servers, software licenses, support staff) | | |
| Security (security violations detected, where violations are coming from, breaches) | | |
| Patterns that are used | | |
| Reduction in time to market for the data | | |
| Completeness of data that is available | | |
| How many "standard" data models are being used | | |
| What is the extra business value from the data governance program? | | |
| How much time is spent for data prep by BI & analytics team? | | |
As you improve your data quality practice and move from reactive to stable, don’t rest and assume that you can let data quality keep going by itself. Rapidly changing consumer requirements or other pains will catch up to your organization and you will fall behind again. By moving to the proactive and predictive end of the maturity scale, you can stay ahead of the curve. By following the methodology laid out in Phase 1, the data quality practices at your organization will improve over time, leading to the following results:
Before Data Quality Practice Improvements
Year 1
Year 2
Year 3
(Global Data Excellence, Data Excellence Maturity Model)
It is important to understand the various data that exist in the business unit, as well as which data are essential to business function and require the highest degree of quality efforts.
Visualize your databases and the flow of data. A data lineage diagram can help you and the Data Quality Improvement Team visualize where data issues lie. Keeping the five-tier architecture in mind, build your data lineage diagram.
Reminder: Five-Tier Architecture

Use the following icons to represent your various data systems and databases.
2 hours
Map the flow and location of data within a business unit by creating a system context diagram.
Gain an accurate view of data locations and uses: Engage business users and representatives with a wide breadth of knowledge related to business processes and the use of data by related business operations.
Sample Data Lineage Diagram

1 hour
Develop goals and align them with specific objectives to set the framework for your data quality initiatives.
In the context of achieving business vision, mission, goals, and objectives and sustaining differentiators and key drivers, think about where and how data quality is a barrier. Then brainstorm data quality improvement objectives that map to these barriers. Document your list of objectives in Tab 5: Prioritize Business Units of the Data Quality Practice Assessment and Project Planning Tool.
| Establishing Business Context Example | Healthcare Industry |
|---|---|
| Vision | To improve member services and make service provider experience more effective through improving data quality and data collection, aggregation, and accessibility for all the members. |
| Goals | Establish meaningful metrics that guide to the improvement of healthcare for member effectiveness of health care providers: |
| Differentiator | Connect service consumers with service providers, that comply with established regulations by delivering data that is accurate, trusted, timely, and easy to understand to connect service providers and eliminate bureaucracy and save money and time. |
| Key Driver | Seamlessly provide healthcare for members. |
30 minutes
Instructions

2 hours
Instructions
In Tab 5: Prioritize Business Units of the Data Quality Practice Assessment and Project Planning Tool, assess business value and business impact of the data within each documented business unit.
Use the ratings High, Medium, and Low to measure the financial, productivity, and efficiency value and impact of each business unit’s data.
In addition to these ratings, assess the number of help desk tickets that are submitted to IT regarding data quality issues. This parameter is an indicator that the business unit’s data is high priority for data quality fixes.
1 hour
Instructions
After assessing the business units for the business value and business impact of their data, the Data Quality Practice Assessment and Project Planning Tool automatically assesses the prioritization of the business units based on your ratings. These prioritizations are then summarized in a roadmap on Tab 6: Data Quality Project Roadmap. The following is an example of a project roadmap:

On Tab 6, insert the timeline for your data quality improvement projects, as well as the starting date of your first data quality project. The roadmap will automatically update with the chosen timing and dates.
As you improve the data quality for specific business units, measuring the benefits of data quality improvements will help you demonstrate the value of the projects to the business.
Use the following table to guide you in creating business-aligned metrics:
| Business Unit | Driver | Metrics | Goal |
|---|---|---|---|
| Sales | Customer Intimacy | Accuracy of customer data. Percent of missing or incomplete records. | 10% decrease in customer record errors. |
| Marketing | Customer Intimacy | Accuracy of customer data. Percent of missing or incomplete records. | 10% decrease in customer record errors. |
| Finance | Operational Excellence | Relevance of financial reports. | Decrease in report inaccuracy complaints. |
| HR | Risk Management | Accuracy of employee data. | 10% decrease in employee record errors. |
| Shipping | Operational Excellence | Timeliness of invoice data. | 10% decrease in time to report. |
Info-Tech Insight
Relating data governance success metrics to overall business benefits keeps executive management and executive sponsors engaged because they are seeing actionable results. Review metrics on an ongoing basis with those data owners/stewards who are accountable, the data governance steering committee, and the executive sponsors.
Industry: Government
Source: Environment Development of Canada (EDC)
Environment Development Canada (EDC) would initially identify data elements that are important to the business purely based on their business instinct.
Leadership attempted to tackle the enterprise’s data issues by bringing a set of different tools into the organization.
It didn’t work out because the fundamental foundational layer, which is the data and infrastructure, was not right – they didn't have the foundational capabilities to enable those tools.
Leadership listened to the need for one single team to be responsible for the data persistence.
Therefore, the data platform team was granted that mandate to extensively execute the data quality program across the enterprise.
A data quality team was formed under the Data & Analytics COE. They had the mandate to profile the data and to understand what quality of data needed to be achieved. They worked constantly with the business to build the data quality rules.
EDC tackled the source of their data quality issues through initially performing a data quality management assessment with business stakeholders.
From then on, EDC was able to establish their data quality program and carry out other key initiatives that prove the ROI on data quality.
Now that you have a prioritized list for your data quality improvement projects, identify the highest priority business unit. This is the business unit you will work through Phase 3 with to fix their data quality issues.
Once you have initiated and identified solutions for the first business unit, tackle data quality for the next business unit in the prioritized list.

1 hour
The Data Quality Improvement Plan is a concise document that should be created for each data quality project (i.e. for each business unit) to keep track of the project.
Instructions
| Team role | Assigned to |
|---|---|
| Data Owner | [Name] |
| Project Manager | [Name] |
| Business Analyst/BRM | [Name] |
| Data Steward | [Name] |
| Data Analyst | [Name] |
1 hour
Data quality initiatives have to be relevant to the business, and the business context will be used to provide inputs to the data improvement strategy. The context can then be used to determine exactly where the root causes of data quality issues are, which will inform your solutions.
Instructions
The business context of the data quality improvement plan includes documenting from previous activities:
Info-Tech Best Practice
While many organizations adopt data quality principles, not all organizations express them along the same terms. Have multiple perspectives within your organization outline principles that fit your unique data quality agenda. Anyone interested in resolving the day-to-day data quality issues that they face can be helpful for creating the context around the project.
You previously fleshed out the problem with data quality present in the business unit chosen as highest priority. Now it is time to figure out what is causing those problems.
In the table below, you will find some of the common categories of causes of data quality issues, as well as some specific root causes.
| Category | Description |
|---|---|
| 1. System/Application Design | Ineffective, insufficient, or even incorrect system/application design accepts incorrect and missing data elements into the source applications and databases. The data records in those source systems may propagate into systems in tiers 2, 3, 4, and 5 of the 5-tier architecture, creating domino and ripple effects. |
| 2. Database design | Database is created and modeled in an incorrect manner so that the management of the data records is incorrect, resulting in duplicated and orphaned records, and records that are missing data elements or records that contain incorrect data elements. Poor operational data in databases often leads to issues in tiers 2, 3, 4, and 5. |
| 3. Enterprise Integration | Data or information is improperly integrated, transformed, masked, and aggregated in tier 2. In addition, some data integration tasks might not be timely, resulting in out-of-date data or even data that contradicts other data. Enterprise integration is a precursor of loading a data warehouse and data marts. Issues in this layer affect tiers 3, 4, and 5 of the 5-tier architecture. |
| 4. Policies and Procedures | Policies and procedures are not effectively used to reinforce data quality. In some situations, policy gaps are found. In others, policies are overlapped and duplicated. Policies may also be out-of-date or too complex, affecting the users’ ability to interpret the policy objectives. Policies affect all tiers in the 5-tier architecture. |
| 5. Business Processes | Improper business process design introduces poor data into the data systems. Failure to create processes around approving data changes, failure to document key data elements, and failure to train employees on the proper uses of data make data quality a burning problem. |
A root cause analysis is a systematic approach to decompose a problem into its components. Use fishbone diagrams to help reveal the root causes of data issues.

Info-Tech recommends five root cause categories for assessing data quality issues:
- Application Design. Is the issue caused by human error at the application level? Consider internal employees, external partners/suppliers, and customers.
- Database Design. Is the issue caused by a particular database and stems from inadequacies in its design?
- Integration. Data integration tools may not be fully leveraged, or data matching rules may be poorly designed.
- Policies and Procedures. Do the issues take place because of lack of governance?
- Business Processes. Do the issues take place due to insufficient processes?
For example:
When performing a deeper analysis of your data issues related to the accuracy of the business unit’s data, you would perform a root cause analysis by assessing the contribution of each of the five categories of data quality problem root causes:

Including all attributes of the key subject area in your data profiling activities may produce too much information to make sense of. Conduct data profiling primarily at the table level and perform attribute profiling only if you are able to narrow down your scope sufficiently.
Data profiling extracts a sample of the target data set and runs it through multiple levels of analysis. The end result is a detailed report of statistics about a variety of data quality criteria (duplicate data, incomplete data, stale data, etc.).
Many data profiling tools have built-in templates and reports to help you uncover data issues. In addition, they quantify the occurrences of the data issues.
This supplements a profiling tool. For example, use a BI tool to create a custom grouping of all the invalid states (e.g. “CAL,” “AZN,” etc.) and visualize the percentage of invalid states compared to all states.
This supplements a profiling tool. For example, use a SQL statement to group the customer data by customer segment and then by state to identify which segment–state combinations contain poor data.
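The SQL grouping described above, written out as an added example (not Info-Tech's own material) using Python's built-in sqlite3 module: it groups customers by segment and then by state, and flags state values that are absent from a reference list. The table and column names and the sample rows are constructed for illustration.

```python
import sqlite3

# Constructed sample data. "CAL" and "AZN" are the invalid state values the
# text mentions; segments and row counts are made up for illustration.
SAMPLE_CUSTOMERS = [
    ("Retail", "CA"), ("Retail", "CAL"), ("Retail", "AZ"), ("Retail", "CAL"),
    ("Wholesale", "AZ"), ("Wholesale", "AZN"), ("Wholesale", "NY"),
    ("Online", "NY"), ("Online", "CA"), ("Online", None),
]
VALID_STATES = ["AZ", "CA", "NY"]  # stand-in for the full reference list


def build_db():
    """Load the constructed rows into an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ref_state (code TEXT PRIMARY KEY)")
    conn.execute(
        "CREATE TABLE customer (id INTEGER PRIMARY KEY, segment TEXT, state TEXT)"
    )
    conn.executemany("INSERT INTO ref_state VALUES (?)", [(s,) for s in VALID_STATES])
    conn.executemany(
        "INSERT INTO customer (segment, state) VALUES (?, ?)", SAMPLE_CUSTOMERS
    )
    conn.commit()
    return conn


def profile_by_segment_and_state(conn):
    """One row per segment-state combination, with a 0/1 'invalid' flag.

    A state is invalid when the LEFT JOIN finds no match in the reference
    list; a missing (NULL) state never matches, so it is flagged as well.
    """
    sql = """
        SELECT c.segment,
               COALESCE(c.state, '<missing>') AS state_value,
               COUNT(*)                       AS records,
               MAX(r.code IS NULL)            AS invalid
        FROM customer AS c
        LEFT JOIN ref_state AS r ON r.code = c.state
        GROUP BY c.segment, c.state
        ORDER BY c.segment, c.state
    """
    return conn.execute(sql).fetchall()


def invalid_share_by_segment(conn):
    """Map segment -> (invalid records, total records, percent invalid)."""
    sql = """
        SELECT c.segment, SUM(r.code IS NULL), COUNT(*)
        FROM customer AS c
        LEFT JOIN ref_state AS r ON r.code = c.state
        GROUP BY c.segment
    """
    return {
        segment: (bad, total, round(100.0 * bad / total, 1))
        for segment, bad, total in conn.execute(sql)
    }


if __name__ == "__main__":
    db = build_db()
    for segment, state, records, invalid in profile_by_segment_and_state(db):
        marker = "INVALID" if invalid else ""
        print(f"{segment:10} {state:10} {records:3} {marker}")
    for segment, (bad, total, pct) in sorted(invalid_share_by_segment(db).items()):
        print(f"{segment:10} {bad}/{total} invalid ({pct}%)")
```

The per-segment percentages are the figures a BI tool would chart; the grouped rows show which segment and state combinations to investigate first.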
2 hours
Instructions
Example:

1 hour
Now that you have data quality issues classified according to the data quality attributes, map these issues onto four fishbone diagrams.

Suboptimal system/application design provides entry points for bad data.
| Business Process | | | | | |
|---|---|---|---|---|---|
| Usually found in → | Tier 1 | Tier 2 | Tier 3 | Tier 4 | Tier 5 |

| Issue | Root Causes | Usability | Completeness | Timeliness | Accessibility |
|---|---|---|---|---|---|
| Insufficient data mask | No data mask is defined for a free-form text field in a user interface. E.g. North American phone number should have 4 masks – country code (1-digit), area code (3-digit), and local number (7-digit). | X | X | ||
| Too many free-form text fields | Incorrect use of free-form text fields (fields that accept a variety of inputs). E.g. Use a free-form text field for zip code instead of a backend look up. | X | X | ||
| Lack of value lookup | Reference data is not looked up from a reference list. E.g. State abbreviation is entered instead of being looked up from a standard list of states. | X | X | ||
| Lack of mandatory field definitions | Mandatory fields are not identified and enforced, resulting in data records with many missing data elements. E.g. Some users may fill in only 2 or 3 fields in a UI that has 20 non-mandatory fields. | X | | | |

Improper database design allows incorrect data to be stored and propagated.
| Business Process | | | | | |
|---|---|---|---|---|---|
| Usually found in → | Tier 1 | Tier 2 | Tier 3 | Tier 4 | Tier 5 |

| Issue | Root Causes | Usability | Completeness | Timeliness | Accessibility |
|---|---|---|---|---|---|
| Incorrect referential integrity | Referential integrity constraints are absent or incorrectly implemented, resulting in child records without parent records, or related records are updated or deleted in a cascading manner. E.g. An invoice line item is created before an invoice is created. | X | X | ||
| Lack of unique keys | The lack of unique keys creates scenarios where record uniqueness cannot be guaranteed. E.g. Customer records with the same customer_ID. | X | X | ||
| Data range | Failure to define a data range for incoming data results in data values that are out of range. E.g. The age field is able to store an age of 999. | X | X | ||
| Incorrect data type | Incorrect data types are used to store data fields. E.g. A string field is used to store zip codes. Some users use that to store phone numbers, birthdays, etc. | X | X |

Improper data integration or synchronization may create poor analytical data.
| Business Process | | | | | |
|---|---|---|---|---|---|
| Usually found in → | Tier 1 | Tier 2 | Tier 3 | Tier 4 | Tier 5 |

| Issue | Root Causes | Usability | Completeness | Timeliness | Accessibility |
|---|---|---|---|---|---|
| Incorrect transformation | Transformation is done incorrectly. A wrong formula may have been used, transformation is done at the wrong data granularity, or aggregation logic is incorrect. E.g. Aggregation is done for all customers instead of just active customers. | X | X | ||
| Data refresh is out of sync | Data is synchronized at different intervals, resulting in a data warehouse where data domains are out of sync. E.g. Customer transactions are refreshed to reflect the latest activities but the account balance is not yet refreshed. | X | X | ||
| Data is matched incorrectly | Failure to match records from disparate systems results in duplications and unmatched records. E.g. Unable to match customers from different systems because they have different cust_ID. | X | X | ||
| Incorrect data mapping | Fields from source systems are not properly matched with data warehouse fields. E.g. Status fields from different systems are mixed into one field. | X | X |

Suboptimal policies and procedures undermine the effect of best practices.
| Business Process | | | | | |
|---|---|---|---|---|---|
| Usually found in → | Tier 1 | Tier 2 | Tier 3 | Tier 4 | Tier 5 |

| Issue | Root Causes | Usability | Completeness | Timeliness | Accessibility |
|---|---|---|---|---|---|
| Policy Gaps | There are gaps in the policy landscape in terms of some missing key policies or policies that are not refreshed to reflect the latest changes. E.g. A data entry policy is absent, leading to inconsistent data entry practices. | X | X | ||
| Policy Communications | Policies are in place but the policies are not communicated effectively to the organization, resulting in misinterpretation of policies and under-enforcement of policies. E.g. The data standard is created but very few developers are aware of its existence. | X | X | ||
| Policy Enforcement | Policies are in place but are not proactively reinforced, which leads to inconsistent application and adoption of policies. E.g. Policy adoption is dropping over time due to lack of reinforcement. | X | X | ||
| Policy Quality | Policies are written by untrained authors and they do not communicate the messages. E.g. A non-technical data user may find a policy that is loaded with technical terms confusing. | X | X |

Ineffective and inefficient business processes create entry points for poor data.
| Business Process | | | | | |
|---|---|---|---|---|---|
| Usually found in → | Tier 1 | Tier 2 | Tier 3 | Tier 4 | Tier 5 |

| Issue | Root Causes | Usability | Completeness | Timeliness | Accessibility |
|---|---|---|---|---|---|
| Lack of training | Key data personnel and business analysts are not trained in data quality and data governance, leading to lack of accountability. E.g. A data steward is not aware of downstream impact of a duplicated financial statement. | X | X | ||
| Ineffective business process | The same piece of information is entered into data systems two or more times. Or a piece of data is stalled in a data system for too long. E.g. A paper form is scanned multiple times to extract data into different data systems. | X | X | ||
| Lack of documentation | Failure to document the workflows of the key business processes. A lack of documented workflows results in sub-optimal use of data. E.g. Data is modeled incorrectly due to undocumented business logic. | X | X | ||
| Lack of integration between business silos | Business silos hold on to their own datasets resulting in data silos in which data is not shared and/or data is transferred with errors. E.g. Data from a unit is extracted as a data file and stored in a shared drive with little access. | X | X |

As you worked through the previous step, you identified the root causes of your data quality problems within the business unit. Now, it is time to identify solutions.
The following slides provide an overview of the solutions to common data quality issues. As you identify solutions that apply to the business unit being addressed, insert the solution tables in Section 4: Proposed Solutions of the Data Quality Improvement Plan Template.
All data quality solutions have two components to them:
For the next five data quality solution slides, look for the slider for the contributions of each category to the solution. Use this scale to guide you in creating solutions.
When designing solutions, keep in mind that solutions to data quality problems are not mutually exclusive. In other words, an identified root cause may have multiple solutions that apply to it.
For example, if an application is plagued with inaccurate data, the application design may be suboptimal, but also the process that leads to data being entered may need fixing.
Restrict field length – Capture only the characters you need for your application.
Leverage data masks – Use data masks in standardized fields like zip code and phone number.
Restrict the use of open text fields and use reference tables – Only present open text fields when there is a need. Use reference tables to limit data values.
Provide options – Use radio buttons, drop-down lists, and multi-select instead of using open text fields.
Validate data before committing – Use simple validation to ensure the data entered is not random numbers and letters.
Track history – Keep track of who entered what fields.
Cannot submit twice – Only design for one-time submission.
Data-entry training – Training that is related to data entry, creating, or updating data records.
Data resolution training – Training data stewards or other dedicated data personnel on how to resolve data records that are not entered properly.
Standards – Develop application design principles and standards.
Field testing – Field data entry with a few people to look for abnormalities and discrepancies.
Detection and resolution – Abnormal data records should be isolated and resolved ASAP.
Thorough testing – Application design is your first line of defence against poor data. Test to ensure bad data is kept out of the systems.
HMS
Industry: Healthcare
Source: Informatica
Healthcare Management Systems (HMS) provides cost containment services for healthcare sponsors and payers, and coordinates benefits services. This is to ensure that healthcare claims are paid correctly to both government agencies and individuals. To do so, HMS relies on data, and this data needs to be of high quality to ensure the correct decisions are made, the right people get the correct claims, and the appropriate parties pay out.
To improve the integrity of HMS’s customer data, HMS put in place a framework that helped to standardize the collection of high volume and highly variable data.
Working with a data quality platform vendor to establish a framework for data standardization, HMS was able to streamline data analysis and reduce new customer implementations from months to weeks.
| Before improving data quality processes | After improving data quality processes |
|---|---|
| Data Ingestion | Data Ingestion |
| Many standards of ingestion. | Standardized data ingestion |
| Data Storage | Data Storage |
| Lack of ability to match data, creating data quality errors. | |
| Data Analysis | Data Analysis |
| = | = |
| Slow Customer Implementation Time | 50% Reduction in Customer Implementation Time |
Referential integrity – Ensure parent/child relationships are maintained in terms of cascade creation, update, and deletion.
Primary key definition – Ensure there is at least one key to guarantee the uniqueness of the data records, and the primary key should not allow nulls.
Validate data domain – Create triggers to check the data values entered in the database fields.
Field type and length – Define the most suitable data type and length to hold field values.
Explore solutions – Where to fix the data issues? Is there a case to fix the issues?
Running profiling tools to catch errors – Run scans on the database with defined criteria to identify occurrences of questionable data.
Fix a sample before fixing all records – Use a proof-of-concept approach to explore fix options and evaluate impacts before fixing the full set.
Perform key tasks in pairs – Take a pair approach to perform key tasks so that validation and cross-check can happen.
Skilled DBAs – DBAs should be certified and accredited.
Competence – Assess DBA competency on an ongoing basis.
Preparedness – Develop drills to simulate data issues and train DBAs.
Cross train – Cross train team members so that one DBA can cover another DBA.
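The four database-level controls above (referential integrity, primary keys, domain-checking triggers, field type and length), as an added example that is not part of the original material, run against the bad-data cases from the database design root-cause table. It assumes SQLite through Python's sqlite3 module; the table names, the 0 to 130 age range and the 5-digit zip rule are illustrative assumptions.

```python
import sqlite3

# Illustrative schema (assumed names). SQLite enforces foreign keys only when
# the pragma is on, and treats declared types as affinities, so the zip code
# format is enforced with a CHECK rather than by the column type alone.
SCHEMA = """
CREATE TABLE ref_state (code TEXT PRIMARY KEY);
CREATE TABLE customer (
    customer_id INTEGER NOT NULL PRIMARY KEY,
    age         INTEGER,
    state       TEXT NOT NULL REFERENCES ref_state(code),
    zip_code    TEXT NOT NULL,
    CONSTRAINT zip_is_5_digits
        CHECK (length(zip_code) = 5 AND zip_code NOT GLOB '*[^0-9]*')
);
CREATE TABLE invoice (
    invoice_id  INTEGER NOT NULL PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customer(customer_id)
);
CREATE TABLE invoice_line (
    line_id      INTEGER PRIMARY KEY,
    invoice_id   INTEGER NOT NULL
                 REFERENCES invoice(invoice_id) ON DELETE CASCADE,
    amount_cents INTEGER NOT NULL CHECK (amount_cents >= 0)
);
-- Domain validation by trigger, as the text suggests (the range is assumed).
CREATE TRIGGER customer_age_insert BEFORE INSERT ON customer
WHEN NEW.age IS NOT NULL AND NEW.age NOT BETWEEN 0 AND 130
BEGIN SELECT RAISE(ABORT, 'age out of range'); END;
CREATE TRIGGER customer_age_update BEFORE UPDATE OF age ON customer
WHEN NEW.age IS NOT NULL AND NEW.age NOT BETWEEN 0 AND 130
BEGIN SELECT RAISE(ABORT, 'age out of range'); END;
INSERT INTO ref_state (code) VALUES ('AZ'), ('CA'), ('NY');
"""

NEW_CUSTOMER = (
    "INSERT INTO customer (customer_id, age, state, zip_code) VALUES (?, ?, ?, ?)"
)
NEW_LINE = "INSERT INTO invoice_line (invoice_id, amount_cents) VALUES (?, ?)"


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # must be set per connection
    conn.executescript(SCHEMA)
    return conn


def attempt(conn, sql, params=()):
    """Run one statement; report whether the database accepted it."""
    try:
        with conn:  # commit on success, roll back on error
            conn.execute(sql, params)
        return "accepted"
    except sqlite3.IntegrityError as exc:
        return f"rejected: {exc}"


def run_checks(conn):
    """Constructed cases mirroring the 'E.g.' column of the root-cause table."""
    return {
        "valid customer": attempt(conn, NEW_CUSTOMER, (1, 34, "CA", "94105")),
        "duplicate customer_id": attempt(conn, NEW_CUSTOMER, (1, 51, "NY", "10001")),
        "age of 999": attempt(conn, NEW_CUSTOMER, (2, 999, "AZ", "85001")),
        "state not in lookup": attempt(conn, NEW_CUSTOMER, (3, 40, "CAL", "94105")),
        "phone number in zip_code": attempt(
            conn, NEW_CUSTOMER, (4, 40, "CA", "4155550100")
        ),
        "line item before invoice": attempt(conn, NEW_LINE, (500, 1999)),
        "invoice": attempt(conn, "INSERT INTO invoice VALUES (500, 1)"),
        "line item after invoice": attempt(conn, NEW_LINE, (500, 1999)),
    }


def lines_left_after_invoice_delete(conn):
    """Deleting the parent invoice cascades to its lines, leaving no orphans."""
    attempt(conn, "DELETE FROM invoice WHERE invoice_id = 500")
    return conn.execute("SELECT COUNT(*) FROM invoice_line").fetchone()[0]


if __name__ == "__main__":
    db = build_db()
    for case, outcome in run_checks(db).items():
        print(f"{case:26} {outcome}")
    print("invoice lines left after delete:", lines_left_after_invoice_delete(db))
```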
Info-Tech’s 5-Tier Architecture – When doing transformations, it is good practice to persist the integration results in tier 3 before the data is further refined and presented in tier 4.
Timing, timing, and timing – Think of the sequence of events. You may need to perform some ETL tasks before other tasks to achieve synchronization and consistency.
Historical changes – Ensure your tier 3 is robust enough to include historical data. You need to enable type 2 slowly changing dimensions to recreate the data at a point in time.
Standardize – Leverage data standardization to standardize name and address fields to improve matching and integration.
Fuzzy matching – When there are no common keys between datasets, the datasets can only be matched by fuzzy matching. Fuzzy matching is not hard science; define a confidence level and think about a mechanism to deal with the unmatched.
Business data glossary and data lineage – Define a business data glossary to enhance findability of key data elements. Document data mappings and ETL logic.
Create data quality reports – Many ETL platforms provide canned data quality reports. Leverage those quality reports to monitor the data health.
ARB (architectural review board) – All ETL code should be approved by the architectural review board to ensure alignment with the overall integration strategy.
Data quality reports – Leverage canned data quality reports from the ETL platforms to monitor data quality on an ongoing basis. When abnormalities are found, invoke the right policies to deal with the issues.
Store policies in a central location that is well known and easy to find and access. A key way that technology can help communicate policies is by having them published on a centralized website.
Make the repository searchable and easily navigable. myPolicies helps you do all this and more.
Policy review – Create a schedule for reviewing policies on a regular basis – invite professional writers to ensure policies are understandable.
Policy training – Policies are often unread and misread. Training users and stakeholders on policies is an effective way to make sure those users and stakeholders understand the rationale of the policies. It is also a good practice to include a few scenarios that are handled by the policies.
Policy hotline/mailbox – To avoid misinterpretation of the policies, a policy hotline/mailbox should be set up to answer any data policy questions from the end users/stakeholders.
Simplified communications – Create handy one-pagers and infographic posters to communicate the key messages of the policies.
Policy briefing – Whenever a new data project is initiated, a briefing of data policies should be given to ensure the project team follows the policies from the very beginning.
Data Lineage – Leverage a metadata management tool to construct and document data lineage for future reference.
Documentation Repository – It is a best practice to document key project information and share that knowledge across the project team and with the stakeholders. An improved understanding of the project helps to identify data quality issues early on in the project.
“Automating creation of data would help data quality most. You have to look at existing processes and create data signatures. You can then derive data off those data codes.” – Patrick Bossey, Manager of Business Intelligence, Crawford and Company
Info-Tech’s 4-Column Model – The datasets may exist but the business units do not have an effective way of communicating the quality needs. Use our four-column model and the eleven supporting questions to better understand the quality needs. See subsequent slides.
I don’t know what the data means so I think the quality is poor – It is not uncommon for the right data to be presented to the business while the business does not trust the data. The business may also not understand the business logic applied to the data. See our Business Data Glossary in subsequent slides.
Understand the business workflow – Know the business workflow to understand the manual steps associated with the workflow. You may find steps in which data is entered, manipulated, or consumed inappropriately.
“Do a shadow data exercise where you identify the human workflows of how data gets entered, and then you can identify where data entry can be automated.” – Diraj Goel, Growth Advisor, BC Tech
4 hours
After walking through the best-practice solutions to data quality issues, propose solutions to fix your identified issues.
Instructions
| Solution Approaches |
|---|
| Technology Approach |
| People Approach |
X crossover with
| Problematic Areas |
|---|
| Application/System Design |
| Database Design |
| Data Integration and Synchronization |
| Policies and Procedures |
| Business Processes |
Quality data is the ultimate outcome of data governance and data quality management. Data governance enables data quality by providing the necessary oversight and controls for business processes in order to maintain data quality. There are three primary groups (at right) that are involved in a mature governance practice. Data quality should be tightly integrated with all of them.
Define an effective data governance strategy and ensure the strategy integrates well with data quality with Info-Tech’s Establish Data Governance blueprint.
This council establishes data management practices that span across the organization. This should be comprised of senior management or C-suite executives that can represent the various departments and lines of business within the organization. The data governance council can help to promote the value of data governance, facilitate a culture that nurtures data quality, and ensure that the goals of the data governance program are well aligned with business objectives.
Identifying the data owner role within an organization helps to create a greater degree of accountability for data issues. They often oversee how the data is being generated as well as how it is being consumed. Data owners come from the business side and have legal rights and defined control over a data set. They ensure data is available to the right people within the organization.
Conflict can occur within an organization’s data governance program when a data steward’s role is confused with that of the steering committee’s role. Data stewards exist to enforce decisions made about data governance and data management. Data stewards are often business analysts or power users of a particular system/dataset. Where a data owner is primarily responsible for access, a data steward is responsible for the quality of a dataset.
Ongoing and regular data quality management is the responsibility of the data governance bodies of the organization.
The oversight of ongoing data quality activities rests on the shoulders of the data governance committees that exist in the organization.
There is no one-size-fits-all data governance structure. However, most organizations follow a similar pattern when establishing committees, councils, and cross-functional groups. They strive to identify roles and responsibilities at a strategic, tactical, and operational level:


2 hours
A crucial aspect of data quality and governance is the Business Data Glossary. The Business Data Glossary helps to align the terminology of the business with the organization’s data assets. It allows the people who interact with the data to quickly identify the applications, processes, and stewardship associated with it, which will enhance the accuracy and efficiency of searches for organization data definitions and attributes, enabling better access to the data. This will, in turn, enhance the quality of the organization’s data because it will be more accurate, relevant, and accessible.
Use the Business Data Glossary Template to document key aspects of the data, such as:
Data Element
Info-Tech Insight
The Business Data Glossary ensures that the crucial data that has key business use by key business systems and users is appropriately owned and defined. It also establishes rules that lead to proper data management and quality to be enforced by the data owners.
Integrating your data quality strategy into the organization’s data governance program requires passing the strategy over to members of the data governance program. The data steward role is responsible for data quality at the business unit level, and should have been involved with the creation and implementation of the data quality improvement project. After the data quality repairs have been made, it is the responsibility of the data steward to regularly monitor the quality of the business unit’s data.
Create Improvement Plan → Implement Improvement Plan → Sustain Improvement Plan
See Info-Tech’s Data Steward Job Description Template for a detailed understanding of the roles and responsibilities of the data steward.
Responsible for sustaining

One tool that the data steward can take advantage of is the data quality dashboard. Initiatives that are implemented to address data quality must have metrics defined by business objectives in order to demonstrate the value of the data quality improvement projects. In addition, the data steward should have tools for tracking data quality in the business unit to report issues to the data owner and data governance steering committee.

Notes on chart:
General improvement in billing address quality
Sudden drop in touchpoint accuracy may prompt business to ask for explanations
Data quality is a program that requires continual care:
→Maintain→Good Data →
Data quality management is a long-term commitment that shifts how an organization views, manages, and utilizes its corporate data assets. Long-term buy-in from all involved is critical.
“Data quality is a process. We are trying to constantly improve the quality over time. It is not a one-time fix.” – Akin Akinwumi, Manager of Data Governance, Startech.com
2 hours
As a data steward, you are responsible for ongoing data quality checks of the business unit’s data. Define an improvement agenda to organize the improvement activities. Organize the activities yearly and quarterly to ensure improvement is done year-round.
Info-Tech Insight
Run a data quality diagnostic at the beginning of any improvement plan, then recheck health with the diagnostic at regular intervals to see if symptoms are coming back. This should be a monitoring activity, not a data quality fixing activity. If symptoms are bad enough, repeat the improvement plan process.
Consider… “Garbage in, garbage out.”
Lay a solid foundation by addressing your data quality issues prior to investing heavily in an AI solution.
Get Started With Artificial Intelligence
Build a Data Architecture Roadmap
Izabela Edmunds
Information Architect Mott MacDonald
Akin Akinwumi
Manager of Data Governance Startech.com
Diraj Goel
Growth Advisor BC Tech
Sujay Deb
Director of Data Analytics Technology and Platforms Export Development Canada
Asif Mumtaz
Data & Solution Architect Blue Cross Blue Shield Association
Patrick Bossey
Manager of Business Intelligence Crawford and Company
Anonymous Contributors
Ibrahim Abdel-Kader
Research Specialist Info-Tech Research Group
Ibrahim is a Research Specialist at Info-Tech Research Group. In his career to date he has assisted many clients using his knowledge in process design, knowledge management, SharePoint for ECM, and more. He is expanding his familiarity in many areas such as data and analytics, enterprise architecture, and CIO-related topics.
Reddy Doddipalli
Senior Workshop Director Info-Tech Research Group
Reddy is a Senior Workshop Director at Info-Tech Research Group, focused on data management and specialized analytics applications. He has over 25 years of strong industry experience in IT leading and managing analytics suite of solutions, enterprise data management, enterprise architecture, and artificial intelligence–based complex expert systems.
Andy Neill
Practice Lead, Data & Analytics and Enterprise Architecture Info-Tech Research Group
Andy leads the data and analytics and enterprise architecture practices at ITRG. He has over 15 years of experience in managing technical teams, information architecture, data modeling, and enterprise data strategy. He is an expert in enterprise data architecture, data integration, data standards, data strategy, big data, and development of industry standard data models.
Crystal Singh
Research Director, Data & Analytics Info-Tech Research Group
Crystal is a Research Director at Info-Tech Research Group. She brings a diverse and global perspective to her role, drawing from her professional experiences in various industries and locations. Prior to joining Info-Tech, Crystal led the Enterprise Data Services function at Rogers Communications, one of Canada’s leading telecommunications companies.
Igor Ikonnikov
Research Director, Data & Analytics Info-Tech Research Group
Igor is a Research Director at Info-Tech Research Group. He has extensive experience in strategy formation and execution in the information management domain, including master data management, data governance, knowledge management, enterprise content management, big data, and analytics.
Andrea Malick
Research Director, Data & Analytics Info-Tech Research Group
Andrea Malick is a Research Director at Info-Tech Research Group, focused on building best practices knowledge in the enterprise information management domain, with corporate and consulting leadership in enterprise architecture and content management (ECM).
Natalia Modjeska
Research Director, Data & Analytics Info-Tech Research Group
Natalia Modjeska is a Research Director at Info-Tech Research Group. She advises members on topics related to AI, machine learning, advanced analytics, and data science, including ethics and governance. Natalia has over 15 years of experience in developing, selling, and implementing analytical solutions.
Rajesh Parab
Research Director, Data & Analytics Info-Tech Research Group
Rajesh Parab is a Research Director at Info-Tech Research Group. He has over 20 years of global experience and brings a unique mix of technology and business acumen. He has worked on many data-driven business applications. In his previous architecture roles, Rajesh created a number of product roadmaps, technology strategies, and models.
This tool will help you identify where your Agile teams are experiencing the most pain so you can create your Agile challenges hit list.
While each organization/team will struggle with its own individual challenges, many members find they face similar organizational/systemic challenges when adopting Agile. Review these typical challenges and learn from what other members have discovered.
Determine whether an Agile playbook is right for you.
Broadly survey your teams to identify Agile challenges and success factors in your organization.
Better understanding of common Agile challenges and success factors
Identification of common Agile challenges and success factors that are prevalent in your organization
1.1 Distribute survey and gather results.
1.2 Consolidate survey results.
Completed survey responses from across teams/organization
Consolidated heat map of your Agile challenges and success factors
Examine consolidated survey results.
Identify your most pressing challenges.
Create a hit list of challenges to be resolved.
Identification of the most serious challenges to your Agile transformation
Attention focused on those challenge areas that are most impacting your Agile teams
2.1 Analyze and discuss your consolidated heat map.
2.2 Prioritize identified challenges.
2.3 Select your hit list of challenges to address.
Your Agile challenges hit list
Address each challenge in your hit list to eliminate or improve it.
Better Agile team performance and effectiveness
3.1 Work with Agile mentor to problem solve each challenge in your hit list.
3.2 Apply these to your project in real time.
Capture the findings and lessons learned while problem solving your hit list.
Strategies and tactics for being successful with Agile in your organization which can be applied to future projects
4.1 For each hit list item, capture the findings and lessons learned in Module 3.
4.2 Document these in your Agile Playbook.
Your Agile Playbook deliverable
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Use Info-Tech’s licensing best practices to avoid the common mistakes of overspending on IBM licensing or failing an IBM audit.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Obtain organizational buy-in and build a standardized and formal AI blueprint.
Assess your people, process, and technology for AI readiness and realize areas for improvement.
Fill the required AI-related roles to meet business requirements
Assess the appropriateness of AI in your organization and identify gaps in people, processes, and technology as it relates to AI.
Compile the important information and artifacts to include in the AI blueprint.
Keep a record of services and interfaces to reduce waste.
Uncover current and future AI business drivers, and assess current capabilities.
Perform a current state assessment and create a future vision.
1.1 Identify Current and Future Business Drivers
1.2 AI Readiness Assessment
1.3 Integration Service Catalog Template
High-level groupings of AI strategy business drivers.
Determine the organization’s readiness for AI, and identify areas for improvement.
Create a record of services and interfaces to reduce waste.
Identify building blocks, common patterns, and decompose them.
Develop an AI Architecture.
2.1 Integration Principles
2.2 High-level Patterns
2.3 Pattern decomposition and recomposition
Set general AI architecture principles.
Categorize future and existing interactions by pattern to establish your integration framework.
Identification of common functional components across patterns.
Analyze the gaps between the current and future environment in people, process, and technology.
Uncover gaps between current and future capabilities and determine if your ideal environment is feasible.
3.1 Gap Analysis
Identify gaps between the current environment and future AI vision.
Define strategic initiatives, know your resource constraints, and use a timeline for planning AI.
Create a plan of strategic initiatives required to close gaps.
4.1 Identify and prioritize strategic initiatives
4.2 Distribute initiatives on a timeline
Use strategic initiatives to build the AI strategy roadmap.
Establish when initiatives are going to take place.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Describe your application vision and set the right modernization expectations with your stakeholders.
Focus your modernization efforts on the business opportunities that your stakeholders care about.
Describe your modernization initiatives and build your modernization tactical roadmap.
Discuss the goals of your application modernization initiatives
Define your digital application vision and priorities
List your modernization principles
Clear application modernization objectives and high priority value items
Your digital application vision and attributes
Key principles that will guide your application modernization initiatives
1.1 State Your Objectives
1.2 Characterize Your Digital Application
1.3 Define Your Modernization Principles
Application modernization objectives
Digital application vision and attributes definitions
List of application modernization principles and guidelines
Identify the value streams and business capabilities that will benefit the most from application modernization
Conduct a change tolerance assessment
Build your modernization strategic roadmap
Understanding of the value delivery improvements modernization can bring
Recognizing the flexibility and tolerance of your organization to adopt changes
Select an approach that best fits your organization’s goals and capacity
2.1 Identify the Opportunities
2.2 Define Your Modernization Approach
Value streams and business capabilities that are ideal modernization opportunities
Your modernization strategic roadmap based on your change tolerance and modernization approach
Identify the most appropriate modernization technique and the scope of changes to implement your techniques
Develop an actionable tactical roadmap to complete your modernization initiatives
Clear understanding of what must be changed to the organization and application considering your change tolerance
An achievable modernization plan
3.1 Shortlist Your Modernization Techniques
3.2 Roadmap Your Modernization Initiatives
Scope of your application modernization initiatives
Your modernization tactical roadmap
COVID-19 is driving the need for quick technology solutions, including some that require personal data collection. Organizations are uncertain about the right thing to do.
Data equity approaches personal data like money, putting the owner in control and helping to protect against unethical systems.
There are some key considerations for businesses grappling with digital ethics:
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Determine the stakeholders for an IT department of a singular initiative.
Use the guidance of this section to analyze stakeholders on both a professional and personal level.
Use Info-Tech’s guiding principles of stakeholder management to direct how to best engage key stakeholders.
Use real-life experiences from Info-Tech’s analysts to understand how to use and apply stakeholder management techniques.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Identify benefits of shared services to your organization and define implementation challenges.
Identify your process and staff capabilities and discover which services will be transitioned to the shared services plan. This will also help you determine the best model to choose.
Discuss an actionable plan to implement shared services to track the project. Walk through a communication plan to document the goals, progress, and expectations with customer stakeholders.
Establish the need for change.
Set a clear understanding about benefits of shared services to your organization.
1.1 Identify your organization’s main drivers for using a shared services model.
1.2 Define if it is beneficial to implement shared services.
Shared services mission
Shared services goals
Become aware of the challenges of implementing shared services and your capabilities for such a transition.
Discover the primary challenges for transitioning to shared services, eliminate resistance factors, and identify your business potentials for implementation.
2.1 Identify your organization’s resistance to implementing shared services.
2.2 Assess process and people capabilities.
Shared Services Business Case
Shared Services Assessment
Determine the shared services model.
Identify the core services to be shared and the best model that fits your organization.
3.1 Define core services that will be moved to shared services.
3.2 Assess different models of shared services and pick the one that satisfies your goals and needs.
List of services to be transferred to shared services
Shared services model
Define and communicate the tasks to be delivered.
Confidently approach key stakeholders to make the project a reality.
4.1 Define the roadmap for implementing shared services.
4.2 Make a plan to communicate changes.
List of initiatives to reach the target state, strategy risks, and their timelines
Draft of a communication plan
“Attractive a target, I do not make, hmmm?” That is Yoda-speak with a slightly inquisitive tone, indicating that he means the opposite. Many (small) business owners likewise feel they are not a target, yet 61% of SMBs have already been attacked. Large corporations also still have a ways to go.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Use the Info-Tech templates to identify and document your requirements, plan your project, and prepare to engage with vendors.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Define and align your team on target persona, outline steps to capture and document a robust buyer persona and journey, and capture current team buyer knowledge.
Hold initial buyer interviews, test initial results, and continue with interviews.
Consolidate interview findings, present to product, marketing, and sales teams. Work with them to apply to product design, marketing launch/campaigning, and sales and customer success enablement.
Organize, drive alignment on target persona, and capture initial views.
Steering committee and project team roles and responsibilities clarified.
Product, marketing, and sales aligned on target persona.
Build initial team understanding of persona.
1.1 Outline a vision for buyer persona and journey creation and identify stakeholders.
1.2 Identify buyer persona choices and settle on an initial target.
1.3 Document team knowledge about buyer persona (and journey where possible).
Documented steering committee and working team
Executive Brief on personas and journey
Personas and initial targets
Documented team knowledge
Build list of buyer interviewees, finalize interview guide, and validate current findings with analyst input.
Interview efficiently using 75-question interview guide.
Gain analyst help in persona validation, reducing workload.
2.1 Share initial insights with covering industry analyst.
2.2 Hear from industry analyst their perspectives on the buyer persona attributes.
2.3 Reconcile differences; update “current understanding.”
2.4 Identify interviewee types by segment, region, etc.
Analyst-validated initial findings
Target interviewee types
Validate current persona hypothesis and flesh out those attributes only derived from interviews.
Get to a critical mass of persona and journey understanding quickly.
3.1 Identify actual list of 15-20 interviewees.
3.2 Hold interviews and use interview guides over the course of weeks.
3.3 Hold review session after initial 3-4 interviews to make adjustments.
3.4 Complete interviews.
List of interviewees; calls scheduled
Initial review – “are you going in the right direction?”
Completed interviews
Summarize persona and journey attributes and provide activation guidance to team.
Understanding of product market fit requirements, messaging, and marketing and sales asset content.
4.1 Summarize findings.
4.2 Create action items for supporting team, e.g. messaging, touch points, media spend, assets.
4.3 Convene steering committee/executives and working team for final review.
4.4 Schedule meetings with colleagues to action results.
Complete findings
Action items for team members
Plan for activation
Measure results, adjust, and improve.
Activation of outcomes; measured results.
5.1 Review final copy, assets, launch/campaign plans, etc.
5.2 Develop/review implementation plan.
5.3 Reconvene team to review results.
Activation review
List of suggested next steps
B2B marketers without documented personas and journeys often experience the following:
Without a deeper understanding of buyer needs and how they buy, B2B marketers will waste time and precious resources targeting the incorrect personas.
Despite being critical elements, organizations struggle to build personas due to:
In today’s Agile development environment, combined with the pressure to generate revenues quickly, high tech marketers often skip the steps necessary to go deeper to build buyer understanding.
With a common framework and target output, clients will:
Clients who activate findings from buyer personas and journeys will see a 50% results improvement.
SoftwareReviews Insight:
Buyer personas and buyer journeys are essential ingredients in go-to-market success, as they inform product, marketing, sales, and customer success who we are targeting and how to engage with them successfully.
Jeff Golterman, Managing Director, SoftwareReviews Advisory
“44% of B2B marketers have already discovered the power of Personas.”
– Hasse Jansen, Boardview.io!, 2016
“It’s easier buying gifts for your best friend or partner than it is for a stranger, right? You know their likes and dislikes, you know the kind of gifts they’ll have use for, or the kinds of gifts they’ll get a kick out of. Customer personas work the same way, by knowing what your customer wants and needs, you can present them with content targeted specifically to their wants and needs.”
– Emma Bilardi, Product Marketing Alliance, 2020
“Marketing eutopia is striking the all-critical sweet spot that adds real value and makes customers feel recognized and appreciated, while not going so far as to appear ‘big brother’. To do this, you need a deep understanding of your audience coming from a range of different data sets and the capability to extract meaning.”
– Plexure, 2020
SoftwareReviews Advisory Insight:
Marketers developing buyer personas and journeys that lack agreement among Marketing, Sales, and Product on the personas to target will squander precious time and resources throughout the customer targeting and acquisition process.
| | 1. Document Team Knowledge of Buyer Persona and Drive Alignment | 2. Interview Target Buyer Prospects and Customers | 3. Create Outputs and Apply to Marketing, Sales, and Product |
|---|---|---|---|
| Phase Steps | | | |
| Phase Outcomes | | | |
Our methodology will enable you to align your team on why it’s important to capture the most important attributes of buyer persona including:
| Attribute group | Attribute |
|---|---|
| Functional – “to find them” | Job Role |
| | Title |
| | Org. Chart Dynamics |
| | Buying Center |
| | Firmographics |
| Emotive – “what they do and jobs to be done” | Initiatives: What programs/projects the persona is tasked with and their feelings and aspirations about these initiatives. Motivations? Build credibility? Get promoted? |
| | Challenges: Identify the business issues, problems, and pain points that impede attainment of objectives. What are their fears, uncertainties, and doubts about these challenges? |
| | Buyer Need: They may have multiple needs; which need is most likely met with the offering? |
| | Terminology: What are the keywords/phrases they organically use to discuss the buyer need or business issue? |
| Decision Criteria – “how they decide” | Buyer Role: List decision-making criteria and power level. The five common buyer roles are champion, influencer, decision maker, user, and ratifier (purchaser/negotiator). |
| | Evaluation and Decision Criteria: Which lens – strategic, financial, or operational – does the persona evaluate the impact of purchase through? |
| Solution Attributes – “what does the ideal solution look like” | Steps in “Jobs to Be Done” |
| | Elements of the “Ideal Solution” |
| | Business outcomes from ideal solution |
| | Opportunity scope; other potential users |
| | Acceptable price for value delivered |
| | Alternatives that see consideration |
| | Solution sourcing: channel, where to buy |
| Behavioral Attributes – “how to approach them successfully” | Content Preferences: List the persona’s content preferences – blog, infographic, demo, video – vs. long-form assets (e.g. white paper, presentation, analyst report). |
| | Interaction Preferences: Which are preferred among in-person meetings, phone calls, emails, videoconferencing, conducting research via Web, mobile, and social? |
| | Watering Holes: Which physical or virtual places do they go to network or exchange info with peers (e.g. LinkedIn)? |
“~2/3 of [B2B] buyers prefer remote human interactions or digital self-service.” And during Aug. ‘20 to Feb. ‘21, use of digital self-service to interact with sales reps leapt by more than 10% for both researching and evaluating new suppliers.”
– Liz Harrison, Dennis Spillecke, Jennifer Stanley, and Jenny Tsai, McKinsey & Company, 2021
SoftwareReviews Advisory Insight:
Marketers are advised to update their buyer journey annually and with greater frequency when the human vs. digital mix is affected due to events such as COVID-19 and as emerging media such as AR shifts asset-type usage and engagement options.
Because marketing leaders need to reach buyers through the right channel with the right message at the right time during their decision cycle, you’ll benefit by using questionnaires that enable you to build the below easily and quickly.
Buyer personas and buyer journeys are essential ingredients in go-to-market success, as they inform product, marketing, sales, and customer success who we are targeting and how to engage with them successfully.
Marketers developing buyer personas and journeys that lack agreement among Marketing, Sales, and Product on the personas to target will squander precious time and resources throughout the customer targeting and acquisition process.
Marketing leaders leverage the buyer persona knowledge not only from in-house experts in areas such as sales and executives but from analysts that speak with their buyers each and every day.
While leaders will get a fast start by interviewing sellers, executives, and analysts, you will fail to craft the right messages, build the right marketing assets, and design the best buyer journey if you skip buyer interviews.
Leaders will update their buyer journey annually and with greater frequency when the human vs. digital mix is affected due to events such as COVID-19 and as emerging media such as AR and VR shift the way buyers engage.
Digital marketers that ramp up lead gen engine capabilities to capture “wins” and measure engagement back through the lead gen and nurturing engines will build a more data-driven view of the buyer journey. Target to build this advanced capability in your initial design.
This blueprint is accompanied by supporting deliverables to help you gather team insights, interview customers and prospects, and summarize results for ease in communications.
To support your buyer persona and journey creation, we’ve created the enclosed tools
A PowerPoint template to aid the capture and summarizing of your team’s insights on the buyer persona.
For interviewing customers and prospects, this tool is designed to help you interview personas and summarize results for up to 15 interviewees.
A PowerPoint template into which you can drop your buyer persona and journey interviewees list and summary findings.
"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."
The "do-it-yourself" step-by-step instructions begin with Phase 1.
"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."
A Guided Implementation is a series of analyst inquiries with you and your team.
Diagnostics and consistent frameworks are used throughout each option.
A Guided Implementation (GI) is a series of calls with a SoftwareReviews Advisory analyst to help implement our best practices in your organization.
For guidance on marketing applications, we can arrange a discussion with an Info-Tech analyst.
Your engagement managers will work with you to schedule analyst calls.
Drive an Aligned Initial Draft of Buyer Persona
Interview Buyers and Validate Persona and Journey
Prepare Communications and Educate Stakeholders
Contact your account representative for more information. workshops@infotech.com 1-888-670-8889
| | Day 1 | Day 2 | Day 3 | Day 4 | Day 5 |
|---|---|---|---|---|---|
| | Align Team, Identify Persona, and Document Current Knowledge | Validate Initial Work and Identify Buyer Interviewees | Schedule and Hold Buyer interviews | Summarize Findings and Provide Actionable Guidance to Colleagues | Measure Impact and Results |
| Activities | 1.1 Outline a vision for buyer persona and journey creation and identify stakeholders. 1.2 Identify buyer persona choices and settle on an initial target. 1.3 Document team knowledge about buyer persona (and journey where possible). | 2.1 Share initial insights with covering industry analyst. 2.2 Hear from industry analyst their perspectives on the buyer persona attributes. 2.3 Reconcile differences; update “current understanding.” 2.4 Identify interviewee types by segment, region, etc. | 3.1 Identify actual list of 15-20 interviewees. A gap of up to a week for scheduling of interviews. 3.2 Hold interviews and use interview guides (over the course of weeks). 3.3 Hold review session after initial 3-4 interviews to make adjustments. 3.4 Complete interviews. | 4.1 Summarize findings. 4.2 Create action items for supporting team, e.g. messaging, touch points, media spend, assets. 4.3 Convene steering committee/exec. and working team for final review. 4.4 Schedule meetings with colleagues to action results. | 5.1 Review final copy, assets, launch/campaign plans, etc. 5.2 Develop/review implementation plan. A period of weeks will likely intervene to execute and gather results. 5.3 Reconvene team to review results. |
| Deliverables | | | | | |
This Phase walks you through the following activities:
This Phase involves the following stakeholders:
Review the Create a Buyer Persona Executive Brief (Slides 3-14)
Download the Buyer Persona Creation Template
Download the Buyer Persona and Journey Interview Guide and Data Capture Tool

Test that you are on the right track:
| Attribute group | Attribute |
|---|---|
| Functional – “to find them” | Job Role |
| | Title |
| | Org. Chart Dynamics |
| | Buying Center |
| | Firmographics |
| Emotive – “what they do and jobs to be done” | Initiatives: What programs/projects the persona is tasked with and their feelings and aspirations about these initiatives. Motivations? Build credibility? Get promoted? |
| | Challenges: Identify the business issues, problems, and pain points that impede attainment of objectives. What are their fears, uncertainties, and doubts about these challenges? |
| | Buyer Need: They may have multiple needs; which need is most likely met with the offering? |
| | Terminology: What are the keywords/phrases they organically use to discuss the buyer need or business issue? |
| Decision Criteria – “how they decide” | Buyer Role: List decision-making criteria and power level. The five common buyer roles are champion, influencer, decision maker, user, and ratifier (purchaser/negotiator). |
| | Evaluation and Decision Criteria: Which lens – strategic, financial, or operational – does the persona evaluate the impact of purchase through? |
| Solution Attributes – “what does the ideal solution look like” | Steps in “Jobs to Be Done” |
| | Elements of the “Ideal Solution” |
| | Business outcomes from ideal solution |
| | Opportunity scope; other potential users |
| | Acceptable price for value delivered |
| | Alternatives that see consideration |
| | Solution sourcing: channel, where to buy |
| Behavioral Attributes – “how to approach them successfully” | Content Preferences: List the persona’s content preferences – blog, infographic, demo, video – vs. long-form assets (e.g. white paper, presentation, analyst report). |
| | Interaction Preferences: Which are preferred among in-person meetings, phone calls, emails, videoconferencing, conducting research via Web, mobile, and social? |
| | Watering Holes: Which physical or virtual places do they go to network or exchange info with peers (e.g. LinkedIn)? |
Because marketing leaders need to reach buyers through the right channel with the right message at the right time during their decision cycle, you’ll benefit by using questionnaires that enable you to build the below easily and quickly.
Download the Buyer Persona and Journey Summary Template
Activation of key learnings to drive:
Present final persona and journey results to each stakeholder team. Key presentations include:
With the help of this blueprint, you have deepened your and your colleagues’ buyer understanding at both the persona “who they are” level and the buyer journey “how do they buy” level. You are among the minority of marketing leaders that have fully documented a buyer persona and journey – congratulations!
The benefits of having led your team through the process are significant and include the following:
And by capturing and documenting your buyer persona and journey even for a single buyer type, you have started to build the “institutional strength” to apply the process to other roles in the decision-making process or for when you go after new and different buyer types for new products. And finally, by bringing your team along with you in this process, you have also led your team in becoming a more customer-focused organization – a strategic shift that all organizations should pursue.
Contact your account representative for more information.
info@softwarereviews.com
1-888-670-8889
Optimize Lead Generation With Lead Scoring
Bilardi, Emma. “How to Create Buyer Personas.” Product Marketing Alliance, July 2020. Accessed Dec. 2021.
Harrison, Liz, Dennis Spillecke, Jennifer Stanley, and Jenny Tsai. “Omnichannel in B2B sales: The new normal in a year that has been anything but.” McKinsey & Company, 15 March 2021. Accessed Dec. 2021.
Jansen, Hasse. “Buyer Personas – 33 Mind Blowing Stats.” Boardview.io!, 19 Feb. 2016. Accessed Jan. 2022.
Raynor, Lilah. “Understanding The Changing B2B Buyer Journey.” Forbes Agency Council, 18 July 2021. Accessed Dec. 2021.
Simpson, Jon. “Finding Your Audience: The Importance of Developing a Buyer Persona.” Forbes Agency Council, 16 May 2017. Accessed Dec. 2021.
“Successfully Executing Personalized Marketing Campaigns at Scale.” Plexure, 6 Jan. 2020. Accessed Dec 2020.
Ulwick, Anthony W. JOBS TO BE DONE: Theory to Practice. E-book, Strategyn, 1 Jan. 2017. Accessed Jan. 2022.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Understand Workday’s business model, competitive options, and what to know when conducting due diligence and requirements gathering.
Review product options and licensing rules. Determine negotiation points. Evaluate and finalize the contract.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Review current licensing options and models to determine which cloud products will most appropriately fit the organization's environment.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
This phase helps the VMI stay focused and aligned by reviewing existing materials, updating the existing maturity assessment, and ensuring that the foundational elements of the VMI are up to date. The main outcomes from this phase are a current maturity assessment and updated or revised Plan documents.
This phase helps you configure, create, and understand the tools and templates used to elevate the VMI. The main outcomes from this phase are a clear understanding of the tools that identify which vendors are important to you, tools and concepts to help you take key vendor relationships to the next level, and tools to help you evaluate and improve the VMI and its personnel.
This phase helps you begin integrating the new tools and templates into the VMI’s operations. The main outcomes from this phase are guidance and the steps required to continue your VMI’s maturation and evolution.
This phase helps the VMI stay aligned with the overall organization, stay current, and improve its strategic value as it evolves. The main outcomes from this phase are ways to advance the VMI’s strategic impact.
Review existing tools and templates and configure new tools and templates.
Updated Maturity Assessment and configured tools and templates.
1.1 Existing Plan document review and new maturity assessment.
1.2 Optional classification models.
1.3 Customer positioning model.
1.4 Two-way scorecards.
Updated Plan documents.
New maturity assessment.
Configured classification model.
Customer positioning for top five vendors.
Configured scorecard and feedback form.
Configure VMI Tools and Templates.
Configured Tools and Templates for the VMI.
2.1 Performance improvement plans (PIPs).
2.2 Relationship improvement plans (RIPs).
2.3 Vendor-at-a-Glance reports.
2.4 VMI Personnel Competency Evaluation Tool.
Configured Performance Improvement Plan.
Configured Relationship Assessment and Relationship Improvement Plan.
Configured 60-Second Report and completed Vendor Calendar for one vendor.
Configured VMI Personnel Competency Evaluation Tool.
Continue configuring VMI Tools and Templates and enhancing VM competencies.
Configured Tools and Templates for the VMI and market intelligence to gather.
3.1 Internal feedback tool.
3.2 VMI ROI calculation.
3.3 Vendor recognition program.
3.4 Assess the Relationship Landscape.
3.5 Gather market intelligence.
3.6 Improve professional skills.
Configured Internal Feedback Tool.
General framework for a vendor recognition program.
Completed Relationship Landscape Assessment (representative sample).
List of market intelligence to gather for top five vendors.
Improve the VMI’s brand awareness and impact on the organization; continue to maintain alignment with the overall organization.
Raising the organization’s awareness of the VMI, and ensuring the VMI is becoming more strategic.
4.1 Expand professional knowledge.
4.2 Create brand awareness.
4.3 Investigate potential alliances.
4.4 Continue increasing the VMI’s strategic value.
4.5 Review and update (governances, policies and procedures, lessons learned, internal alignment, and leading practices).
Branding plan for the VMI.
Branding plan for individual VMI team members.
EXECUTIVE BRIEF
By the time you start using this blueprint, you should have established a solid foundation for your vendor management initiative (VMI) and implemented many or all of the principles outlined in Info-Tech’s blueprint Jump Start Your Vendor Management (the Jump Start blueprint). This blueprint (the Elevate blueprint) is meant to continue the evolutionary or maturation process of your VMI. Many of the items presented here will build on and refer to the elements from the Jump Start blueprint. The goal of the Elevate blueprint is to assist in the migration of your VMI from transactional to strategic. Why? Simply put, the more strategic the VMI, the more value it adds and the more impact it has on the organization as a whole. While the day-to-day, transactional aspect of running a VMI will never go away, getting stuck in transactional mode is a horrible place for the VMI and its team members:
To prevent these tragic things from happening, transform the VMI into a strategic contributor and partner internally. This Elevate blueprint provides a roadmap and guidance to get your journey started. Focus on expanding your understanding of customer/vendor dynamics, improving the skills, competencies, and knowledge of the VMI’s team members, contributing value beyond the savings aspect, and building a solid brand internally and with your vendors. This requires a conscious effort and a proactive approach to vendor management…not to mention treating your internal “clients” with respect and providing great customer service. At the end of the day, ask yourself one question: If your internal clients had to pay for your services, would they? If you can answer yes, you are well on your way to being strategic. If not, you still have some work to do. Long live the strategic VMI!
Phil Bode
Your Challenge
Each year, IT organizations “outsource” tasks, activities, functions, and other items. During 2021:
This leads to more spend, less control, and more risk for IT organizations. Managing this becomes a higher priority for IT, but many IT organizations are ill-equipped to do this proactively.
Common Obstacles
As new contracts are negotiated and existing contracts are renegotiated or renewed, there is a perception that the contracts will yield certain results, output, performance, solutions, or outcomes. The hope is that these will provide a measurable expected value to IT and the organization. Often, much of the expected value is never realized. Many organizations don’t have a VMI to help:
Info-Tech’s Approach
Vendor Management is a proactive, cross-functional lifecycle. It can be broken down into four phases:
The Info-Tech process addresses all four phases and provides a step-by-step approach to configure and operate your VMI. The content in this blueprint helps you and the VMI continue the evolution that was started with the Info-Tech blueprint Jump Start Your VMI, adding value and impact to the organization.
The VMI must continue to mature and evolve, or it will languish, atrophy, and possibly be disbanded.
Spend on managed service providers and as-a-service providers continues to increase. In addition, IT services vendors continue to be active in the mergers and acquisitions arena. This increases the need for a VMI to help with the changing IT vendor landscape.
| Spend on As-a-Service Providers | Spend on Managed Services Providers | IT Services Merger & Acquisition Growth (Transactions) |
|---|---|---|
| 38% 2021 | 16% 2021 | 47% 2021 |
When organizations execute, renew, or renegotiate a contract, there is an “expected value” associated with that contract. Without a robust VMI, most of the expected value will never be realized. With a robust VMI, the realized value significantly exceeds the expected value during the contract term.
A sound, cyclical approach to vendor management will help ensure your VMI meets your needs and stays in alignment with your organization as they both change (i.e. mature and evolve).
| | Phase 1 - Plan | Phase 2 - Build | Phase 3 - Run | Phase 4 - Review |
|---|---|---|---|---|
| Phase Steps | 1.1 Review and Update Existing Plan Materials | 2.1 Vendor Classification Models 2.2 Customer Positioning Model 2.3 Two-Way Scorecards 2.4 Performance Improvement Plan (PIP) 2.5 Relationship Improvement Plan (RIP) 2.6 Vendor-at-a-Glance Reports 2.7 VMI Personnel Competency Evaluation Tool 2.8 Internal Feedback Tool 2.9 VMI ROI Calculation 2.10 Vendor Recognition Program | 3.1 Classify Vendors & Identify Customer Position 3.2 Assess the Relationship Landscape 3.3 Leverage Two-Way Scorecards 3.4 Implement PIPs and RIPs 3.5 Gather Market Intelligence 3.6 Generate Vendor-at-a-Glance Reports 3.7 Evaluate VMI Personnel 3.8 Improve Professional Skills 3.9 Expand Professional Knowledge 3.10 Create Brand Awareness 3.11 Survey Internal Clients 3.12 Calculate VMI ROI 3.13 Implement Vendor Recognition Program | 4.1 Investigate Potential Alliances 4.2 Continue Increasing the VMI’s Strategic Value 4.3 Review and Update |
| Phase Outcomes | This phase helps the VMI stay focused and aligned by reviewing existing materials, updating the existing maturity assessment, and ensuring that the foundational elements of the VMI are up-to-date. | This phase helps you configure, create, and understand the tools and templates used to elevate the VMI. | This phase helps you begin integrating the new tools and templates into the VMI’s operations. | This phase helps the VMI stay aligned with the overall organization, stay current, and improve its strategic value as it evolves. |
| Insight 1 | An organization’s vendor management initiative must continue to evolve and mature to reach its full strategic value. In the early stages, the vendor management initiative may be seen as transactional, focusing on the day-to-day functions associated with vendor management. The real value of a VMI comes from becoming a strategic partner to other functional groups (departments) within your organization. |
|---|---|
| Insight 2 | Developing vendor management personnel is critical to the vendor management initiative’s evolution and maturation. For the VMI to mature, its personnel must mature as well. Their professional skills, competencies, and knowledge must increase over time. Failure to accentuate personal growth within the team limits what the team can achieve and how the team is perceived. |
| Insight 3 | Vendor management is not about imposing your will on vendors; it is about understanding the multifaceted dynamics between your organization and your vendors and charting the appropriate path forward. Resource allocation and relationship expectations flow from these dynamics. Each critical vendor requires an individual plan to build the best possible relationship and to leverage that relationship. What works with one vendor may not work or even be possible with another vendor – even if both vendors are critical to your success. |
The four phases of maturing and evolving your vendor management initiative are supported with configurable tools, templates, and checklists to help you stay aligned internally and achieve your goals.
VMI Tools and Templates
Continue building your foundation for your VMI and configure tools and templates to help you manage your vendor relationships.
Info-Tech’s
A suite of tools and templates to help you upgrade and evolve your vendor management initiative.
| IT Benefits | Business Benefits |
|---|---|
| DIY Toolkit | Guided Implementation | Workshop | Consulting |
|---|---|---|---|
| “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.” | “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.” | “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.” | “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.” |
| Phase 1 | Phases 2 and 3 | Phase 4 |
|---|---|---|
| Call #1: Review status of existing plan materials. Call #2: Conduct a new maturity assessment. | Call #3: Review optional classification models. Call #4: Determine customer positioning for top vendors. Call #5: Configure vendor Scorecards and vendor feedback forms. Call #6: Discuss PIPs, RIPs, and vendor-at-a-glance reports. Call #7: VMI personnel competency evaluation tool. Call #8: Create internal feedback tool and discuss ROI. Call #9: Identify vendor recognition program attributes and assess the relationship landscape. Call #10: Gather market intelligence and create brand awareness. | Call #11: Identify potential vendor alliances, review the components of a strategic VMI, and discuss the continuous improvement loop. |
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is between 6 to 12 calls over the course of 3 to 6 months.
| | Day 1 | Day 2 | Day 3 | Day 4 |
|---|---|---|---|---|
| | Plan/Build Run | Build/Run | Build/Run | Run/Review |
| Activities | 1.1 Existing Plan document review and new maturity assessment. 1.2 Optional classification models. 1.3 Customer positioning model. 1.4 Two-way scorecards. | 2.1 Performance improvement plans (PIPs). 2.2 Relationship improvement plans (RIPs). 2.3 Vendor-at-a-glance reports. 2.4 VMI personnel competency evaluation tool. | 3.1 Internal feedback tool. 3.2 VMI ROI calculation. 3.3 Vendor recognition program. 3.4 Assess the relationship landscape. 3.5 Gather market intelligence. 3.6 Improve professional skills. | 4.1 Expand professional knowledge. 4.2 Create brand awareness. 4.3 Investigate potential alliances. 4.4 Continue increasing the VMI’s strategic value. 4.5 Review and update (governances, policies and procedures, lessons learned, internal alignment, and leading practices). |
| Deliverables | | | | |
| Phase 1 | Phase 2 | Phase 3 | Phase 4 |
|---|---|---|---|
| 1.1 Review and update existing Plan materials | 2.1 Vendor classification models 2.2 Customer positioning model 2.3 Two-way scorecards 2.4 Performance improvement plan (PIP) 2.5 Relationship improvement plan (RIP) 2.6 Vendor-at-a-glance reports 2.7 VMI personnel competency evaluation tool 2.8 Internal feedback tool 2.9 VMI ROI calculation 2.10 Vendor recognition program | 3.1 Classify vendors and identify customer position 3.2 Assess the relationship landscape 3.3 Leverage two-way scorecards 3.4 Implement PIPs and RIPs 3.5 Gather market intelligence 3.6 Generate vendor-at-a-glance reports 3.7 Evaluate VMI personnel 3.8 Improve professional skills 3.9 Expand professional knowledge 3.10 Create brand awareness 3.11 Survey internal clients 3.12 Calculate VMI ROI 3.13 Implement vendor recognition program | 4.1 Investigate potential alliances 4.2 Continue increasing the VMI’s strategic value 4.3 Review and update |
This phase will walk you through the following activities:
This phase helps the VMI stay focused and aligned by reviewing existing materials, updating the existing maturity assessment, and ensuring that the foundational elements of the VMI are up-to-date. The main outcomes from this phase are a current maturity assessment and updated or revised Plan documents.
This phase involves the following participants:
Phase 1 – Plan revisits the foundational elements from the Info-Tech blueprint Jump Start Your Vendor Management Initiative. As the VMI continues to operate and mature, looking backward periodically provides a new perspective and helps the VMI move forward:
Keep an eye on the past as you begin looking toward the future.
At this point, the basic framework for your VMI should be in place. However, now is a good time to correct any oversights in your foundational elements. Have you:
If any of these elements is missing, revisit the Info-Tech blueprint Jump Start Your Vendor Management Initiative to complete these components. If they exist, review them and make any required modifications.
Download the Info-Tech blueprint Jump Start Your Vendor Management Initiative
1 – 6 Hours
Download the Jump - Phase 1 Tools and Templates Compendium
This phase will walk you through the following activities:
This phase helps you configure, create, and understand the tools and templates used to elevate the VMI. The main outcomes from this phase are a clear understanding of the tools that identify which vendors are important to you, tools and concepts to help you take key vendor relationships to the next level, and tools to help you evaluate and improve the VMI and its personnel.
This phase involves the following participants:
Phase 2 – Build is similar to its counterpart in the Info-Tech blueprint Jump Start Your Vendor Management Initiative; this phase focuses on tools, templates, and concepts that help the VMI increase its strategic value and impact. The items referenced in this phase will require your customization or configuration to integrate them within your organization and culture for maximum effect.
One goal of this phase is to provide new ways of looking at things and alternate approaches. (For example, two methods of classifying your vendors are presented for your consideration.) You don’t live in a one-size-fits-all world, and options allow you (or force you) to evaluate what’s possible rather than running with the herd. As you review this phase, keep in mind that some of the concepts presented may not be applicable in your environment…or it may be that they just aren’t applicable right now. Timing, evolution, and maturity will always be factors in how the VMI operates.
Another goal of this phase is to get you thinking about the value the VMI brings to the organization, and just as important, how to capture and report it. Money alone may be at the forefront of most people’s minds when return on investment is brought up, but there are many ways to measure a VMI’s value and impact. This phase will help you in your pursuit.
Lastly, a VMI must focus on its internal clients, and that starts with the VMI’s personnel. The VMI is a reflection of its team members – what they do, say, and know will determine how the VMI is perceived…and used.
The classification model in the Info-Tech blueprint Jump Start Your Vendor Management Initiative is simple and easy to use. It provides satisfactory results for the first one or two years of the VMI’s life. After that, a more sophisticated model should be used, one with more parameters or flexibility to accommodate the VMI’s new maturity.
Two models are presented on the following pages. The first is a variation of the COST model used in the Jump Start Your Vendor Management Initiative blueprint. The second is the MVP model, which segments vendors into three categories instead of four and eliminates the 50/50 allocation constraint inherent in a 2x2 model.
If you used the COST classification model in the Jump Start Your Vendor Management Initiative blueprint, you are familiar with its framework: vendors are plotted into a 2x2 matrix based on their spend and switching costs and their value to your operation. The simple variation of this model uses three variables to assess the vendor’s value to your operation and two variables to determine the vendor’s spend and switching cost implications. The COST classification model presented here sticks to the same basic tenets but adds to the number of variables used to plot a vendor’s position within the matrix. Six variables are used to define a vendor’s value and three variables are used to set the spend and switching cost. This provides greater latitude in identifying what makes a vendor important to you.
Another option for classifying vendors is the MVP classification model. In this model, vendors fall into one of three categories: minor, valued, or principal. Similar to the COST vendor classification model, the MVP classification model requires a user to evaluate statements or questions to assess a vendor’s importance to the organization. In the MVP approach, each question/statement is weighted, and the potential responses to each question/statement are assigned points (100, 33, or 10) based on their impact. Multiplying the weight (expressed as a percentage) for each question/statement by the response points for each question/statement yields a line-item score. The total number of points obtained by a vendor determines its classification category. A vendor receiving a score of 75 or greater would be a principal vendor (similar to a strategic vendor under the COST model); 55 to 74 points would be a valued vendor (similar to operational or tactical vendor); less than 55 points would be a minor vendor (similar to a commodity vendor).
By now, you may be asking yourself, “Which model should I use? What is the advantage of the MVP model?” Great questions! Both models work well, but the COST model has a limitation inherent in any basic 2x2 model. Since two axes are used in a 2x2 approach, the effective weighting for each axis is 50%. As a result, the weights assigned to an individual element are reduced by 50%. A simple but extreme example will help clarify this issue (hopefully).
Suppose you wanted to use an element such as How integrated with our business processes are the vendor's products/services? and weighted it 100%. Under the 2x2 matrix approach, this element only moves the X-axis score; it has no impact on the Y-axis score. The vendor in this hypothetical could max out the X-axis under the COST model, but additional elements would be needed for the vendor to rise from the tactical quadrant to the strategic quadrant. In the MVP model, if the vendor maxed out the score on that one element (at 100%), the vendor would be at the top of the pyramid and would be a principal vendor.
One model is not necessarily better than the other. Both provide an objective way for you to determine the importance of your vendors. However, if you are using elements that don’t fit neatly into the two axes of the COST model, consider using the MVP model. Play with each and see which one works best in your environment, knowing you can always switch at a later point.
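The sketch below works through the MVP arithmetic and the single-element hypothetical described above. It is an added example, not Info-Tech's tool: the element names, the sample responses, the assignment of elements to axes, the 50-point axis midpoint, the rule that an axis with no elements scores 0, and the quadrant layout are all assumptions made for illustration.

```python
"""MVP vendor scoring next to a generic 2x2 placement (illustrative only)."""
from dataclasses import dataclass

RESPONSE_POINTS = (100, 33, 10)  # response values named in the text
PRINCIPAL_MIN = 75               # 75 or greater -> principal
VALUED_MIN = 55                  # 55 up to (not including) 75 -> valued


@dataclass(frozen=True)
class Element:
    name: str        # short label for a question/statement (constructed)
    weight_pct: int  # weight as a percentage; all weights must total 100
    axis: str        # "X" or "Y"; only the 2x2 placement uses this


def _validate(elements, responses):
    """Reject configurations that would silently skew a vendor's tier."""
    if sum(e.weight_pct for e in elements) != 100:
        raise ValueError("element weights must total 100%")
    for e in elements:
        if e.axis not in ("X", "Y"):
            raise ValueError(f"{e.name}: axis must be 'X' or 'Y'")
        if responses.get(e.name) not in RESPONSE_POINTS:
            raise ValueError(f"{e.name}: response must be one of {RESPONSE_POINTS}")


def mvp_score(elements, responses):
    """Sum of line-item scores: weight (as a percentage) x response points."""
    _validate(elements, responses)
    return sum(e.weight_pct * responses[e.name] for e in elements) / 100


def mvp_category(score):
    """Map a total score onto the three MVP categories."""
    if score >= PRINCIPAL_MIN:
        return "principal"
    if score >= VALUED_MIN:
        return "valued"
    return "minor"


def two_by_two_quadrant(elements, responses, midpoint=50):
    """Place a vendor in a 2x2 grid; each axis sees only its own elements.

    Assumed layout: high X / high Y = strategic, high X / low Y = tactical,
    low X / high Y = operational, low X / low Y = commodity.
    """
    _validate(elements, responses)

    def axis_score(axis):
        on_axis = [e for e in elements if e.axis == axis]
        total_weight = sum(e.weight_pct for e in on_axis)
        if total_weight == 0:
            return 0.0  # assumption: an axis with no elements scores 0
        return sum(e.weight_pct * responses[e.name] for e in on_axis) / total_weight

    placement = (axis_score("X") >= midpoint, axis_score("Y") >= midpoint)
    return {
        (True, True): "strategic",
        (True, False): "tactical",
        (False, True): "operational",
        (False, False): "commodity",
    }[placement]


# Constructed case 1: the extreme hypothetical, one element weighted 100%.
EXTREME_ELEMENTS = [Element("process_integration", 100, "X")]
EXTREME_RESPONSES = {"process_integration": 100}

# Constructed case 2: four elements spread across both axes.
MIXED_ELEMENTS = [
    Element("process_integration", 40, "X"),
    Element("alternatives_available", 20, "X"),
    Element("annual_spend", 25, "Y"),
    Element("switching_cost", 15, "Y"),
]
MIXED_RESPONSES = {
    "process_integration": 100,
    "alternatives_available": 33,
    "annual_spend": 33,
    "switching_cost": 10,
}

if __name__ == "__main__":
    for label, els, resp in (
        ("extreme", EXTREME_ELEMENTS, EXTREME_RESPONSES),
        ("mixed", MIXED_ELEMENTS, MIXED_RESPONSES),
    ):
        score = mvp_score(els, resp)
        print(label, score, mvp_category(score), two_by_two_quadrant(els, resp))
```

The text gives the category boundaries as whole numbers; the sketch treats any score from 55 up to, but not including, 75 as valued.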
15 – 45 Minutes
Download the Info-Tech Elevate - COST Model Vendor Classification Tool
15 – 45 Minutes
Download the Info-Tech Elevate – MVP Model Vendor Classification Tool
Now that you have configured your choice of vendor classification model (or decided to stick with your original model), it’s time to think about the other side of the coin: How do your vendors view your organization? Why is this important? Because the VMI will have only limited success if you are trying to impose your will on your vendors without regard for how they view the relationship from their perspective. For example, if the vendor is one of your strategic (COST Model) or principal (MVP Model) vendors, but you don’t spend much money with them, you are difficult to work with, and there is no opportunity for future growth, you may have a difficult time getting the vendor to show up for BAMs (business alignment meetings), caring about scorecards, or caring about the relationship, period.
Our experience at Info-Tech interacting with our members through vendor management workshops, guided implementations, and advisory calls has led us to a significant conclusion on this topic: Most customers tend to overvalue their importance to their vendors. To open your eyes about how your vendors actually view your account, use Info-Tech’s OPEN Model Customer Positioning Tool. (It is based on the supplier preferencing model pioneered by Steele & Court in 1996 in which the standard 2x2 matrix tool for procurement [and eventually vendor management] was repurposed to provide insights from the vendor’s perspective.)
For our purposes, think of the OPEN model for customer positioning as a mirror’s reflection of the COST model for vendor classification. The OPEN model provides a more objective way to determine your importance to your vendors. Ultimately, your relationship with each vendor will be plotted into the 2x2 grid, and it will indicate whether your account is viewed as an opportunity, preferred, exploitable, or negligible.
As with the vendor classification models discussed in Step 2.1, the two-way scorecards presented here are an extension of the scorecard and feedback material from the Jump Start Your Vendor Management Initiative blueprint. The vendor scorecard in this blueprint provides additional flexibility and sophistication for your scorecarding approach by allowing the individual variables (or evidence indicators) within each measurement category to be evaluated and weighted. (The prior version only allowed the evaluation and weighting at the category level.) On the vendor feedback side, the next evolution is to formalize the feedback and document it in its own scorecard format rather than continuing to list questions in the BAM agenda. The vendor feedback template included with this blueprint provides a sample approach to quantifying the vendor’s feedback and tracking the information. The fundamentals of scorecarding remain the same:
15 – 60 Minutes
Download the Info-Tech Elevate – Tools and Templates Compendium
15 – 60 Minutes
Download the Info-Tech Elevate – Tools and Templates Compendium
It is not uncommon to see performance dips from even the best vendors. However, when poor performance becomes a trend, the vendor manager can work with the vendor to create and implement a performance improvement plan (PIP).
Performance issues can come from a variety of sources:
PIPs should focus on at least a few key areas:
PIPs are most effective when the vendor is an operational, strategic, or tactical vendor (COST model) or a principal or valued vendor (MVP model) and when you are an opportunity or preferred customer (OPEN model).
15 – 30 Minutes
Download the Info-Tech Elevate – Tools and Templates Compendium
Relationships are often taken for granted, and many faulty assumptions are made by both parties in the relationship: good relationships will stay good, bad relationships will stay bad, and relationships don’t require any work. In the vendor management space, these assumptions can derail the entire VMI and diminish the value added to your organization by vendors.
To complicate matters, relationships are multi-faceted. They can occur:
Improving or maintaining a relationship will not happen by accident. There must be a concerted effort to achieve the desired results (or get as close as possible). A relationship improvement plan can be used to improve or maintain a relationship with the vendor and the individuals who make up the vendor’s organization.
Improving relationships (or even maintaining them) requires a plan. The first step is to understand the current situation: Is the relationship good, bad, or somewhere in between? While the analysis will be somewhat subjective, it can be made more objective than merely thinking about relationships emotionally or intuitively. Relationships can be assessed based on the presence and quality of certain traits, factors, and elements. For example, you may think communication is important in a relationship. However, that is too abstract and subjective; to be more objective, you would need to identify the indicators or qualities of good communication. For a vendor relationship, they might include (but wouldn’t necessarily be limited to):
Evaluating these statements on a predefined and consistent scale establishes the baseline necessary to conduct a gap analysis. The second half of the equation is the future state. Using the same criteria, what would or should the communication component look like a year from now? After that is determined, a plan can be created to improve the deficient areas and maintain the acceptable areas.
Although this example focused on one category, the same methodology can be used for additional categories. It all starts with the simple question that requires a complex answer, “What traits are important to you and are indicators of a good relationship?”
15 – 60 Minutes
Download the Info-Tech Elevate – Relationship Assessment and Improvement Plan tool
Executives and stakeholders (“E&S”) discuss vendors during internal meetings and often meet directly with vendors as well. Having a solid working knowledge of all the critical vendors used by an organization is nearly impossible for E&S. Without situational awareness, though, E&S can appear uninformed, can be at the mercy of others with better information, and can be led astray by misinformation. To prevent these and other issues from derailing the E&S, two essential vendor-at-a-glance reports can be used.
The first report is the 60-Second Report. As the name implies, the report can be reviewed and digested in roughly a minute. The report provides a lot of information on one page in a combination of graphics, icons, charts, and words.
The second report is a vendor calendar. Although it is a simple document, the Vendor Calendar is a powerful communication tool to keep E&S informed of upcoming events with a vendor. The purpose is not to replace the automated calendaring systems (e.g. Outlook), but to supplement them.
Combined, the 60-Second Report and the Vendor Calendar provide E&S with an overview of the information required for any high-level meeting with a vendor or to discuss a vendor.
30 – 90 Minutes
Download the Info-Tech Elevate – Tools and Templates Compendium
15 – 30 Minutes
Download the Info-Tech Elevate – Tools and Templates Compendium
By now, you have built and begun managing the VMI’s 3-year roadmap and 90-day plans to help you navigate the VMI’s day-to-day operational path. To complement these plans, it is time to build a roadmap for the VMI’s personnel as well. It doesn’t matter whether the VMI is just you, you and some part-time personnel, a robust and fully staffed vendor management office, or some other point on the vendor management spectrum. The VMI is a reflection of its personnel, and they must improve their skills, competencies, and knowledge (“S/C/K”) over time for the VMI to reach its potential. As the adage says, “What got you here won’t get you there.” To get there requires a plan that starts with creating an inventory of the VMI’s team members’ S/C/K. Initially, focus on two items:
Conducting an assessment of and developing an improvement plan for each team member will be addressed later in this blueprint. (See steps 3.7 – Evaluate VMI Personnel, 3.8 – Improve Professional Skills, and 3.9 – Expand Professional Knowledge.)
15 – 60 Minutes
| Input | Output |
|---|---|
| | An assessment and inventory of competencies, skills, knowledge, and other intellectual assets by VMI team member |
Download the Info-Tech Elevate – Tools and Templates Compendium.
As part of the vendor management lifecycle, the VMI conducts an annual review to assess compliance with policies and procedures, to incorporate changes in leading practices, to ensure that lessons learned are captured and leveraged, to validate that internal alignment is maintained, and to update governances as needed. As the VMI matures, the annual review process should incorporate feedback from those the VMI serves and those directly impacted by the VMI’s efforts. Your internal clients and others will be able to provide insights on what the VMI does well, what needs improvement, what challenges arise when using the VMI’s services, and other issues. A few best practices for creating surveys are set out below:*
4. Pay attention to your vocabulary and phrasing; use simple words. The goal is to communicate effectively and solicit feedback, and that all starts with the respondents being able to understand what you are asking or seeking.
5. Use response scales and keep the answer choices balanced. You want the respondents to find an answer that matches their feedback. For example, potential answers such as “strongly agree, agree, neutral, disagree, strongly disagree” are better than “strongly agree, agree, other.”
6. To improve your response rate, keep your survey short. Most people don’t like surveys, but they really hate long surveys. Make every question count, and keep the average response time to a maximum of a couple of minutes.
7. Watch out for “absolutes”; they can hurt the quality of your responses. Avoid using language such as always, never, all, and every in your questions or statements. They tend to polarize the evaluation and make it feel like an all-or-nothing situation.
8. Ask one question at a time or request evaluation of one statement at a time. Combining two topics into the same question or statement (double-barreled questions or statements) makes it difficult for the respondent to determine how to answer if both parts require different answers, for example, “During your last interaction with the VMI, how would you rate our assistance and friendliness?”
*Adapted from “Best Practices for Every Step of Survey Creation” from surveymonkey.com and “The 9 Most Important Survey Design Tips & Best Practices” by Swetha Amaresan.
15 – 60 Minutes
Download the Info-Tech Elevate – Tools and Templates Compendium
After the VMI has been operating for a year or two, questions may begin to surface about the value the VMI provides. “We’re making an investment in the VMI. What are we getting in return?” “Does the VMI provide us with any tangible benefits, or is it another mandatory area like Internal Audit?” To keep the naysayers at bay, start tracking the value the VMI adds to the organization or the return on investment (ROI) provided.
The easy thing to focus on is money: hard-dollar savings, soft-dollar savings, and cost avoidance. However, the VMI often plays a critical role in vendor-facing activities that lead to saving time, improving performance, and managing risk. All of these are quantifiable and trackable. In addition, internal customer satisfaction (step 2.8 and step 3.11) can provide examples of the VMI’s impact beyond the four pillars of money, time, performance, and risk.
VMI ROI is a multifaceted and complex topic that is beyond the scope of this blueprint. However, you can do a deep (or shallow) dive on this topic by downloading and reading Info-Tech’s blueprint Capture and Market the ROI of Your VMO to plot your path for tracking and reporting the VMI’s ROI or value.
Download the Info-Tech blueprint Capture and Market the ROI of Your VMO
2 – 4 Hours
A vendor recognition program can provide many benefits to your organization. Obtaining those benefits requires a solid plan and the following foundational elements:
As with any project, there are advantages and disadvantages with implementing and operating a vendor recognition program.
Advantages:
Just as a coin has two sides, there are two sides to a vendor recognition program. Advantages must be weighed against disadvantages, or at the very least, you must be aware of the potential disadvantages.
Disadvantages:
There is no one-size-fits-all approach to creating a vendor recognition program. Your program should align with your goals. For example, do you want to drive performance and collaboration, or do you want to recognize vendors that exceed your expectations? While these are not mutually exclusive, the first step is to identify your goals. Next, focus on whether you want a formal or informal program. An informal program could consist of sending thank-you emails or notes to vendor personnel who go above and beyond; a formal program could consist of objective criteria announced and measured annually, with the winners receiving plaques, publicity, and/or recognition at a formal award ceremony with your executives. Once you have determined the type of program you want, you can begin building the framework.
Take a “crawl, walk, run” approach to designing, implementing, and running your vendor recognition program. Start small and build on your successes. If you try something and it doesn’t work the way you intended, regroup and try again.
The vendor recognition program may or may not end up residing in the VMI. Regardless, the VMI can be instrumental in creating the program and reinforcing it with the vendors. Even if the program is run and operated by the VMI, other departments will need to be involved. Seek input from the legal and marketing departments to build a durable program that works for your environment and maximizes its impact.
Lastly, don’t overlook the simple gestures…they go a long way to making people feel appreciated in today’s impersonal world. A simple (but specific) thank-you can have a lasting impact, and not everything needs to be about the vendor’s organization. People make the organization “go,” not the other way around.
30 – 90 Minutes
Download the Info-Tech Elevate – Tools and Templates Compendium
| Phase 1 | Phase 2 | Phase 3 | Phase 4 |
|---|---|---|---|
| 1.1 Review and update existing Plan materials | 2.1 Vendor classification models 2.2 Customer positioning model 2.3 Two-way scorecards 2.4 Performance improvement plan (PIP) 2.5 Relationship improvement plan (RIP) 2.6 Vendor-at-a-glance reports 2.7 VMI personnel competency evaluation tool 2.8 Internal feedback tool 2.9 VMI ROI calculation 2.10 Vendor recognition program | 3.1 Classify vendors and identify customer position 3.2 Assess the relationship landscape 3.3 Leverage two-way scorecards 3.4 Implement PIPs and RIPs 3.5 Gather market intelligence 3.6 Generate vendor-at-a-glance reports 3.7 Evaluate VMI personnel 3.8 Improve professional skills 3.9 Expand professional knowledge 3.10 Create brand awareness 3.11 Survey internal clients 3.12 Calculate VMI ROI 3.13 Implement vendor recognition program | 4.1 Investigate potential alliances 4.2 Continue increasing the VMI’s strategic value 4.3 Review and update |
This phase will walk you through the following activities:
This phase helps you begin integrating the new tools and templates into the VMI’s operations. The main outcomes from this phase are guidance and the steps required to continue your VMI’s maturation and evolution.
This phase involves the following participants:
The review and assessment conducted in Phase 1 – Plan and the tools and templates created and configured during Phase 2 – Build are ready for use and incorporation into your operations. As you trek through Phase 3 – Run, a couple of familiar concepts will be reviewed (vendor classification and scorecarding), and additional details on previously introduced concepts will be provided (customer positioning, surveying internal clients); in addition, new ideas will be presented for your consideration:
The methodology used to classify your vendors in the blueprint Jump Start Your Vendor Management Initiative applies here as well, regardless of whether you use the COST model or the MVP model. Info-Tech recommends using an iterative approach initially to validate the results from the model you configured in step 2.1.
Remember to share the results with executives and stakeholders. Switching from one classification model to another may lead to concerns or questions. As always, obtain their buy-in on the final results.
If you use the MVP model, the same features will be applicable and the same processes will be followed after classifying your vendors, despite the change in nomenclature. (Strategic vendors are the equivalent of principal vendors; high operational and high tactical vendors are the equivalent of valued vendors; and all other vendors are the equivalent of minor vendors.)
After classifying your vendors, run your top 25 vendors through the OPEN Model Customer Positioning Tool. The information you need can come from multiple sources, including:
At first blush, the results can run the emotional and logical gamut: shocking, demeaning, degrading, comforting, insightful, accurate, off-kilter, or a combination of these and other reactions. To a certain extent, that is the point of the activity. As previously stated, customers often overestimate their importance to a vendor. To be helpful, your perspective must be as objective as possible rather than the subjective view painted by the account team and others within the vendor (e.g. “You’re my favorite client,” “We love working with you,” “You’re one of our key accounts,” or “You’re one of our best clients.”) The vendor often puts customers on a pedestal that is nothing more than sales puffery. How a vendor treats you is more important than them telling you how great you are. Use the OPEN model results and the material on the following pages to develop a game plan as you move forward with your vendor-facing VMI activities. The outcomes of the OPEN model will impact your business alignment meetings, scorecards, relationships, expectations, and many other facets of the VMI.
The OPEN Model Customer Positioning Tool can be adapted for use at the account manager level to determine how important your account is to the account manager.
Opportunity
Low value and high attractiveness
Characteristics and potential actions by the vendor
Customer strategies
Preferred
High value and high attractiveness
Characteristics and potential actions by the vendor
Customer strategies
Exploitable
High value and low attractiveness
Characteristics and potential actions by the vendor
Customer strategies
Negligible
Low value and low attractiveness
Characteristics and potential actions by the vendor
Customer strategies
In summary, vendor actions are understandable and predictable. Learning about how they think and act is invaluable. As some food for thought, consider this snippet from an article aimed at vendors:
“The [customer positioning] grid or matrix is, in itself, a valuable snapshot of the portfolio of customers. However, it is what we do with this information that governs how effective the tool is. It can be used in many ways:
After classifying your vendors (COST or MVP model) and identifying your positioning for the top vendors via the OPEN Model Customer Positioning Tool, the next step is to assess the relationship landscape. For key vendors (strategic, high operational, and high tactical under the COST model and principal and valued under the MVP model), look closer at the relationships that currently exist:
This information will provide a more holistic view of the dynamics at work (or just beneath the surface) beyond the contract and operational relationships. It will also help you understand any relationship leverage that may be in play…now or in the future…from each party’s perspective.
10 – 30 Minutes per vendor
Download the Info-Tech Elevate – Tools and Templates Compendium
As you roll out your new, enhanced scorecards, the same principles apply. Only a couple of modifications need to be made to your processes.
For the vendor scorecards, the VMI will still be driving the process, and internal personnel will still be completing the scorecards. An email or short orientation meeting for those involved will ease the transition from the old format to the new format. Consider creating a FAQ (frequently asked questions) for the new template, format, and content; you’ll be able to leverage it via the email or meeting to answer questions such as: What changed? Why did it change? Why are we doing this? In addition, making a change to the format and content may generate a need for new or additional internal personnel to be part of the scorecarding process. A scorecarding kick-off meeting or orientation meeting will ensure that the new participants buy into the process and acclimate to the process quickly.
For the vendor feedback, the look and feel is completely new. The feedback questions that were part of the BAM agenda have been replaced by a more in-depth approach that mirrors the vendor scorecards. Consider conducting a kick-off meeting with each participating vendor to ensure they understand the importance of the feedback form and the process for completing it. Remember to update your process to remind the vendors to submit the feedback forms three to five business days prior to the BAM (and update your BAM agenda). You will want time to review the feedback and identify any questions or items that need to be clarified. Lastly, set aside some extra time to review the feedback form in the first BAM after you shift to the formal format.
Underperforming vendors are similar to underperforming employees. There can be many reasons for the lackluster performance, and broaching the subject of a PIP may put the vendor on the defensive. Consider working with the human resources department (or whatever it is called in your organization) to learn some of the subtle nuances and best practices from the employee PIP realm that can be used in the vendor PIP realm.
When developing the PIP, make sure you:
Not all performance issues require a PIP; some can be addressed one-on-one with the vendor’s account manager, project manager, or other personnel. The key is to identify meaningful problems and use a PIP to resolve them when other measures have failed or when more formality is required.
A PIP is a communication tool, not a punishment tool. When used properly, PIPs can improve relationships, help avoid lawsuits, and prevent performance issues from having a significant impact on your organization.
After assessing the relationship landscape in step 3.2 and configuring the Relationship Assessment and Improvement Plan Tool in step 2.5, the next step is to leverage that information: 1) establish a relationship baseline for each critical vendor; and 2) develop and implement a plan for each to maintain or improve those relationships.
The Relationship Assessment and Improvement Plan Tool provides insights into the actual status of your relationships. It allows you to quantify and qualify those relationships rather than relying on intuition or instinct. It also pinpoints areas that are strong and areas that need improvement. Identify your top seven relationship priorities and build your improvement/maintenance plan around those to start. (This number can be expanded if some of your priorities are low effort or if you have several people who can assist with the implementation of the plan.) Decide which relationship indicators need a formal plan, which ones require only an informal plan, and which ones involve a hybrid approach. Remember to factor in the maintenance aspect of the relationship – if something is going well, it can still be a top priority to ensure that the relationship component remains strong.
Similar to a PIP, your RIP can be very formal with action items and deadlines. Unlike a PIP, the RIP is typically not shared with the vendor. (It can be awkward to say, “Here are the things we’re going to do to improve our relationship, vendor.”)
The level of formality for your plan will vary. Customize your plan for each vendor. Relationships are not formulaic, although they can share traits. Keep in mind what works with one person or one vendor may not work for another. It’s okay to revisit the plan if it is not working and make adjustments.
What is market intelligence?
Market intelligence is a broad umbrella that covers a lot of topics, and the breadth and depth of those topics depend on whether you sit on the vendor or customer side of the equation. Even on the customer side, the scope and meaning of market intelligence are defined by the role served by those gathering market intelligence. As a result, the first step for the VMI is to set the boundaries and expectations for its role in the process. There can be some overlap between IT, procurement/sourcing, and the VMI, for example. Coordinating with other functional areas is a good idea to avoid stepping on each other’s toes or expending duplicate resources unnecessarily.
For purposes of this blueprint, market intelligence is defined as gathering, analyzing, interpreting, and synthesizing data and information about your critical vendors (high operational, high tactical, and strategic under the COST model or valued and principal under the MVP model), their competitors, and the industry. Market intelligence can be broken into two basic categories: individual vendors and the industry as a whole. For vendors, it generally encompasses data and information about products and services available, each vendor’s capabilities, reputation, costs, pricing, advantages, disadvantages, finances, location, risks, quality ratings, standard service level agreements (SLAs) and other metrics, supply chain risk, total cost of ownership, background information, and other points of interest. For the industry, it can include the market drivers, pressures, and competitive forces; each vendor’s position in the industry; whether the industry is growing, stable, or declining; whether the industry is competitive or led by one or two dominant players; and the potential for disruption, trends, volatility, and risk for the industry. This represents some of the components of market intelligence; it is not intended to be an exhaustive list.
Market intelligence is an essential component of a VMI as it matures and strives to be strategic and to provide significant value to the organization.
What are the benefits of gathering market intelligence?
Depending on the scope of your research, there are many potential uses, goals, and benefits that flow from gathering market intelligence:
What are some potential sources of information for market intelligence?
For general information, there are many places to obtain market intelligence. Here are some common resources:
Keep in mind the source of the information may be skewed in favor of the vendor. For example, vendor marketing materials may paint a rosier picture of the vendor than reality. Using multiple sources to validate the data and information is a leading practice (and common sense).
For specific information, many VMIs use a third-party service. Third-party services can dedicate more resources to research since that is their core function. However, the information obtained from any third party should be used as guidance and not as an absolute. No third-party service has access to every deal, and market conditions can change often and quickly.
Some additional thoughts on market intelligence
Much of the guidance provided on reports in the blueprint Jump Start Your Vendor Management Initiative holds true for the 60-Second Report and the Vendor Calendar.
These reports should be kept confidential. Consider using a “confidential” stamp, header, watermark, or other indicator to highlight that the materials are sensitive and should not be disclosed outside of your organization without approval.
Using the configured VMI personnel assessment tool (Elevate – Tools and Templates Compendium tab 2.7.1 or 2.7.2), evaluate each VMI employee’s skills, competencies, and knowledge (S/C/K) against the established minimum level required/desired field for each. Use this tool for full-time and part-time team members to obtain a complete inventory of the VMI’s S/C/K.
After completing the assessment, you will be able to identify areas where personnel exceed, meet, or fail to meet the minimum level required/desired using the included dashboards. This information can be used to create a development plan for areas of deficiency or areas where improvement is desired for career growth.
As an alternative, you can assess VMI personnel using their job descriptions. Tab 2.7.3 of the Tools and Templates Compendium is set up to perform this type of analysis and create a plan for improvement when needed. Unlike Tabs 2.7.1 and 2.7.2, however, the assessment does not provide a dashboard for all employee evaluations. Tab 2.7.3 is intended to focus on the different roles and responsibilities for each employee versus the VMI as a whole.
Lastly, you can use Tab 2.7.4 to evaluate potential VMI personnel during the interview process. Load the roles and responsibilities into the template, and evaluate all the candidates on the same criteria. A dashboard at the bottom of the template quantifies the number of instances each candidate exceeds, meets, and fails to meet the criteria. Used together, the evaluation matrix and dashboard will make it easier to identify each candidate’s strengths and weaknesses (and ultimately select the best new VMI team member).
To be an effective member of the VMI requires proficiency in many areas. Some basic skills like computer skills, writing, and time management are straightforward. Others are more nebulous. The focus of this step is on a few of the often-overlooked skills lurking in the shadows:
For the VMI to be viewed as a strategic and integral part of the organization, these skills (and others) are essential. Although this blueprint cannot cover all of them, some leading practices, tips, and techniques for each of the skills listed above will be shared over the next several pages.
Communication is the foundational element for the other professional skills covered in this step 3.8. By focusing on seven key areas, you can improve your relationships, influence, emotional intelligence quotient, diplomacy, and impact when interacting with others. The concepts for the seven focal points presented here are the proverbial tip of the iceberg. Continue learning about these areas, and recognize that mastering each will require time and practice.
2. Speaking
3. Body language
4. Personality
5. Style
6. Learning
7. Actions and inactions
Diplomacy can be defined many ways, but this one seems to fit best for the purposes of vendor management: The ability to assert your ideas or opinions, knowing what to say and how to say it without damaging the relationship by causing offense.1 At work, diplomacy can be about getting internal or external parties to work together, influencing another party, and conveying a message tactfully. As a vendor manager, diplomacy is a necessary skill for working with your team, your organization, and vendors.
To be diplomatic, you must be in tune with others and understand many things about them such as their feelings, opinions, ideas, beliefs, values, positions, preferences, and styles. To achieve this, consider the following guidance:2
Whenever things get tense, take a deep breath, take a break, or stop the communication (based on the situation and what is appropriate). Being diplomatic can be taxing, and it is better to step back than to continue down a wrong path due to stress, emotion, being caught off guard, etc.
Relationship building and networking cannot be overvalued. VMI personnel interact with many areas and people throughout the organization, and good relationships are essential. Building and maintaining relationships requires hard work and focusing on the right items. Although there isn’t a scientific formula or a mathematical equation to follow, key elements are present in all durable relationships.
Focus on building relationships at all levels within your organization. People at every level may have data or information you need, and your relationship with them may be the deciding factor in whether you get the information or not. At other times, you will have data and information to give, and the relationship may determine how receptive others are to your message. Some relationship fundamentals are provided below and continue on the next page.1,2
Most people don’t get excited about meetings, but they are an important tool in the toolbox. Unfortunately, many meetings are unnecessary and unproductive. As a result, meeting invites often elicit an audible groan from invitees. Eliminating meetings completely is not a practical solution, which leaves one other option: improving them.
You may not be in charge of every meeting, but when you are, you can improve their productivity and effectiveness by making a few modifications to your approach. Listed below are ten ideas for getting the most out of your meetings:*
5. Use video when anyone is attending virtually. This helps prevent anonymity and increases engagement.
6. Start and end meetings on time. Running over impacts other meetings and commitments; it also makes you look ineffective and increases stress levels for attendees.
7. If longer meetings are necessary, build in a short break or time for people to stand up and stretch. Don’t say, “If you need a break or to stand up during the meeting, feel free.” Make it a planned activity.
8. Keep others engaged by facilitating and drawing specific people into the conversation; however, don’t ask people to contribute on topics that they know nothing about or ask generally if anyone has any comments.
9. Leverage technology to help with the meeting; have someone monitor the chat for questions and concerns. However, the chat should not be for side conversations, memes, and other distractions.
10. End the meeting with a short recap, and make sure everyone knows what was decided/accomplished, what next steps are, and which action items belong to which people.
Emotional intelligence (otherwise known as emotional intelligence quotient or EQ) is the ability to understand, use, and manage your own emotions in positive ways to relieve stress, communicate effectively, empathize with others, overcome challenges and defuse conflict.1 This is an important set of skills for working with vendors and internal personnel. Increasing your EQ will help you build better relationships and be seen as a valuable teammate…at all levels within your organization.
Improving this skill dovetails with other skills discussed in this step 3.8, such as communication and diplomacy. Being well versed in the concepts of EQ won’t be enough. To improve requires a willingness to be open – open to feedback from others and open to new ideas. It also requires practice and patience. Change won’t happen overnight, but with some hard work and perseverance, your EQ can improve.
There are many resources that can help you on your journey, and here are some tips to improve your EQ:2
Tips to improve your EQ (continued from previous page):
Things to avoid:1
Skills such as influence and persuasion are important (even necessary) for vendor managers. (Don’t confuse this with the dark arts version – manipulation.) A good working definition is provided by the Center for Creative Leadership: Influence is the ability to affect the behavior of others in a particular direction, leveraging key tactics that involve, connect, and inspire them.* Influence and persuasion are not about strong-arming or blackmailing someone to get your way. Influence and persuasion are about presenting issues, facts, examples, and other items in a way that moves people to align with your position. Sometimes you will be attempting to change a person’s mind, and other times you will be moving them from a neutral stance to agreeing to support your position.
Building upon the basic communication skills discussed at the start of this step, there are some ways to improve your ability to influence and persuade others. Here are some suggestions to get you started:*
3. Build and maintain trust – trust has two main components: competency and character. In item 2 on the previous page, competency trust was discussed from the perspective of knowledge and expertise. For character trust, you need to be viewed as being above reproach. You are honest and ethical; you follow through and honor your commitments. Once both types of trust are in place, eyes and ears will be open and more receptive to your messages. Bottom line: You can’t influence or persuade people if they don’t trust you.
4. Grow and leverage networks – the workplace is a dynamic atmosphere, and it requires almost constant networking to ensure adequate contacts throughout the organization are maintained. Leveraging your network is an art form, and it must be used wisely. You don’t want to wear out your welcome by asking for assistance too often.
As you prepare your plan to influence or persuade someone, ask yourself the following questions:*
To function in their roles, VMI personnel must be well versed in the concepts and terminology associated with vendor management. To be strategic and to develop relationships with other departments, divisions, agencies, and functional groups, VMI personnel must also be familiar with the concepts and terminology for functions outside the VMI. Although a deep dive is beyond the scope of this blueprint, understanding basic concepts within each of the topics below is critical:
It isn’t necessary to be an expert in these subjects, but VMI personnel must be able to talk with their peers intelligently. For example, a vendor manager needs to have a general background in contract terms and conditions to be able to discuss issues with legal, finance, procurement, and project management groups. A well-rounded and well-versed VMI team member can rise to the level of trusted advisor and internal strategic partner rather than wallowing in the operational or transactional world.
Finance and accounting terms and concepts are commonplace in every organization. They are the main language of business – they are the way for-profit businesses keep score. Regardless of whether your organization is a for-profit, non-profit, governmental, or other entity, finance and accounting run through the veins of your organization as well. In addition to the customer side of the equation, there is the vendor side of the equation: Every vendor you deal with will be impacted financially by working with you.
Having a good grasp of finance and accounting terms and concepts will improve your ability to negotiate, talk to finance and accounting personnel (internal and external), conduct ongoing due diligence on your critical vendors, review contracts, and evaluate vendor options, to name just a few of the benefits.
The concepts listed on the following pages are some of the common terms applicable to finance and accounting. It is not intended to be an exhaustive list. Continue to learn about these concepts and identify others that allow you to grow professionally.
Finance and accounting terms and concepts
Whether your organization has a formal project management office (PMO) or not, project management practices are being used by those tasked with making sure software and software-as-a-service implementations go smoothly, technology refreshes are rolled out without a hitch, and other major activities are successful. Listed below are some common competencies/skills used by project managers to make sure the job gets done right.
The concepts listed below are common project management terms and concepts.1, 2 This list is not intended to be exhaustive. Look internally at your project management processes and operations to identify the concepts applicable in your environment and any that are missing from this list.
Contracts and contract lifecycle management (CLM) are two separate but related topics. It is possible to have contracts without a formal CLM process, but you can’t have CLM without contracts. This portion of step 3.9 provides some general background on each topic and points you to blueprints that cover each subject in more detail.
IT contracts tend to be more complicated than other types of contracts due to intellectual property (IP) rights being associated with most IT contracts. As a result, it is necessary to have a basic understanding of IP and common IT contract provisions.
There are four main areas of IP: copyrights, patents, trademarks, and trade secrets. Each has its own nuances, and people who don’t work with IP often mistake one for another or use the terms interchangeably. They are not interchangeable, and each affords a different type of protection when available (e.g. something may not be capable of being patented, but it can be copyrighted).
For contract terms and conditions, vendor managers are best served by understanding both the business side and the legal side of the provisions. In addition, a good contract checklist will act as a memory jogger whether you are reviewing a contract or discussing one with legal or a vendor. For more information on contract provisions, checklists, and playbooks, download the Info-Tech blueprints identified to the left.
Download the Info-Tech blueprint Understand Common IT Contract Provisions to Negotiate More Effectively
Download the Info-Tech blueprint Improve Your Statements of Work to Hold Your Vendors Accountable
CLM is a process that helps you manage your agreements from cradle to grave. A robust CLM process eases the challenges of managing hundreds or even thousands of contracts that affect the day-to-day business and could expose your organization to various types of vendor-related risk.
Managing a few contracts through the contracting process is easy, but as the number of contracts grows, managing each step of the process for each contract becomes increasingly difficult and time consuming. That’s where CLM and CLM tools can help. Here is a high-level overview of the CLM process:
For more information on CLM, download the Info-Tech blueprint identified to the left.
Download the Info-Tech blueprint Design and Build an Effective Contract Lifecycle Management Process
Almost every organization has a procurement or sourcing department. Procurement/sourcing is often the gatekeeper of the processes used to buy equipment and services, lease equipment, license software, and acquire other items. There are many different types of procurement/sourcing departments and several points of maturity within each type. As a result, the general terms listed on the next page may or may not be applicable within your organization. (Or your organization may not have a procurement/sourcing department at all!)
Identifying your organization’s procurement/sourcing structure is the best place to start. From there, you can determine which terms are applicable in your environment and dive deeper on the appropriate concepts as needed.
Procurement sourcing terms and concepts
Whether you consider conflict management a skill, knowledge, or something in between, there is no denying that vendor managers are often engaged to resolve conflicts and disputes. At times, the VMI will be a “disinterested third party,” sitting somewhere between the vendor and an internal department, line of business, agency, or other functional designation. The VMI also may be one of the parties involved in the dispute or conflict. As a result, a little knowledge and a push in the right direction will help you learn more about how to handle situations where two parties don’t agree.
To begin with, there are four levels of “formal” dispute resolution. You may be intimately aware of all of them or only have cursory knowledge of how they work and the purpose they serve:
Their use often can be controlled or limited either contractually or by your organization’s preferences. They may be exclusive or used in combination with one another (e.g. negotiation first, and if things aren’t resolved, arbitration). Look at your contracts and legal department for guidance. It’s important to understand when and how these tools are used and what is expected (if anything) from the VMI.
Another factor in the conflict management and informal dispute resolution process is the people component. Perhaps the most famous or well-known model on this topic is the Thomas-Kilmann conflict resolution model. It attempts to bring clarity to the five different personality types you may encounter when resolving differences. As the graphic indicates, it is not purely a black-and-white endeavor; it is comprised of various shades of grey. The framework presented by Mr. Thomas and Mr. Kilmann provides insights into how people behave and how to engage them based on personality characteristics and attributes. The model sorts people into one of five categories:
Although it is not an absolute science since people are unpredictable at times, the Thomas-Kilmann model provides great insights into human behavior and ways to work with the personality types listed.
Although the topic is far broader than what is presented here, the last consideration is a sound process to follow when the conflict or dispute will be handled informally (at least to start). The simple process presented below works with vendors, but it can be adapted to work with internal disputes as well. The following process assumes that the VMI is attempting to facilitate a dispute between an internal party and a vendor.
Step 1. Validate the person and the issue being brought to you; don’t discount the person, their belief, or their issue. Show genuine interest and concern.
Step 2. Gather and verify data; not all issues brought forward can be pursued or pursued as presented. For example, “The vendor is always late with its reports” may or may not be 100% accurate as presented.
Step 3. Convert data gathered into useful and relatable information. To continue the prior example, you may find that the vendor was late with the reports on specified dates, and this can be converted into “the vendor was late with its reports 50% of the time during the last three months.”
Step 4. Escalate findings internally to the appropriate stakeholders and executives as necessary so they are not blindsided if a vendor complains or goes around you and the process. In addition, they may want to get involved if it is a big issue, or they may tell you to get rid of it if it is a small issue.
Step 5. Engage the vendor once you have your facts and present the issues without judgment. Ask the vendor to do its own fact gathering.
Step 6. Schedule a meeting to review the situation and hear the vendor’s version of the facts…they may align, or they may not.
Step 7. Resolve any differences between your facts/information and the vendor’s. There may be extenuating circumstances, oversights, different data, or other items that come to light.
Step 8. Attempt to resolve the problem and prevent further occurrences through root cause analysis and collaborative problem-solving techniques.
Develop your own process and make sure it stays neutral. The process should not put the vendor (or any party) on the defensive. The process is to help the parties reach resolution…not to assign blame.
Working with the account or sales team from your critical vendors can be challenging. A basic understanding of account team operations and customer/vendor dynamics will go a long way to improving your interactions (and even vendor performance) over time.
Sales basics
Improving sales and account team dynamics with your organization
For more information on this topic, download the Info-Tech blueprint Evaluate Your Vendor Account Team to Optimize Vendor Relations.
Branding isn’t just for companies. It is for departments (or whatever you call them at your place of employment) and individuals working in those departments. With a little work and even less money, you can create a meaningful brand for the VMI. While you are at it, you may want to encourage the VMI’s team members to focus a little attention on their personal brands since the VMI and its personnel are intertwined. First, let's define “brand.”
Ask 50 people, “How do you define ‘brand’?” and you are likely to get 50 different answers. For the purposes of this blueprint, the following definition provides some guiderails by describing what a brand is and isn’t: “A brand is not a logo. A brand is not an identity. A brand is not a product. A brand is a person’s gut feeling about a product, service, or organization.”1 Let’s expand the definition of “a brand is…” to include departments and individuals since that’s the focus of this step, and it doesn’t violate the spirit of the original definition. A further expansion could include the goodwill associated with the product, service, organization, department, or individual.
Dedicating time and other resources to proactively creating and nurturing the VMI’s brand has many advantages:
As you embark on creating a brand for the VMI and raising awareness, here are a few considerations to keep in mind:
As previously mentioned, brands are for individuals as well. In fact, everybody has a brand associated with them…for better or worse...whether they have consciously created and molded it or not. Focusing on the individual brand at this point offers the VMI and its team members the opportunity to enhance the brand for both. After all, the VMI is a reflection of its personnel.
Here are some things VMI team members can do to enhance their brand:
30 – 90 Minutes
Download the Info-Tech Elevate - Tools and Templates Compendium
As you deploy your surveys, timing must be considered. For annual surveys, avoid busy seasons such as mid to late December (especially if your organization’s fiscal year is a calendar year). Give people time to recover from any November holidays, and survey them before they become distracted by December holidays (if possible). You may want to push the annual survey until January or February when things have settled back into a normal routine. Your needs for timing and obtaining the results must be balanced against the time constraints and other issues facing the potential respondents.
For recency surveys, timing can work to your advantage or disadvantage. Send the survey almost immediately after providing assistance. If you wait more than a week or two, memories will begin to fade, and the results will trend toward the middle of the road.
Regardless of whether it is an annual survey or a recency survey, distributing the surveys to a big enough sample size will be tough. Combine that with low response rates and the results may be skewed. Take what you can get and look for trends over time. Some people may be tough critics; if possible, send the survey to the same people (and incorporate new ones) to see if the tough graders’ responses are remaining true over time. Another way to mitigate some of the tough critics is to review their answers to the open-ended questions. For example, a tough grader may respond with a “4 – helpful” when you were expecting a “5 – very helpful;” the narrative portion of the survey may be consistent with that answer, or it may provide what you were looking for: “The VMI was great to work with on this project.” When confined to a scale, some respondents won’t give the top value/assessment no matter what, but they will sing your praises in a question that requires a narrative response. Taken together, you may get a slightly different picture – one that often favors you.
After you have received a few responses to your surveys (recency and annual), review the results against your expectations and follow up with some of the respondents. Were the questions clear? Were the answer choices appropriate? Ultimately, you have to decide if the survey provided the meaningful feedback you were looking for. If not, revise the questions and answer choices as needed. (Keep in mind, you are not looking for “feel-good fluff.” You are looking for feedback that will reinforce what you are doing well and show areas for improvement.) Once you have the results, it’s time to share them with the executives and stakeholders. When creating a report, consider the following guidance:
Calculating ROI begins with establishing baselines: what is the current situation? Once those are established, you can begin tracking the impact made by the VMI by looking at the differences between the baseline and the end result. For example, if the VMI is tracking money saved, it is critical to know the baseline amounts (e.g. the initial quote from the vendor, the budgeted amount). If time is being measured, it is important to understand how much time was previously spent on items (e.g. vendor meetings to address concerns, RFPs).
The blueprint Capture and Market the ROI of Your VMO will lead you through the process, but there are a couple of key things to remember: 1) some results will be quick and easy – the low-hanging fruit, things that have been ignored or not done well, eliminating waste, and streamlining inefficiencies; and 2) other things may take time to come to fruition. Be patient and make sure you work with finance or others to bring credibility to your calculations.
When reporting the ROI, remember to include the results of the survey from step 3.11. They are not always quantifiable, but they help executives and stakeholders see the complete picture, and the stories or examples make the ROI “personal” to the organization.
Reporting can be a challenge. VMIs often underestimate their value and don’t like self-promotion. While you don’t want to feel like you operate in justification mode, many eyes will be on the VMI. The ROI report helps validate and promote the VMI, and it helps build brand awareness for the VMI.
As indicated in step 2.10, take a “crawl, walk, run” approach to your vendor recognition program. Start off small and grow the program over time. Based on the scope of the program, decide how you’ll announce and promote it. Work with marketing, IT, and others to ensure a consistent message, to leverage technology (e.g. your website), and to maximize awareness.
For a formal program, you may want to hold a kickoff meeting to introduce the program internally and externally. The external kickoff can be handled in a variety of ways depending on available resources and the extent of the program. For example, a video can be produced and shared with eligible vendors, an email from the VMI or an executive can be used, or the program can be rolled out through BAMs if only BAM participants are eligible for the program. If you are taking an informal approach to the vendor recognition program, you may not need an external kickoff at all.
For a formal program, collect information periodically throughout the year rather than waiting until the end of the year; however, some data may not be available or relevant until the end of the measurement period. For subjective criteria, recency may be an issue, and memories will fade over time. (Be careful the subjective portion doesn’t turn into a popularity contest.)
If the vendor recognition program is not meeting your goals adequately, don’t be afraid to modify it or even scrap it. At some point, you may have to do a partial or total reboot of the program. Creating and maintaining a “lessons learned” document will make a reboot easier and better if it is necessary. Remember: While a vendor recognition program has many potential benefits, your main goals must be achieved or the program adds little or no value.
| Phase 1 | Phase 2 | Phase 3 | Phase 4 |
|---|---|---|---|
| 1.1 Review and update existing Plan materials | 2.1 Vendor classification models 2.2 Customer positioning model 2.3 Two-way scorecards 2.4 Performance improvement plan (PIP) 2.5 Relationship improvement plan (RIP) 2.6 Vendor-at-a-glance reports 2.7 VMI personnel competency evaluation tool 2.8 Internal feedback tool 2.9 VMI ROI calculation 2.10 Vendor recognition program | 3.1 Classify vendors and identify customer position 3.2 Assess the relationship landscape 3.3 Leverage two-way scorecards 3.4 Implement PIPs and RIPs 3.5 Gather market intelligence 3.6 Generate vendor-at-a-glance reports 3.7 Evaluate VMI personnel 3.8 Improve professional skills 3.9 Expand professional knowledge 3.10 Create brand awareness 3.11 Survey internal clients 3.12 Calculate VMI ROI 3.13 Implement vendor recognition program | 4.1 Investigate potential alliances 4.2 Continue increasing the VMI’s strategic value 4.3 Review and update |
This phase will walk you through the following activities:
This phase helps the VMI stay aligned with the overall organization, stay current, and improve its strategic value as it evolves. The main outcomes from this phase are ways to advance the VMI’s strategic impact.
This phase involves the following participants:
The emphasis of this final phase is on the VMI’s continued evolution.
Chances are you’ve seen a marketing or business alliance at work in your personal life. If you’ve visited a Target store or a Barnes and Noble store, you’ve more than likely walked past the Starbucks counter. The relationship is about more than the landlord-tenant agreement, and the same business concept can exist in non-retail settings. Although they may not be as common in the customer-IT vendor space, alliances can work here as well.
Definition
For vendor management purposes, an alliance is a symbiotic relationship between two parties where both benefit beyond the traditional transactional (i.e. buyer-seller) relationship.
Characteristics
Benefits
Risks
Keys to success
The purpose of this step is not to make you an expert on alliances or to encourage you to rush out of your office, cubicle, bedroom, or other workspace looking for opportunities. The purpose is to familiarize you with the concepts, to encourage you to keep your eyes open, and to think about relationships from different angles. How will you make the most of your vendors’ expertise, resources, market, and other things they bring to the table?
Although they are not synonymous concepts, increasing the VMI’s maturity and increasing the VMI’s strategic value can go hand in hand. Evolving the VMI to be strategic allows the organization to receive the greatest benefit for its investment. This isn’t to say that all work the VMI does will be strategic. It will always live in two places – the transactional world and the strategic world – even when it is fully mature and operating strategically. Just like any job, there are transactional tasks and activities that must be done, and some of them are foundational elements for being strategic (e.g. conducting research, preparing reports, and classifying vendors). The VMI must evolve and become strategic for many reasons: staying in the transactional world limits the VMI’s contributions, results, influence and impact; team members will have less job satisfaction and enjoyment and lower salaries; ultimately, the justification for the VMI could disappear.
To enhance the VMI’s (and, as applicable, its personnel’s) strategic value, continue:
| Indicators of a transactional VMI: | Indicators of a strategic VMI: |
|---|---|
The vendor management lifecycle is continuous and more chaotic than linear, but the chaos mostly stays within the boundaries of the “plan, build, run, and review” framework outlined in this blueprint and the blueprint Jump Start Your Vendor Management Initiative. Two of the goals of managing the lifecycle are: 1) to adapt to a changing world; and 2) to improve the VMI and its impact over time. To do this, keep following the guidance in this phase, but don’t forget about the direction provided in phase 4 of the blueprint Jump Start Your Vendor Management Initiative:
Continue reviewing and updating the VMI’s risk footprint. Add risk categories and scope as needed (measurement, monitoring, and reporting). Review Info-Tech’s vendor management-based series of risk blueprints for further information (Identify and Manage Reputational Risk Impacts on Your Organization and others).
It is easy for business owners to lose sight of things. There is a saying among entrepreneurs about remembering to work on the business rather than working exclusively in the business. For many entrepreneurs, it is easy to get lost in the day-to-day grind and to forget to look at the bigger picture. A VMI is like a business in that regard – it is easy to focus on the transactional work and lose sight of maturing or evolving the VMI. Don’t let this happen!
Leverage the tools and templates from this blueprint and adapt them to your environment as needed. Unlike the blueprint Jump Start Your Vendor Management Initiative, some of the concepts presented here may take more time, resources, and evolution before you are ready to deploy them. Continue using the three-year roadmap and 90-day plans from the Jump Start Your Vendor Management Initiative blueprint, and add components from this blueprint when the time is right. The two blueprints are designed to work in concert as you move forward on your VMI journey.
Lastly, focus on getting a little better each day, week, month, or year: better processes, better policies and procedures, better relationships with vendors, better relationships with internal clients, better planning, better anticipation, better research, better skills, competencies, and knowledge for team members, better communication, better value, and better impact. A little “better” goes a long way, and over time it becomes a lot better.
Contact your account representative for more information.
workshops@infotech.com
1-888-670-8889
Jump Start Your Vendor Management Initiative
IT (and the organization as a whole) are more reliant on vendors than ever before, and vendor management has become increasingly necessary to manage the relationships and manage the risks. Implementing a vendor management initiative is no longer a luxury...it is a necessity.
Capture and Market the ROI of Your VMO
Calculating the impact or value of a vendor management office (VMO) can be difficult without the right framework and tools. Let Info-Tech’s tools and templates help you account for the contributions made by your VMO.
Evaluate Your Vendor Account Team to Optimize Vendor Relations
Understanding your vendor team’s background, experience, and strategic approach to your account is key to the management of the relationship, the success of the vendor agreement, and, depending on the vendor, the success of your business.
Identify and Manage Financial Risk Impacts on Your Organization
Vendors’ failure to perform, including security and compliance violations, can have significant financial consequences. Good vendor management practices help organizations understand the costs of those actions.
Amaresan, Swetha. “The 9 Most Important Survey Design Tips & Best Practices.” HubSpot. Accessed 13 July 2022.
“Best Practices for Every Step of Survey Creation.” Survey Monkey. Accessed 13 July 2022.
Brevig, Armand. “Here Is a Quicker Way of Getting Better Supply Market Insights.” Procurement Cube, 30 July 2020. Accessed 19 May 2022.
Cain, Elna. “9 Simple Ways on How to Improve Your Writing Skills.” Elna Cain, 20 Nov. 2018. Accessed 5 June 2020.
Colwell, Tony. “How to Select Strategic Suppliers Part 1: Beware the Supplier's Perspective.” Accuity Consultants, 7 Feb 2012. Accessed 19 May 2022.
“50 Tips for Improving Your Emotional Intelligence.” RocheMartin, 12 Jan. 2022. Accessed 25 July 2022.
“4 Ways to Strengthen Your Ability to Influence Others.” Center for Creative Leadership, 24 Nov. 2020. Accessed 20 July 2022.
Ferreira, Nicole Martins. “10 Personal Branding Tips That’ll Elevate Your Business In 2022.” Oberlo, 21 Mar. 2022. Accessed 24 May 2022.
Gartlan, Dan. “4 Essential Brand Components.” Stevens & Tate, 25 Nov. 2019. Accessed 24 May 2022.
Geller & Company. “World-Class Procurement — Increasing Profitability and Quality.” Spend Matters, 2003. Accessed 4 March 2022.
Gumaste, Pavan. “50 Project Management Terms You Should Know.” Whiz Labs, 2018. Accessed 22 July 2022.
Hertzberg, Karen. “How to Improve Writing Skills in 15 Easy Steps.” Grammarly, 15 June 2017. Accessed 5 June 2020.
“Improving Emotional Intelligence (EQ).” HelpGuide, 2022. Accessed 25 July 2022.
“ISG Index 4Q 2021.” Information Services Group, Inc., 2022. Web.
Lehoczky, Etelka. “How To Improve Your Writing Skills At Work.” Forbes, 9 Mar. 2016. Accessed 5 June 2020.
Liu, Joseph. “5 Ways To Build Your Personal Brand At Work.” Forbes, 30 Apr. 2018. Accessed 24 May 2022.
Lloyd, Tracy. “Defining What a Brand Is: Why Is It So Hard?” Emotive Brand, 18 June 2019. Accessed 28 July 2022.
Nielson, Megan. “The Basic Tenants of Diplomatic Communication.” Communiqué PR, 22 October 2020. Accessed 23 May 2022.
“Positioning Yourself in the Market.” New Zealand Ministry of Business, Innovation & Employment, 2021. Accessed 19 May 2022.
Rogelberg, Steven G. “The Surprising Science Behind Successful Remote Meetings.” sloanreview.mit.edu. 21 May 2020. Accessed 19 July 2022.
“Rule No 5: All Customers/Suppliers Have a Different Value to You.” newdawnpartners.com. Accessed 19 May 2022.
Shute, Benjamin. “Supplier Relationship Management: Is Bigger Always Better?” Comprara, 24 May 2015. Accessed 19 May 2022.
Steele, Paul T. and Brian H. Court. Profitable Purchasing Strategies: A Manager's Guide for Improving Organizational Competitiveness Through the Skills of Purchasing. McGraw-Hill, 1996.
“Take the Thomas-Kilmann Conflict Mode Instrument (TKI).” Kilmann Diagnostics, 2018. Accessed 20 Aug. 2020.
Tallia, Alfred F. MD, MPH, et al. “Seven Characteristics of Successful Work Relationships.” Fam Pract Manag. 2006 Jan;13(1):47-50.
“The Art of Tact and Diplomacy.” skillsyouneed.com. Accessed 23 May 2022.
“13 Key Traits of Strong Professional Relationships.” success.com. Accessed 4 Feb. 2022.
Wilson, Fred. “Top 40 Project Management Terms and Concepts of 2022.” nTask, 25 Feb. 2019. Accessed 24 July 2022.
Organizations are joining the wave and adopting machine learning and artificial intelligence (AI) to unlock the value in their data and power their competitive advantage. But to succeed with these complex analytics programs, they need to begin by looking at their data – empowering their people to realize and embrace the valuable insights within the organization’s data.
The key to becoming a data-driven organization is to foster a strong data culture and equip employees with data skills through an organization-wide data literacy program.
Data literacy is critical to the success of digital transformation and AI analytics. Info-Tech’s approach to creating a sustainable and effective data literacy program is recognizing it is:
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Data literacy, as part of the data governance strategic program, should be launched to employees at all levels to help your organization bridge the data knowledge gap. This research recommends approaches to different learning styles to address data skill needs and helps members create a practical and sustainable data literacy program.
Kick off a data awareness program that explains the fundamental understanding of data and its lifecycle. Explore ways to create or mature the data literacy program with smaller amounts of information on a more frequent basis.
“Digital transformation” and “data driven” are two terms that are inseparable. With organizations accelerating in their digital transformation roadmap implementation, organizations need to invest in developing data skills with their people. Talent is scarce and the demand for data skills is huge, with 70% of employees expected to work heavily with data by 2025. There is no time like the present to launch an organization-wide data literacy program to bridge the data knowledge gap and foster a data-driven culture.
Data literacy training is as important as your cybersecurity training. It impacts all levels of the organization. Data literacy is critical to success with digital transformation and AI analytics.
Principal Advisory Director, Data & Analytics Practice
Info-Tech Research Group
Your Challenge
Organizations are joining the wave and adopting machine learning (ML) and artificial intelligence (AI) to unlock the value in their data and power their competitive advantage. But to succeed with these complex analytics programs, they need to begin by empowering their people to realize and embrace the valuable insights within the organization’s data. The key to becoming a data-driven organization is to foster a strong data culture and equip people with data skills through an organization-wide data literacy program.
Common Obstacles
Challenges the data leadership is likely to face as digital transformation initiatives drive intensified competition:
Info-Tech's Approach
We interviewed data leaders and instructors to gather insights about investing in data:
By thoughtfully designing a data literacy training program for the audience's own experience, maturity level, and learning style, organizations build the data-driven and engaged culture that helps them to unlock their data's full potential and outperform other organizations.
“Data literacy is the ability to read, work with, analyze, and communicate with data. It's a skill that empowers all levels of workers to ask the right questions of data and machines, build knowledge, make decisions, and communicate meaning to others.” – Qlik, n.d.
Source: Accenture, 2020.
Source: Qlik, 2022.
“[Data debt is] when you have undocumented, unused, incomplete, and inconsistent data,” according to Secoda (2023). “When … data debt is not solved, data teams could risk wasting time managing reports no one uses and producing data that no one understands.”
Signs of data debt when considering investing in data literacy:
of organizations say a backlog of data debt is impacting new data management initiatives.
of organizations say individuals within the business do not trust data insights.
of organizations are unable to become data-driven.
Source: Experian, 2020
Image source: Welocalize, 2020.
Data represents a discrete fact or event without relation to other things (e.g. it is raining). Data is unorganized and not useful on its own.
Information organizes and structures data so that it is meaningful and valuable for a specific purpose (i.e. it answers questions). Information is a refined form of data.
When information is combined with experience and intuition, it results in knowledge. It is our personal map/model of the world.
Knowledge set with context generates insight. We become knowledgeable as a result of reading, researching, and memorizing (i.e. accumulating information).
Wisdom means the ability to make sound judgments. Wisdom synthesizes knowledge and experiences into insights.
Data-driven culture refers to a workplace where decisions are made based on data evidence, not on gut instinct.
| | 1. Define Data Literacy Objectives | 2. Assess Learning Style and Align to Program Design | 3. Socialize Roadmap and Milestones |
|---|---|---|---|
| Phase Steps | 1.1 Understand organization’s needs 1.2 Create vision and objective for data literacy program | 2.1 Create persona and identify audience 2.2 Assess learning style and align to program design 2.3 Determine the right delivery method | 3.1 Establish a roadmap 3.2 Set key performance metrics and milestones |
| Phase Outcomes | Identify key objectives to establish and grow the data literacy program by articulating the problem and solutions proposed. | Assess each audience’s learning style and adapt the program to their unique needs. | Show a roadmap with key performance indicators to track each milestone and tell a data story. |
– Miro Kazakoff, senior lecturer, MIT Sloan, in MIT Sloan School of Management, 2021
By thoughtfully designing a data literacy training program personalized to each audience's maturity level, learning style, and experience, organizations can develop and grow a data-driven culture that unlocks the data's full potential for competitive differentiation.
We can learn a lot from each other. Literacy works both ways – business data stewards learn to “speak data” while IT data custodians understand the business context and value. Everyone should strive to exchange knowledge.
Avoid traditional classroom teaching – create a data literacy program that is learner-centric to allow participants to learn and experiment with data.
Aligning program design to those learning styles will make participants more likely to be receptive to learning a new skill.
A data literacy program isn’t just about data but rather encompasses aspects of business, IT, and data. With executive support and partnership with business, running a data literacy program means that it won’t end up being just another technical training. The program needs to address why, what, how questions.
A lot of programs don’t include the fundamentals. To get data concepts to stick, focus on socializing the data/information/knowledge/wisdom foundation.
Many programs speak in abstract terms. We present case studies and tangible use cases to personalize training to the audience’s world and showcase opportunities enabled through data.
"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."
"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."
"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."
"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of the project."
| | Session 1 | Session 2 | Session 3 | Session 4 |
|---|---|---|---|---|
| Activities | Define Data Literacy Objectives: 1.1 Review Data Culture Diagnostic results 1.2 Identify business context: business goals, initiatives 1.3 Create vision and objective for data literacy program | Assess Learning Style and Align to Program Design: 2.1 Identify audience 2.2 Assess learning style and align to program design 2.3 Determine the right delivery method | Build a Data Literacy Roadmap and Milestones: 3.1 Identify program initiatives and topics 3.2 Determine delivery methods 3.3 Build the data literacy roadmap | Operational Strategy to implement Data Literacy: 4.1 Identify key performance metrics 4.2 Identify owners and document RACI matrix 4.3 Discuss next steps and wrap up. |
| Deliverables | | | | |
Foster Data-Driven Culture With Data Literacy
Contact your Info-Tech Account Representative for details on launching a Data Culture Diagnostic.
Data collected through Info-Tech’s Data Culture Diagnostic suggests three ways to improve data literacy:
think more can be done to define and document commonly used terms with methods such as a business data glossary.
think they can have a better understanding of the meaning of all data elements that are being captured or managed.
feel that they can have more training in terms of tools as well as on what data is available at the organization.
Source: Info-Tech Research Group's Data Culture Diagnostic, 2022; N=2,652
Start with real business problems in a hands-on format to demonstrate the value of data.
Treat data as a strategic asset to gain insight into our customers for all levels of organization.
"According to Forrester, 91% of organizations find it challenging to improve the use of data insights for decision-making – even though 90% see it as a priority. Why the disconnect? A lack of data literacy."
– Alation, 2020
Info-Tech provides various topics suited for a data literacy program that can accommodate different data skill requirements and encompasses relevant aspects of business, IT, and data.
Use discovery and diagnostics to understand users’ comfort level and maturity with data.
feel that training was too long to remember or to apply in their day-to-day work.
find training had insufficient follow-up to help them apply on the job.
Source: Grovo, 2018.
IT and data professionals need to understand the business as much as the business needs to talk about data. Bidirectional learning and feedback improve the synergy between business and IT.
Choose a data role (e.g. data steward, data owner, data scientist).
Describe the persona based on goals, priorities, tenures, preferred learning style, type of work with data.
Identify data skill and level of skills required.
Tailor your data literacy program to meet your organization’s needs, filling your range of knowledge gaps and catering to different levels of users.
When it comes to rolling out a data literacy program, there is no one-size-fits-all solution. Your data literacy program is intended to spread knowledge throughout your organization. It should target everyone from executive leadership to management to subject matter experts across all functions of the business.
The imaginative learner group likes to engage in feelings and spend time on reflection. This type of learner desires personal meaning and involvement. They focus on personal values for themselves and others and make connections quickly.
For this group of learners, their question is: why should I learn this?
The analytical learner group likes to listen, to think about information, and to come up with ideas. They are interested in acquiring facts and delving into concepts and processes. They can learn effectively and enjoy doing independent research.
For this group of learners, their question is: what should I learn?
The common sense learner group likes thinking and doing. They are satisfied when they can carry out experiments, build and design, and create usability. They like tinkering and applying useful ideas.
For this group of learners, their question is: how should I learn?
The dynamic learner group learns through doing and experiencing. They are continually looking for hidden possibilities and researching ideas to make original adjustments. They learn through trial and error and self-discovery.
For this group of learners, their question is: what if I learn this?
There are four common ways to learn a new skill: by watching, conceptualizing, doing, and experiencing. The following are some suggestions on ways to implement your data literacy program through different delivery methods.
For the Gantt chart:
| Name | Position |
| Andrea Malick | Advisory Director, Info-Tech Research Group |
| Andy Neill | AVP, Data and Analytics, Chief Enterprise Architect, Info-Tech Research Group |
| Crystal Singh | Research Director, Info-Tech Research Group |
| Imad Jawadi | Senior Manager, Consulting Advisory, Info-Tech Research Group |
| Irina Sedenko | Research Director, Info-Tech Research Group |
| Reddy Doddipalli | Senior Workshop Director, Info-Tech Research Group |
| Sherwick Min | Technical Counselor, Info-Tech Research Group |
| Wayne Cain | Principal Advisory Director, Info-Tech Research Group |
| | Session 1 | Session 2 | Session 3 | Session 4 |
| Activities | Understand the WHY and Value of Data: 1.1 Business context, business objectives, and goals; 1.2 You and data; 1.3 Data journey from data to insights; 1.4 Speak data – common terminology | Learn about the WHAT Through Data Flow: 2.1 Data creation; 2.2 Data ingestion; 2.3 Data accumulation; 2.4 Data augmentation; 2.5 Data delivery; 2.6 Data consumption | Explore the HOW Through Data Visualization Training: 3.1 Ask the right questions; 3.2 Find the top five data elements; 3.3 Understand your data; 3.4 Present your data story; 3.5 Sharing of lessons learned | Put Them All Together Through Data Governance Awareness: 4.1 Data governance framework; 4.2 Data roles and responsibilities; 4.3 Data domain and owners |
Deliver measurable business value.
Key to building and fostering a data-driven culture.
Streamline your data management program with our simplified framework.
About Learning. “4MAT overview.” About Learning., 16 Aug. 2001. Web.
Accenture. “The Human Impact of Data Literacy,” Accenture, 2020. Web.
Anand, Shivani. “IDC Reveals India Data and Content Technologies Predictions for 2022 and onwards; Focus on Data Literacy for an Elevated data Culture.” IDC, 14 Mar. 2022. Web.
Belissent, Jennifer, and Aaron Kalb. “Data Literacy: The Key to Data-Driven Decision Making.” Alation, April 2020. Web.
Brown, Sara. “How to build data literacy in your company.” MIT Sloan School of Management, 9 Feb 2021. Web.
---. “How to build a data-driven company.” MIT Sloan School of Management, 24 Sept. 2020. Web.
Domo. “Data Never Sleeps 9.0.” Domo, 2021. Web.
Dykes, Brent. “Creating A Data-Driven Culture: Why Leading By Example Is Essential.” Forbes, 26 Oct. 2017. Web.
Experian. “10 signs you are sitting on a pile of data debt.” Experian, 2020. Accessed 25 June 2021. Web.
Experian. “2019 Global Data Management Research.” Experian, 2019. Web.
Knight, Michelle. “Data Literacy Trends in 2023: Formalizing Programs.” Dataversity, 3 Jan. 2023. Web.
Ghosh, Paramita. “Data Literacy Skills Every Organization Should Build.” Dataversity, 2 Nov. 2022. Web.
Johnson, A., et al., “How to Build a Strategy in a Digital World,” Compact, 2018, vol. 2. Web.
LifeTrain. “Learning Style Quiz.” EMTrain, Web.
Lambers, E., et al. “How to become data literate and support a data-drive culture.” Compact, 2018, vol. 4. Web.
Marr, Bernard. “Why is data literacy important for any business?” Bernard Marr & Co., 16 Aug. 2022. Web.
Marr, Bernard. “8 simple ways to enhance your data literacy skills.” Bernard Marr & Co., 16 Aug. 2022. Web.
Mendoza, N.F. “Data literacy: Time to cure data phobia.” Tech Republic, 27 Sept. 2022. Web.
Mizrahi, Etai. “How to stay ahead of data debt and downtime?” Secoda, 17 April 2023. Web.
Needham, Mass., “IDC FutureScape: Top 10 Predictions for the Future of Intelligence.” IDC, 5 Dec. 2022. Web.
Paton, J., and M.A.P. op het Veld. “Trusted Analytics.” Compact, 2017, vol. 2. Web.
Qlik. “Data Literacy to be Most In-Demand Skill by 2030 as AI Transforms Global Workplaces.” Qlik., 16 Mar 2022. Web.
Qlik. “What is data literacy?” Qlik, n.d. Web.
Reed, David. Becoming Data Literate. Harriman House Publishing, 1 Sept. 2021. Print.
Salomonsen, Summer. “Grovo’s First-Time Manager Microlearning® Program Will Help Your New Managers Thrive in 2018.” Grovos Blog, 5 Dec. 2018. Web.
Webb, Ryan. “More Than Just Reporting: Uncovering Actionable Insights From Data.” Welocalize, 1 Sept. 2020. Web.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Assist your employees in setting appropriate development goals.
Review existing and identify new development activities that employees can undertake to achieve their goals.
Establish manager and employee follow-up accountabilities.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Begin strategy development by assigning roles and responsibilities for the team and establishing the initial direction for the strategy.
Create business process maps that incorporate how applications and data are coordinated to support business activities.
Review your integration map to identify improvement opportunities, explore integration solutions, and consolidate activity outputs into a strategy presentation.
Discuss the general approach for creating a holistic enterprise integration strategy.
Define the initial direction and drivers.
Strategy development team with responsibilities identified.
Clear initial direction for the strategy based on senior stakeholder input.
1.1 Define the driving statements for your EI strategy.
1.2 Develop a RACI chart.
1.3 Discuss the current state of enterprise integration.
1.4 Establish the initial direction of your strategy by surveying senior stakeholders.
Vision, mission, and values for enterprise integration
RACI chart for strategy development
Documentation of past integration projects
Chief Enterprise Integration Officer job description template
Build a comprehensive map of what integration looks like for your target business processes.
Clear documentation of the integration environment, encompassing process, data, and applications.
2.1 Develop level-0 and level-1 business capability diagrams.
2.2 Identify the business processes of focus, based on relevance to overall corporate drivers.
2.3 Complete process flow diagrams.
2.4 Begin identifying the applications that are involved in each step of your process.
2.5 Detail the connections/interactions between the applications in your business processes.
2.6 Draw a current state diagram for application integration.
2.7 Identify the data elements created, used, and stored throughout the processes, as well as systems of record.
Business capability maps
Business process flow diagrams
Current state integration diagram
Completed integration map
Review the outputs of the integration mapping activities.
Educate strategy team on the potential integration solutions.
Consolidate the findings of the activities into a compelling strategy presentation.
Integration improvement opportunities are identified.
Direction and drivers for enterprise integration are finalized.
Understanding of the benefits and limitations of some integration solutions.
3.1 Discuss the observations/challenges and opportunities for improvement.
3.2 Refine the focus of the strategy by conducting a more detailed stakeholder survey.
3.3 Review the most common integration solutions for process, applications, and data.
3.4 Create a future state integration architecture diagram.
3.5 Define the IT and business critical success factors for EI.
3.6 Articulate the risks with pursuing (and not pursuing) an EI strategy.
3.7 Quantify the monetary benefits of the EI strategy.
3.8 Discuss best practices for presenting the strategy and organize the presentation content.
Critical success factors and risks for enterprise integration
Monetary benefits of enterprise integration
Completed enterprise integration strategy presentation
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Evaluate what software maintenance you are spending money on.
Establish your software M&S requirements and coverage.
Optimize your M&S spend: reduce or eliminate it where applicable.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Assess current prevention, detection, analysis, and response capabilities.
Design your optimized state of operations.
Identify opportunities for collaboration within your security program.
Determine current prevention, detection, analysis, and response capabilities, operational inefficiencies, and opportunities for improvement.
Determine why you need a sound security operations program.
Understand Info-Tech’s threat collaboration environment.
Evaluate your current security operation’s functions and capabilities.
1.1 Understand the benefits of refining your security operations program.
1.2 Gauge your current prevention, detection, analysis, and response capabilities.
Security Operations Preliminary Maturity Assessment Tool
Begin developing and prioritizing gap initiatives in order to achieve the optimal state of operations.
Establish your goals, obligations, scope, and boundaries.
Assess your current state and define a target state.
Develop and prioritize gap initiatives.
Define the cost, effort, alignment, and security benefits of each initiative.
Develop a security strategy operational roadmap.
2.1 Assess your current security goals, obligations, and scope.
2.2 Design your ideal target state.
2.3 Prioritize gap initiatives.
Information Security Strategy Requirements Gathering Tool
Security Operations Maturity Assessment Tool
Identify opportunities for collaboration.
Formalize your operational process flows.
Develop a comprehensive and actionable measurement program.
Understand the current security operations process flow.
Define the security operations stakeholders and their respective deliverables.
Formalize an internal information-sharing and collaboration plan.
3.1 Identify opportunities for collaboration.
3.2 Formalize a security operations collaboration plan.
3.3 Define operational roles and responsibilities.
3.4 Develop a comprehensive measurement program.
Security Operations RACI & Program Plan Tool
Security Operations Collaboration Plan
Security Operations Cadence Schedule Template
Security Operations Metrics Summary
“A reactive security operations program is no longer an option. The increasing sophistication of threats demands a streamlined yet adaptable mitigation and remediation process. Protect your assets by preparing for the inevitable; unify your prevention, detection, analysis, and response efforts and provide assurance to your stakeholders that you are making information security a top priority.”
Edward Gray,
Consulting Analyst, Security, Risk & Compliance
Info-Tech Research Group
Average data breach costs per compromised record hit an all-time high of $217 (in 2015); $74 is direct cost (e.g. legal fees, technology investment) and $143 is indirect cost (e.g. abnormal customer churn). (Source: Ponemon Institute, “2015 Cost of Data Breach Study: United States”)
(Source: The Network, “Cisco 2017 Security Capabilities Benchmark Study”)
60% of organizations say security operation teams have little understanding of each other’s requirements.
40% of executives report that poor coordination leads to excessive labor and IT operational costs.
38-100% increase in efficiency after closing operational gaps with collaboration.
(Source: Forbes, “The Game Plan for Closing the SecOps Gap”)
“Empower a few administrators with the best information to enable fast, automated responses.”
Insufficient security personnel resourcing has been identified as the most prevalent challenge in security operations…
When an emergency security incident strikes, weak collaboration and poor coordination among critical business functions will magnify inefficiencies in the incident response (IR) process, impacting the organization’s ability to minimize damage and downtime.
The solution: optimize your SOC. Info-Tech has seen SOCs with five analysts outperform SOCs with 25 analysts through tools and process optimization.
Legacy security operations centers (SOCs) fail to address gaps between data sources, network controls, and human capital. There is limited visibility and collaboration between departments, resulting in siloed decisions that do not support the best interests of the organization.
Security operations is part of what Info-Tech calls a threat collaboration environment, where members must actively collaborate to address cyberthreats affecting the organization’s brand, business operations, and technology infrastructure on a daily basis.
Prevent: Defense in depth is the best approach to protect against unknown and unpredictable attacks. Diligent patching and vulnerability management, endpoint protection, and strong human-centric security (amongst other tactics) are essential.
Detect: There are two types of companies – those who have been breached and know it and those who have been breached and don’t know it. Ensure that monitoring, logging, and event detection tools are in place and appropriate to your organizational needs.
Analyze: Raw data without interpretation cannot improve security and is a waste of time, money, and effort. Establish a tiered operational process that not only enriches data but also provides visibility into your threat landscape.
Respond: Organizations can’t rely on an ad hoc response anymore – don’t wait until a state of panic. Formalize your response processes in a detailed incident runbook in order to reduce incident remediation time and effort.
Vulnerability Management
Vulnerability management revolves around the identification, prioritization, and remediation of vulnerabilities. Vulnerability management teams hunt to identify which vulnerabilities need patching and remediating.
Threat Intelligence
Threat intelligence addresses the collection, analysis, and dissemination of external threat data. Analysts act as liaisons to their peers, publishing actionable threat alerts, reports, and briefings. Threat intelligence proactively monitors and identifies whether threat indicators are impacting your organization.
Operations
Security operations include the real-time monitoring and analysis of events based on the correlation of internal and external data sources. This also includes incident escalation based on impact. Analysts are constantly tuning and tweaking rules and reporting thresholds to further help identify which indicators are most impactful during the analysis phase of operations.
Develop and Implement a Security Incident Management Program
Incident Response
Effective and efficient management of incidents involves a formal process of analysis, containment, eradication, recovery, and post-incident activities. IR teams coordinate root-cause analysis and incident gathering while facilitating post-incident lessons learned. Incident response can provide valuable threat data that ties specific indicators to threat actors or campaigns.
…better protect your organization with an interdependent and collaborative security operations program.
Phase 01: Assess your operational requirements. Briefly assess your current prevention, detection, analysis, and response capabilities. Highlight operational weak spots that should be addressed before progressing.
Phase 02: Optimize and further mature your security operations processes. Develop a prioritized list of security-focused operational initiatives. Conduct a holistic analysis of your operational capabilities.
Phase 3a: Develop the process flow and specific interaction points between functions. Define the operational interaction points between security-focused operational departments. Document the results in a comprehensive operational interaction agreement.
Phase 3b: Test your current capabilities with a tabletop exercise. Test your operational processes with Info-Tech’s security operations tabletop exercise.
Effective security operations management will help you do the following:
A practical approach to justifying the value of security operations is to identify the assets at risk and calculate the cost to the company should the information assets be compromised (i.e. assess the damage an attacker could do to the business).
| Cost Structure | | Cost Estimation ($) for SMB (small and medium-sized business) | Cost Estimation ($) for LE (large enterprise) |
| Security controls | Technology investment: software, hardware, facility, maintenance, etc. Cost of process implementation: incident response, CMDB, problem management, etc. Cost of resource: salary, training, recruiting, etc. | $0-300K/year | $200K-2M/year |
| Security incidents (if no security control is in place) | Explicit cost: | $15K-650K/year | $270K-11M/year |
Contact your account representative or email Workshops@InfoTech.com for more information.
| | Workshop Day 1 | Workshop Day 2 | Workshop Day 3 | Workshop Day 4 | Workshop Day 5 |
| Activities | | | | | |
| Deliverables | | | | | All Final Deliverables |
1. Assess Operational Requirements | 2. Develop Maturity Initiatives | 3. Define Interdependencies
Security operations is no longer a center, but a process. The need for a physical security hub has evolved into the virtual fusion of prevention, detection, analysis, and response efforts. When all four functions operate as a unified process, your organization will be able to proactively combat changes in the threat landscape.
Estimated time to completion: 30 minutes
Discussion: Why are we pursuing this project? What are the objectives for optimizing and developing sound security operations?
Stakeholders Required:
Resources Required:
Don’t develop a security operations program with the objective of zero incidents. This reliance on prevention results in over-engineered security solutions that cost more than the assets being protected.
Security operations must provide several fundamental functions:
At its core, a security operations program is responsible for the prevention, detection, analysis, and response of security events.
Optimized security operations can seamlessly integrate threat and incident management processes with monitoring and compliance workflows and resources. This integration unlocks efficiency.
[Figure: Security operations capabilities, increasing from Foundational to Operational to Strategic]
Security operations is part of what Info-Tech calls a threat collaboration environment, where members must actively collaborate to address threats impacting the organization’s brand, operations, and technology infrastructure.
Info-Tech Best Practice: Ensure that information flows freely throughout the threat collaboration environment – each function should serve to feed and enhance the next.
The value of a SOC can be achieved with fewer prerequisites than you think. While it is difficult to cut back on process and technology requirements, human capital is transferrable between roles and functions and can be cross-trained to satisfy operational gaps.
People. Effective human capital is fundamental to establishing an efficient security operations program, and if enabled correctly, can be the driving factor behind successful process optimization. Ensure you address several critical human capital components:
Processes. Formal and informal mechanisms that bridge security throughout the collaboration environment and organization at large. Ask yourself:
Technology. The composition of all infrastructure, systems, controls, and tools that enable processes and people to operate and collaborate more efficiently. Determine:
At a high level, assess your organization’s operational maturity in each of the threat collaboration environment functions. Determine whether the foundational processes exist in order to mature and streamline your security operations.
Prioritize the component most important to the development of your security operations program.
Each “security capability” covers a component of the overarching “security function.”
Assign a current and target maturity score to each respective security capability. (Note: The CMMI maturity scores are further explained on the following slide.)
Document any/all comments for future Info-Tech analyst discussions.
Ad Hoc
| 1 | Initial/Ad Hoc: Activity is not well defined and is ad hoc, e.g. no formal roles or responsibilities exist, de facto standards are followed on an individual-by-individual basis. |
| 2 | Developing: Activity is established and there is moderate adherence to its execution, e.g. while no formal policies have been documented, content management is occurring implicitly or on an individual-by-individual basis. |
| 3 | Defined: Activity is formally established, documented, repeatable, and integrated with other phases of the process, e.g. roles and responsibilities have been defined and documented in an accessible policy, however, metrics are not actively monitored and managed. |
| 4 | Managed and Measurable: Activity execution is tracked by gathering qualitative and quantitative feedback, e.g. metrics have been established to monitor the effectiveness of tier-1 SOC analysts. |
| 5 | Optimized: Qualitative and quantitative feedback is used to continually improve the execution of the activity, e.g. the organization is an industry leader in the respective field; research and development efforts are allocated in order to continuously explore more efficient methods of accomplishing the task at hand. |
Optimized
Notes: Info-Tech seldom sees a client achieve a CMMI score of 4 or 5. To achieve a state of optimization there must be a subsequent trade-off elsewhere. As such, we recommend that organizations strive for a CMMI score of 3 or 4.
Review the report cards for each of the respective threat collaboration environment functions.
Self-Assessment Questions
Functional threat intelligence is a prerequisite for effective security operations – without it, security operations will be inefficient and redundant. Eliminate false positives by contextualizing threat data, aligning intelligence with business objectives, and building processes to satisfy those objectives.
A common challenge for security leaders is learning to express their initiatives in terms that are meaningful to business executives.
Frame the importance of your security operations program to
Oftentimes resourcing and funding is dependent on the
Corporate goals and objectives can be categorized into three major buckets:
Developing a security operations strategy is a proactive activity that enables you to get in front of any upcoming business projects or industry trends rather than having to respond reactively later on. Consider as many foreseeable variables as possible!
It is important to define all security-related areas of responsibility. Upon completion you should clearly understand what you are trying to secure.
Ask yourself:
The organizational scope and boundaries can be categorized into four major buckets:
This also includes what is not within scope. For some outsourced services or locations you may not be responsible for security. For some business departments you may not have control of security processes. Make explicit at the outset what will be included in and what will be excluded from security considerations.
Explicitly understanding how security aligns with the core business mission is critical for having a strategic plan and fulfilling the role of business enabler.
Download and complete the information security goals, obligations, and scope activities (Section 1.3) within the Info-Tech security strategy research publication. If previously completed, take the time to review your results.
GOALS and OBLIGATIONS
PROGRAM SCOPE & BOUNDARIES
If a well-defined corporate strategy does not exist, these questions can help pinpoint objectives:
For more information on how to complete the goals & obligations activity please reference Section 1.3 of Info-Tech’s Build an Information Security Strategy blueprint.
On tab 1. Goals and Obligations:
On tab 2. Scope and Boundaries:
For the purpose of this security operations initiative please IGNORE the risk tolerance activities on tab 3.
A common challenge for security leaders is expressing their initiatives in terms that are meaningful to business executives. This exercise helps make explicit the link between what the business cares about and what security is trying to do.
Define your current and target state: Self-assess your current security operations capabilities and determine your intended state.
Create your gap initiatives: Determine the operational processes that must be completed in order to achieve the target state.
Prioritize your initiatives: Define your prioritization criteria (cost, effort, alignment, security benefit) based on your organization
Build a Gantt chart for your upcoming initiatives: The final output will be a Gantt to action your prioritized initiatives.
Progressive improvements provide the most value to IT and your organization. Leaping from pre-foundation to complete optimization is an ineffective goal. Systematic improvements to your security performance deliver value to your organization at each step along the way.
Dashboards: Centralized visibility, threat analytics, and orchestration enable faster threat detection with fewer resources.
Adding more controls to a network never increases resiliency. Identify technological overlaps and eliminate unnecessary costs.
Automation: There is a shortfall in human capital in contrast to the required tools and processes. Automate the more trivial processes.
SOCs with 900 employees are just as efficient as those with 35-40. There is an evident tipping point in marginal value.
There are no plug-and-play technological solutions – each is accompanied by a growing pain and an affiliated human capital cost.
Planning: Narrow the scope of operations to focus on protecting assets of value.
Cross-train employees throughout different silos. Enable them to wear multiple hats.
Practice: None of the processes happen in a vacuum. Make the most of tabletop exercises and other training exercises.
Define appropriate use cases and explicitly state threat escalation protocol. Focus on automating the tier-1 analyst role.
1. Review: The heading in blue is the security domain, light blue is the subdomain, and white is the specific control.
2. Determine and Record: Ask participants to identify your organization’s current maturity level for each control. Next, determine a target maturity level that meets the requirements of the area (requirements should reflect the goals and obligations defined earlier).
3. In small groups, have participants answer “what is required to achieve the target state?” Not all current/target state gaps will require additional description, explanation, or an associated initiative. You can generate one initiative that may apply to multiple line items.
When customizing your gap initiatives consider your organizational requirements and scope while remaining realistic. Below is an example of lofty vs. realistic initiatives:
Lofty: Perform thorough, manual security analysis. Realistic: Leverage our SIEM platform to perform more automated security analysis through the use of log information.
| Initiatives | | Consolidated Initiatives | |
|---|---|---|---|
| Document data classification and handling in AUP | → | Document data classification and handling in AUP | Keep urgent or exceptional initiatives separate so they can be addressed appropriately. |
| Document removable media in AUP | → | Define and document an Acceptable Use Policy | Other similar or related initiatives can be consolidated into one item. |
| Document BYOD and mobile devices in AUP | → | | |
| Document company assets in Acceptable Use Policy (AUP) | → | | |
After inputting your current and target scores and defining your gap initiatives in tab 2, review tab 3. Current Maturity and tab 4. Maturity Gap in Info-Tech’s Security Operations Maturity Assessment Tool. Automatically built charts and tables provide a clear visualization of your current maturity. Presenting these figures to stakeholders and management can help visually draw attention to high-priority areas and contextualize the gap initiatives for which you will be seeking support.
Communicate the value of future security projects to stakeholders by copying relevant charts and tables into an executive stakeholder communication presentation (ask an Info-Tech representative for further information).
Define low, medium, and high resource allocation, and other variables for your gap initiatives in the Concept of Operations Maturity Assessment Tool. These variables include:
Info-Tech Best Practice: When considering these parameters, aim to use already existing resource allocations. For example, if there is a dollar value that would require you to seek approval for an expense, this might be the difference between a medium and a high cost category.
Info-Tech Best Practice: Make sure you consider the value of AND/OR. For either alignment with business or security benefit, AND/OR conditions can serve as useful thresholds for ranking initiatives of similar importance but different value. Example: with alignment with business, an initiative can indirectly support a key compliance requirement OR meet a key corporate goal.
You cannot do everything – and you probably wouldn’t want to. Make educated decisions about which projects are most important and why.
Identify easy-win tasks and high-value projects worth fighting for.
Categorize the Initiative: Select the gap initiative type from the drop-down list. Each category (Must, Should, Could, and Won’t) is considered to be an “execution wave.” There is also a specific order of operations within each wave. Based on dependencies and order of importance, you will execute on some “must-do” items before others.
Assign Criteria: For each gap initiative, evaluate it based on your previously defined parameters for each variable.
Overall Cost/Effort Rating: An automatically generated score between 0 and 12. The higher the score attached to the initiative, the more effort required. The must-do, low-scoring items are quick wins and must be prioritized first.
CASE STUDY
Industry: Financial Services | Source: Info-Tech Research Group
Framework Components
Security Domains & Accompanied Initiatives (A portion of completed domains and initiatives)
CSC began by creating over 100 gap initiatives across Info-Tech’s seven security domains.
| Current-State Assessment | Context & Leadership | Compliance, Audit & Review | Security Prevention |
|---|---|---|---|
| Gap Initiatives Created | 12 Initiatives | 14 Initiatives | 45 Initiatives |
Gap Initiative Prioritization
CSC’s defined low, medium, and high levels for cost and staffing are specific to the organization.
CSC then consolidated its initiatives to create fewer than 60 concise tasks.
*Initiatives and variables have been changed or modified to maintain anonymity.
In the Gantt chart, go through each wave in sequence and determine the planned start date and planned duration for each gap initiative. As you populate the planned start dates, take into consideration the resource constraints or dependencies for each project. Go back and revise the granular execution wave to resolve any conflicts you find.
Review considerations
This is a living management document
To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
Onsite workshops offer an easy way to accelerate your project. If a Guided Implementation isn’t enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to successfully complete your project.
If you are not communicating, then you are not secure.
Call 1-888-670-8889 or email workshops@infotech.com for more information.
Self-Assessment Questions
1. Assess Operational Requirements | 2. Develop Maturity Initiatives | 3. Define Interdependencies
If you are not communicating, you are not secure. Collaboration eliminates siloed decisions by connecting people, processes, and technologies. You leave less room for error, consume fewer resources, and improve operational efficiency with a transparent security operations process.
| Define Strategic Needs and Requirements | Participate in Information Sharing | Communicate Clearly |
Simple collaborative activities, such as a biweekly meeting, can unite prevention, detection, analysis, and response teams to help prevent siloed decision making.
| Document your security operations’ functional capabilities and operational tasks to satisfy each capability. | What resources will you leverage to complete the specific task/capability? Identify your internal and external collection sources to satisfy the individual requirement. | Identify the affiliated product, service, or output generated from the task/capability. | Determine your escalation protocol. Who are the stakeholders you will be sharing this information with? |
Capabilities: The major responsibilities of a specific function. These are the high-level processes that are expected to be completed by the affiliated employees and/or stakeholders.
Tasks: The specific and granular tasks that need to be completed in order to satisfy a portion of or the entire capability.
Download Info-Tech’s Security Operations RACI Chart & Program Plan.
Security Operations Collaboration Plan
Security operations provides a single pane of glass through which the threat collaboration environment can manage its operations.
How to customize
The security operations interaction agreement identifies opportunities for optimization through collaboration and cross-training. The document is composed of several components:
Understand the operational cut-off points. While collaboration is encouraged, understand when the onus shifts to the rest of the threat collaboration environment.
Security Operations RACI Chart & Program Plan
Formally documenting roles and responsibilities helps hold people accountable and creates awareness of everyone’s involvement in various tasks.
How to customize
Download Info-Tech’s Security Operations RACI Chart & Program Plan.
| Internal Consumers | External Consumers |
Note: Your organization might not be the final target, but it could be a primary path for attackers. If you exist as a third-party partner to another organization, your responsibility in your technology ecosystem extends beyond your own product or service offerings.
“In order to support a healthy constituency, network operations and security operations should be viewed as equal partners, rather than one subordinate to the other.” (Mitre world-class CISO)
Security Operations Program Service & Product Catalog
Create an informal security operations program service and product catalog. Work your way backwards – map each deliverable to the respective stakeholders and functions.
| Action/Output | Frequency | Stakeholders/Function |
|---|---|---|
| Document the key services and outputs produced by the security operations program. For example: | Define the frequency for which each deliverable or service is produced or conducted. Leverage this activity to establish a state of accountability within your threat collaboration environment. | Identify the stakeholders or groups affiliated with each output. Remember to include potential MSSPs. |

Remember to include any target-state outputs or services identified in the maturity assessment.
Use this exercise as an opportunity to organize your security operations outputs and services.
Develop a central web/knowledge portal that is easily accessible throughout the threat collaboration environment.
Ensure information is shared in a format that relates to the particular end user. Internal consumers fall into two categories:
Collaboration includes the exchange of:
Collaboration can be achieved through:
Isolation prevents businesses from learning from each other’s mistakes and/or successes.
Security Operations Program Cadence Schedule Template
Design your meetings around your security operations program’s outputs and capabilities
How to customize
Don’t operate in a silo. Formalize a cadence schedule to develop a state of accountability, share information across the organization, and discuss relevant trends. A detailed cadence schedule should include the following:
Schedule regular meetings composed of key members from different working groups to discuss concerns, share goals, and communicate operational processes pertaining to their specific roles.

(Source: iSIGHT, “Definitive Guide to Threat Intelligence”)
Refrain from using scare tactics such as fear, uncertainty, and doubt (FUD). While this may be a short-term solution, it limits the longevity of your operations as senior management is not truly invested in the initiative.
Example: Align your strategic needs with those of management.
Identify assets of value, current weak security measures, and potential adversaries. Demonstrate how an optimized security operations program can mitigate those threats.
There are three types of metrics pertaining to security operations:
1) Operations-focused: Operations-focused metrics are typically communicated through a centralized visualization such as a dashboard. These metrics guide operational efforts, identifying operational and control weak points while ensuring the appropriate actions are taken to fix them. Examples include, but are not limited to:
2) Business-focused: The evaluation of operational success from a business perspective. Example metrics include:
3) Initiative-focused: The measurement of security operations project progress. These are frequently represented as time, resource, or cost-based metrics.
Note: Remember to measure end-user feedback. Asking stakeholders about their current expectations via a formal survey is the most effective way to kick-start the continuous improvement process.
Info-Tech Best Practice: Operational metrics have limited value beyond security operations – when communicating to management, focus on metrics that are actionable from a business perspective.
Download Info-Tech’s Security Operations Metrics Summary Document.
Leverage Info-Tech’s Security Operations Tabletop Exercise to guide simulations to validate your operational procedures.
How to customize
This tabletop exercise is available through an onsite workshop as we can help establish and design a tabletop capability for your organization.
Self-Assessment Questions
Insights
Best Practices
Protect your organization with an interdependent and collaborative security operations program.
“2016 State of Cybersecurity in Small & Medium-Sized Businesses (SMB).” Ponemon Institute, June 2016. Web. 10 Nov. 2016.
Ahmad, Shakeel et al. “10 Tips to Improve Your Security Incident Readiness and Response.” RSA, n.d. Web. 12 Nov. 2016.
Anderson, Brandie. “Building, Maturing & Rocking a Security Operations Center.” Hewlett Packard, n.d. Web. 4 Nov. 2016.
Barnum, Sean. “Standardizing cyber threat intelligence information with the structured threat information expression.” STIX, n.d. Web. 03 Oct. 2016.
Bidou, Renaud. “Security Operation Center Concepts & Implementation.” IV2-Technologies, n.d. Web. 20 Nov. 2016.
Bradley, Susan. “Cyber threat intelligence summit.” SANS Institute InfoSec Reading Room, n.d. Web. 03 Oct. 2016.
“Building a Security Operations Center.” DEF CON Communications, Inc., 2015. Web. 14 Nov. 2016.
“Building a Successful Security Operations Center.” ArcSight, 2015. Web. 21 Nov. 2016.
“Building an Intelligence-Driven Security Operations Center.” RSA, June 2014. Web. 25 Nov. 2016.
Caltagirone, Sergio, Andrew Pendergast, and Christopher Betz. “Diamond Model of Intrusion Analysis,” Center for Cyber Threat Intelligence and Threat Research, 5 July 2013. Web. 25 Aug. 2016.
“Cisco 2017 Annual Cybersecurity Report: Chief Security Officers Reveal True Cost of Breaches and the Actions Organizations Are Taking.” The Network. Cisco, 31 Jan. 2017. Web. 11 Nov. 2017.
“CITP Training and Education.” Carnegie Mellon University, 2015. Web. 03 Oct. 2016.
“Creating and Maintaining a SOC.” Intel Security, n.d. Web. 14 Nov. 2016.
“Cyber Defense.” Mandiant, 2015. Web. 10 Nov. 2016.
“Cyber Security Operations Center (CSOC).” Northrop Grumman, 2014. Web. 14 Nov. 2016.
Danyliw, Roman. “Observations of Successful Cyber Security Operations.” Carnegie Mellon, 12 Dec. 2016. Web. 14 Dec. 2016.
“Designing and Building Security Operations Center.” SearchSecurity. TechTarget, Mar. 2016. Web. 14 Dec. 2016.
EY. “Managed SOC.” EY, 2015. Web. 14 Nov. 2016.
Fishbach, Nicholas. “How to Build and Run a Security Operations Center.” Securite.org, n.d. Web. 20 Nov. 2016.
“Framework for improving critical infrastructure cybersecurity.” National Institute of Standards and Technology, 12 Feb. 2014. Web.
Friedman, John, and Mark Bouchard. “Definitive Guide to Cyber Threat Intelligence.” iSIGHT, 2015. Web. 1 June 2015.
Goldfarb, Joshua. “The Security Operations Hierarchy of Needs.” Securityweek.com, 10 Sept. 2015. Web. 14 Dec. 2016.
“How Collaboration Can Optimize Security Operations.” Intel, n.d. Web. 2 Nov. 2016.
Hslatman. “Awesome threat intelligence.” GitHub, 16 Aug. 2016. Web. 03 Oct. 2016.
“Implementation Framework – Collection Management.” Carnegie Mellon University, 2015. Web.
“Implementation Framework – Cyber Threat Prioritization.” Carnegie Mellon University, 03 Oct. 2016. Web. 03 Oct. 2016.
“Intelligent Security Operations Center.” IBM, 25 Feb. 2015. Web. 15 Nov. 2016.
Joshi, Abhishek. “Best Practices for Security Operations Center.” LinkedIn, 01 Nov. 2015. Web. 14 Nov. 2016.
Joshi. “Best Practices for a Security Operations Center.” Cybrary, 18 Sept. 2015. Web. 14 Dec. 2016.
Kelley, Diana and Ron Moritz. “Best Practices for Building a Security Operations Center.” Information Security Today, 2006. Web. 10 Nov. 2016.
Killcrece, Georgia, Klaus-Peter Kossakowski, Robin Ruefle, and Mark Zajicek. “Organizational Models for Computer Security Incident Response Teams (CSIRTs).” Carnegie Mellon Software Engineering Institute, Dec. 2003. Carnegie Mellon. Web. 10 Nov. 2016.
Kindervag, John. “SOC 2.0: Three Key Steps toward the Next-generation Security Operations Center.” SearchSecurity. TechTarget, Dec. 2010. Web. 14 Dec. 2016.
Kvochko, Elena. “Designing the Next Generation Cyber Security Operations Center.” Forbes Magazine, 14 Mar. 2016. Web. 14 Dec. 2016.
Lambert, P. “Security Operations Center: Not Just for Huge Enterprises.” TechRepublic, 31 Jan. 2013. Web. 10 Nov. 2016.
Lecky, M. and D. Millier. “Re-Thinking Security Operations.” SecTor Security Education Conference. Toronto, 2014.
Lee, Michael. “Three Elements That Every Advanced Security Operations Center Needs.” CSO | The Resource for Data Security Executives, n.d. Web. 16 Nov. 2016.
Linch, David and Jason Bergstrom. “Building a Culture of Continuous Improvement in an Age of Disruption.” Deloitte LLP, 2014.
Lynch, Steve. “Security Operations Center.” InfoSec Institute, 14 May 2015. Web. 14 Dec. 2016.
Macgregor, Rob. “Diamonds or chains – cyber security updates.” PwC, n.d. Web. 03 Oct. 2016.
“Make Your Security Operations Center (SOC) More Efficient.” Making Your Data Center Energy Efficient (2011): 213-48. Intel Security. Web. 20 Nov. 2016.
Makryllos, Gordon. “The Six Pillars of Security Operations.” CSO | The Resource for Data Security Executives, n.d. Web. 14 Nov. 2016.
Marchany, R. “Building a Security Operations Center.” Virginia Tech, 2015. Web. 8 Nov. 2016.
Marty, Raffael. “Dashboards in the Security Operations Center (SOC).” Security Bloggers Network, 15 Jan. 2016. Web. 14 Nov. 2016.
Minu, Adolphus. “Discovering the Value of Knowledge Portal.” IBM, n.d. Web. 1 Nov. 2016.
Muniz, J., G. McIntyre, and N. AlFardan. “Introduction to Security Operations and the SOC.” Security Operations Center: Building, Operating, and Maintaining your SOC. Cisco Press, 29 Oct. 2015. Web. 14 Nov. 2016.
Muniz, Joseph and Gary McIntyre. “Security Operations Center.” Cisco, Nov. 2015. Web. 14 Nov. 2016.
Muniz, Joseph. “5 Steps to Building and Operating an Effective Security Operations Center (SOC).” Cisco, 15 Dec. 2015. Web. 14 Dec. 2016.
Nathans, David. Designing and Building a Security Operations Center. Syngress, 2015. Print.
National Institute of Standards and Technology. “SP 800-61 Revision 2: Computer Security Incident Handling Guide.” 2012. Web.
National Institute of Standards and Technology. “SP 800-83 Revision 1.” 2013. Web.
National Institute of Standards and Technology. “SP 800-86: Guide to Integrating Forensic Techniques into Incident Response.” 2006. Web.
F5 Networks. “F5 Security Operations Center.” F5 Networks, 2014. Web. 10 Nov. 2016.
“Next Generation Security Operations Center.” DTS Solution, n.d. Web. 20 Nov. 2016.
“Optimizing Security Operations.” Intel, 2015. Web. 4 Nov. 2016.
Paganini, Pierluigi. “What Is a SOC (Security Operations Center)?” Security Affairs, 24 May 2016. Web. 14 Dec. 2016.
Ponemon Institute LLC. “Cyber Security Incident Response: Are we as prepared as we think?” Ponemon, 2014. Web.
Ponemon Institute LLC. “The Importance of Cyber Threat Intelligence to a Strong Security Posture.” Ponemon, Mar. 2015. Web. 17 Aug. 2016.
Poputa-Clean, Paul. “Automated defense – using threat intelligence to augment.” SANS Institute InfoSec Reading Room, 15 Jan. 2015. Web.
Quintagroup. “Knowledge Management Portal Solution.” Quintagroup, n.d. Web.
Rasche, G. “Guidelines for Planning an Integrated Security Operations Center.” EPRI, Dec. 2013. Web. 25 Nov. 2016.
Rehman, R. “What It Really Takes to Stand up a SOC.” Rafeeq Rehman – Personal Blog, 27 Aug. 2015. Web. 14 Dec. 2016.
Rothke, Ben. “Designing and Building Security Operations Center.” RSA Conference, 2015. Web. 14 Nov. 2016.
Ruks, Martyn and David Chismon. “Threat Intelligence: Collecting, Analysing, Evaluating.” MWR Infosecurity, 2015. Web. 24 Aug. 2016.
Sadamatsu, Takayoshi. “Practice within Fujitsu of Security Operations Center.” Fujitsu, July 2016. Web. 15 Nov. 2016.
Sanders, Chris. “Three Useful SOC Dashboards.” Chris Sanders, 24 Oct. 2016. Web. 14 Nov. 2016.
SANS Institute. “Incident Handler's Handbook.” 2011. Web.
Schilling, Jeff. “5 Pitfalls to Avoid When Running Your SOC.” Dark Reading, 18 Dec. 2014. Web. 14 Nov. 2016.
Schinagl, Stef, Keith Schoon, and Ronald Paans. “A Framework for Designing a Security Operations Centre (SOC).” 2015 48th Hawaii International Conference on System Sciences. Computer.org, 2015. Web. 20 Nov. 2016.
“Security – Next Gen SOC or SOF.” InfoSecAlways.com, 31 Dec. 2013. Web. 14 Nov. 2016.
“Security Operations Center Dashboard.” Enterprise Dashboard Digest, n.d. Web. 14 Dec. 2016.
“Security Operations Center Optimization Services.” AT&T, 2015. Web. 5 Nov. 2016.
“Security Operations Centers — Helping You Get Ahead of Cybercrime Contents.” EY, 2014. Web. 6 Nov. 2016.
Sheikh, Shah. “DTS Solution - Building a SOC (Security Operations Center).” LinkedIn, 4 May 2013. Web. 20 Nov. 2016.
Soto, Carlos. “Security Operations Center (SOC) 101.” Tom's IT Pro, 28 Oct. 2015. Web. 14 Dec. 2016.
“Standardizing and Automating Security Operations.” National Institute of Standards and Technology, 3 Sept. 2006. Web.
“Strategy Considerations for Building a Security Operations Center.” IBM, Dec. 2013. Web. 5 Nov. 2016.
“Summary of Key Findings.” Carnegie Mellon University, 03 Oct. 2016. Web. 03 Oct. 2016.
“Sustainable Security Operations.” Intel, 2016. Web. 20 Nov. 2016.
“The Cost of Malware Containment.” Ponemon Institute, Jan. 2015. Web.
“The Game Plan for Closing the SecOps Gap.” BMC. Forbes Magazine, Jan. 2016. Web. 10 Jan. 2017.
Veerappa Srinivas, Babu. “Security Operations Centre (SOC) in a Utility Organization.” GIAC, 17 Sept. 2014. Web. 5 Nov. 2016.
Wang, John. “Anatomy of a Security Operations Center.” NASA, 2015. Web. 2 Nov. 2016.
Weiss, Errol. “Statement for the Record.” House Financial Services Committee, 1 June 2012. Web. 12 Nov. 2016.
Wilson, Tim. “SOC 2.0: A Crystal-Ball Glimpse of the Next-Generation Security Operations Center.” Dark Reading, 22 Nov. 2010. Web. 10 Nov. 2016.
Zimmerman, Carson. “Ten Strategies of a World-Class Cybersecurity Operations Center.” Mitre, 2014. Web. 24 Aug. 2016.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Reveal the opportunities to heighten the user experience of your website through a deep understanding of the behaviors, emotions, and needs of your end users in order to design a receptive and valuable website.
Design a satisfying and receptive website by leveraging industry best practices and modern UX trends and ensuring the website is supported with reliable and scalable data and infrastructure.
List the business objectives of your website.
Describe your user personas, use cases, and user workflow.
Identify current UX issues through simulations, website design, and system reviews.
Strong understanding of the business goals of your website.
Knowledge of the behaviors and needs of your website’s users.
Realization of the root causes behind the UX issues of your website.
1.1 Define the business objectives for the website you want to optimize
1.2 Define your end-user personas and map them to use cases
1.3 Build your website user workflow
1.4 Conduct a SWOT analysis of your website to drive out UX issues
1.5 Gauge the UX competencies of your web development team
1.6 Simulate your user workflow to identify the steps driving down UX
1.7 Assess the composition and construction of your website
1.8 Understand the execution of your website with a system architecture
1.9 Pinpoint the technical reason behind your UX issues
1.10 Clarify and prioritize your UX issues
Business objectives
End-user personas and use cases
User workflows
Website SWOT analysis
UX competency assessment
User workflow simulation
Website design assessment
Current state of web system architecture
Gap analysis of web system architecture
Prioritized UX issues
Design wireframes and storyboards to be aligned to high priority use cases.
Design a web system architecture that can sufficiently support the website.
Identify UX metrics to gauge the success of the website.
Establish a website design process flow.
Implementation of key design elements and website functions that users will find stimulating and valuable.
Optimized web system architecture to better support the website.
Website design process aligned to your current context.
Rollout plan for your UX optimization initiatives.
2.1 Define the roles of your UX development team
2.2 Build your wireframes and user storyboards
2.3 Design the target state of your web environment
2.4 List your UX metrics
2.5 Draw your website design process flow
2.6 Define your UX optimization roadmap
2.7 Identify and engage your stakeholders
Roles of UX development team
Wireframes and user storyboards
Target state of web system architecture
List of UX metrics
List of your suppliers, inputs, processes, outputs, and customers
Website design process flow
UX optimization rollout roadmap
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
This phase will walk you through the following activities:
This phase will help you customize Level 1 Project Gates with appropriate roles and responsibilities.
This phase will help you customize Level 2 Project Gates with appropriate roles and responsibilities.
This phase will help you customize Level 3 Project Gates with appropriate roles and responsibilities. It will also help you determine next steps and milestones for the adoption of the new process.
Understand the role of gating and why we need it.
Determine what projects will follow the gating process and how to classify them.
Establish the role of the project sponsor throughout the entire project lifecycle.
Get stakeholder buy-in for the process.
Ensure there is a standard leveling process to determine size, risk, and complexity of requests.
Engage the project sponsor throughout the portfolio and project processes.
1.1 Project Gating Review
1.2 Establish appropriate project levels
1.3 Define the role of the project sponsor
Project Intake Classification Matrix
Project Sponsor Role Description Template
This phase will help you customize Level 1 Project Gates with appropriate roles and responsibilities.
Create a lightweight project gating process for small projects.
2.1 Review level 1 project gating process
2.2 Determine what gates should be part of your custom level 1 gating process
2.3 Establish required artifacts for each gate
2.4 Define the stakeholder’s roles and responsibilities at each gate
Documented outputs in the Project Gating Strategic Template
This phase will help you customize Level 2 Project Gates with appropriate roles and responsibilities.
Create a heavier project gating process for medium projects.
3.1 Review level 2 project gating process
3.2 Determine what gates should be part of your custom level 2 gating process
3.3 Establish required artifacts for each gate
3.4 Define the stakeholder’s roles and responsibilities at each gate
This phase will help you customize Level 3 Project Gates with appropriate roles and responsibilities.
Come up with a roadmap for the adoption of the new project gating process.
Create a comprehensive project gating process for large projects.
4.1 Review level 3 project gating process
4.2 Determine what gates should be part of your custom level 3 gating process
4.3 Establish required artifacts for each gate
4.4 Define the stakeholder’s roles and responsibilities at each gate
4.5 Determine next steps and milestones for process adoption
Documented outputs in the Project Gating Strategic Template
Documented Project Gating Reference Document for all stakeholders
Organizations wishing to improve their IT financial management (ITFM) maturity often face the following obstacles:
No matter where you currently stand in your ITFM practice, there is always room for improvement. Hence, a maturity assessment should be viewed as a self-improvement tool that is only valuable if you are willing to act on it.
A mature ITFM practice leads to many benefits.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
This research seeks to support IT leaders and ITFM practitioners in evaluating and improving their current maturity. It will help document both current and target states as well as prioritize focus areas for improvement.
This Excel workbook guides IT finance practitioners to effectively assess their IT financial management practice. Incorporate the visual outputs into your final executive presentation document. Key activities include context setting, completing the assessment, and prioritizing focus areas based on results.
Use this template to document your final ITFM maturity outputs, including the current and target states and your identified priorities.
Technology has been evolving throughout the years, increasing complexity and investments, while putting more stress on operations and people involved. As an IT leader, you are now entrusted to run your outfit as a business, sit at the executive table as a true partner, and be involved in making decisions that best suit your organization. Therefore, you have an obligation to fulfill the needs of your end customers and live up to their expectations, which is not an easy task.
IT financial management (ITFM) helps you generate value to your organization’s clientele by bringing necessary trade-offs to light, while driving effective dialogues with your business partners and leadership team.
This research will focus on Info-Tech’s approach to ITFM maturity, aiming for a state of continuous improvement, where an organization can learn and grow as it adapts to change. As the ITFM practice matures, IT and business leaders will be able to better understand one another and together make better business decisions, driven by data.
This client advisory presentation and accompanying tool seek to support IT leaders and ITFM practitioners in evaluating and improving their current maturity. It will help document both current and target states as well as prioritize focus areas for improvement.
Bilal Alberto Saab
Research Director, IT Financial Management, Info-Tech Research Group
ITFM is often discarded and not given enough importance and relevance due to the operational nature of IT, and the specialized skillset of its people, leading to several problems and challenges, such as:
Business-driven conversations around financials (spending, cost, revenue) are a rarity in IT due to several factors, including:
Mature your ITFM practice by activating the means to make informed business decisions.
Info-Tech’s methodology helps you move the dial by focusing on three maturity focus areas:
Influence your organization’s strategic direction by maturing your ITFM practice.
“ITFM embeds technology in financial management practices. Through cost, demand, and value, ITFM brings technology and business together, forging the necessary relationships and starting the right conversations to enable the best decisions for the organization.”
– Monica Braun, Research Director, Info-Tech Research Group
“Value is not the numbers you visualize on a chart, it’s the dialogue this data generates with your business partners and leadership team.”
– Dave Kish, Practice Lead, Info-Tech Research Group
In a technology-driven world, advances come at a price. With greater spending required, more complex and difficult conversations arise.
79% of respondents believe that decisions taking too long to make is either a significant or somewhat of a challenge (Flexera 2022 Tech Spend Pulse; N=501).
81% of respondents believe that ensuring spend efficiency (avoiding waste) is either a challenge or somewhat of a challenge (Flexera 2022 Tech Spend Pulse; N=501).
In today’s world, where organizations are driving customer experience through technology investments, having a seat at the table means IT leaders must be well versed in business language and practice, including solid financial management skills.
However, IT staff across all industries aren’t very confident in how well IT is doing in managing its finances. This becomes evident after looking at three core processes:
Recent data from 4,137 respondents to Info-Tech’s IT Management & Governance Diagnostic shows that while most IT staff feel that these three financial management processes are important, notably fewer feel that IT management is effective at executing on them.
IT leadership’s capabilities around fundamental cost data capture appear to be lagging, not to mention the essential value-added capabilities around optimizing costs and demonstrating IT’s contribution to business value.

Source: Info-Tech Research Group, IT Management & Governance Diagnostic, 2023.
Note: See Appendix A for maturity level definitions and descriptions.
Info-Tech identified three maturity focus areas, each containing three levers.
Identify where you stand across the nine maturity levers, detect the gaps, and determine your priorities as a first step to develop an improvement plan.
Note: See Appendix B for maturity level definitions and descriptions per lever.
Each step of this activity is accompanied by supporting deliverables to help you accomplish your goals.
Build your improvement plan and implement your initiatives to move the dial and climb the maturity ladder.
| DIY Toolkit | Guided Implementation | Workshop | Consulting |
| "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." | "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." | "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." | "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project." |
Diagnostics and consistent frameworks are used throughout all four options.
3 hours
Input: Understanding your context, objectives, and methodology
Output: ITFM maturity assessment stakeholders and their objectives, ITFM maturity assessment methodology, ITFM maturity assessment takers
Materials: 1a. Prepare for Assessment tab in the ITFM Maturity Assessment Tool
Participants: CIO/IT director, CFO/finance director, IT finance lead, IT audit lead, Other IT management
Download the IT Financial Management Maturity Assessment Tool
Refer to the example and guidelines below on how to document stakeholders, objectives, and methodology (table range: columns B to G and rows 8 to 15).
| Column ID | Input Type | Guidelines |
| B | Formula | Automatic calculation, no entry required. |
| C | Text | Enter the full name of each stakeholder on a separate row. |
| D | Text | Enter the job title related to each stakeholder. |
| E | Text | Enter the objective(s) related to each stakeholder. |
| F | Text | Enter the agreed upon methodology. |
| G | Text | Enter any notes or comments per stakeholder (optional). |
Refer to the example and guidelines below on how to document assessment takers (table range: columns B to E and rows 18 to 25).
| Column ID | Input Type | Guidelines |
| B | Formula | Automatic calculation, no entry required. |
| C | Text | Enter the full name of each assessment taker on a separate row. |
| D | Text | Enter the job title related to each stakeholder to identify which party is being represented per assessment taker. |
| E | Text | Enter any notes or comments per stakeholder (optional). |
3 hours
Input: Understanding of your ITFM current state and 12-month target state, ITFM maturity assessment results
Output: ITFM current- and target-state maturity levels, average scores, and variance, ITFM current- and target-state average scores, variance, and priority by maturity focus area and maturity lever
Materials: 1b. Glossary, 2a. Assess ITFM Foundation, 2b. Assess Mngt. & Monitoring, 2c. Assess Language, and 3. Assessment Summary tabs in the ITFM Maturity Assessment Tool
Participants: CIO/IT director, CFO/finance director, IT finance lead, IT audit lead, Other IT management
Refer to the example and guidelines below on how to complete the survey.
| Column ID | Input Type | Guidelines |
| B | Formula | Automatic calculation, no entry required. |
| C | Formula | Automatic calculation, no entry required: ITFM maturity statement to assess. |
| D, E | Dropdown | Select the maturity levels of your current and target states. One of five maturity levels for each statement, from “1. Nonexistent” (lowest maturity) to “5. Advanced” (highest maturity). |
| F, G, H | Formula | Automatic calculation, no entry required: scores associated with your current and target state selection, along with related variance (column G – column F). |
| I | Text | Enter any notes or comments per ITFM maturity statement (optional). |
Refer to the example and guidelines below on how to review your results.
| Column ID | Input Type | Guidelines |
| K | Formula | Automatic calculation, no entry required. |
| L | Formula | Automatic calculation, no entry required: Current State, Target State, and Variance entries. Please ignore the current state benchmark, it’s a placeholder for future reference. |
| M | Formula | Automatic calculation, no entry required: average overall maturity score for your Current State and Target State entries, along with related Variance. |
| N, O | Formula | Automatic calculation, no entry required: maturity level and related name based on the overall average score (column M), where level 1 corresponds to an average score less than or equal to 1.49, level 2 corresponds to an average score between 1.5 and 2.49 (inclusive), level 3 corresponds to an average score between 2.5 and 3.49 (inclusive), level 4 corresponds to an average score between 3.5 and 4.49 (inclusive), and level 5 corresponds to an average score between 4.5 and 5 (inclusive). |
| P, Q | Formula | Automatic calculation, no entry required: maturity definition and related description based on the maturity level (column N). |
Refer to the example and guidelines below on how to review your results per maturity focus area and maturity lever, then prioritize accordingly.
| Column ID | Input Type | Guidelines |
| B | Formula | Automatic calculation, no entry required. |
| C | Formula | Automatic calculation, no entry required: ITFM maturity focus area or lever, depending on the table. |
| D | Placeholder | Ignore this column because it’s a placeholder for future reference. |
| E, F, G | Formula | Automatic calculation, no entry required: average score related to the current state and target state, along with the corresponding variance per maturity focus area or lever (depending on the table). |
| H | Formula | Automatic calculation, no entry required: preliminary priority based on the average variance (column G), where Low corresponds to an average variance between 0 and 0.5 (inclusive), Medium corresponds to an average variance between 0.51 and 0.99 (inclusive), and High corresponds to an average variance greater than or equal to 1. |
| J | Dropdown | Select your final priority (Low, Medium, or High) per ITFM maturity focus area or lever, depending on the table. |
| K | Whole Number | Enter the appropriate rank based on your priorities; do not use the same number more than once. A whole number between 1 and 3 to rank ITFM maturity focus areas, and between 1 and 9 to rank ITFM maturity levers, depending on the table. |
3 hours
Input: ITFM maturity assessment results
Output: Customized ITFM maturity assessment report
Materials: 3. Assessment Summary tab in the ITFM Maturity Assessment Tool, ITFM Maturity Assessment Report Template
Participants: CIO/IT director, CFO/finance director, IT finance lead, IT audit lead, Other IT management
Refer to the example below on charts depicting different views of the maturity assessment results across the three focus areas and nine levers.
Refer to the example below on slides depicting different views of the maturity assessment results across the three maturity focus areas and nine maturity levers.
Slide 6: Edit levels based on your assessment results. Copy and paste the appropriate maturity level definition and description from slide 4.
Slide 7: Copy related charts from the assessment summary tab in the Excel workbook and remove the chart title. You can use the “Outer Offset: Bottom” shadow under shape effects on the chart.
Slide 8: Copy related charts from the assessment summary tab in the Excel workbook and remove the chart title and legend. You can use the “Outer Offset: Center” shadow under shape effects on the chart.
Download the IT Financial Management Maturity Assessment Report Template
Communicate your maturity results with stakeholders and develop an actionable ITFM improvement plan.
And remember, having informed discussions with your business partners and stakeholders, where technology helps propel your organization forward, is priceless!
Dave Kish, Practice Lead, ITFM Practice, Info-Tech Research Group
Jennifer Perrier, Principal Research Director, ITFM Practice, Info-Tech Research Group
Angie Reynolds, Principal Research Director, ITFM Practice, Info-Tech Research Group
Monica Braun, Research Director, ITFM Practice, Info-Tech Research Group
Rex Ding, Research Specialist, ITFM Practice, Info-Tech Research Group
Aman Kumari, Research Specialist, ITFM Practice, Info-Tech Research Group
Amy Byalick, Vice President, IT Finance, Info-Tech Research Group
Amy Byalick is an IT Finance practitioner with 15 years of experience supporting CIOs and IT leaders in elevating IT financial storytelling and unlocking insights. Amy is currently working at Johnson Controls as the VP, IT Finance, and previously worked at PepsiCo, AmerisourceBergen, and Jacobs.
Carol Carr, Technical Counselor, Executive Services, Info-Tech Research Group
Scott Fairholm, Executive Counselor, Executive Services, Info-Tech Research Group
Gokul Rajan, Executive Counselor, Executive Services, Info-Tech Research Group
Allison Kinnaird, Practice Lead, Infrastructure & Operations, Info-Tech Research Group
Isabelle Hertanto, Practice Lead, Security & Privacy, Info-Tech Research Group
Achieve IT Spending Transparency: Mature your ITFM practice by activating the means to make informed business decisions.
Build Your IT Cost Optimization Roadmap: Develop an IT cost optimization strategy based on your specific circumstances and timeline.
Eby, Kate. “The Complete Guide to Organizational Maturity: Models, Levels, and Assessments.” Smartsheet, 8 June 2022. Web.
“Financial Management Maturity Model.” National Audit Office, n.d. Accessed 28 Apr. 2023.
“ITFM/TBM Program Maturity Guide.” Nicus Software, n.d. Accessed 28 Apr. 2023.
Jouravlev, Roman. "Service Financial Management: ITIL 4 Practice Guide." Axelos, 2020.
McCarthy, Seamus. “Financial Management Maturity Model: A Good Practice Guide.” Office of the Comptroller & Auditor General, 26 June 2018. Web.
“Principles for Effective Risk Data Aggregation and Risk Reporting.” Bank for International Settlements, Jan. 2013. Web.
“Role & Influence of the Technology Decision-Maker 2022.” Foundry, 2022. Web.
Stackpole, Beth. “State of the CIO, 2022: Focus turns to IT fundamentals.” CIO, 21 March 2022. Web.
“Tech Spend Pulse.” Flexera, 2022. Web.
| Maturity Level | Definition | Description |
| Nascent Level 1 | Inability to consistently deliver financial planning services. | ITFM practices are almost inexistent. Only the most basic financial tasks and activities are being performed on an ad hoc basis to fulfill the Finance department’s requests. |
| Cost Operator Level 2 | Rudimentary financial planning capabilities. | ITFM activities revolve around minimizing the IT budget as much as possible. ITFM practices are not well defined, and IT’s financial view is limited to day-to-day technical operations. IT is only involved in low complexity decision making, where financial conversations center on general ledger items and IT spending. |
| Trusted Coordinator Level 3 | Enablement of business through cost-effective supply of technology. | ITFM activities revolve around becoming a proficient and cost-effective technology supplier to business partners. ITFM practices are in place, with moderate coordination and adherence to execution. Various IT business units coordinate to produce a consolidated financial view focused on business services. IT is involved in moderate complexity decision making, as a technology subject matter expert, where financial conversations center on IT spending in relation to technology services or solutions provided to business partners. |
| Value Optimizer Level 4 | Effective impact on business performance. | ITFM activities revolve around optimizing existing technology investments to improve both IT and business performance. ITFM practices are well managed, established, documented, repeatable, and integrated as necessary across the organization. IT’s financial view ties technology investments to lines of business, business products, and business capabilities. Business partners are well informed on the technology mix and drive related discussion. IT is trusted to contribute to complex decision making around existing investments to cost-effectively plan initiatives, as well as enhance business performance. |
| Strategic Partner Level 5 | Influence on the organization’s strategic direction. | ITFM activities revolve around predicting the outcome of new or potential technology investments to continuously optimize business performance. ITFM practices are fully optimized, reviewed, and improved in a continuous and sustainable manner, and related execution is tracked by gathering qualitative and quantitative feedback. IT’s financial view is holistic and fully integrated with the business, with an outlook on innovation, growth, and strategic transformation. Business and IT leaders know the financial ramifications of every business and technology investment decision. IT is trusted to contribute to strategic decision making around potential and future investments to grow and transform the business. |
| Maturity Level | Definition | Description |
| Nascent Level 1 | Inability to provide any type of financial insight. | ITFM tasks, activities, and functions are not being met in any way, shape, or form. |
| Cost Operator Level 2 | Ability to provide basic financial insights. | There is no dedicated ITFM team. |
| Trusted Coordinator Level 3 | Ability to provide basic business insights. | A dedicated team is fulfilling essential ITFM tasks, activities, and functions. |
| Value Optimizer Level 4 | Ability to provide valuable business driven insights. | A dedicated ITFM team with well-defined roles and responsibilities can provide effective advice to IT leaders, in a timely fashion, and positively influence IT decisions. |
| Strategic Partner Level 5 | Ability to influence both technology and business decisions. | A dedicated and highly specialized ITFM team is trusted and valued by both IT and Business leaders. |
| Maturity Level | Definition | Description |
| Nascent Level 1 | Inability to ensure any adherence to rules and regulations. | ITFM frameworks, guidelines, policies, and procedures are not developed nor documented. |
| Cost Operator Level 2 | Ability to ensure basic adherence to rules and regulations. | Basic ITFM frameworks, guidelines, policies, and procedures are in place, developed on an ad hoc basis, with no apparent coherence or complete documentation. |
| Trusted Coordinator Level 3 | Ability to ensure compliance to rules and regulations, as well as accountability across ITFM processes. | Essential ITFM frameworks, guidelines, policies, and procedures are in place, coherent, and documented, aiming to (a) comply with rules and regulations, and (b) provide clear accountability. |
| Value Optimizer Level 4 | Ability to ensure compliance to rules and regulations, as well as structure, transparency, and business alignment across ITFM processes. | ITFM frameworks, guidelines, policies, and procedures are well defined, coherent, documented, and regularly reviewed, aiming to (a) comply with rules and regulations, (b) provide clear accountability, and (c) maintain business alignment. |
| Strategic Partner Level 5 | Ability to: | ITFM frameworks, guidelines, policies, and procedures are complete, well defined, coherent, documented, continuously reviewed, and improved, aiming to (a) comply with rules and regulations, (b) provide clear accountability, (c) maintain business alignment, and (d) facilitate the decision-making process. |
| Maturity Level | Definition | Description |
| Nascent Level 1 | Inability to deliver IT financial planning and performance output. | ITFM processes and tools are not developed nor documented. |
| Cost Operator Level 2 | Ability to deliver basic IT financial planning output. | Basic ITFM processes and tools are in place, developed on an ad hoc basis, with no apparent coherence or complete documentation. |
| Trusted Coordinator Level 3 | Ability to deliver accurate IT financial output and basic IT performance output in a consistent cadence. | Essential ITFM processes and tools are in place, coherent, and documented, aiming to (a) maintain integrity across activities, tasks, methodologies, data, and reports; (b) deliver IT financial planning and performance output needed by stakeholders; and (c) provide clear accountability. ITFM tools and processes are adopted by the ITFM team and some IT business units but are not fully integrated. |
| Value Optimizer Level 4 | Ability to deliver accurate IT financial planning and performance output at the needed level of detail to stakeholders in a consistent cadence. | ITFM processes and tools are complete, well defined, coherent, documented, continuously reviewed, and improved, aiming to (a) maintain integrity across activities, tasks, methodologies, data, and reports; (b) deliver IT financial planning and performance output needed by stakeholders; (c) provide clear accountability; and (d) facilitate decision-making. ITFM tools and processes are adopted by IT and business partners but are not fully integrated. |
| Strategic Partner Level 5 | Ability to: | ITFM processes and tools are complete, well defined, coherent, documented, continuously reviewed, and improved, aiming to (a) maintain integrity across activities, tasks, methodologies, data, and reports; (b) deliver IT financial planning and performance output needed by stakeholders; (c) provide clear accountability; and (d) facilitate decision making. |
| Maturity Level | Definition | Description |
| Nascent Level 1 | Inability to provide transparency across technology spending. | ITFM taxonomy and data model are not developed nor documented. |
| Cost Operator Level 2 | Ability to provide transparency and support IT financial planning data, analysis, and reporting needs of finance stakeholders. | ITFM taxonomy and data model are in place, developed on an ad hoc basis, with no apparent coherence or complete documentation, to comply with, and meet the needs of finance stakeholders. |
| Trusted Coordinator Level 3 | Ability to provide transparency and support IT financial planning and performance data, analysis, and reporting needs of IT and finance stakeholders. | ITFM taxonomy and data model are in place, coherent, and documented to meet the needs of IT and finance stakeholders. |
| Value Optimizer Level 4 | Ability to provide transparency and support IT financial planning and performance data, analysis, and reporting needs of IT, finance, business, and executive stakeholders. | ITFM taxonomy and data model are complete, well defined, coherent, documented, continuously reviewed, and improved, aiming to provide (a) a holistic view of IT spending and IT performance, (b) visibility and transparency, (c) flexibility, and (d) valuable insights to facilitate data driven decision making. |
| Strategic Partner Level 5 | Ability to: | ITFM taxonomy and data model are complete, well defined, coherent, documented, continuously reviewed, and improved, aiming to provide (a) a holistic view of IT spending and IT performance, (b) visibility and transparency, (c) flexibility, and (d) valuable insights to facilitate data driven decision making. |
| Maturity Level | Definition | Description |
| Nascent Level 1 | Inability to provide accurate and complete data across technology spending. | ITFM data needs and requirements are not understood. |
| Cost Operator Level 2 | Ability to provide accurate, but incomplete IT financial planning data to meet the needs of finance stakeholders. | Technology spending data is extracted, transformed, and loaded on an ad hoc basis to meet the needs of finance stakeholders. |
| Trusted Coordinator Level 3 | Ability to provide accurate and complete IT financial planning data to meet the needs of IT and finance stakeholders, but IT performance data remain incomplete. | IT financial planning data is extracted, transformed, and loaded in a regular cadence to meet the needs of IT and finance stakeholders. |
| Value Optimizer Level 4 | Ability to provide accurate and complete IT financial planning and performance data to meet the needs of IT, finance, business, and executive stakeholders. | ITFM data needs and requirements are understood. |
| Strategic Partner Level 5 | Ability to provide accurate and complete IT financial planning and performance data real time and when needed by IT, finance, business, and executive stakeholders. | ITFM data needs and requirements are understood. |
| Maturity Level | Definition | Description |
| Nascent Level 1 | Inability to provide any type of financial insight. | ITFM analysis and reports are not developed nor documented. |
| Cost Operator Level 2 | Ability to provide basic financial insights. | IT financial planning analysis is conducted on an ad hoc basis to meet the needs of finance stakeholders. |
| Trusted Coordinator Level 3 | Ability to provide basic financial planning and performance insights to meet the needs of IT and finance stakeholders. | IT financial planning and performance analysis are methodical and rigorous, as defined in related control documents (guideline, policies, procedures, etc.). |
| Value Optimizer Level 4 | Ability to provide practical insights and useful recommendations as needed by IT, finance, business, and executive stakeholders to facilitate business decision making around technology investments. | ITFM analysis and reports support business decision making around technology investments. |
| Strategic Partner Level 5 | Ability to provide practical insights and useful recommendations as needed by IT, finance, business, and executive stakeholders to facilitate strategic decision making. | ITFM analysis and reports support strategic decision making. |
| Maturity Level | Definition | Description |
| Nascent Level 1 | Inability of organization stakeholders to communicate and understand each other. | The organization stakeholders including IT, finance, business, and executives do not understand one another, and cannot speak the same language. |
| Cost Operator Level 2 | Ability to understand business and finance requirements. | IT understands and meets business and financial planning requirements but does not communicate in a similar language. |
| Trusted Coordinator Level 3 | Ability to understand the needs of different stakeholders including IT, finance, business, and executives and take part in decision making around technology spending. | The organization stakeholders including IT, finance, business, and executives understand each other’s needs, but do not communicate in a common language. |
| Value Optimizer Level 4 | Ability to communicate in a common vocabulary across the organization and take part in business decision making around technology investments. | The organization stakeholders including IT, finance, business, and executives communicate in a common vocabulary and understand one another. |
| Strategic Partner Level 5 | Ability to communicate in a common vocabulary across the organization and take part in strategic decision making. | The organization stakeholders including IT, finance, business, and executives communicate in a common vocabulary and understand one another. |
| Maturity Level | Definition | Description |
| Nascent Level 1 | Inability of organization stakeholders to acquire knowledge. | Educational resources are inexistent. |
| Cost Operator Level 2 | Ability to acquire financial knowledge and understand financial concepts. | IT leaders have access to educational resources to gain the financial knowledge necessary to perform their duties. |
| Trusted Coordinator Level 3 | Ability to acquire financial and business knowledge and understand related concepts. | IT leaders and their respective teams have access to educational resources to gain the financial and business knowledge necessary to perform their duties. |
| Value Optimizer Level 4 | Ability to acquire knowledge across technology, business, and finance as needed by different organization stakeholders, and leadership understands concepts across these various domains. | Stakeholders including IT, finance, business, and executives have access to various educational resources to gain knowledge in different domains as needed. |
| Strategic Partner Level 5 | Ability to acquire knowledge, and understand concepts across technology, business, and finance as needed by different organization stakeholders. | The organization promotes continuous learning through well designed programs including training, mentorship, and academic courses. Thus, stakeholders including IT, finance, business, and executives have access to various educational resources to gain knowledge in different domains as needed. |
| Maturity Level | Definition | Description |
| Nascent Level 1 | Inability to provide and foster an environment of collaboration and continuous improvement. | Stakeholders including IT, finance, business, and executives operate in silos, and collaboration between different teams is inexistent. |
| Cost Operator Level 2 | Ability to provide an environment of cooperation to meet the needs of IT, finance, and business leaders. | IT, finance, and business leaders cooperate to meet financial planning requirements as necessary to perform their duties. |
| Trusted Coordinator Level 3 | Ability to provide and foster an environment of collaboration across the organization. | IT, finance, and business collaborate on various initiatives. ITFM employees are trusted and supported by their stakeholders (IT, finance, and business). |
| Value Optimizer Level 4 | Ability to provide and foster an environment of collaboration and continuous improvement, where employees across the organization feel trusted, supported, empowered, and valued. | Stakeholders including IT, finance, business, and executives support and promote continuous improvement, transparency practices, and collaboration across the organization. |
| Strategic Partner Level 5 | Ability to provide and foster an environment of collaboration and continuous improvement, where leaders are willing to change, and employees across the organization feel trusted, supported, empowered, and valued. | Stakeholders including IT, finance, business, and executives support and promote continuous improvement, transparency practices, and collaboration across the organization. |
The focus of this phase is on revealing what designers do during the activity of designing, and on building an understanding of the nature of design ability. We will formally examine the many definitions of design thinking from experts in this field. At the core of this phase are several case studies that illuminate the various aspects of design thinking.
This phase will illustrate the relevance of design in strategy formulation and in service-design. At the core of this phase are several case studies that illuminate these aspects of design thinking. We will also identify the trends impacting your organization and establish a baseline of user-experience with the journeys orchestrated by your organization.
The focus of this phase is to:
The focus of this module is on revealing what designers do during the activity of designing, and on building an understanding of the nature of design ability. We will also review the report on the design-centricity of your organization and subsequently, earmark the areas for improvement.
An intimate understanding of design thinking
An assessment of design-centricity of your organization and identification of areas for improvement
1.1 Discuss case studies on how designers think and work
1.2 Define design thinking
1.3 Review report from Info-Tech’s diagnostic: How design-centric is your organization?
1.4 Earmark areas for improvement to raise the design-centricity of your organization
Report from Info-Tech’s diagnostic: ‘How design-centric is your organization?’ with identified areas for improvement.
In this module, we will discuss the relevance of design in strategy formulation and service design. At the core of this module are several case studies that illuminate these aspects of design thinking. We will also identify the trends impacting your organization. We will establish a baseline of user experience with the journeys orchestrated by your organization.
An in-depth understanding of the relevance of design in strategy formulation and service design
An understanding of the trends that impact your organization
A taxonomy of critical customer journeys and a baseline of customers’ satisfaction with those
2.1 Discuss relevance of design in strategy through case studies
2.2 Articulate trends that impact your organization
2.3 Discuss service design through case studies
2.4 Identify critical customer journeys and baseline customers’ satisfaction with those
2.5 Run a simulation of design in practice
Trends that impact your organization.
Taxonomy of critical customer journeys and a baseline of customers’ satisfaction with those.
The focus of this module is to define an approach for a design program that suits your organization’s specific goals and culture.
An approach for the design program in your organization. This includes aspects of the design program such as its objectives and measures, its model (one of the five archetypes or a hybrid one), and its governance.
3.1 Identify objectives and key measures for your design thinking program
3.2 Structure your program after reviewing five main archetypes of a design program
3.3 Balance between incremental and disruptive innovation
3.4 Review best practices of a design organization
An approach for your design thinking program: objectives and key measures; structure of the program, etc.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Perform a measured value assessment for building and managing a minimum-viable PMO.
Focus on the minimum required to maintain accuracy of portfolio reporting and effectiveness in managing projects.
Emphasize reporting high-level project status as a way to identify and address issues to achieve the best results with the least effort.
Free PMs to focus on actually managing the project while still delivering accurate portfolio metrics.
Ensure project manager compliance with the portfolio reporting process by incorporating activities that create value.
Evaluate success and identify opportunities for further improvement.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Define goals and success criteria.
Finalize agenda.
Gather information: update project and resource lists (Info-Tech recommends using the Project Portfolio Workbook).
More efficiently organized and executed workshop.
Able to better customize and tailor content to your specific needs.
1.1 Discuss specific pain points with regard to project manager allocations
1.2 Review project lists, tools and templates, and other documents
1.3 Map existing strategies to Info-Tech’s framework
Understanding of where efforts must be focused in workshop
Assessment of what existing tools and templates may need to be included in zero-allocation workbook
Revisions that need to be made based on existing strategies
Assess current state (including review of project and resource lists).
Discuss and analyze SWOT around project and portfolio management.
Define target state.
Define standards / SOP / processes for project and portfolio management.
Gain perspective on how well your processes match up with the amount of time your project managers have for their PM duties.
Determine the value of the time and effort that your project teams are investing in project management activities.
Begin to define resource optimized processes for zero-allocation project managers.
Ensure consistent implementation of processes across your portfolio.
Establish project discipline and best practices that are grounded in actual project capacity.
2.1 Perform and/or analyze Minimum-Viable PMO Needs Assessment
2.2 SWOT analysis
2.3 Identify target allocations for project management activities
2.4 Begin to define resource optimized processes for zero-allocation project managers
Current state analysis based on Minimum-Viable PMO Needs Assessment
Overview of current strengths, weaknesses, opportunities and threats
Target state analysis based on Minimum-Viable PMO Needs Assessment
A refined Minimum-Viable Project and Portfolio Management SOP
Select and customize project and portfolio management toolkit.
Implement (test/pilot) toolkit and processes.
Customize project manager training plan.
Evaluate and refine toolkit and processes as needed.
Ensure consistent implementation of processes across your portfolio.
Establish project discipline and best practices that are grounded in actual project capacity.
A customized training session that will suit the needs of your project managers.
3.1 Customize the Zero-Allocation Toolkit to accommodate the needs of your projects
3.2 Test toolkit on projects currently underway
3.3 Tweak project manager training to suit the needs of your team
Customized Zero-Allocation Project Management Workbook
A tested and standardized copy of the workbook
A customized training session for your project managers (to take place on Day 4 of Info-Tech’s workshop)
Communicate project and portfolio management SOP to Project Managers.
Deliver project manager training: standards for portfolio reporting and toolkit.
Equip project managers to improve their level of discipline and documentation without spending more time in record keeping and task management.
Execute a successful training session that clearly and succinctly communicates your minimal and resource-optimized processes.
4.1 Project Manager Training, including communication of the processes and standard templates and reports that will be adopted by all project managers
Educated and disciplined project managers, aware of the required processes for portfolio reporting
Debrief from the training session.
Plan for ongoing evaluation and improvement.
Evaluate and refine toolkit and processes if needed.
Answer any remaining questions.
Assess portfolio and project manager performance in light of the strategy implemented.
Understanding of how to keep living documents like the workbook and SOP up to date.
Clearly defined next steps.
5.1 Review the customized tools and templates
5.2 Send relevant documentation to relevant stakeholders
5.3 Schedule review call
5.4 Schedule follow-up call with analysts to discuss progress in six months
Finalized workbook and processes
Satisfied and informed stakeholders
Scheduled review call
Scheduled follow-up call
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Partner with the business to determine goals and establish high-level scope.
Find out what the target organization’s I&O looks like.
Build a plan to achieve a day 1 MVP.
Chart a roadmap for long-term integration.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Establish goals and conduct discovery.
Alignment with business goals
Documentation of target organization’s current state
0.1 Consult with stakeholders.
0.2 Establish M&A business goals.
0.3 Conduct target discovery.
0.4 Document own environment.
0.5 Clarify goals.
Stakeholder communication plan
M&A business goals
I&O M&A Discovery Template
Current state of organization
Assess risk and value of target organization.
Accurate scope of I&O integration
Risk mitigation plans
Value realization strategies
1.1 Scope I&O M&A project.
1.2 Assess risks.
1.3 Assess value.
I&O M&A Project Napkin
Risk assessment
Value assessment
Establish day 1 integration project plan.
Smoother day 1 integration
2.1 Determine Day 1 minimum viable operating model post M&A.
2.2 Identify gaps.
2.3 Build day 1 project plan.
2.4 Estimate required resources.
Day 1 project plan
Draw long-term integration roadmap.
Improved alignment with M&A goals
Greater realization of the deal’s value
3.1 Set long-term future state goals.
3.2 Create a long-term project plan.
3.3 Consult with business stakeholders on the long-term plan.
Long-term integration project plan
Prepare for organization and culture change.
Refine M&A I&O integration process.
Smoother change management
Improved M&A integration process
4.1 Complete a change management plan.
4.2 Conduct a process post-mortem.
Change management plan
Process improvements action items
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Use this storyboard to lay the foundation of people and resources management practices in your small enterprise IT department.
Use these concise exercises to analyze your department’s current and future talent needs and create a skill sourcing strategy to fill the gaps.
Work through an activity to discover key knowledge held by an employee and create a plan to transfer that knowledge to a successor.
Assess employees’ development needs and draft a development plan that fits with key organizational priorities.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Set project direction and analyze workforce needs.
Planful needs analysis ensures future workforce supports organizational goals.
1.1 Set workforce planning goals and success metrics.
1.2 Identify key roles and competency gaps.
1.3 Conduct a risk analysis to identify future needs.
1.4 Determine readiness of internal successors.
Work with the leadership team to:
Extract key business priorities.
Set your goals.
Assess workforce needs.
Conduct a skill sourcing analysis, and determine competencies to develop internally.
A careful analysis ensures skills are being sourced in the most efficient way, and internal development is highly aligned with organizational objectives.
2.1 Determine your skill sourcing route.
2.2 Determine priority competencies for development.
Create a workforce plan.
Determine guidelines for employee development.
Discover knowledge to be transferred, and build a transfer plan.
Ensure key knowledge is not lost in the event of a departure.
3.1 Discover knowledge to be transferred.
3.2 Identify the optimal knowledge transfer methods.
3.3 Create a knowledge transfer plan.
Discover tacit and explicit knowledge.
Create a knowledge transfer roadmap.
Create a development plan for all staff.
A well-structured development plan helps engage and retain employees while driving organizational objectives.
4.1 Identify target competencies & draft development goals
4.2 Select development activities and schedule check-ins.
4.3 Build manager coaching skills.
Assess employees.
Prioritize development objectives.
Plan development activities.
Build management skills.
Research Navigation
Managing the people in your department is essential, whether you have three employees or 300. Depending on your available time, resources, and current workforce management maturity, you may choose to focus on the overall essentials, or dive deep into particular areas of talent management. Use the questions below to help guide you to the right Info-Tech resources that best align with your current needs.
| Question | If you answered "no" | If you answered "yes" |
|---|---|---|
| Does your IT department have fewer than 15 employees, and is your organization's revenue less than $25 million (USD)? | Review Info-Tech's archive of research for mid-sized and large enterprise clients. | Follow the guidance in this blueprint. |
| Does your organization require a more rigorous and customizable approach to workforce management? | Follow the guidance in this blueprint. | Review Info-Tech's archive of research for mid-sized and large enterprise clients. |
It can be tempting to think of workforce planning as a bureaucratic exercise reserved for the largest and most formal of organizations. But workforce planning is never more important than in small enterprises, where every individual accounts for a significant portion of your overall productivity.
Without workforce planning, organizations find themselves in reactive mode, hiring new staff as the need arises. They often pay a premium for having to fill a position quickly or suffer productivity losses when a critical role goes unexpectedly vacant.
A workforce plan helps you anticipate these challenges, come up with solutions to mitigate them, and allocate resources for the most impact, which means a greater return on your workforce investment in the long run.
This blueprint will help you accomplish this quickly and efficiently. It will also provide you with the essential development and knowledge transfer tools to put your plan into action.
Jane Kouptsova
Senior Research Analyst, CIO Advisory
Info-Tech Research Group
52% of small business owners agree that labor quality is their most important problem.1
Almost half of all small businesses face difficulty due to staff turnover.
76% of executives expect the talent market to get even more challenging.2
76% of executives expect workforce planning to become a top strategic priority for their organization.2
But…
30% of small businesses do not have a formal HR function.3
Small business leaders are often left at a disadvantage for hiring and retaining the best talent, and they face even more difficulty due to a lack of support from HR.
Small enterprises must solve the strategic workforce planning problem, but they cannot invest the same time or resources that large enterprises have at their disposal.
A modular, lightweight approach to workforce planning and talent management, tailored to small enterprises
Clear activities that guide your team to decisive action
Founded on your IT strategy, ensuring you have not just good people, but the right people
Concise yet comprehensive, covering the entire workforce lifecycle from competency planning to development to succession planning and reskilling
Every resource counts. When one hire represents 10% of your workforce, it is essential to get it right.
1 CNBC & SurveyMonkey. 2 ADP. 3 Clutch.
Strategic workforce planning (SWP) is a systematic process designed to identify and address gaps in today's workforce, including pinpointing the human capital needs of the future.
Linking workforce planning with strategic planning ensures that you have the right people in the right positions, in the right places, at the right time, with the knowledge, skills, and attributes to deliver on strategic business goals.
SWP helps you understand the makeup of your current workforce and how well prepared it is or isn't (as the case may be) to meet future IT requirements. By identifying capability gaps early, CIOs can prepare to train or develop current staff and minimize the need for severance payouts and hiring costs, while providing clear career paths to retain high performers.
| 52% | of small business owners agree that labor quality is their most important problem.1 |
|---|---|
| 30% | of small businesses have no formal HR function.2 |
| 76% | of senior leaders expect workforce planning to become the top strategic challenge for their organization.3 |

1 CNBC & SurveyMonkey. 2 Clutch. 3 ADP.
You know that staffing mistakes can cost your department dearly. But did you know the costs are greater for small enterprises?
The price of losing an individual goes beyond the cost of hiring a replacement, which can range from 0.5 to 2 times that employee's salary (Gallup, 2019). Additional costs include loss of productivity, business knowledge, and team morale.
This is a major challenge for large organizations, but the threat is even greater for small enterprises, where a single individual accounts for a large proportion of IT's productivity. Losing one of a team of 10 means 10% of your total output. If that individual was solely responsible for a critical function, your department now faces a significant gap in its capabilities. And the effect on morale is much greater when everyone is on the same close-knit team.
And the threat continues when the staffing error causes you not to lose a valuable employee, but to hire the wrong one instead. When a single individual makes up a large percentage of your workforce, as happens on small teams, the effects of talent management errors are magnified.

One bad hire on a team of 100 is a problem. One bad hire on a team of 10 is a disaster.
People and resource management is essential for any organization. But depending on your needs, you may want to start at different stages of the process. Use this slide as a quick reference for how the activities in this blueprint fit together, how they relate to other workforce management resources, and the best starting point for you.
Your IT strategy is an essential input to your workforce plan. It defines your destination, while your workforce is the vessel that carries you there. Ensure you have at least an informal strategy for your department before making major workforce changes, or review Info-Tech's guidance on IT strategy.
This blueprint covers the parts of workforce management that occur to some extent in every organization:
You may additionally want to seek guidance on contract and vendor management, if you outsource some part of your workload outside your core IT staff.
Consider these example metrics for tracking people and resource management success:
| Project Outcome | Metric | Baseline | Target |
|---|---|---|---|
| Reduced training costs | Average cost of training (including facilitation, materials, facilities, equipment, etc.) per IT employee | | |
| Reduced number of overtime hours worked | Average hours billed at overtime rate per IT employee | | |
| Reduced length of hiring period | Average number of days between job ad posting and new hire start date | | |
| Reduced number of project cancellations due to lack of capacity | Total number of projects cancelled per year | | |
| Increased number of projects completed per year (project throughput) | Total number of project completions per year | | |
| Greater net recruitment rate | Number of new recruits/Number of terminations and departures | | |
| Reduced turnover and replacement costs | Total costs associated with replacing an employee, including position coverage cost, training costs, and productivity loss | | |
| Reduced voluntary turnover rate | Number of voluntary departures/Total number of employees | | |
| Reduced productivity loss following a departure or termination | Team or role performance metrics (varies by role) vs. one year ago | | |
“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”
“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”
“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”
“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”
| Phase 1 | Phase 2 | Phase 3 | | |
|---|---|---|---|---|
| Call #1: Scope requirements, objectives, and your specific challenges. | Call #2: Assess current workforce needs. | Call #4: Determine skill sourcing route. | Call #6: Identify knowledge to be transferred. | Call #8: Draft development goals and select activities. |
| Call #3: Explore internal successor readiness. | Call #5: Set priority development competencies. | Call #7: Create a knowledge transfer plan. | Call #9: Build managers' coaching & feedback skills. | |
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is between 4 and 6 calls over the course of 3 to 4 months.
Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889
| | Day 1 | Day 2 | Day 3 | Day 4 | Day 5 |
|---|---|---|---|---|---|
| | 1. Lay Your Foundations | 2. Create Your Workforce Plan | 3. Plan Knowledge Transfer | 3. Plan Employee Development | Next Steps and Wrap-Up (offsite) |
| Activities | 1.1 Set workforce planning goals and success metrics; 1.2 Identify key roles and competency gaps; 1.3 Conduct a risk analysis to identify future needs; 1.4 Determine readiness of internal successors | 1.5 Determine your skill sourcing route; 1.6 Determine priority competencies for development | 3.1 Discover knowledge to be transferred; 3.2 Identify the optimal knowledge transfer methods; 3.3 Create a knowledge transfer plan | 4.1 Identify target competencies & draft development goals; 4.2 Select development activities and schedule check-ins; 4.3 Build manager coaching skills | |
| Outcomes | Work with the leadership team to: | Work with the leadership team to: | Work with staff and managers to: | Work with staff and managers to: | Info-Tech analysts complete: |
Each onsite day is structured with group working sessions from 9-11 a.m. and 1:30-3:30 p.m. and includes Open Analyst Timeslots, where our facilitators are available to expand on scheduled activities, capture and compile workshop results, or review additional components from our comprehensive approach.
| Workforce Planning | Knowledge Transfer | Development Planning |
|---|---|---|
| Identify needs, goals, metrics, and skill gaps. Select a skill sourcing strategy. | Discover critical knowledge. Select knowledge transfer methods. | Identify priority competencies. Assess employees. Draft development goals. Provide coaching & feedback. |
The Small Enterprise Guide to People and Resource Management
Strategic workforce planning (SWP) is a systematic process designed to identify and address gaps in your workforce today and plan for the human capital needs of the future.
Your workforce plan is an extension of your IT strategy, ensuring that you have the right people in the right positions, in the right places, at the right time, with the knowledge, skills, and attributes to deliver on strategic business goals.
SWP helps you understand the makeup of your current workforce and how well prepared it is or isn't (as the case may be) to meet future IT requirements. By identifying capability gaps early, CIOs can prepare to train or develop current staff and minimize the need for severance payouts and hiring costs, while providing clear career paths to retain high performers.
The smaller the business, the more impact each individual's performance has on the overall success of the organization. When a given role is occupied by a single individual, the organization's performance in that function is determined wholly by one employee. Creating a workforce plan for a small team may seem excessive, but it ensures your organization is not unexpectedly hit with a critical competency gap.
Small organizations are 2.2 times more likely to have effective workforce planning processes.1 Be mindful of the opportunities and risks for organizations of your size as you execute the project. How you build your workforce plan will not change drastically based on the size of your organization; however, the scope of your initiative, the size of your team, and the tactics you employ may vary.
| | Small Organization | Medium Organization | Large Organization |
|---|---|---|---|
| Project Opportunities | | | |
| Project Risks | | | |
1 McLean & Company Trends Report 2014
Record this information in the Workforce Planning Workbook for Small Enterprises.
Download the Workforce Planning Workbook for Small Enterprises
A risk analysis takes into account two factors: an employee's risk for departure and the impact of departure:
If you are not sure where an employee stands with respect to leaving the organization, consider having a development conversation with them. In the meantime, consider them at medium risk for departure.
Preparation: Your estimation of whether key employees are at risk of leaving the organization will depend on what you know of them objectively (skills, age), as well as what you learn from development conversations. Ensure you collect all relevant information prior to conducting this activity. You may need to speak with employees' direct managers beforehand or include them in the discussion.
Record this information in the Workforce Planning Workbook for Small Enterprises.
Don't be afraid to rank most or all your staff as "high impact of departure." In a small enterprise, every player counts, and you must plan accordingly.
The characteristics of need steer hiring managers to a preferred choice, while the marketplace analysis will tell you the feasibility of each option.
[Figure: Sourcing Options, Preferred Options, Final Choice]

| State of the Marketplace | State of the Marketplace |
|---|---|
| Urgency: How soon do we need this skill? What is the required time-to-value? Criticality: How critical, i.e. core to business goals, are the services or systems that this skill will support? Novelty: Is this skill brand new to our workforce? Availability: How often, and at what hours, will the skill be needed? Durability: For how long will this skill be needed? Just once, or indefinitely for regular operations? | Scarcity: How popular or desirable is this skill? Do we have a large enough talent pool to draw from? What competition are we facing for top talent? Cost: How much will it cost to hire vs. contract vs. outsource vs. train this skill? Preparedness: Do we have internal resources available to cultivate this skill in house? |
Record this information in the Workforce Planning Workbook for Small Enterprises.
Consider developing a pool of successors instead of pinning your hopes on just one person. A single pool of successors can be developed for either one key role that has specialized requirements or even multiple key roles that have generic requirements.
A readiness assessment helps to define not just development needs, but also any risks around the organization's ability to fill a key role.
Alternative work arrangements not only support employees who want to keep working, but more importantly, they allow the business to retain employees that are needed in key roles who are departure risks due to retirement.
Viewing retirement as a gradual process can help you slow down skill loss in your organization and ensure you have sufficient time to train successors. Retiring workers are becoming increasingly open to alternative work arrangements. Among employed workers aged 50-75, more than half planned to continue working part-time after retirement.
Source: Statistics Canada.
Source: McLean & Company, N=44
| Alternative Work Arrangement | Description | Ideal Use | Caveats |
|---|---|---|---|
| Flexible work options | Employees work the same number of hours but have flexibility in when and where they work (e.g. from home, evenings). | Employees who work fairly independently with no or few direct reports. | Employee may become isolated or disconnected, impeding knowledge transfer methods that require interaction or one-on-one time. |
| Contract-based work | Working for a defined period of time on a specific project on a non-salaried or non-wage basis. | Project-oriented work that requires specialized knowledge or skills. | Available work may be sporadic or specific projects more intensive than the employee wants. Knowledge transfer must be built into the contractual arrangement. |
| Part-time roles | Half days or a certain number of days per week; indefinite with no end date in mind. | Employees whose roles can be readily narrowed and upon whom people and critical processes are not dependent. | It may be difficult to break a traditionally full-time job down into a part-time role given the size and nature of associated tasks. |
| Graduated retirement | Retiring employee has a set retirement date, gradually reducing hours worked per week over time. | Roles where a successor has been identified and is available to work alongside the incumbent in an overlapping capacity while he or she learns. | The role may only require a single FTE, and the organization may not be able to afford the amount of redundancy inherent in this arrangement. |
| Part-year jobs or job sharing | Working part of the year and having the rest of the year off, unpaid. | Project-oriented work where ongoing external relationships do not need to be maintained. | The employee is unavailable for knowledge transfer activities for a large portion of the year. Another risk is that the employee may opt not to return at the end of the extended time off with little notice. |
| Increased paid time off | Additional vacation days upon reaching a certain age. | Best used as recognition or reward for long-term service. This may be a particularly useful retention incentive in organizations that do not offer pension plans. | The company may not be able to financially afford to pay for such extensive time off. If the role incumbent is the only one in the role, this may mean crucial work is not being done. |
| Altered roles | Concentration of a job description on fewer tasks that allows the employee to focus on his or her specific expertise. | Roles where a successor has been identified and is available to work alongside the incumbent, with the incumbent's new role highly focused on mentoring. | The role may only require a single FTE, and the organization may not be able to afford the amount of redundancy inherent in this arrangement. |
| Workforce Planning | Knowledge Transfer | Development Planning |
|---|---|---|
| Identify needs, goals, metrics, and skill gaps. Select a skill sourcing strategy. | Discover critical knowledge. Select knowledge transfer methods. | Identify priority competencies. Assess employees. Draft development goals. Provide coaching & feedback. |
| Define what knowledge needs to be transferred | Each knowledge source has unique information which needs to be transferred. Chances are you don't know what you don't know. The first step is therefore to interview knowledge sources to find out. |
|---|---|
| Identify the knowledge receiver | Depending on who the information is going to, the knowledge transfer tactic you employ will differ. Before deciding on the knowledge receiver and tactic, consider three key factors: |
| Identify which knowledge transfer tactics you will use for each knowledge asset | Not all tactics are good in every situation. Always keep the "knowledge type" (information, process, skills, and expertise), knowledge sources' engagement level, and the knowledge receiver in mind as you select tactics. |
There are two basic types of knowledge: "explicit" and "tacit." Ensure you capture both to get a well-rounded overview of the role.
| Explicit | | Tacit | |
|---|---|---|---|
| Types of explicit knowledge | | Types of tacit knowledge | |
| Information | Process | Skills | Expertise |
| Specialized technical knowledge. Unique design capabilities/methods/models. Legacy systems, details, passwords. Special formulas/algorithms/techniques/contacts. | | | |
| e.g. Knowing the lyrics to a song, building a bike, knowing the alphabet, watching a YouTube video on karate. | | e.g. Playing the piano, riding a bike, reading or speaking a language, earning a black belt in karate. | |
Multiple methods should be used to transfer as much of a person's knowledge as possible, and mentoring should always be one of them. Select your method according to the following criteria:
The more integrated knowledge transfer is in day-to-day activities, the more likely it is to be successful, and the lower the time cost. This is because real learning is happening at the same time real work is being accomplished.
Ensure you consult the employees, and their direct manager, on the way they are best prepared to teach and learn. Some examples of preferences include:
Consider costs beyond the monetary. Some methods require an investment in time (e.g. mentoring), while others require an investment in technology (e.g. knowledge bases).
The good news is that many supporting technologies may already exist in your organization or can be acquired for free.
Methods that cost time may be difficult to get underway since employees may feel they don't have the time or must change the way they work.
Record your plan in the IT Knowledge Transfer Plan Template.
Download the IT Knowledge Identification Interview Guide Template
Download the Knowledge Transfer Plan Template
Wherever possible, ask employees about their personal learning styles. It's likely that a collaborative compromise will have to be struck for knowledge transfer to work well.
Input | Output |
|---|---|
|
|
Materials | Participants |
|
|
| Knowledge Type | ||||
|---|---|---|---|---|
| Tactic | Explicit | | Tacit | |
| | Information | Process | Skills | Expertise |
| Interviews | Very Strong | Strong | Strong | Strong |
| Process Mapping | Medium | Very Strong | Very Weak | Very Weak |
| Use Cases | Medium | Very Strong | Very Weak | Very Weak |
| Job Shadow | Very Weak | Medium | Very Strong | Very Strong |
| Peer Assist | Strong | Medium | Very Strong | Very Strong |
| Action Review | Medium | Medium | Strong | Strong |
| Mentoring | Weak | Weak | Strong | Very Strong |
| Transition Workshop | Strong | Strong | Strong | Weak |
| Storytelling | Weak | Weak | Strong | Very Strong |
| Job Share | Weak | Weak | Very Strong | Very Strong |
| Communities of Practice | Strong | Weak | Very Strong | Very Strong |
This table shows the relative strengths and weaknesses of each knowledge transfer tactic compared against four different knowledge types.
Not all techniques are effective for all types of knowledge; it is important to use a healthy mixture of techniques to optimize effectiveness.
| Level of Engagement | ||
|---|---|---|
| Tactic | Disengaged/ Indifferent | Almost Engaged - Engaged |
| Interviews | Yes | Yes |
| Process Mapping | Yes | Yes |
| Use Cases | Yes | Yes |
| Job Shadow | No | Yes |
| Peer Assist | Yes | Yes |
| Action Review | Yes | Yes |
| Mentoring | No | Yes |
| Transition Workshop | Yes | Yes |
| Storytelling | No | Yes |
| Job Share | Maybe | Yes |
| Communities of Practice | Maybe | Yes |
When considering which tactics to employ, it's important to consider the knowledge holder's level of engagement. Employees who you would identify as being disengaged may not make good candidates for job shadowing, mentoring, or other tactics where they are required to do additional work or are asked to influence others.
Knowledge transfer can be controversial for all employees as it can cause feelings of job insecurity. It's essential that motivations for knowledge transfer are communicated effectively.
Pay particular attention to your communication style with disengaged and indifferent employees, communicate frequently, and tie communication back to what's in it for them.
Putting disengaged employees in a position where they are mentoring others can be a risk, as their negativity could influence others not to participate, or it could negate the work you're doing to create a positive knowledge sharing culture.
| Effort by Stakeholder | ||||
|---|---|---|---|---|
| Tactic | Business Analyst | IT Manager | Knowledge Holder | Knowledge Receiver |
| Interviews (These tactics require the least amount of effort, especially for organizations that are already using these tactics for a traditional requirements gathering process.) | Medium | N/A | Low | Low |
| Process Mapping | Medium | N/A | Low | Low |
| Use Cases | Medium | N/A | Low | Low |
| Job Shadow | Medium | Medium | Medium | Medium |
| Peer Assist | Medium | Medium | Medium | Medium |
| Action Review (These tactics generally require more involvement from IT management and the BA in tandem for preparation. They will also require ongoing effort for all stakeholders. It's important to gain stakeholder buy-in as it is key for success.) | Low | Medium | Medium | Low |
| Mentoring | Medium | High | High | Medium |
| Transition Workshop | Medium | Low | Medium | Low |
| Storytelling | Medium | Medium | Low | Low |
| Job Share | Medium | High | Medium | Medium |
| Communities of Practice | High | Medium | Medium | Medium |
Workforce Planning | Knowledge Transfer | Development Planning |
|---|---|---|
Identify needs, goals, metrics, and skill gaps. Select a skill sourcing strategy. | Discover critical knowledge. Select knowledge transfer methods. | Identify priority competencies. Assess employees. Draft development goals. Provide coaching & feedback. |
The Small Enterprise Guide to People and Resource Management
Your performance management framework is rooted in organizational goals and defines what it means to do any given role well.
Your organization's priority competencies are the knowledge, skills and attributes that enable an employee to do the job well.
Each individual's development goals are then aimed at building these priority competencies.
| Mission Statement | To be the world's leading manufacturer and distributor of widgets. |
|---|---|
| Business Goal | To increase annual revenue by 10%. |
| IT Department Objective | To ensure reliable communications infrastructure and efficient support for our sales and development teams. |
| Individual Role Objective | To decrease time to resolution of support requests by 10% while maintaining quality. |
Without a performance management framework, your employees cannot align their development with the organization's goals. For detailed guidance, see Info-Tech's blueprint Setting Meaningful Employee Performance Measures.
The term "competency" refers to the collection of knowledge, skills, and attributes an employee requires to do a job well.
Often organizations have competency frameworks that consist of core, leadership, and functional competencies.
Core competencies apply to every role in the organization. Typically, they are tied to organizational values and business mission and/or vision.
Functional competencies are at the department, work group, or job role levels. They are a direct reflection of the function or type of work carried out.
Leadership competencies generally apply only to people managers in the organization. Typically, they are tied to strategic goals in the short to medium term.
| Generic | Functional |
|---|---|
|
|
| S | Specific: Be specific about what you want to accomplish. Think about who needs to be involved, what you're trying to accomplish, and when the goal should be met. |
|---|---|
| M | Measurable: Set metrics that will help to determine whether the goal has been reached. |
| A | Achievable: Ensure that you have both the organizational resources and employee capability to accomplish the goal. |
| R | Relevant: Goals must align with broader business, department, and development goals in order to be meaningful. |
| T | Time-bound: Provide a target date to ensure the goal is achievable and provide motivation. |
"Learn Excel this summer."
Not specific enough, not measurable enough, nor time bound.
"Consult with our Excel expert and take the lead on creating an Excel tool in August."
Pre-work: Employees should come to the career conversation having done some self-reflection. Use Info-Tech's IT Employee Career Development Workbook to help employees identify their career goals.
Lack of career development is the top reason employees leave organizations. Development activities need to work for both the organization and the employee's own development, and clearly link to advancing employees' careers either at the organization or beyond.
Download the IT Employee Career Development Workbook
Download the Individual Competency Development Plan
Input | Output |
|---|---|
|
|
Materials | Participants |
|
| 70% | On providing challenging on-the-job opportunities |
|---|---|
| 20% | On establishing opportunities for people to develop learning relationships with others, such as coaching and mentoring |
| 10% | On formal learning and training programs |
| Internal Initiative | What Is It? | When to Use It |
|---|---|---|
| Special Project | Assignment outside of the scope of the day-to-day job (e.g. work with another team on a short-term initiative). | As an opportunity to increase exposure and to expand skills beyond those required for the current job. |
| Stretch Assignment | The same projects that would normally be assigned, but in a shorter time frame or with a more challenging component. | Employee is consistently meeting targets and you need to see what they're capable of. |
| Training Others | Training new or more junior employees on their position or a specific process. | Employee wants to expand their role and responsibility and is proficient and positive. |
| Team Lead On an Assignment | Team lead for part of a project or new initiative. | To prepare an employee for future leadership roles by increasing responsibility and developing basic managerial skills. |
| Job Rotation | A planned placement of employees across various roles in a department or organization for a set period of time. | Employee is successfully meeting and/or exceeding job expectations in their current role. |
The next time you assign a project to an employee, you should also ask the employee to think about a development goal for the project. Try to link it back to their existing goals or have them document a new goal in their development plan.
For example: A team of employees always divides their work in the same way. Their goal for their next project could be to change up the division of responsibility so they can learn each other's roles.
"I'd like you to develop your ability to explain technical terms to a non-technical audience. I'd like you to sit down with the new employee who starts tomorrow and explain how to use all our software, getting them up and running."
Employees often don't realize that they are being developed. They either think they are being recognized for good work or they are resentful of the additional workload.
You need to tell your employees that the activity you are asking them to do is intended to further their development.
However, be careful not to sell mundane tasks as development opportunities – this is offensive and detrimental to engagement.
Ensure that the employee makes progress in developing prioritized competencies by defining accountabilities:
|
Tracking Progress |
Checking In |
Development Meetings |
Coaching & Feedback |
|---|---|---|---|
Employee accountability:
Manager accountability:
|
Employee accountability:
Manager accountability:
|
Employee accountability:
Manager accountability:
|
Employee accountability:
Manager accountability:
|
Pre-work: Employees should research potential development activities and come prepared with a range of suggestions.
Pre-work: Managers should investigate options for employee development, such as internal training/practice opportunities for the employee's selected competencies and availability of training budget.
Download the Learning Methods Catalog
Adopt a blended learning approach using a variety of techniques to effectively develop competencies. This will reinforce learning and accommodate different learning styles. See Info-Tech's Learning Methods Catalog for a description of popular experiential, relational, and formal learning methods.
Input | Output |
|---|---|
|
|
Materials | Participants |
|
A conversation in which a manager asks questions to guide employees to solve problems themselves.
Coaching is:
Information conveyed from the manager to the employee about their performance.
Feedback is:
Don't forget to develop your managers! Ensure coaching, feedback, and management skills are part of your management team's development plan.
|
Understand the foundations of coaching to provide effective development coaching: |
||
|---|---|---|
| Knowledge | Mindset | Relationship |
|
|
|
Using a model allows every manager, even those with little experience, to apply coaching best practices effectively.
| Actively Listen | Ask | Action Plan | Adapt |
|---|---|---|---|
| Engage with employees and their message, rather than just hearing their message. Key active listening behaviors: | Ask thoughtful, powerful questions to learn more information and guide employees to uncover opportunities and/or solutions. Key asking behaviors: | Hold employees and managers accountable for progress and results. During check-ins, review each development goal to ensure employees are meeting their targets. Key action planning behaviors: | Adapt to individual employees and situations. Key adapting behaviors: |
The purpose of asking questions is to guide the conversation and learn something you didn't already know. Choose the questions you ask based on the flow of the conversation and on what information you would like to uncover. Approach the answers you get with an open mind.
Avoid the trap of "hidden agenda" questions, whose real purpose is to offer your own advice.
Development is a two-way street. This means that while employees are responsible for putting in the work, managers must enable their development with support and guidance. The latter is a skill, which managers must consciously cultivate.
Gain business buy-in to understanding the key IT risks that could negatively impact the organization and create an IT risk management program to properly identify, assess, respond, monitor, and report on those risks.
Leverage this Risk Management Program Manual to ensure that the decisions around how IT risks will be governed and managed can be documented in a single source accessible by those involved.
Engage these tools in your organization if you do not currently have a GRC tool to document risk events as they relate to the IT function. Consider the best risk response to high severity risk events to ensure all possible situations are considered.
Establish clear guidelines and responses to risk events that will leave your organization vulnerable to unwanted threats. Ensure risk owners have agreed to the risk responses and are willing to take accountability for that response.
To assess current risk management maturity, develop goals, and establish IT risk governance.
Identified obstacles to effective IT risk management.
Established attainable goals to increase maturity.
Clearly laid out risk management accountabilities and responsibilities for IT and business stakeholders.
1.1 Assess current program maturity
1.2 Complete RACI chart
1.3 Create the IT risk council
1.4 Identify and engage key stakeholders
1.5 Add organization-specific risk scenarios
1.6 Identify risk events
Maturity Assessment
Risk Management Program Manual
Risk Register
Identify and assess all IT risks.
Created a comprehensive list of all IT risk events.
Risk events prioritized according to risk severity – as defined by the business.
2.1 Identify risk events (continued)
2.2 Augment risk event list using COBIT 5 processes
2.3 Determine the threshold for (un)acceptable risk
2.4 Create impact and probability scales
2.5 Select a technique to measure reputational cost
2.6 Conduct risk severity level assessment
Finalized List of IT Risk Events
Risk Register
Risk Management Program Manual
Prioritize risks, establish monitoring responsibilities, and develop risk responses for top risks.
Risk monitoring responsibilities are established.
Risk response strategies have been identified for all key risks.
3.1 Conduct risk severity level assessment
3.2 Document the proximity of the risk event
3.3 Conduct expected cost assessment
3.4 Develop key risk indicators (KRIs) and escalation protocols
3.5 Root cause analysis
3.6 Identify and assess risk responses
Risk Register
Risk Management Program Manual
Risk Event Action Plans
Assess and select risk responses for top risks and effectively communicate recommendations and priorities to the business.
Thorough analysis has been conducted on the value and effectiveness of risk responses for high severity risk events.
Authoritative risk response recommendations can be made to senior leadership.
A finalized Risk Management Program Manual is ready for distribution to key stakeholders.
4.1 Identify and assess risk responses
4.2 Risk response cost-benefit analysis
4.3 Create multi-year cost projections
4.4 Review techniques for embedding risk management in IT
4.5 Finalize the Risk Report and Risk Management Program Manual
4.6 Transfer ownership of risk responses to project managers
Risk Report
Risk Management Program Manual
Executive Brief
Analyst Perspective
Executive Summary
Phase 1: Review IT Risk Fundamentals & Governance
Phase 2: Identify and Assess IT Risk
Phase 3: Monitor, Communicate, and Respond to IT Risk
Appendix
Bibliography
Valence Howden Principal Research Director, CIO Practice |
Brittany Lutes Senior Research Analyst, CIO Practice |
Risk is an inherent part of life but not very well understood or executed within organizations. This has led to risk being avoided or, when it’s implemented, being performed in isolated siloes with inconsistencies in understanding of impact and terminology.
Looking at risk in an integrated way within an organization drives a truer sense of the thresholds and levels of risks an organization is facing – making it easier to manage and leverage risk while reducing risks associated with different mitigation responses to the same risk events.
This opens the door to using risk information – not only to prevent negative impacts but as a strategic differentiator in decision making. It helps you know which risks are worth taking, driving strong positive outcomes for your organization.
IT has several challenges when it comes to addressing risk management:
Many IT organizations realize these obstacles:
IT risk is business risk. Every IT risk has business implications. Create an IT risk management program that shares accountability with the business.
58% of organizations still lack a systematic and robust method to actually report on risks (Source: AICPA, 2021)
|
|
|
By identifying areas of risk exposure and creating solutions proactively, obstacles can be removed or circumvented before they become a real problem.
Only 12% of organizations are using risk as a strategic tool most or all of the time (Source: AICPA, 2021)
IT risks have a direct and often aggregated impact on enterprise risks and opportunities in the same way other business risks can. This relationship must be understood and addressed through integrated risk management to ensure a consistent approach to risk.
Start Here
PHASE 1: Review IT Risk Fundamentals and Governance
1.1 Review IT Risk Management Fundamentals
1.2 Establish a Risk Governance Framework
PHASE 2: Identify and Assess IT Risk
2.1 Identify IT Risks
2.2 Assess and Prioritize IT Risks
PHASE 3: Monitor, Report, and Respond to IT Risk
3.1 Monitor IT Risks and Develop Risk Responses
3.2 Report IT Risk Priorities
Accelerate and optimize your organization by leveraging meaningful risk data to make intelligent enterprise risk decisions.
Risk Drivers
Only 7% of organizations are in a “leading” or “aspirational” level of risk maturity. (OECD, 2021)
63% of organizations struggle when it comes to defining their appetite toward strategy related risks. (“Global Risk Management Survey,” Deloitte, 2021)
Late adopters of risk management were 70% more likely to use instinct over data or facts to inform an efficient process. (Clear Risk, 2020)
55% of organizations have little to no training on ERM to properly implement such practices. (AICPA, NC State Poole College of Management, 2021)
1. Assess Enterprise Risk Maturity
2. Determine Authority with Governance
Unfortunately, less than 50% of those in risk focused roles are also in a governance role where they have the authority to provide risk oversight. (Governance Institute of Australia, 2020)
3. Build a Risk Management Program Plan
4. Establish Risk Management Processes
5. Implement a Risk Management Program
IT can improve the maturity of the organization’s risk governance and help identify risk owners who have authority and accountability.
Governance and related decision making is optimized with integrated and aligned risk data.
ERM incorporates the different types of risk, including IT, security, digital, vendor, and other risk types. The program plan is meant to consider all the major risk types in a unified approach.
Implementation of an integrated risk management program requires ongoing access to risk data by those with decision making authority who can take action.
Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:
Key deliverable: Risk Management Program Manual
Use the tools and activities in each phase of the blueprint to create a comprehensive, customized program manual for the ongoing management of IT risk.
Integrated Risk Maturity Assessment
Assess the organization's current maturity and readiness for integrated risk management (IRM).
Centralized Risk Register
The repository for all the risks that have been identified within your environment.
Risk Costing Tool
A potential cost-benefit analysis of possible risk responses to determine a good method to move forward.
Risk Report & Risk Event Action Plan
A method to report risk severity and hold risk owners accountable for chosen method of responding.
As a part of our research process, we used the COSO, ISO 31000, and COBIT 2019 frameworks. Contextualizing IT risk management within these frameworks ensured that our project-focused approach is grounded in industry-leading best practices for managing IT risk.
Risk Management can help organizations increase the likelihood of achieving objectives, improve the identification of opportunities and threats, and effectively allocate and use resources for risk treatment. (ISO 31000)
A strong risk management foundation is valuable when building your IT risk management program. This research covers the following IT risk fundamentals:
|
Drivers of Formalized Risk Management: |
|
| Drivers External to IT | ||
| External Audit | Internal Audit | |
| Mandated by ERM | ||
| Occurrence of Risk Event | ||
| Demonstrating IT’s value to the business | Proactive initiative | |
| Emerging IT risk awareness | ||
| Grassroots Drivers | ||
IT Benefits
|
Business Benefits
|
DIY Toolkit |
Guided Implementation |
Workshop |
Consulting |
| "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." | "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." | "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." | "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project." |
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is 6 to 8 calls over the course of 3 to 6 months.
What does a typical GI on this topic look like?
Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889
| | Day 1 | Day 2 | Day 3 | Day 4 | Day 5 |
|---|---|---|---|---|---|
| Activities | Review IT Risk Fundamentals and Governance: 1.1 Assess current program maturity; 1.2 Complete RACI chart; 1.3 Create the IT risk council; 1.4 Identify and engage key stakeholders; 1.5 Add organization-specific risk scenarios; 1.6 Identify risk events | Identify IT Risks: 2.1 Identify risk events (continued); 2.2 Augment risk event list using COBIT5 processes; 2.3 Determine the threshold for (un)acceptable risk; 2.4 Create impact and probability scales; 2.5 Select a technique to measure reputational cost; 2.6 Conduct risk severity level assessment | Assess IT Risks: 3.1 Conduct risk severity level assessment; 3.2 Document the proximity of the risk event; 3.3 Conduct expected cost assessment; 3.4 Develop key risk indicators (KRIs) and escalation protocols; 3.5 Perform root cause analysis; 3.6 Identify and assess risk responses | Monitor, Report, and Respond to IT Risk: 4.1 Identify and assess risk responses; 4.2 Risk response cost-benefit analysis; 4.3 Create multi-year cost projections; 4.4 Review techniques for embedding risk management in IT; 4.5 Finalize the Risk Report and Risk Management Program Manual; 4.6 Transfer ownership of risk responses to project managers | Next Steps and Wrap-Up (offsite): 5.1 Complete in-progress deliverables from previous four days; 5.2 Set up review time for workshop deliverables and to discuss next steps |
| Outcomes | | | | | |
Phase 1
|
Phase 2
|
Phase 3
|
| Step 1.1 | Step 1.2 |
Most IT departments find themselves in one of these two organizational frameworks for managing IT risk:
| Core Responsibilities | With an ERM | Without an ERM |
|
Senior Leadership Team | Senior Leadership Team |
|
ERM | IT Risk Management |
|
IT Risk Management | |
| Pro: IT’s risk management responsibilities are defined (assessment schedules, escalation and reporting procedures).
Con: IT may lack autonomy to implement IT risk management best practices. |
Pro: IT is free to create its own IT risk council and develop customized processes that serve its unique needs.
Con: Lack of clear reporting procedures and mechanisms to share accountability with the business. |
Risk Governance
|
Risk Identification
|
Risk Response
|
Risk Assessment
|
| Risk management benefits | To engage the business... |
| IT is compliant with external laws and regulations. | Identify the industry or legal legislation and regulations your organization abides by. |
| IT provides support for business compliance. | Find relevant business compliance issues, and relate compliance failures to cost. |
| IT regularly communicates costs, benefits, and risks to the business. | Acknowledge the number of times IT and the business miscommunicate critical information. |
| Information and processing infrastructure are very secure. | Point to past security breaches or potential vulnerabilities in your systems. |
| IT services are usually delivered in line with business requirements. | Bring up IT services that the business was unsatisfied with. Explain that their inputs in identifying risks are correlated with project quality. |
| IT related business risks are managed very well. | Make it clear that with no risk tracking process, business processes become exposed and tend to slow down. |
| IT projects are completed on time and within budget. | Point out late or over-budget projects due to the occurrence of unforeseen risks. |
Input: List of IT personnel and business stakeholders
Output: Buy-in from senior leadership for an IT risk management program
Materials: Risk Management Program Manual
Participants: IT executive leadership, Business executive leadership
The resource demands of IT risk management will vary from organization to organization. Here are typical requirements:
Record the results in the Risk Management Program Manual.
Frequently and continually assessing your organization’s maturity toward integrated risk ensures the right risk management program can be adopted by your organization.
Integrated Risk Maturity Assessment: A simple tool to understand if your organization is ready to embrace integrated risk management by measuring maturity across four key categories: Context & Strategic Direction, Risk Culture & Authority, Risk Management Process, and Risk Program Optimization.
Use the results from this integrated risk maturity assessment to determine the type of risk management program that can and should be adopted by your organization.
Some organizations will need to remain siloed and focused on IT risk management only, while others will be able to integrate risk-related information to start enabling automatic controls that respond to this data.
1-4 hours
Input: List of IT personnel and business stakeholders
Output: Maturity scores across four key risk categories
Materials: Integrated Risk Maturity Assessment Tool
Participants: IT executive leadership, Business executive leadership
This assessment is intended for frequent use; process completeness should be re-evaluated on a regular basis.
How to Use This Assessment:
Record the results in the Integrated Risk Maturity Assessment.
Integrated Risk Maturity Categories
| 1 | Context & Strategic Direction | Understanding of the organization’s main objectives and how risk can support or enhance those objectives. |
| 2 | Risk Culture and Authority | Examine if risk-based decisions are being made by those with the right level of authority and if the organization’s risk appetite is embedded in the culture. |
| 3 | Risk Management Process | Determine if the current process to identify, assess, respond to, monitor, and report on risks is benefitting the organization. |
| 4 | Risk Program Optimization | Consider opportunities where risk-related data is being gathered, reported, and used to make informed decisions across the enterprise. |
Review IT Risk Fundamentals and Governance
Challenges:
Key metrics:
Metrics provide the foundation for determining the success of your IT risk management program and ensure ongoing funding to support appropriate risk responses.
Support and sponsorship from senior leadership
IT risk management has more success when initiated by a member of the senior leadership team or the board, rather than emerging from IT as a grassroots initiative. Sponsorship increases the likelihood that risk management is prioritized and receives the necessary resources and attention. It also ensures that IT risk accountability is assumed by senior leadership.
Risk culture and awareness
A risk-aware organizational culture embraces new policies and processes that reflect a proactive approach to risk. An organization with a risk-aware culture is better equipped to facilitate communication vertically within the organization. Risk awareness can be embedded by revising job descriptions and performance assessments to reflect IT risk management responsibilities.
Organization size
Smaller organizations can often institute a mature risk management program much more quickly than larger organizations. It is common for key personnel within smaller organizations to be responsible for multiple roles associated with risk management, making it easier to integrate IT and business risk management. Larger organizations may find it more difficult to integrate a more complex and dispersed network of individuals responsible for various risk management responsibilities.
1-4 hours
Input: Integrated Risk Maturity Assessment
Output: Obstacles and pain points identified
Materials: IT Risk Management Success Factors
Participants: IT executive leadership, Business executive leadership
Anticipate potential challenges and “blind spots” by determining which success factors are missing from your current situation.
Instructions:
Replace the example pain points and opportunities with real scenarios in your organization.
| Pain Points/Obstacles | Opportunities |
[Figure: Risk Tolerant, Moderate, Risk Averse]
One element of risk culture is what levels of risk the organization is willing to accept to pursue its objectives and what levels of risk are deemed unacceptable. This is often called risk appetite.
Risk tolerant
Risk-tolerant organizations embrace the potential of accelerating growth and the attainment of business objectives by taking calculated risks.
Risk averse
Risk-averse organizations prefer consistent, gradual growth and goal attainment by embracing a more cautious stance toward risk.
The other component of risk culture is the degree to which risk factors into decision making.
Risk conscious
Risk-conscious organizations place a high priority on being aware of all risks impacting business objectives, regardless of whether they choose to accept or respond to those risks.
Unaware
Organizations that are largely unaware of the impact of risk generally believe there are few major risks impacting business objectives and choose to invest resources elsewhere.
Organizations typically fall in the middle of these spectrums. While risk culture will vary depending on the industry and maturity of the organization, a culture with a balanced risk appetite that is extremely risk conscious is able to make creative, dynamic decisions with reasonable limits placed on risk-related decision making.
1-4 hours
Input: Integrated Risk Maturity Assessment, Risk Culture, Pain Points and Opportunities
Output: Goals for the IT risk management program
Materials: Risk Management Program Manual
Participants: IT executive leadership, Business executive leadership
Translate your maturity assessment and knowledge about organizational risk culture, potential obstacles, and success factors to develop goals for your IT risk management program.
Instructions:
Record the results in the Risk Management Program Manual.
Ensure that all success metrics are SMART:
| Strong | Make sure the objective is clear and detailed. |
| Measurable | Objectives are measurable if there are specific metrics assigned to measure success. Metrics should be objective. |
| Actionable | Objectives become actionable when specific initiatives designed to achieve the objective are identified. |
| Realistic | Objectives must be achievable given your current resources or known available resources. |
| Time-Bound | An objective without a timeline can be put off indefinitely. Furthermore, measuring success is challenging without a timeline. |
Replace the example metrics with accurate KPIs or metrics for your organization.
Sample Metrics
| Name | Method | Baseline | Target | Deadline | Checkpoint 1 | Checkpoint 2 | Final |
| Number of risks identified (per year) | Risk register | 0 | 100 | Dec. 31 | | | |
| Number of business units represented (risk identification) | Meeting minutes | 0 | 5 | Dec. 31 | | | |
| Frequency of risk assessment | Assessments recorded in risk management program manual | 0 | 2 per year | Year 2 | | | |
| Percentage of identified risk events that undergo expected cost assessment | Ratio of risks assessed in the risk costing tool to risks assessed in the risk register | 0 | 20% | Dec. 31 | | | |
| Number of top risks without an identified risk response | Risk register | 5 | 0 | March 1 | | | |
| Cost of risk management program operations per year | Meeting frequency and duration, multiplied by the cost of participation | $2,000 | $5,000 | Dec. 31 | | | |
Responsibilities of the ITRC:
Must be on the ITRC:
1-4 hours
Input: List of IT personnel and business stakeholders
Output: Goals for the IT risk management program
Materials: Risk Management Program Manual
Participants: CIO, CRO (if applicable), Senior Directors, Head of Operations
Identify the essential individuals from both the IT department and the business to create a permanent committee that meets regularly and carries out IT risk management activities.
Instructions:
Record the results in the Risk Management Program Manual.
RACI is an acronym made up of four participatory roles:
| Responsible | Stakeholders who undertake the activity. |
| Accountable | Stakeholders who are held responsible for failure or take credit for success. |
| Consulted | Stakeholders whose opinions are sought. |
| Informed | Stakeholders who receive updates. |
| | Stakeholder Coordination | Risk Identification | Risk Thresholds | Risk Assessment | Identify Responses | Cost-Benefit Analysis | Monitoring | Risk Decision Making |
| ITRC | A | R | I | R | R | R | A | C |
| ERM | C | I | C | I | I | I | I | C |
| CIO | I | A | A | A | A | A | I | R |
| CRO | I | R | C | I | R | |||
| CFO | I | R | C | I | R | |||
| CEO | I | R | C | I | A | |||
| Business Units | I | C | C | C | ||||
| IT | I | I | I | I | I | I | R | C |
| PMO | C | C | C |
Legend: R = Responsible, A = Accountable, C = Consulted, I = Informed
What you don’t know CAN hurt you. How do you identify IT-related threats and vulnerabilities that you are not already aware of? Now that you have created a strong risk governance framework that formalizes risk management within IT and connects it to the enterprise, follow the steps outlined in this section to reveal all of IT’s risks.
Benefits of obtaining business involvement during the risk identification stage:
Executive Participation:
Prioritizing and Selecting Stakeholders
Info-Tech Insight: While IT personnel are better equipped to identify IT risk than anyone, IT does not always have an accurate view of the business’s exposure to IT risk. Strive to maintain a 3 to 1 ratio of IT to non-IT personnel involved in the process.
Info-Tech’s risk categories are consistent with a risk identification method called Risk Prompting.
A risk prompt list is a list that categorizes risks into types or areas. The ten risk categories encapsulate the services, activities, responsibilities, and functions of most IT departments. Use these categories and the example risk scenarios provided as prompts to guide brainstorming and organize risks.
| Risk Category: High-level groupings that describe risk pertaining to major IT functions. See the following slide for all ten of Info-Tech’s IT risk categories. | Risk Scenario: An abstract profile representing common risk groups that are more specific than risk categories. Typically, organizations are able to identify two to five scenarios for each category. | Risk Event: Specific threats and vulnerabilities that fall under a particular risk scenario. Organizations are able to identify anywhere between 1 and 20 events for each scenario. See the Appendix of the Risk Management Program Manual for a list of risk event examples. |
| Risk Category | Risk Scenario | Risk Event |
| Compliance | Regulatory compliance | Being fined for not complying/being aware of a new regulation. |
| | Externally originated attack | Phishing attack on the organization. |
| Operational | Technology evaluation & selection | Partnering with a vendor that is not in compliance with a key regulation. |
| | Capacity planning | Not having sufficient resources to support a DRP. |
| Third-Party Risk | Vendor management | Vendor performance requirements are improperly defined. |
| | Vendor selection | Vendors are improperly selected to meet the defined use case. |
- IT Reputational
- IT Financial
- IT Strategic
- Operational
- Availability
- Performance
- Compliance
- Security
- Third Party
- Digital
Input: IT risk categories
Output: Risk events identified and categorized
Materials: Risk Register Tool
Participants: IT risk council, Relevant business stakeholders, Representation from senior management team, Business risk owners, CRO (if applicable)
Use Info-Tech’s IT risk categories and scenarios to brainstorm a comprehensive list of IT-related threats and vulnerabilities impacting your organization.
Instructions:
Tip: If disagreement arises regarding whether a specific risk event is relevant to the organization or not and it cannot be resolved quickly, include it in the list. The applicability of these risks will become apparent during the assessment process.
Record the results in the Risk Register Tool.
Consider the External Environment – PESTLE Analysis
Despite efforts to encourage equal participation in the risk identification process, key risks may not have been shared in previous exercises. Conduct a PESTLE analysis as a final safety net to ensure that all key risk events have been identified.
Avoid “Groupthink” – Nominal Group Technique
The Nominal Group Technique uses the silent generation of ideas and an enforced “safe” period of time where ideas are shared but not discussed to encourage judgement-free idea generation.
Note: Employing either of these techniques will lengthen an already time-consuming process. Only consider these techniques if you have concerns regarding the homogeneity of the ideas being generated or if select individuals are dominating the exercise.
List the following factors influencing the risk event:
Identify and Assess IT Risk
Risk is money. It’s impossible to make intelligent decisions about risks without knowing what their financial impact will be.
In this section, you will be prioritizing your IT risks according to their risk severity, which is a reflection of their expected cost.
How much you expect a risk event to cost if it were to occur:
Likelihood of Risk Impact (e.g. $250,000 or “High”)
×
Calibrated by how likely the risk is to occur:
Likelihood of Risk Occurrence (e.g. 10% or “Low”)
=
Produces a dollar value or “severity level” for comparing risks:
Risk Severity (e.g. $25,000 or “Medium”)
Which must be evaluated against thresholds for acceptable risk and the cost of risk responses:
Risk Tolerance
CBA (cost-benefit analysis)
1. Engage the Business During Assessment Process: Asking business stakeholders to make significant contributions to the assessment exercise may be unrealistic (particularly for members of the senior leadership team, other than the CIO). Ensure that they work with you to finalize thresholds for acceptable or unacceptable risk.
2. Verify the Risk Impact and Assessment: If IT has ranked risk events appropriately, the business will be more likely to offer their input. Share impact and likelihood values for key risks to see if they agree with the calculated risk severity scores.
3. Identify Where the Business Focuses Attention: While verifying, pay attention to the risk events that the business stresses as key risks. Keep these risks in mind when prioritizing risk responses as they are more likely to receive funding. Try to communicate the assessments of these risk events in terms of expected cost to attract the attention of business leaders.
If business executives still won’t provide the necessary information to update your initial risk assessments, IT should approach business unit leaders and lower-level management. Lean on strong relationships forged over time between IT and business managers or supervisors to obtain any additional information.
Review the two levels of risk assessment offered in this blueprint.
| 1 | Information: Number of risks: Assess all risk events identified in Phase 1. | Assess Likelihood: Negligible | X | Assess Likelihood: Negligible | = | Output: Moderate |
| 2 | Information: Number of risks: Only assess high-priority risks revealed by severity-level assessment. | Assess Likelihood: 15% (Moderate) | X | Assess Likelihood: $100,000 (High) | = | Output: $15,000. Expected cost is useful for conducting cost-benefit analysis and comparing IT risks to non-IT risks and other budget priorities for the business. |
For risk events warranting further analysis, translate risk severity levels into hard expected-cost numbers.
Why conduct expected cost assessments?
Why is expected cost assessment optional?
Input: Risk events, Risk appetite
Output: Threshold for risk identified
Materials: Risk Register Tool, Risk Management Program Manual
Participants: IT risk council, Relevant business stakeholders, Representation from senior management team, Business risk owner
Instructions:
There are times when the business needs to know about IT risks with high expected costs.
This threshold is typically based on the organization’s ability to absorb financial losses, and its tolerance/appetite towards risk.
If your organization has ERM, adopt the existing acceptability threshold.
Record this threshold in section 5.3 of the Risk Management Program Manual.
1-4 hours
Input: Risk events, Risk threshold
Output: Financial impact scale created
Materials: Risk Register Tool, Risk Management Program Manual
Participants: IT risk council, Relevant business stakeholders, Representation from senior management team, Business risk owner
Instructions:
Record the risk impact scale in section 5.3 of the Risk Management Program Manual
Use the tables below to quickly convert impacts typically measured in units of time to financial cost. Replace the values in the table with those that reflect your own costs.
Project Overruns
| Project | Time (days) | Number of employees | Average cost per employee (per day) | Estimated cost |
| | 20 days | 8 | $300 | $48,000 |
Service Outages
| Service | Time (hours) | Lost revenue (per hour) | Estimated cost | Impact scale |
| | 4 hours | $10,000 | $40,000 | Low |
Reputational cost can take several forms, including the internal and external perception of:
Based on your industry and the nature of the risk, select one of the three techniques described in this section to incorporate reputational costs into your risk assessment.
Technique #1 – Use financial indicators:
For-profit companies typically experience reputational loss as a gradual decline in the strength of their brand, exclusion from industry groups, or lost revenue. If possible, use these measures to put a price on reputational loss:
Match this dollar value to the corresponding level on the impact scale created in Activity 2.2.2.
It is common for public sector or not-for-profit organizations to have difficulty putting a price tag on intangible reputational costs.
Technique #2 – Calculate the value of avoiding reputational cost:
For example: A data breach, which caused the unsanctioned disclosure of 2,000 client files, has inflicted high reputational costs on the organization. These have impacted the organization in the following ways:
If you feel that the other techniques have not reflected reputational impacts in the overall severity level of the risk, create a parallel scale that roughly matches your financial impact scale.
Technique #3 – Create a parallel scale for reputational impact:
Visibility is a useful metric for measuring reputational impact. Visibility measures how widely knowledge of the risk event has spread and how negatively the organization is perceived. Visibility has two main dimensions:
Internal/External: The further outside of the organization that the risk event is visible, the higher the reputational impact.
1-3 hours
Instructions:
Record the risk impact scale in section 5.3 of the Risk Management Program Manual.
Note: Info-Tech endorses the use of likelihood values (1-99%) rather than frequency (3 times per year) as a measurement.
For an explanation of why likelihood values lead to more precise and robust risk assessment, see the Appendix.
6-10 hours
Input: Risk events identified
Output: Assessed the likelihood of occurrence and impact for all identified risk events
Materials: Risk Register Tool
Participants: IT risk council, Relevant business stakeholders, Representation from senior management team, Business risk owner
Instructions:
Record results in the Risk Register Tool
Instructions (continued):
Tips for Selecting Likelihood Values:
Does ~10% sound right? Test a likelihood estimate by assessing the truth of the following statements:
Consider how IT is already addressing key risks.
Tactical controls
Apply to individual risks only. Example: A tactical control for backup/replication failure is faster WAN lines.
Strategic controls
Apply to multiple risks. Example: A strategic control for backup/replication failure is implementing formal DR plans.
[Figure: Tactical risk control, Strategic risk control, Risk events]
Consider both tactical and strategic controls already in place when filling out risk event information in the Risk Register Tool.
Identifying existing risk controls (past risk responses) provides a clear picture of the measures already in place to avoid, mitigate, or transfer key risks. This reveals opportunities to improve existing risk controls, or where new strategies are needed, to reduce risk severity levels below business thresholds.
Selecting the Appropriate Risk Owner
Use the following considerations to determine the best owner for each risk:
Risk Owner Responsibilities
Risk ownership means that an individual is responsible for the following activities:
Select risks with these characteristics:
Strongly consider conducting an expected cost assessment for risk events that meet one or more of the following criteria. The risk:
Determine which risks require a deeper assessment:
Info-Tech recommends conducting a second-level assessment for 5-15% of your IT risk register. Communicating the expected cost of high-priority risks significantly increases awareness of IT risks by the business. Communicating risks to the business using their language also increases the likelihood that risk responses will receive the necessary support and investment.
Record the list of risk events requiring second-level assessment in the Risk Costing Tool.
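The first-level arithmetic (impact multiplied by likelihood, compared against the acceptability threshold) and the 5-15% guidance for second-level assessment can be worked through as an added Python example; it is not part of Info-Tech's Risk Register Tool or Risk Costing Tool. The register entries, the $20,000 threshold, and the rule of ranking candidates by expected cost are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEvent:
    name: str
    category: str
    impact: float      # estimated financial impact in dollars if the event occurs
    likelihood: float  # probability of occurrence as a fraction (0.10 = 10%)

    def __post_init__(self):
        # The page asks for likelihood values of 1-99%, not frequencies.
        if not 0.01 <= self.likelihood <= 0.99:
            raise ValueError(f"{self.name}: likelihood must be between 1% and 99%")
        if self.impact < 0:
            raise ValueError(f"{self.name}: impact cannot be negative")

    @property
    def expected_cost(self) -> float:
        # Risk severity in dollars: impact x likelihood, rounded to cents.
        return round(self.impact * self.likelihood, 2)


def rank(register):
    """Register sorted by expected cost, highest first (ties keep register order)."""
    return sorted(register, key=lambda r: r.expected_cost, reverse=True)


def over_threshold(register, threshold):
    """Risk events whose expected cost exceeds the acceptability threshold."""
    return [r for r in rank(register) if r.expected_cost > threshold]


def second_level_shortlist(register, threshold, min_pct=5, max_pct=15):
    """Choose risk events for the expected cost (second-level) assessment.

    Assumption of this example: take every event over the threshold, but keep
    the shortlist within 5-15% of the register, highest expected cost first.
    """
    n = len(register)
    if n == 0:
        return []
    lowest = max(1, -(-n * min_pct // 100))    # ceiling of min_pct% of n
    highest = max(lowest, n * max_pct // 100)  # floor of max_pct% of n
    wanted = len(over_threshold(register, threshold))
    return rank(register)[:min(max(wanted, lowest), highest)]


THRESHOLD = 20_000  # constructed acceptability threshold, in dollars

# Constructed register: some names echo the page's examples, all figures are invented.
REGISTER = [RiskEvent(*row) for row in [
    ("Phishing attack on the organization", "Security", 250_000, 0.10),
    ("Fined for not complying with a new regulation", "Compliance", 500_000, 0.08),
    ("Backup/replication failure", "Availability", 200_000, 0.25),
    ("Unsanctioned disclosure of client files", "Security", 800_000, 0.04),
    ("Network outage", "Availability", 100_000, 0.15),
    ("Insufficient resources to support a DRP", "Operational", 300_000, 0.05),
    ("Vendor performance requirements improperly defined", "Third Party", 60_000, 0.30),
    ("Vendor improperly selected for the use case", "Third Party", 45_000, 0.20),
    ("Project overrun", "Operational", 48_000, 0.40),
    ("Service outage", "Availability", 40_000, 0.25),
    ("Non-compliant vendor selected", "Operational", 120_000, 0.05),
    ("Key staff departure", "Operational", 30_000, 0.35),
    ("Licence audit shortfall", "IT Financial", 25_000, 0.20),
    ("Unplanned cloud spend", "IT Financial", 50_000, 0.30),
    ("Roadmap misaligned with business", "IT Strategic", 70_000, 0.10),
    ("Slow application response", "Performance", 20_000, 0.45),
    ("Public complaint about IT service", "IT Reputational", 15_000, 0.20),
    ("Failed digital initiative", "Digital", 90_000, 0.15),
    ("Lost laptop with sensitive data", "Security", 35_000, 0.30),
    ("Expired certificate", "Availability", 8_000, 0.50),
]]

if __name__ == "__main__":
    for r in over_threshold(REGISTER, THRESHOLD):
        print(f"over threshold: {r.name:<50} ${r.expected_cost:>10,.2f}")
    for r in second_level_shortlist(REGISTER, THRESHOLD):
        print(f"second-level:   {r.name}")
```

Four events exceed the threshold here, but the 15% ceiling on a 20-item register limits the second-level shortlist to three, so the fourth stays at a severity-level assessment unless the council decides otherwise.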
Instructions:
Who should participate?
Intersubjective likelihood
The goal of the expected cost assessment is to develop robust intersubjective estimates of likelihood and financial impact. By aggregating a number of expert opinions of what they deem to be the “correct” value, you will arrive at a collectively determined value that better reflects reality than an individual opinion.
Example: The Delphi Method
The Delphi Method is a common technique to produce a judgement that is representative of the collective opinion of a group.
Justifying Your Estimates: When asked to explain the numbers you arrived at during the risk assessment, pointing to an assessment methodology gives greater credibility to your estimates.
Info-Tech Insight: The underlying assumption behind intersubjective forecasting is that group judgements are more accurate than individual judgements. However, this may not be the case at all. Sometimes, a single expert opinion is more valuable than many uninformed opinions. Defining whose opinion is valuable and whose is not is an unpleasant exercise; therefore, selecting the right personnel to participate in the exercise is crucially important.
Monitor, Respond, and Report on IT Risk
Risk Event Action Plan
Obtaining sign-off from the senior leadership team or from the ERM office is an important step of the risk management process. The Risk Event Action Plan ensures that high-priority risks are closely monitored and that changes in risk severity are detected and reported.
Clear documentation is a way to ensure that critical information is shared with management so that they can make informed risk decisions. These reports should be succinct yet comprehensive; depending on time and resources, it is good practice to fill out this form and obtain sign-off for the majority of IT risks.
The risk owner should be held accountable for monitoring their assigned risks but may delegate responsibility for these tasks.
Instructions:
Note: Examples of KRIs can be found on the following slide.
What are KRIs?
Document KRIs, escalation thresholds, and escalation protocols for each risk in a Risk Event Action Plan.
| Reporting | Risk Event |
| Weekly reports to ITRC | |
| Bi-weekly reports to ITRC | |
| Monthly reports to ITRC | |
| Report to ITRC only if KRI thresholds triggered | |
| No reports; reassessed bi-annually | |
| 1 (Mandatory) | Tool | Information |
| 2 (Optional) | Tool | Information |
Determine the root cause of IT risks
Root cause analysis
Use the “Five Whys” methodology to identify the root cause and contributing/exacerbating factors for each risk event. Diagnosing the root cause of a risk, as well as the environmental factors that increase its potential impact and likelihood of occurring, allows you to identify more effective risk responses. Risk responses that only address the symptoms of the risk are less likely to succeed than responses that address the core issue.
What factors matter?
Identify relevant actors and assets that amplify or diminish the severity of the risk.
Actors
Assets/Resources
Develop risk responses that target contributing factors.
Root cause:
Business units rely on “real-time” data gathered from latency-sensitive applications
Actors: Enterprise App users (Finance, Product Development, Product Management)
Asset/resource: Applications, network
Risk response:
✗ Decreasing the use of key apps contradicts business objectives.
Contributing factors:
Unreliable router software
Actors: Network provider, router vendor, router software vendor, IT department
Asset/resource: Network, router, router software
Risk response:
✓ Replacing the vendor would reduce network outages at a relatively low cost.
Symptoms:
Network outage
Actors: All business units, network provider
Asset/resource: Network, business operations, employee productivity
Risk response:
✗ Replacing legacy systems would be too costly.
Instructions:
Complete the following steps for each risk event.
Document the following in the Risk Event Action Plan for each risk event:
Record the results in the Risk Event Action Plan.
Risk Avoidance
Example Risk event: Information security vulnerability from third-party cloud services provider.
Example 1
Most risk responses will reduce both the likelihood of the risk event occurring and its potential impact. Example Mitigation: Purchase and implement enterprise mobility management (EMM) software with remote wipe capability.
Example 2
However, some risk responses will have a greater effect on decreasing the likelihood of a risk event with little effect on decreasing impact. Example Mitigation: Create policies that restrict which personnel can access sensitive data on mobile devices.
Example 3
Others will reduce the potential impact without decreasing its likelihood of occurring. Example Mitigation: Use robust encryption for all sensitive data.
Process Improvement
Key processes that would most directly improve the risk profile:
Infrastructure Management
Personnel
Rationalization and Simplification
This is a foundational activity, as complexity is a major source of risk:
Insurance
The most common form of risk transfer is the purchase of insurance.
Not all risks can be insured. Insurable risks typically possess the following five characteristics:
Other Forms of Risk Transfer
Other forms of risk transfer include:
Accepting a risk means tolerating the expected cost of a risk event. It is a conscious and deliberate decision to retain the threat.
You may choose to accept a risk event for one of the following three reasons:
Constant monitoring and the assignment of responsibility and accountability for accepted risk events are crucial for effective management of these risks. No IT risk should be accepted without detailed documentation outlining the reasoning behind that decision and evidence of approval by senior management.
This helps IT make risk-conscious investment decisions that fall within the IT budget and helps the organization make sound budgetary decisions for risk response projects that cannot be addressed by IT’s existing budget.
Instructions:
Record the results in the Risk Costing Tool.
Instructions:
The tool will calculate the expected residual cost of the risk event: (Financial Impact × Likelihood) − Costs = Expected Residual Cost
Note: See Activity 3.1.5 to build multi-year cost projections for risk responses.
Instructions: Calculate expected cost for multiple years using the Risk Costing Tool for:
Copy and paste the graphs into the Risk Report and the Risk Event Action Plan for the risk event.
Record the results in the Risk Costing Tool.
Communicate IT risk management in two directions:
Create a strong paper trail and obtain sign-off for the ITRC’s recommendations.
Now that you have collected all of the necessary raw data, you must communicate your insights and recommendations effectively. A fundamental task of risk management is communicating risk information to senior management. It is your responsibility to enable them to make informed risk decisions. This can be considered upward communication. The two primary goals of upward communication are:
Good risk management also has a trickle-down effect impacting all of IT. This can be considered downward communication. The two primary goals of downward communication are:
Best practice is for all acceptable risks to also be signed off by senior leadership. However, for ITRCs that brainstorm 100+ risks, this may not be possible. If this is the case, prioritize accepted risks that were assessed to be closest to the organization’s thresholds.
By receiving a stamp of approval for each key risk from senior management, you ensure that:
Task:
All IT risks that were flagged for exceeding the organization’s severity thresholds must obtain sign-off by the CIO or another member of the senior leadership team.
The Risk Report contains:
The IT risk council plays an instrumental role in fostering a culture of risk awareness throughout the IT department. In addition to periodic risk assessments, fulfilling reporting requirements, and undertaking ongoing monitoring responsibilities, members of the ITRC can take a number of actions to encourage other IT employees to adopt a risk-focused approach, particularly at the project planning stage.
Embed risk management in project planning
Make time for discussing project risks at every project kick-off.
Embed risk management with employees
Train IT staff on the ITRC’s planned responses to specific risk events.
Depending on the size of your IT department and the amount of resources dedicated to ongoing risk management, you may consider embedding risk management responsibilities into the performance assessments of certain ITRC members or other IT personnel.
If risk management responsibilities are not built into performance assessments, it is less likely that they will invest time and energy into these tasks. Adding risk management metrics to performance assessments directly links good job performance with good risk management, making it more likely that ITRC activities and initiatives gain traction throughout the IT department.
Changing job titles to reflect the focus of an individual’s role on managing IT risk may be a good way to distinguish personnel tasked with developing KRIs and monitoring risks on a week-to-week basis.
Go back through the Risk Management Program Manual and ensure that the material will accurately reflect your approach to risk management going forward.
Remember, the program manual is a living document that should be evolving alongside your risk management program, reflecting best practices, knowledge, and experiences accrued from your own assessments and experienced risk events.
The best way to ensure that the program manual continues to guide and document your risk management program is to make it the focal point of every ITRC meeting and ensure that one participant is tasked with making necessary adjustments and additions.
“Upon completing the Info-Tech workshop, the deliverables that we were left with were really outstanding. We put together a 3-year project plan from a high level, outlining projects that will touch upon our high risk areas.” (Director of Security & Risk, Water Management Company)
54% of small businesses haven’t implemented controls to respond to the threat of cyber attacks (Source: Insurance Bureau of Canada, 2021)
So you’ve identified the most important IT risks and implemented projects to protect IT and the business.
Unfortunately, your risk assessment is already outdated.
Perform regular health checks to keep your finger on the pulse of the key risks threatening the business and your reputation.
To continue the momentum of your newly forged IT risk management program, read Info-Tech’s research on conducting periodic risk assessments and “health checks”:
Revive Your Risk Management Program With a Regular Health Check
Risk | An uncertain event or set of events which, should it occur, will have an effect on the achievement of objectives. A risk consists of a combination of the likelihood of a perceived threat or opportunity occurring and the magnitude of its impact on objectives (Office of Government Commerce, 2007). |
Threat | An event that can create a negative outcome (e.g. hostile cyber/physical attacks, human errors). |
Vulnerability | A weakness that can be taken advantage of in a system (e.g. weakness in hardware, software, business processes). |
Risk Management | The systematic application of principles, approaches, and processes to the tasks of identifying and assessing risks, and then planning and implementing risk responses. This provides a disciplined environment for proactive decision making (Office of Government Commerce, 2007). |
Risk Category | Distinct from a risk event, a category is an abstract profile of risk. It represents a common group of risks. For example, you can group certain types of risks under the risk category of IT Operations Risks. |
Risk Event | A specific occurrence of an event that falls under a particular risk category. For example, a phishing attack is a risk event that falls under the risk category of IT Security Risks. |
Risk Appetite | An organization’s attitude towards risk taking, which determines the amount of risk that it considers acceptable. Risk appetite also refers to an organization’s willingness to take on certain levels of exposure to risk, which is influenced by the organization’s capacity to financially bear risk. |
Enterprise Risk Management | (ERM) – A strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of organizational risks and managing the combined impact of those risks as an interrelated risk portfolio (RIMS, 2015). |
The basic formula of Likelihood x Impact = Severity is a common methodology used across risk management frameworks. However, some frameworks measure likelihood using Frequency rather than Likelihood.
Frequency is typically measured as the number of instances an event occurs over a given period of time (e.g. once per month).
Likelihood is a numerical representation of the “degree of belief” that the risk event will occur in a given future timeframe (e.g. 25% likelihood that the event will occur within the next year).
False Objectivity
While some may argue that frequency provides an objective measurement of likelihood, it is well understood in the field of likelihood theory that historical data regarding the frequency of a risk event may have little bearing on the likelihood of that event happening in the future. Frequency is often an indication of future likelihood but should not be considered an objective measurement of it.
Likelihood scales that use frequency underestimate the magnitude of risks that lack historical precedent. For example, an IT department that has never experienced a high-impact data breach would adopt a very low likelihood score using the frequentist approach. However, if all of the organization’s major competitors have suffered a major breach within the last two years, they ought to possess a much higher degree of belief that the risk event will occur within the next year.
Likelihood is a more comprehensive measurement of future likelihood, as frequency can be used to inform the selection of a likelihood value. The process of selecting intersubjective likelihood values will naturally internalize historical data such as the frequency that the event occurred in the past. Further, the frequency that the event is expected to occur in the future can be captured by the expected impact value. For example, a risk event that has an expected impact per occurrence of $10,000 that is expected to occur three times over the next year has an expected impact of $30,000.
Don’t just fixate on the most likely impact – be aware of high-impact outcomes.
During assessment, risks are evaluated according to their most likely financial impact.
Naturally, focusing on the most likely financial impact will exclude higher impacts that – while theoretically possible – are so unlikely that they do not warrant any real consideration.
While the risk severity level assessment allows you to present impacts as a range of values (e.g. $50,000 to $75,000), the expected cost assessment requires you to select specific values.
Sometimes called Black Swan events or Fat-Tailed outcomes, high-impact events may occur when the far right of the likelihood distribution – or the “tail” – is thicker than a normal distribution (see fig. 2).
For risk events that contain non-negligible likelihoods (too high to be ignored), consider elevating the risk severity level or expected cost.
Info-Tech Insight: Don’t gamble recklessly with external compliance. Play a winning system and take calculated risks to stack the odds in your favor. Take an agile approach to analyze your gaps and prioritize your remediations. You don’t always have to be fully compliant as long as your organization understands and can live with the consequences.
Info-Tech Insight: Security risk management equals cost effectiveness. Time spent upfront identifying and prioritizing risks can mean the difference between spending too much and staying on budget.
Sandi Conrad
Christine Coz
Milena Litoiu
Scott Magerfleisch
Aadil Nanji
Andy Neill
Daisha Pennie
Ken Piddington
Frank Sewell
Andrew Sharpe
Chris Warner
Sterling Bjorndahl
Ibrahim Abdel-Kader
Tamara Dwarika
Anne Leroux
Ian Mulholland
Michel Fossé
Petar Hristov
Steve Woodward
*Plus 10 additional interviewees who wish to remain anonymous.
“2021 State of the CIO.” IDG, 28 January 2021. Web.
“4 Reasons Why CIOs Lose Their Jobs.” Silverton Consulting, 2012. Web.
Beasley, Mark, Bruce Branson, and Bonnie Hancock. “The State of Risk Oversight.” AICPA, April 2021. Web.
COBIT 2019. ISACA, 2019. Web.
“Cognyte jeopardized its database exposing 5 billion records, including earlier data breaches.” SecureBlink, 21 June 2021. Web.
Culp, Steve. “Accenture 2019 Global Risk Management Study, Financial Services Report.” Accenture, 2019. Web.
Curtis, Patchin, and Mark Carey. “Risk Assessment in Practice.” COSO Committee of Sponsoring Organizations of the Treadway Commission, Deloitte & Touche LLP, 2012. Web.
“Cyber Risk Management.” Insurance Bureau of Canada (IBC), 2022. Web.
Eccles, Robert G., Scott C. Newquist, and Roland Schatz. “Reputation and Its Risks.” Harvard Business Review, February 2007. Web.
Eden, C. and F. Ackermann. Making Strategy: The Journey of Strategic Management. Sage Publications, 1998.
“Enterprise Risk Management Maturity Model.” OECD, 9 February 2021. Web.
Ganguly, Saptarshi, Holger Harreis, Ben Margolis, and Kayvaun Rowshankish. “Digital Risks: Transforming risk management for the 2020s.” McKinsey & Company, 10 February 2017. Web.
“Governance Institute of Australia Risk Management Survey 2020.” Governance Institute of Australia, 2020. Web.
“Guidance on Enterprise Risk Management.” COSO, 2022. Web.
Henriquez, Maria. “The Top 10 Data Breaches of 2021.” Security Magazine, 9 December 2021. Web.
Holmes, Aaron. “533 million Facebook users’ phone numbers and personal data have been leaked online.” Business Insider, 3 April 2021. Web.
“Integrated Risk and Compliance Management for Banks and Financial Services Organizations: Benefits of a Holistic Approach.” MetricStream, 2022. Web.
“ISACA’s Risk IT Framework Offers a Structured Methodology for Enterprises to Manage Information and Technology Risk.” ISACA, 25 June 2020. Web.
ISO 31000 Risk Management. ISO, 2018. Web.
Lawton, George. “10 Enterprise Risk Management Trends in 2022.” TechTarget, 2 February 2022. Web.
Levenson, Michael. “MGM Resorts Says Data Breach Exposed Some Guests’ Personal Information.” The New York Times, 19 February 2020. Web.
Management of Risk (M_o_R): Guidance for Practitioners. Office of Government Commerce, 2007. Web.
“Many small businesses vulnerable to cyber attacks.” Insurance Bureau of Canada (IBC), 5 October 2021.
Maxwell, Phil. “Why risk-informed decision-making matters.” EY, 3 December 2019. Web.
“Measuring and Mitigating Reputational Risk.” Marsh, September 2014. Web.
Natarajan, Aarthi. “The Top 6 Business Risks you should Prepare for in 2022.” Diligent, 22 December 2021. Web.
“Operational Risk Management Excellence – Get to Strong Survey: Executive Report.” KPMG and RMA, 2014. Web.
“Third-party risk is becoming a first priority challenge.” Deloitte, 2022. Web.
Thomas, Adam, and Dan Kinsella. “Extended Enterprise Risk Management Survey, 2020.” Deloitte, 2021. Web.
Treasury Board Secretariat. “Guide to Integrated Risk Management.” Government of Canada, 12 May 2016. Web.
Webb, Rebecca. “6 Reasons Data is Key for Risk Management.” ClearRisk, 13 January 2021. Web.
“What is Enterprise Risk Management (ERM)?” RIMS, 2015. Web.
Wiggins, Perry. “Do you spend enough time assessing strategic risks?” CFO, 26 January 2022. Web.
This phase will help you define and weigh value drivers based on overarching organizational priorities and goals.
This phase will help you analyze the value sources of your products and services and their alignment to value drivers to produce a value score that you can use for prioritization.
"A meaningful measurable definition of value is the key to effectively managing the intake, prioritization, and delivery of technology-enabled products and services."
Cole Cioran,
Senior Director, Research – Application Development and Portfolio Management
Info-Tech Research Group
38% of spend on IT employees goes to software roles.
Source: Info-Tech’s Staffing Survey
18% of opex is spent on software licenses.
Source: SoftwareReviews.com
33% of capex is spent on new software.
Only 34% of software is rated as both important and effective by users.
Source: Info-Tech’s CIO Business Vision
IT departments have a tendency to measure only their own role-based activities and deliverables, which only prove useful for selling practice improvement services. Technology doesn’t exist for technology's sake. It’s in place to generate specific outcomes. IT and the business need to be aligned toward a common goal of enabling business outcomes, and that’s the important measurement.
"In today’s connected world, IT and business must not speak different languages."
– Cognizant, 2017
N=469 CxOs from Info-Tech’s CEO/CIO Alignment Diagnostic
Key stakeholders want to know how you and your products or services help them realize their goals.
Often, IT misses the opportunity to become a strategic partner because it doesn’t understand how to communicate and measure its value to the business.
"Price is what you pay. Value is what you get."
– Warren Buffett
Being able to understand the value context will allow IT to articulate where IT spend supports business value and how it enables business goal achievement.
Value is...
Derived from business context
Enabled through governance and strategy
The underlying context for decision making
A measure of achievement
Competent organizations know that value cannot always be represented by revenue or reduced expenses. However, it is not always apparent how to envision the full spectrum of sources of value. Dissecting value by the benefit type and the value source’s orientation allows you to see the many ways in which a product or service brings value to the organization.
Financial Benefits vs. Improved Capabilities
Financial Benefits refers to the degree to which the value source can be measured through monetary metrics and is often quite tangible. Human Benefits refers to how a product or service can deliver value through a user’s experience.
Inward vs. Outward Orientation
Inward refers to value sources that have an internal impact and improve your organization’s effectiveness and efficiency in performing its operations. Outward refers to value sources that come from your interaction with external factors, such as the market or your customers.
Increase Revenue | Reduce Costs | Enhance Services | Reach Customers |
|---|---|---|---|
Product or service functions that are specifically related to the impact on your organization’s ability to generate revenue. | Reduction of overhead. They typically are less related to broad strategic vision or goals and more simply limit expenses that would occur had the product or service not been put in place. | Functions that enable business capabilities that improve the organization’s ability to perform its internal operations. | Application functions that enable and improve the interaction with customers or produce market information and insights. |
Buy-in for your IT strategy comes from the ability to showcase value. IT needs to ensure it has an aligned understanding of what is valuable to the organization.
Business value needs to first be established by the business. After that, IT can build a partnership with the business to determine what that value means in the context of IT products and services.
The Business | What the Business and IT have in common | IT |
|---|---|---|
Keepers of the organization’s mission, vision, and value statements that define IT success. The business maintains the overall ownership and evaluation of the products along with those most familiar with the capabilities or processes enabled by technology. | Business Value of Products and Services | Technical subject matter experts of the products and services they deliver and maintain. Each IT function works together to ensure quality products and services are delivered up to stakeholder expectations. |
The VMF provides a consistent and less subjective approach to generating a value score for an application, product, service, or individual feature, by using business-defined value drivers and product-specific value metrics.
| Value Drivers | Value Sources | Value Fulfillment Metrics |
|---|---|---|
| Broad categories of values, weighed and prioritized based on overarching goals | Instances of created value expressed as a “business outcome” of a particular function | Units of measurement and estimated targets linked to a value source |
| Reach Customers | Customer Satisfaction | Net Promoter Score |
| | Customer Loyalty | # of Repeat Visits |
| Create Revenue Streams | Data Monetization | Dollars Derived From Data Sales |
| | Leads Generation | Leads Conversion Rate |
| Operational Efficiency | Operational Efficiency | Number of Interactions |
| | Workflow Management | Cycle Time |
| | Adhere to regulations & compliance | Number of Policy Exceptions |
The Info-Tech approach to measuring value applies the balanced value scorecard approach.
Importance of value source x Impact of value source = Value Score
Importance of value source is based on alignment to the value driver, which is weighed by a 1-5 scale of the relative importance of the value driver to the organization.
Impact of value source is based on realistic targets for the KPI, which is estimated by a 1-5 scale of the application or feature’s ability to fulfill that value source.
(Importance of Value Source x Impact of Value Source) + (Importance of Value Source x Impact of Value Source) + (Importance of Value Source x Impact of Value Source) + (Importance of Value Source x Impact of Value Source) = Balanced Business Value Score
Value Score 1 + Value Score 2 + … + Value Score N = Overall Balanced Value Score
Estimate the relative value of different product backlog items (i.e. epics, features, etc.) to ensure the highest value items are completed first.
This blueprint can be used as an input into Info-Tech’s Build a Better Backlog.
Estimate the relative value of proposed new applications or major changes or enhancements to existing applications to ensure the right projects are selected and completed first.
This blueprint can be used as an input into Info-Tech’s Optimize Project Intake, Approval, and Prioritization.
Gauge the relative value from the current use of your applications to support strategic decision making such as retirement, consolidation, and further investments.
This blueprint can be used as an input into Info-Tech’s Visualize Your Application Portfolio Strategy With a Business Value-Driven Roadmap.
Gauge the relative value of your existing applications to distinguish your most to least important systems and build tailored support structures that limit the downtime of key value sources.
This blueprint can be used as an input into Info-Tech’s Streamline Application Maintenance.
Transition to Product Delivery
The Value Calculator facilitates the activities surrounding defining and measuring the business value of your products and services.
Use this tool to:
Populate the Value Calculator as you complete the activities and steps on the following slides.
– George E.P. Box, 1979
Value is tricky: Value can be intangible, ambiguous, and cause all sorts of confusion, with the multiple, and often conflicting, priorities any organization is sure to have. You won’t likely come to a unified understanding of value or an agreement on whether one thing is more valuable than something else. However, this doesn’t mean you shouldn’t try. The VMF provides a means to organize various priorities in a meaningful way and to assess the relative value of a product or service to guide managers and decision makers on the right track and keep alignment with the rest of the organization.
Relative value vs. ROI: This assessment produces a score to determine the value of a product or service relative to other products or services. Its primary function is to prioritize similar items (projects, epics, requirements, etc.) as opposed to producing a monetary value that can directly justify cost and make the case for a positive ROI.
Apply caution with metrics: We live in a metric-crazed era, where everything is believed to be measurable. While there is little debate over recent advances in data, analytics, and our ability to trace business activity, some goals are still quite intangible, and managers stumble trying to link these goals to a quantifiable data source.
In applying the VMF Info-Tech urges you to remember that metrics are not a magical solution. They should be treated as a tool in your toolbox and are sometimes no more than a rough gauge of performance. Carefully assign metrics to your products and services and do not disregard the informed subjective perspective when SMART metrics are unavailable.
"One of the deadly diseases of management is running a company on visible figures alone."
– William Edwards Deming, 1982
This blueprint discusses value in a variety of ways. Use our glossary of terms to understand our specific focus.
Value Measurement Framework (VMF) | A method of measuring relative value for a product or service, or the various components within a product or service, through the use of metrics and weighted organizational priorities. |
Value Driver | A broad organizational goal that acts as a category for many value sources. |
Value Source | A specific business goal or outcome that business and product or service capabilities are designed to fulfill. |
Value Fulfillment | The degree to which a product or service impacts a business outcome, ideally linked to a metric. |
Value Score | A measurement of the value fulfillment factored by the weight of the corresponding value driver. |
Overall Balanced Value Score | The combined value scores of all value sources linked to a product or service. |
Relative Value | A comparison of value between two similar items (i.e. applications to applications, projects to projects, feature to feature). |
“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”
“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”
“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”
“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”
| | 1. Define Your Value Drivers | 2. Measure Value |
|---|---|---|
| Best-Practice Toolkit | 1.1 Identify your business value authorities. 2.1 Define your value drivers. 2.2 Weigh your value drivers. | |
| Guided Implementations | Identify the stakeholders who should be the authority on business value. Identify, define, and weigh the value drivers that will be used in your VMF and all proceeding value measurements. | Identify the stakeholders who are the subject matter experts for your products or services. Measure the value of your products and services with value sources, fulfillment, and drivers. |
| | Outcome: | Outcome: |
One of the main aspects of the VMF is to apply consistent and business-aligned weights to the products or services you will evaluate.
This is why we establish your value drivers first:
1.1: Identify Value Authorities
1.2: Define Value Drivers
2.1: Identify Product or Service SMEs
2.2: Measure Value
This step will walk you through the following activities:
This step involves the following participants:
Outcomes of this step
Buy-in for your IT strategy comes from the ability to showcase value. IT needs to ensure it has an aligned understanding of what is valuable to the organization. First, priorities need to be established by the business. Second, IT can build a partnership with the business to determine what that value means in the context of IT products and services.
The Business | What the Business and IT have in common | IT |
|---|---|---|
Keepers of the organization’s mission, vision, and value statements that define IT success. The business maintains the overall ownership and evaluation of the products along with those most familiar with the capabilities or processes enabled by technology. | Business Value of Products and Services | Technical subject matter experts of the products and services they deliver and maintain. Each IT function works together to ensure quality products and services are delivered up to stakeholder expectations. |
CEO: Who better holds the vision or mandate of the organization than its leader? Ideally, they are front and center for this discussion.
CIO: IT must ensure that technical/practical considerations are taken into account when determining value.
CFO: The CFO or designated representative will ensure that estimated costs and benefits can be used to manage the budgets.
VPs: Application delivery and management is designed to generate value for the business. Senior management from business units must help define what that value is.
Evaluators (PMO, PO, APM, etc.): Those primarily responsible for applying the VMF should be present and active in identifying and carefully defining your organization’s value drivers.
Steering Committee: This established body, responsible for the strategic direction of the organization, is really the primary audience.
The objective of this exercise is to identify key business stakeholders involved in strategic decision making at an organizational level.
INFO-TECH TIP
If your organization does not have a formal governance structure, your stakeholders would be the key players in devising business strategy. For example:
Leverage your organizational chart, governing charter, and senior management knowledge to better identify key stakeholders.
Purpose & Mission | Past Achievement & Current State | Vision & Future State | Culture & Leadership |
There must be a consensus view of what is valuable within the organization, and these values need to be shared across the enterprise. Instead of maintaining siloed views and fighting for priorities, all departments must have the same value and purpose in mind. These factors – purpose and mission, past achievement and current state, vision and future state, and culture and leadership – impact what is valuable to the organization.
Mission | Vision | Business Value |
|---|---|---|
Why does the company exist? | What does the organization see itself becoming? | What critical factors fulfill the mission and vision? |
Competent organizations know that value cannot always be represented by revenue or reduced expenses. However, it is not always apparent how to envision the full spectrum of value sources. Dissecting value by the benefit type and the value source’s orientation allows you to see the many ways in which a product or service brings value to the organization.
Financial Benefits vs. Improved Capabilities
Financial Benefits refers to the degree to which the value source can be measured through monetary metrics and is often quite tangible. Human Benefits refers to how a product or service can deliver value through a user’s experience.
Inward vs. Outward Orientation
Inward refers to value sources that have an internal impact and improve your organization’s effectiveness and efficiency in performing its operations. Outward refers to value sources that come from your interaction with external factors, such as the market or your customers.
Increase Revenue | Reduce Costs | Enhance Services | Reach Customers |
|---|---|---|---|
Product or service functions that are specifically related to the impact on your organization’s ability to generate revenue. | Reduction of overhead. They typically are less related to broad strategic vision or goals and more simply limit expenses that would occur had the product or service not been put in place. | Functions that enable business capabilities that improve the organization’s ability to perform its internal operations. | Application functions that enable and improve the interaction with customers or produce market information and insights. |
Different industries have a wide range of value drivers. Consider the difference between public and private entities with respect to generating revenue or reaching their customers or other external stakeholders. Even organizations in the same industry may have different values. For example, a mature, well-established manufacturer may view reputation and innovation as its highest-priority values, whereas a struggling manufacturer will see revenue or market share growth as its main drivers.
Value Drivers | | | |
|---|---|---|---|
Increase Revenue | Reduce Costs | Enhance Services | Reach Customers |
You do not need to dissect each quadrant into an exhaustive list of value drivers. Info-Tech recommends defining distinct value drivers only for the areas you’ve identified as critical to your organization’s core goals and objectives.
Direct Revenue: This value driver is the ability of a product or service to directly produce revenue through core revenue streams. Can be derived from:
Be aware of the differences between your products and services that enable a revenue source and those that facilitate the flow of capital.
Funding: This value driver is the ability of a product or service to enable other types of funding unrelated to core revenue streams. Can be derived from:
Be aware of the difference between your products and services that enable a revenue source and those that facilitate the flow of capital.
Scale & Growth: In essence, this driver can be viewed as the potential for growth in market share or new developing revenue sources. Does the product or service:
Be cautious of which items you identify here, as many innovative activities may have some potential to generate future revenue. Stick to those that have a strong connection to future revenue and don’t qualify for other value driver categories.
Monetization of Assets: This value driver is the ability of your products and services to generate additional assets. Can be derived from:
This value source is often overlooked. If given the right attention, it can lead to a big win for IT’s role in the business.
Cost Reduction: A cost reduction is a “hard” cost saving that is reflected as a tangible decrease to the bottom line. This can be derived from reduction of expenses such as:
Cost reduction plays a critical role in an application’s ability to increase efficiency.
Cost Avoidance: A cost avoidance is a “soft” cost saving, typically achieved by preventing a cost from occurring in the first place (i.e. risk mitigation). Cost avoidance indirectly impacts the bottom line. This can be derived from prevention of expenses by:
Enable Core Operations: Some applications are in place to facilitate and support the structure of the organization. These vary depending on the capabilities of your organization but should be assessed in relation to the organization’s culture and structure.
This example is intentionally broad, as “core operations” should be further dissected to define different capabilities with ranging priority.
Compliance: A product or service may be required in order to meet a regulatory requirement. In these cases, you need to be aware of the organizational risk of NOT implementing or maintaining a service in relation to those risks. In this case, the product or service is required in order to:
Internal Improvement: An application’s ability to create value outside of its core operations and facilitate the transfer of information, insights, and knowledge. Value can be derived by:
Innovation: Innovation is typically an ill-defined value driver, as it refers to the ability of your products and services to explore new value streams. Consider:
Innovation is one of the more divisive value drivers, as some organizations will strive to be cutting edge and others will want no part in taking such risks.
Policy: Products and services can also be assessed in relation to whether they enable and support policies of the organization. Policies identify and reinforce required processes, organizational culture, and core values. Policy value can be derived from:
Experience: Applications are often designed to improve the interaction between customer and product. This value type is most closely linked to product quality and user experience. Customers, in this sense, can also include any stakeholders who consume core offerings. Customer experience value can be derived from:
Customer Information: Understanding demand and customer trends is a core driver for all organizations. Data provided through understanding the ways, times, and reasons that consumers use your services is a key driver for growth and stability. Customer information value can be achieved when an app:
Trust & Reputation: Products and services are designed to enable goals of digital ethics and are highly linked to your organization’s brand strategy. Trust and reputation can also be described as:
Prioritizing this value source is critical, as traditional priorities can often come at the expense of trust and reputation.
The objective of this exercise is to establish a common understanding of the different values of the organization.
INPUT
OUTPUT
Materials
Participants
Value Driver Name Reach Customers | Value Driver Description Our organization’s ability to provide quality products and experience to our core customers | Value Driver Weight 10/10 |
Related Business Capabilities
| Key Business Outcomes, KPIs, and Targets
| |
The objective of this exercise is to prioritize your value drivers based on their relative importance to the business.
INPUT
OUTPUT
Materials
Participants
Value Driver | Percentage Allocation | 1 to 10 Weight |
|---|---|---|
Revenue and other funding | 24% | 9 |
Cost reduction | 8% | 3 |
Compliance | 5% | 2 |
Customer value | 30% | 10 |
Operations | 13% | 7 |
Innovation | 5% | 2 |
Sustainability and social responsibility | 2% | 1 |
Internal learning and development | 3% | 1 |
Future growth | 10% | 5 |
Total | 100% |
Document results of this activity in the “Value Drivers” tab of the Value Calculator.
List your value drivers.
Define or describe your value drivers.
Use this tool to create a repository for value sources to reuse and maintain consistency across your measurements.
Enter the weight of each value driver in terms of importance to the organization.
1.1: Identify Value Authorities
1.2: Define Value Drivers
2.1: Identify Product or Service SMEs
2.2: Measure Value
This step will walk you through the following activities:
This step involves the following participants:
Outcomes of this step
To get a full evaluation of a product or service, you need to understand its multiple facets, functions, features, capabilities, requirements, or whatever terms you use to describe its various components.
Decompose a product or service:
This table looks at how the different use cases of the VMF call for variations of this analysis, is directed at different roles, and relies on participation from different subject matter experts to provide business context.
|
Use Case (uses of the VMF applied in this blueprint) |
Value (current vs. future value) |
Item (the singular entity you are producing a value score for) |
Components (the various facets of that entity that need to be considered) |
Scope (# of systems undergoing analysis) |
Evaluator (typical role responsible for applying the VMF) |
Cadence (when and why do you apply the VMF) |
Information Sources (what documents, tools, etc., do you need to leverage) |
SMEs (who needs to participate to define and measure value) |
|---|---|---|---|---|---|---|---|---|
|
1. Prioritize Your Product Backlog |
You are estimating future value of proposed changes to an application. |
Product backlog items (epic, feature, etc.) in your product backlog |
|
A product |
Product owner |
Continuously apply the VMF to prioritize new and changing product backlog items. |
|
Product manager |
|
2. Prioritize Your Project Backlog |
Proposed projects in your project backlog |
|
Multiple existing and/or new applications |
Project portfolio manager |
Apply the VMF during your project intake process as new projects are proposed. |
|
Project manager Product owners Business analysts |
|
|
3. Application Rationalization |
You are measuring current value of existing applications and their features. |
An application in your portfolio |
The uses of the application (features, function, capabilities) |
A subset of applications or the full portfolio |
Application portfolio manager |
During an application rationalization initiative:
|
|
Business process owners Business unit representatives Business architects Application architects Application SMEs |
|
4. Application Categorization |
The full portfolio |
Application maintenance or operations manager |
|
The objective of this exercise is to identify specific business stakeholders who can speak to the business outcomes of your applications at a functional level.
INPUT
OUTPUT
Materials
Participants
Prioritizing your product backlog (epics, features, etc.) requires a consistent method of measuring the value of your product backlog items (PBIs) to continuously compare their value relative to one another. This should be treated as an ongoing initiative as new items are added and existing items change, but an initial introduction of the VMF will require you to collect and analyze all of the items in your backlog.
Regardless of producing a value score for an epic, feature, or user story, your focus should be on identifying their various value sources. Review your product’s artifact documentation, toolsets, or other information sources to extract the business outcomes, impact, benefits, KPIs, or any other description of a value source.
|
High |
Epics Carefully valuated with input from multiple stakeholders, using metrics and consistent scoring |
|
Level of valuation effort per PBI |
User Stories Collaboratively valuated by the product owner and teams based on alignment and traceability to corresponding epic or feature |
|
Low |
Raw Ideas Intuitively valuated by the product owner based on alignment to product vision and organization value drivers |
What’s in your backlog?
You may need to create standards for defining and measuring your different PBIs. Traceability can be critical here, as defined business outcomes for features or user stories may be documented at an epic level.
Additional Research
Build a Better Backlog helps you define and organize your product backlog items.
Depending on where your project is in your intake process, there should be some degree of stated business outcomes or benefits. This may be a less refined description in the form of a project request or business case document, or it could be more defined in a project charter, business requirements document/toolset, or work breakdown structure (WBS). Regardless of the information source, to make proper use of the VMF you need a clear understanding of the various business outcomes to establish the new or improved value sources for the proposed project.
|
Project |
||
|
User Requirements |
Business Requirements |
System Requirements |
|
1 |
1 |
1 |
|
2 |
2 |
2 |
|
3 |
3 |
|
|
4 |
||
Set Metrics Early
Good project intake documentation begins the discussion of KPIs early on. This alerts teams to the intended value and gives your PMO the ability to integrate it into the workload of other proposed or approved projects.
Additional Research
An application can enable multiple capabilities, perform a variety of functions, and have a range of different user groups. Therefore, a single application can produce multiple value sources, which range in type, impact, and significance to the business’ overarching priorities. In order to effectively measure the overall value of an application you need to determine all of the ways in which that application is used and apply a business-downward view of your applications.
Business Capability
Application
Aim for Business Use
Simply listing the business capabilities of an app can be too high level. Regardless of your organization’s terminology, you need to establish all of the different uses and users of an application to properly measure all of the facets of its value.
Additional Research
The objective of this exercise is to produce a list of the different items that you are scoring and ensure you have considered all relevant components.
|
Item |
Components |
|---|---|
|
Add Customer Portal (Epic) |
User story #1: As a sales team member I need to process customer info. User story #2: As a customer I want access to… |
|
Transition to the Cloud (Project) |
Requirement #1: Build Checkout Cart NFR – Build integration with data store |
|
CRM (Application) |
Order Processing (module), Returns & Claims (module), Analytics & Reporting (Feature) |
INPUT
OUTPUT
Materials
Participants
The objective of this exercise is to establish the different use cases of an application.
Example: Ordering Products Online
|
Actors Order Customer |
Order Online |
Search Products |
Consumers |
|
Submit Delivery Information |
Order Customer |
||
|
Pay Order |
Bank |
INPUT
OUTPUT
Materials
Participants
5. Align your application’s use cases to the appropriate business capabilities and stakeholder objectives.
Example:
|
Stakeholder Objective: Automate Client Creation Processes |
Business Capability: Account Management |
Function: Create Client Profile |
|
Function: Search Client Profiles |
||
|
Business Capability: Sales Transaction Management |
Function: Order Online |
Function: Search Products |
|
Function: Submit Delivery Information |
||
|
Function: Pay Order |
1.1: Identify Value Authorities
1.2: Define Value Drivers
2.1: Identify Product or Service SMEs
2.2: Measure Value
This step will walk you through the following activities:
This step involves the following participants:
Outcomes of this step
With your products or services broken down, you can then determine a list of value sources, as well as their alignment to a value driver and a gauge of their value fulfillment, which in turn indicate the importance and impact of a value source respectively.
Lastly, we produce a value score for all items:
Business outcomes are the business-oriented results produced by an organization’s capabilities and the applications that support those capabilities. The value source is, in essence, “How does the application impact the outcome?” and this can be either qualitative or quantitative.
|
Quantitative |
Qualitative |
||
|---|---|---|---|
|
Key Words |
Examples |
Key Words |
Examples |
|
Faster, cheaper |
Deliver faster |
Better |
Better user experience |
|
More, less |
More registrations per week |
Private |
Enhanced privacy |
|
Increase, decrease |
Decrease clerical errors |
Easier |
Easier to input data |
|
Can, cannot |
Can access their own records |
Improved |
Improved screen flow |
|
Do not have to |
Do not have to print form |
Enjoyable |
Enjoyable user experience |
|
Compliant |
Complies with regulation 12 |
Transparent |
Transparent progress |
|
Consistent |
Standardized information gathered |
Richer |
Richer data availability |
Adapted from Agile Coach Journal.
The objective of this exercise is to establish the different value sources of a product or service.
Consider applying the user story format for future value sources or a variation for current value sources.
As a (user), I want to (activity) so that I get (impact)
INPUT
OUTPUT
Materials
Participants
The objective of this exercise is to determine the value driver for each value source.
INPUT
OUTPUT
Materials
Participants
Example:
Document results of this activity in the Value Calculator in the Item {#} tab.
List your Value Sources
Your Value Driver weights will auto-populate
Specific
Measurable
Achievable
Realistic
Time-based
Follow the SMART framework when adding metrics to the VMF.
The intention of SMART goals and metrics is to make sure you have chosen a gauge that will:
Metrics are NOT a magical solution. They should be treated as a tool in your toolbox and are sometimes no more than a rough gauge of performance. Carefully assign metrics to your products and services and do not disregard the informed subjective perspective when SMART metrics are unavailable.
One last critical consideration here is the degree of effort required to collect the metric compared to the value of the analysis you are performing. Assessing whether or not to invest in a project should apply the rigor of carefully selecting and measuring value. However, performing a rationalization of the full app portfolio will likely lead to analysis paralysis. Taking an informed subjective perspective may be the better route.
The objective of this exercise is to determine an appropriate metric for each value source.
10 = The product or service far exceeds expectations and targets on the metric.
5 = The product or service meets expectations on this metric.
1 = The product or service underperforms on this metric.
INPUT
OUTPUT
Materials
Participants
Document results of this activity in the Value Calculator in the Item {#} tab.
Assign Metrics.
Consider using current or estimated performance and targets.
Assess the impact on the value source with the value fulfillment.
Collect your Overall Balanced Value Score
Brown, Alex. “Calculating Business Value.” Agile 2014 Orlando – July 13, 2014. Scrum Inc. 2014. Web. 20 Nov. 2017.
Brown, Roger. “Defining Business Value.” Scrum Gathering San Diego 2017. Agile Coach Journal. Web.
Curtis, Bill. “The Business Value of Application Internal Quality.” CAST. 6 April 2009. Web. 20 Nov. 2017.
Fleet, Neville, Joan Lasselle, and Paul Zimmerman. “Using a Balance Scorecard to Measure the Productivity and Value of Technical Documentation Organizations.” CIDM. April 2008. Web. 20 Nov. 2017.
Harris, Michael. “Measuring the Business Value of IT.” David Consulting Group. 20 Nov. 2017.
Intrafocus. “What is a Balanced Scorecard?” Intrafocus. Web. 20 Nov. 2017.
Kerzner, Harold. Project Management: A Systems Approach to Planning, Scheduling, and Controlling. 12th ed., Wiley, 2017.
Lankhorst, Marc, et al. “Architecture-Based IT Valuation.” Via Nova Architectura. 31 March 2010. Web. 20 Nov. 2017.
Rachlin, Sue, and John Marshall. “Value Measuring Methodology.” Federal CIO Council, Best Practices Committee. October 2002. Web. April 2019.
Thiagarajan, Srinivasan. “Bridging the Gap: Enabling IT to Deliver Better Business Outcomes.” Cognizant. July 2017. Web. April 2019.
The process of navigating from waterfall to Agile can be incredibly challenging. Even more problematic: how do you operate your requirements management practices once there? There traditionally isn’t a role for a business analyst, the traditional keeper of requirements. It isn’t like switching on a light.
You likely find yourself struggling to deliver high quality solutions and requirements in Agile. This is a challenge for many organizations, regardless of how long they’ve leveraged Agile.
But you aren’t here for assurances. You’re here for answers and help.
Agile and requirements management are complementary, not competitors.
Info-Tech’s advice? Why choose? Why have to pick between traditional waterfall and Agile delivery? If Agile without analysis is a recipe for disaster, Agile with analysis is the solution. How can you leverage the Info-Tech approach to align your Agile and requirements management efforts into a powerful combination?
Manage Requirements in an Agile Environment is your guide.
Use the contents and exercises of this blueprint to gain a shared understanding of the two disciplines, to find your balance in your approach, to define your thresholds, and ultimately, to prepare for new ways of working.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Provides support and guidance for organizations struggling with their requirements management practices in Agile environments.
The Agile Requirements Playbook becomes THE artifact for your Agile requirements practices. Great for onboarding, reviewing progress, and ensuring a shared understanding of your ways of working.
The Documentation Calculator can inform your documentation decision making, ensuring you're investing just the right amount of time, money, and effort.
This workbook is designed to capture the results of your exercises in the Manage Requirements in an Agile Environment Storyboard. Each worksheet corresponds to an exercise in the storyboard. This is a tool for you, so customize the content and layout to best suit your product. The workbook is also a living artifact that should be updated periodically as the needs of your team and organization change.
The Agile Requirements Assessment is a great tool for determining your current capabilities and maturity in Agile and Business Analysis. You can also articulate your target state, which enables the identification of capability gaps, the creation of improvement goals, and a roadmap for maturing your Agile Requirements practice.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Sets the context for the organization, to ensure a shared understanding of the benefits of both Agile and business analysis/requirements management.
Have a shared definition of Agile and business analysis / requirements.
Understand the current state of Agile and business analysis in your organization.
1.1 Define what Agile and business analysis mean in your organization.
1.2 Agile requirements assessment.
Alignment on Agile and business analysis / requirements in your organization.
A current and target state assessment of Agile and business analysis in your organization.
Confirm you’re going the right way for effective solution delivery.
Confirm the appropriate delivery methodology.
2.1 Confirm your selected methodology.
Confidence in your selected project delivery methodology.
Provides the guardrails for your Agile requirements practice, to define a high-level process, roles and responsibilities, governance and decision-making, and how to deal with change.
Clearly defined interactions between the BA and their partners
Define a plan for management and governance at the project team level
3.1 Define your Agile requirements process.
3.2 Define your Agile requirements RACI.
3.3 Define your governance.
3.4 Define your change and backlog refinement plan.
Agile requirements process.
Agile requirements RACI.
A governance and documentation plan.
A change and backlog refinement approach.
Provides the action plan to achieve your target state maturity
Recognize and prepare for the new ways of working for communication, stakeholder engagement, within the team, and across the organization.
Establish a roadmap for next steps to mature your Agile requirements practice.
4.1 Define your stakeholder communication plan.
4.2 Identify your capability gaps.
4.3 Plan your Agile requirements roadmap.
A stakeholder communication plan.
A list of capability gaps to achieve your desired target state.
A prioritized roadmap to achieve the target state.
To provide practical guidance on technique usage, which can enable an improved experience with technical elements of the blueprint.
An opportunity to learn new tools to support your Agile requirements practice.
5.1 Managing requirements' traceability.
5.2 Creating and managing user stories.
5.3 Managing your requirements backlog.
5.4 Maintaining a requirements library.
Support and advice for leveraging a given tool or technique.
Support and advice for leveraging a given tool or technique.
Support and advice for leveraging a given tool or technique.
Support and advice for leveraging a given tool or technique.
Agile and requirements management are complementary, not competitors
The temptation when moving to Agile is to deemphasize good requirements practices in favor of perceived speed. If you're not delivering on the needs of the business then you have failed, regardless of how fast you've gone.
Delivery in Agile doesn't mean you stop needing solid business analysis. In fact, it's even more critical, to ensure your products and projects are adding value. With the rise of Agile, the role of the business analyst has been misunderstood.
As a result, we often throw out the analysis with the bathwater, thinking we'll be just fine without analysis, documentation, and deliberate action, as the speed and dexterity of Agile is enough.
Consequently, what we get is wasted time, money, and effort, with solutions that fail to deliver value, or need to be re-worked to get it right.
The best organizations find balance between these two forces, to align, and gain the benefits of both Agile and business analysis, working in tandem to manage requirements that bring solutions that are "just right".

Vincent Mirabelli
Principal Research Director, Applications Delivery and Management
Info-Tech Research Group
The process of navigating from waterfall to Agile can be incredibly challenging. Even more problematic: how do you operate your requirements management practices once there? There traditionally isn't a role for a business analyst, the traditional keeper of requirements. It isn't like switching on a light.
You likely find yourself struggling to deliver high quality solutions and requirements in Agile. This is a challenge for many organizations, regardless of how long they've leveraged Agile.
But you aren't here for assurances. You're here for answers and help.
many organizations and teams face is that they are so busy doing Agile that they fail to be Agile.
Agile was supposed to be the saving grace of project delivery but is misguided in taking the short-term view of "going quickly" at the expense of important elements, such as team formation and interaction, stakeholder engagement and communication, the timing and sequencing of analysis work, decision-making, documentation, and dealing with change.
The idea that good requirements just happen because you have user stories is wrong. So, requirements remain superficial, as you "can iterate later"…but sometimes later never comes, or doesn't come fast enough.
Organizations need to be very deliberate when aligning their Agile and requirements management practices. The work is the same. How the work is done is what changes.
Info-Tech's advice? Why choose? Why have to pick between traditional waterfall and Agile delivery? If Agile without analysis is a recipe for disaster, Agile with analysis is the solution. And how can you leverage the Info-Tech approach to align your Agile and requirements management efforts into a powerful combination?
Manage Requirements in an Agile Environment is your guide.
Use the contents and exercises of this blueprint to gain a shared understanding of the two disciplines, to find your balance in your approach, to define your thresholds, and ultimately, to prepare for new ways of working.
Agile and requirements management are complementary, not competitors.
The temptation when moving to Agile is to deemphasize good requirements practices in favor of perceived speed. If you're not delivering on the needs of the business, then you have failed, regardless of how fast you've gone.
48%
Had project deadlines more than double
85%
Exceeded their original budget by at least 20%
25%
At least doubled their original budget

Source: PPM Express.
The wait for solutions was too long for our business partners. The idea of investing significant time, money, and resources upfront, building an exhaustive and complete vision of the desired state, and then waiting months or even years to get that solution, became unpalatable for them. And rightfully so. Once we cast a light on the pains, it became difficult to stay with the status quo. Given that organizations evolve at a rapid pace, what was a pain at the beginning of an initiative may not be so even 6 months later.
Agile became the answer.
Since its first appearance nearly 20 years ago, Agile has become the methodology of choice for many organizations. According to the 15th Annual State of Agile report, Agile adoption within software development teams increased from 37% in 2020 to 86% in 2021.
Requirements analysis, design maturity, and management are critical for a successful Agile transformation.
"One of the largest sources of failure we have seen on large projects is an immature Agile implementation in the context of poorly defined requirements."
– "Large Scale IT Projects – From Nightmare to Value Creation"
"Requirements maturity is more important to project outcomes than methodology."
– "Business Analysis Benchmark: Full Report"
"Mature Agile practices spend 28% of their time on analysis and design."
– "Quantitative Analysis of Agile Methods Study (2017): Twelve Major Findings"
"There exists a Requirements Premium… organizations using poor practices spent 62% more on similarly sized projects than organizations using the best requirements practices."
– "The Business Case for Agile Business Analysis" - Requirements Engineering Magazine

N= 324 small organizations from Info-Tech Research Group's CIO Business Vision diagnostic.
Note: High satisfaction was classified as organizations with a score greater than or equal to eight, and low satisfaction was every organization that scored below eight on the same questions.

Many subject matter experts are necessary to create accurate requirements, but their time is limited too.
Stakeholders should be kept informed throughout the requirements gathering process, but you need to get the right information to the right people.
Recording, organizing, and presenting requirements are essential, but excessive documentation will slow time to delivery.
Establishing control points in your requirements gathering process can help confirm, verify, and approve requirements accurately, but stage gates limit delivery.
In Agile, the what of business analysis does not change.
What does change is the how and when that work happens.
Team formation is key, as Agile is a team sport
A business analyst in an Agile team typically interacts with several different roles, including:

Tracking metrics and measuring your progress
As you implement the actions from this blueprint, you should see measurable improvements in:
Without sacrificing time to delivery
| Metric | Description and motivation |
|---|---|
| Team satisfaction (%) | Expect team satisfaction to increase as a result of clearer role delineation and value contribution. |
| Stakeholder satisfaction (%) | Expect stakeholder satisfaction to similarly increase as requirements quality increases, bringing increased value. |
| Requirements rework | Measures the quality of requirements from your Agile projects. Expect requirements rework to decrease in terms of volume/frequency. |
| Cost of documentation | Quantifies the cost of documentation, including elicitation, analysis, validation, presentation, and management. |
| Time to delivery | Balancing metric. We don't want improvements in other metrics at the expense of time to delivery. |
| | 1. Framing Agile and Business Analysis | 2. Tailoring Your Approach | 3. Defining Your Requirements Thresholds | 4. Planning Your Next Steps |
|---|---|---|---|---|
| Phase Activities | 1.1 Understand the benefits and limitations of Agile and business analysis 1.2 Align Agile and business analysis within your organization | 2.1 Decide the best-fit approach for delivery 2.2 Manage your requirements backlog | 3.1 Define project roles and responsibilities 3.2 Define your level of acceptable documentation 3.3 Manage requirements as an asset 3.4 Define your requirements change management plan | 4.1 Preparing new ways of working 4.2 Develop a roadmap for next steps |
| Phase Outcomes | Recognize the benefits and detriments of both Agile and BA. Understand the current state of Agile and business analysis in your organization. | Confirm the appropriate delivery methodology. Manage your requirements backlog. Connect the business need to user story. | Clearly defined interactions between the BA and their partners. Define a plan for management and governance at the project team level. Documentation and tactics that are right-sized for the need. | Recognize and prepare for the new ways of working for communication, stakeholder engagement, within the team, and across the organization. Establish a roadmap for next steps to mature your Agile requirements practice. |

A practical playbook for aligning your teams and articulating the guidelines for managing your requirements in Agile

A tool to help you answer the question: What is the right level of Agile requirements documentation for my organization?

Establishes your current maturity level, defines your target state, and supports planning to get there.

Supporting tools and templates in advancing your Agile requirements practice, to be used with the Agile Requirements Blueprint and Playbook.
"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."
"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."
"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."
"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."
| | Day 1 | Day 2 | Day 3 | Day 4 | Day 5 |
|---|---|---|---|---|---|
| | 1. Framing Agile and Business Analysis / 2. Tailoring Your Approach | 3. Defining Your Requirements Thresholds | 3. Defining Your Requirements Thresholds / 4. Planning Your Next Steps | (OPTIONAL) Agile Requirements Techniques (a la carte) | Next Steps and Wrap-Up (Offsite) |
| Activities | What does Agile mean in your organization? What do requirements mean in your organization? Agile Requirements Assessment Confirm your selected methodology | Define your Agile requirements process Define your Agile requirements RACI (Optional) Define your Agile requirements governance | Defining your change management plan Define your communication plan Capability gap list Planning your Agile requirements roadmap | Managing requirements traceability Creating and managing user stories Managing your requirements backlog Maintaining a requirements library | Develop Agile Requirements Playbook Complete in-progress deliverables from previous four days. Set up review time for workshop deliverables and next steps |
| Outcomes | Shared definition of Agile and business analysis / requirements Understand the current state of Agile and business analysis in your organization | Agile requirements process Agile requirements RACI (Optional) Defined Agile requirements governance and documentation plan | Change and backlog refinement plan Stakeholder communication plan Action plan and roadmap for maturing your Agile requirements practice | Practical knowledge and practice about various tactics and techniques in support of your Agile requirements efforts | Completed Agile Requirements Playbook |
| Phase 1 | Phase 2 | Phase 3 | Phase 4 |
|---|---|---|---|
| Call #1: Scope objectives, and your specific challenges. | Call #4: Define your approach to project delivery. | Call #6: Define your Agile requirements process. | Call #9: Identify gaps from current to target state maturity. |
| Call #2: Assess current maturity. | Call #5: Managing your requirements backlog. | Call #7: Define roles and responsibilities. | Call #10: Prioritize next steps to mature your Agile requirements practice. |
| Call #3: Identify target-state capabilities. | | Call #8: Define your change and backlog refinement approach. | |
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is 10 calls over the course of 4 to 6 months.
| Phase 1 | Phase 2 | Phase 3 | Phase 4 |
|---|---|---|---|
| 1.1 Understand the benefits and limitations of Agile and business analysis 1.2 Align Agile and business analysis within your organization | 2.1 Confirm the best-fit approach for delivery 2.2 Manage your requirements backlog | 3.1 Define project roles and responsibilities 3.2 Define your level of acceptable documentation 3.3 Manage requirements as an asset 3.4 Define your requirements change management plan | 4.1 Preparing new ways of working 4.2 Develop a roadmap for next steps |
This phase will walk you through the following activities:
This phase involves the following participants:
Understand the benefits and limitations of Agile and business analysis
1.1.1 Define what Agile and business analysis mean in your organization
This step involves the following participants:
Outcomes of this step
48%
Had project deadlines more than double
85%
Exceeded their original budget by at least 20%
25%
At least doubled their original budget

Source: PPM Express.
Business analysts had historically been aligned to specific lines of business, in support of their partners in their respective domains. Somewhere along the way, the function was moved to IT. Conceptually this made sense, in that it allowed BAs to provide technical solutions to complex business problems. The unintended result was a loss of domain knowledge and of connection to the business.
It all starts with the business. IT enables business goals. The closer you can get to the business, the better.
Business analysts were the main drivers of helping to define the business requirements, or needs, and then decompose those into solution requirements, to develop the best option to solve those problems, or address those needs. And the case for good analysis was clear. The later a poor requirement was caught, the more expensive it was to fix. And if requirements were poor, there was no way to know until much later in the project lifecycle, when the cost to correct them was exponentially higher, to the tune of 10-100x the initial cost.

Adapted from PPM Express. "Why Projects Fail: Business Analysis is the Key".
The wait for solutions was too long for our business partners. The idea of investing significant time, money, and resources upfront, building an exhaustive and complete vision of the desired state, and then waiting months or even years to get that solution became unpalatable for them. And rightfully so. Once we cast a light on the pains, it became difficult to stand pat in the current state. And besides, organizations evolve at a rapid pace. What was a pain at the beginning of an initiative may not be so even six months later.
Agile became the answer.
Since its first appearance nearly 20 years ago, Agile has become the methodology of choice for a huge swathe of organizations. According to the 15th Annual State of Agile report, Agile adoption within software development teams increased from 37% in 2020 to 86% in 2021.
To say that's significant is an understatement.
According to the Agile manifesto, "We value. . ."

"…while there is value in the items on the right, we value the items on the left more."
Source: Agilemanifesto, 2001
94% of respondents report using Agile practices in their organization
according to Digital.AI's "The 15th State of Agile Report"
That same report notes a steady expansion of Agile outside of IT, as other areas of the organization seek to benefit from increased agility and responsiveness, including Human Resources, Finance and Marketing.

"Agile projects are 37% faster to market than [the] industry average"
(Requirements Engineering Magazine, 2017)

"One of the largest sources of failure we have seen on large projects is an immature Agile implementation in the context of poorly defined requirements."
– BCG, 2015
"Requirements maturity is more important to project outcomes than methodology."
– IAG Consulting, 2009.
"Mature Agile practices spend 28% of their time on analysis and design."
– InfoQ, 2017
"There exists a Requirements Premium… organizations using poor practices spent 62% more on similarly sized projects than organizations using the best requirements practices."
– Requirements Engineering Magazine, 2017

N = 324 small organizations from Info-Tech Research Group's CIO Business Vision diagnostic.
Note: High satisfaction was classified as organizations with a score greater than or equal to eight, and low satisfaction was every organization that scored below eight on the same questions.
Agile is a highly effective tool.
This isn't about discarding Agile. It is being used for things completely outside of what was originally intended. When developing products or code, it is in its element. However, outside of that realm, it's being used to bypass business analysis activities, which help define the true customer and business need.
Business analysts were forced to adapt and shift focus. Overnight they morphed into product owners, or no longer had a place on the team. Requirements and analysis took a backseat.
The result?
Increased rework, decreased stakeholder satisfaction, and a lot of wasted money and effort.
"Too often, the process of two-week sprints becomes the thing, and the team never gets the time and space to step back and obsess over what is truly needed to delight customers."
Harvard Business Review, 9 April 2021.
Requirements in Agile are the same, but the purpose of requirements changes.
The stated principles of waterfall say nothing of how work is to be linear.


Source: Royce, Dr. Winston W., 1970.
For more on Agile methodology, check out Info-Tech's Agile Research Centre
Organizations went from engaging business stakeholders up front, and then not until solution delivery, to forcing those partners to give up their resources to the project. From taking years to deliver a massive solution (which may or may not even still fit the need) to delivering in rapid cycles called sprints.
This tug-of-war is costing organizations significant time, money, and effort.
Your approach to requirements management needs to be centered. We can start to make that shift by better aligning our Agile and business analysis practices. Outside of the product space, Agile needs to be combined with other disciplines (Harvard Business Review, 2021) to be effective.
Agility is important, though it is not a replacement for approach or strategy (RCG Global Services, 2022). In Agile, team constraints are leveraged because of time. There is a failure to develop new capabilities to address the business needs (Harvard Business Review, 2021).
Agility needs analysis.
Many subject matter experts are necessary to create accurate requirements, but their time is limited too.
Stakeholders should be kept informed throughout the requirements gathering process, but you need to get the right information to the right people.
Recording, organizing, and presenting requirements are essential, but excessive documentation will slow time to delivery.
Establishing control points in your requirements gathering process can help confirm, verify, and approve requirements accurately, but stage gates limit delivery.
We do this because there isn't even agreement by the experts on what the terms "Agile" and "business analysis" mean, so let's establish a definition within the context of your organization.

Your Agile Requirements Playbook will include
1.2.1 Assess your Agile requirements maturity
This step involves the following participants:
Outcomes of this step
What is the driving force behind that decision?
There are many reasons to leverage the power of Agile within your organization, and specifically as part of your requirements management efforts. And it shouldn't just be to improve productivity. That's only one aspect.
Begin by asking, "Why Agile?" Are you looking to improve:
Or a combination of the above?
Project delivery methodologies aren't either/or. You don't have to be 100% waterfall or 100% Agile. Select the right approach for your project, product, or service.
In the end, your business partners don't want projects delivered faster, they want value faster!
For more on understanding Agile, check out the Implement Agile Practices That Work Blueprint
Responses to a 2019 KPMG survey:
13% said that their top management fully supports Agile transformation.
76% of organizations did not agree that their organization supports Agile culture.
62% of top management believe Agile has no implications for them.
Business analysts need to focus on six key elements when managing requirements in Agile.
In Agile, the what of business analysis does not change.
What does change is the how and when that work happens.

This phase will walk you through the following activities:
This phase involves the following participants:
Managing Requirements in an Agile Environment
2.1.1 Confirm your methodology
This step involves the following participants:
Outcomes of this step
Selecting the right approach (or confirming you're on the right track) is easier when you assess two key inputs to your project: your level of certainty about the solution, and the level of complexity among the different variables and inputs to your project, such as team experience and training, the number of impacted stakeholders or lines of business, and the organizational context.
Solution certainty refers to the level of understanding of the problem and the solution at the start of the project. In projects with high solution certainty, the requirements and solutions are well defined, and the project scope is clear. In contrast, projects with low solution certainty have vague or changing requirements, and the solutions are not well understood.
Project complexity refers to the level of complexity of the project, including the number of stakeholders, the number of deliverables, and the level of technical complexity. In projects with high complexity, there are many stakeholders with different priorities, many deliverables, and high technical complexity. In contrast, projects with low complexity have fewer stakeholders, fewer deliverables, and lower technical complexity.
"Agile is a fantastic approach when you have no clue how you're going to solve a problem"
Waterfall methodology is best suited for projects with high solution certainty and high complexity. This is because the waterfall model follows a linear and sequential approach, where each phase of the project is completed before moving on to the next. This makes it ideal for projects where the requirements and solutions are well-defined, and the project scope is clear.
On the other hand, Agile methodology is best suited for projects with low solution certainty. Agile follows an iterative and incremental approach, where the requirements and solutions are detailed and refined throughout the project. This makes it ideal for projects where the requirements and solutions are vague or changing.
Note that there are other models that exist for determining which path to take, should this approach not fit within your organization.
Use Info-Tech's Methodology Selection Matrix

Adapted from The Chaos Report, 2015 (The Standish Group)
Download the Agile Requirements Workbook
1 = Strongly disagree
2 = Disagree
3 = Neutral
4 = Agree
5 = Strongly agree.
Manage Your Requirements Backlog
2.2.1 Create your user stories
This step involves the following participants:
Outcomes of this step
Tailoring Your Approach
| Defines |
|---|
| Intended benefits and outcomes |
| Why it is needed, and by whom |
| What is needed, and how it's going to be achieved |
Business requirements describe what a company needs in order to achieve its goals and objectives. Solution requirements describe how those needs will be met. User stories are a way to express the functionality that a solution will provide from the perspective of an end user.
A traceability matrix helps clearly connect and maintain your requirements.
To connect business requirements to solution requirements, you can start by identifying the specific needs that the business has and then determining how those needs can be met through technology or other solutions; or what the solution needs to do to meet the business need. So, if the business requirement is to increase online sales, a solution requirement might include implementing a shopping cart feature on your company website.
Once you have identified the solution requirements, you can then use those to create user stories. A user story describes a specific piece of functionality that the solution will provide from the perspective of a user.
For example, "As a customer, I want to be able to add items to my shopping cart so that I can purchase them." This user story is directly tied to the solution requirement of implementing a shopping cart feature.
Tracing from User Story back up to Business Requirement is essential in ensuring your solutions support your organization's strategic vision and objectives.

Download the Info-Tech Requirements Traceability Matrix
There are several attributes to look for in requirements:
| Attribute | Description |
|---|---|
| Verifiable | Stated in a way that can be easily tested |
| Unambiguous | Free of subjective terms and can only be interpreted in one way |
| Complete | Contains all relevant information |
| Consistent | Does not conflict with other requirements |
| Achievable | Possible to accomplish with budgetary and technological constraints |
| Traceable | Trackable from inception through to testing |
| Unitary | Addresses only one thing and cannot be decomposed into multiple requirements |
| Agnostic | Doesn't pre-suppose a specific vendor or product |
For more on developing high quality requirements, check out the Improve Requirements Gathering Blueprint
Prioritization is the process of ranking each requirement based on its importance to project success. Each requirement should be assigned a priority level. The delivery team will use these priority levels to ensure efforts are targeted toward the proper requirements as well as to plan features available on each release. Use the MoSCoW Model of Prioritization to effectively order your requirements.

The MoSCoW model was introduced by Dai Clegg of Oracle UK in 1994
(Source: ProductPlan).
| Criteria | Description |
|---|---|
| Regulatory and legal compliance | These requirements will be considered mandatory. |
| Policy compliance | Unless an internal policy can be altered or an exception can be made, these requirements will be considered mandatory. |
| Business value significance | Give a higher priority to high-value requirements. |
| Business risk | Any requirement with the potential to jeopardize the entire project should be given a high priority and implemented early. |
| Likelihood of success | Especially in proof-of-concept projects, it is recommended that requirements have good odds. |
| Implementation complexity | Give a higher priority to low implementation difficulty requirements. |
| Alignment with strategy | Give a higher priority to requirements that enable the corporate strategy. |
| Urgency | Prioritize requirements based on time sensitivity. |
| Dependencies | A requirement on its own may be low priority, but if it supports a high-priority requirement, then its priority must match it. |
It is easier to prioritize requirements if they have already been collapsed, resolved, and rewritten. There is no point in prioritizing every requirement that is elicited up front when some of them will eventually be eliminated.
Agile teams are familiar with the use of a Sprint Backlog, but in Requirements Management, a Product Backlog is a more appropriate choice.
A product backlog and a Sprint backlog are similar in that they are both lists of items that need to be completed in order to deliver a product or project, but there are some key differences between the two.
A product backlog is a list of all the features, user stories, and requirements that are needed for a product or project. It is typically created and maintained by the business analyst or product owner and is used to prioritize and guide the development of the product.
A Sprint backlog, on the other hand, is a list of items specifically for an upcoming sprint, which is an iteration of work in Scrum. The Sprint backlog is created by the development team and is used to plan and guide the work that will be done during the sprint. The items in the Sprint backlog are typically taken from the product backlog and are prioritized based on their importance and readiness.
For more on building effective product backlogs, visit Deliver on Your Digital Product Vision
Your backlog must give you a holistic understanding of demand for change in the product.
A well-formed backlog can be thought of as a DEEP backlog:
Detailed appropriately: Requirements are broken down and refined as necessary.
Emergent: The backlog grows and evolves over time as requirements are added and removed.
Estimated: The effort to deliver a requirement is estimated at each tier.
Prioritized: A requirement's value and priority are determined at each tier.

Adapted from Essential Scrum
This will help ensure the value and scope of each functionality and change are clear and well understood by both developers and stakeholders before the start of the sprint. The definition of ready should be two-fold: ready for the backlog, and ready for coding.
Who will be interacting with the product or feature being developed? This will help to focus the user story on the user's needs and goals.
Create the user story using the following template: "As a [user], I want [feature] so that [benefit]."
This helps articulate the user's need and the value that the requirement will provide.
User stories are typically too large to be implemented in a single sprint, so they should be broken down into smaller, more manageable tasks.
NOTE: There is not a 1:1 relationship between requirements and user stories.
It is possible that a single requirement will have multiple user stories, and similarly, that a single user story will apply to multiple solution requirements.
At this point your requirements should be high-level stories. The goal is to refine your backlog items, so they are . . .
Independent: Ideally your user stories can be built in any order (i.e. independent from each other). This allows you to prioritize based on value and not get caught up in sequencing and prerequisites.
This phase will walk you through the following activities:
This phase involves the following participants:
Managing Requirements in an Agile Environment
Define Project Roles and Responsibilities
3.1.1 Define your Agile requirements RACI (optional)
3.1.2 Define your Agile requirements process
Defining Your Requirements Thresholds
This step involves the following participants:
Outcomes of this step
A business analyst in an Agile team typically interacts with several different roles, including the product owner, development team, and many other stakeholders throughout the organization.

Additionally, during the sprint retrospectives, the team will review their performance and find ways to improve for the next sprint. As a team member, the business analyst helps to identify areas where the team could improve how they are working with requirements and understand how the team can improve communication with stakeholders.
Industry: Anonymous Organization in the Energy sector
Source: Interview
Agile teams were struggling to deliver within a defined sprint, as there were consistent delays in requirements meeting the definition of ready for development. As such, sprints were often delayed, or key requirements were descoped and deferred to a future sprint.
During a given two-week sprint cycle, the business analyst assigned to the team would be working along multiple horizons, completing elicitation, analysis, and validation, while concurrently supporting the sprint and dealing with stakeholder changes.
As a part of addressing this ongoing pain, a pilot program was run to add a second business analyst to the team.
The intent was, as one is engaged preparing requirements through elicitation, analysis, and validation for a future sprint, the second is supporting the current sprint cycle, and gaining insights from stakeholders to refine the requirements backlog.
Essentially, these two were leap-frogging each other in time. At all times, one BA was focused on the present, and one on the future.
A happier team, more satisfied stakeholders, and consistent delivery of features and functions by the Agile teams. The pilot team outperformed all other Agile teams in the organization, and the "2 BA" approach was made the new standard.
Short development cycles can make requirements management more difficult because they often result in a higher rate of change to the requirements. In a shorter timeframe, there is less time to gather and verify requirements, leading to a higher likelihood of poor or incomplete requirements. Additionally, there may be more pressure to make decisions quickly, which can lead to less thorough analysis and validation of requirements. This can make it more challenging to ensure that the final solution meets the needs of the stakeholders.
When planning your requirements cycles, it's important to consider;
[Figure: Sprint N(-1), Sprint N, Sprint N(+1)]
Changes from waterfall to Agile
Gathering and documenting requirements: Requirements are discovered and refined throughout the project, rather than being gathered and documented up front. This can be difficult for business analysts who are used to working in a waterfall environment where all requirements are gathered and documented before development begins.
Defining acceptance criteria: Acceptance criteria are defined for each user story to ensure that the team understands what needs to be delivered. Business analysts need to understand how to write effective acceptance criteria and how to use them to ensure that the team delivers what the customer needs.
Managing changing requirements: It is expected that requirements will change throughout the project. Business analysts need to be able to adapt quickly to changing requirements and ensure that the team is aware of the changes and how they will impact the project.
NOTE: The process is intended to be at a high enough level to leave space and flexibility for team members to adapt and adjust, but at a sufficient depth that everyone understands the process and workflows. In other words, the process will be both flexible and rigid, and the two are not mutually exclusive.
Establishing the right level of governance and decision making is important in Agile requirements because there is a cost to decision making, as time plays an important factor. Even the failure to decide can have significant impacts.
Good governance and decision-making practices can help to minimize risks, ensure that requirements are well understood and managed, and that project progress is tracked and reported effectively.
In Agile environments, this often involves establishing clear roles and responsibilities, implementing effective communication and collaboration practices, and ensuring that decision-making processes are efficient and effective.
Good requirements management practices can help to ensure that projects are aligned with organizational goals and strategy, that stakeholders' needs are understood and addressed, and that deliverables are of high quality and meet the needs of the business.
By ensuring that governance and decision-making is effective, organizations can improve the chances of project success, and deliver value to the business. Risks and costs can be mitigated by staying small and nimble.
Check out Make Your IT Governance Adaptable

Organizations should look to progress in their governance stages. Ad-hoc and controlled governance tends to be slow, expensive, and a poor fit for modern practices.
The goal as you progress through your stages is to delegate governance and empower teams to make optimal decisions in real-time, knowing that they are aligned with the understood best interests of the organization.
Automate governance for optimal velocity, while mitigating risks and driving value.
This puts your organization in the best position to be adaptive and able to react effectively to volatility and uncertainty.

Decision making must be delegated down within the organization, and all resources must be empowered and supported to make effective decisions.
Outcomes and goals must be clearly articulated and understood across the organization to ensure decisions are in line and stay within reasonable boundaries.
Integrated risk information must be available with sufficient data to support decision making and design approaches at all levels of the organization.
Governance standards and activities need to be embedded in processes and practices. Optimal governance reduces its manual footprint while remaining viable. This also allows for more dynamic adaptation.
Standards and policies need to be defined as the foundation for embedding governance practices organizationally. These guardrails will create boundaries to reinforce delegated decision making.
"Push the decision making down as far as possible, down to the point where sprint teams completely coordinate all the integration, development, and design. What I push up the management chain is risk taking. [Management] decides what level of risk they are willing to take and [they] demonstrate that by the amount of decision making you push down."
– Senior Manager, Canadian P&C Insurance Company, Info-Tech Interview
3.2.1 Calculate the cost of documentation
This step involves the following participants:
Outcomes of this step
Before creating any documentation, consider why: why are you creating documentation, and what purpose is it expected to serve?
Is it:
Next, consider what level of documentation would be acceptable and 'enough' for your stakeholders. Recognize that 'enough' will depend on your stakeholder's personal definition and perspective.
There may also be considerations for maintaining documentation for the purposes of compliance, and auditability in some contexts and industries.
The point is not to eliminate all documentation, but rather, to question why we're producing it, so that we can create just enough to deliver value.
"What does the next person need to do their work well, to gain or create a shared understanding?"
- Filip Hendrickx, Innovating BA and Founder, altershape
All things take time, and that would imply that all things have an inherent cost. We often don't think in these terms, as it's just the work we do, and costs are only associated with activities requiring additional capital expenditure. Documentation of requirements can come at a cost in terms of time and resources. Creating and maintaining detailed documentation requires effort from project team members, which could be spent on other aspects of the project such as development or testing. Additionally, there may be costs associated with storing and distributing the documentation.
When creating documentation, we are making a decision. There is an opportunity cost in investing time to create it and, concurrently, not working on other activities.
In order to make better informed decisions about the types, quantity and even quality of the documentation we are producing, we need to capture that data. To ensure we are receiving good value for our documentation, we should compare the expected costs to the expected benefits of a sprint or project.
Re-using deliverables (documentation, process, product, etc.) is important in maintaining the velocity of work. If you find yourself constantly recreating your current state documentation at the start of a project, it's hard to deliver with agility.
3.3.1 Discuss your current perspectives on requirements as assets
This step involves the following participants:
Outcomes of this step
In order to deliver with agility, you need to maximize the re-usability of artifacts. These artifacts could take the form of current state documentation, user stories, test cases, and yes, even requirements for re-use.
Think of it like a library for understanding where your organization is today. Understanding the people, processes, and technology, in one convenient location. These artifacts become assets when we choose to retain them, rather than discard them at the end of a project, when we think they'll no longer be needed.
And just like finding a single book in a vast library, we need to ensure our assets can be found when we need them. And this means making them searchable.
We can do this by establishing criteria for requirements and artifact reuse:
When writing requirements for products or services, write them for the need first, and not simply for what is changing.
Retention of knowledge in a knowledge base that allows the team to retain current business requirements, process documentation, business rules, and any other relevant information.
A clearly defined scope to reduce stakeholder, business, and compliance conflicts.
Impact analysis of changes to the current organizational assets.
Source: Requirements Engineering Magazine, 2017.
Industry: Anonymous Organization in the Government sector
Source: Interview
A large government organization faced a challenge with managing requirements, processes, and project artifacts with any consistency.
Historically, their documentation was lacking, with multiple versions existing in email sent folders and manila folders no one could find. Confirming the current state at any given time meant the heavy lift of re-documenting and validating, so that effort was avoided for an excessive period.
Then there was a request for audit and compliance, to review their existing documentation practices. With nothing concrete to show, drastic recommendations were made to ensure this practice would end.
A small but effective team was created to compile and (if not available) document all existing project and product documentation, including processes, requirements, artifacts, business cases, etc.
A single repository was built and demonstrated to key stakeholders to ensure it would satisfy the needs of the audit and compliance group.
A single source of truth for the organization, which was;
Baseline + Release Changes = New Baseline
3.4.1 Triage your requirements
This step involves the following participants:
Outcomes of this step
In Agile development, change is expected and embraced. Instead of trying to rigidly follow a plan that may become outdated, Agile teams focus on regularly reassessing their priorities and adapting their plans accordingly. This means that the requirements can change often, and it's important for the team to have a process in place for managing these changes.
A common approach to managing change in Agile is to use a technique called "backlog refinement." Where previously we populated our backlog with requirements to get them ready for development and deployment, this involves regularly reviewing and updating the list of work to be done. The team will prioritize the items on the evolving backlog, and the prioritized items will be worked on during the next sprint. This allows the team to quickly respond to changes in requirements and stay focused on the most important work.
Another key aspect of managing change in Agile is effective communication. The team should have regular meetings, such as daily stand-up meetings or weekly sprint planning meetings, to discuss any changes in requirements and ensure that everyone is on the same page.
Clearly communicate your change process, criteria, and any techniques, tools, and templates that are part of your approach.
Maintain consistent control and communication and ensure that an impact assessment is completed. This is key to managing risks.
Leverage tools when you have them available. This could be a Requirements Management system, a defect/change log, or even turning on "track changes" in your documents.
For every change, define the source of the change, the reason for the change, key dates for decisions, and any supporting documentation.
Leaders of successful change spend considerable time developing a powerful change message: a compelling narrative that articulates the desired end state and makes the change concrete and meaningful to staff. They create the change vision with staff to build ownership and commitment.

How will changes to requirements be codified?
How will intake happen?
How will potential changes be triaged and evaluated?
What is the review and approval process?


| Phase 1 | Phase 2 | Phase 3 | Phase 4 |
|---|---|---|---|
| 1.1 Understand the benefits and limitations of Agile and business analysis 1.2 Align Agile and business analysis within your organization | 2.1 Confirm the best-fit approach for delivery 2.2 Manage your requirements backlog | 3.1 Define project roles and responsibilities 3.2 Define your level of acceptable documentation 3.3 Manage requirements as an asset 3.4 Define your requirements change management plan | 4.1 Preparing new ways of working 4.2 Develop a roadmap for next steps |
This phase will walk you through the following activities:
This phase involves the following participants:
Managing Requirements in an Agile Environment
4.1.1 Define your communication plan
This step involves the following participants:
Outcomes of this step
As a result, you'll need to focus on: Emphasizing flexibility: In Agile organizations, there is a greater emphasis on flexibility and the ability to adapt to change. This means that requirements may evolve over time and may not be fully defined at the beginning of the project.
Within the team
Within the organization
"Whether in an Agile environment or not, collaboration and relationships are still required and important…how you collaborate, communicate, and how you build relationships are key."
- Paula Bell, CEO, Paula A. Bell Consulting
4.2.1 Develop your Agile requirements action plan
Outcomes of this step
With a mindset of continuous improvement, there is always some way we can get better.
As you mature your Agile requirements practice, recognize that those gaps for improvement can come from multiple levels, from the organizational down to the individual.
Each level will bring challenges and opportunities.
The organization
The team
The individual
Learning: Agile is a radical change in how people work doing Agile to being Agile.
Automation: While Agile is tool-agnostic at its roots, Agile work management tools and DevOps-inspired SDLC tools have become a key part of Agile practices.
Integrated Teams:
Metrics and Governance: Successful Agile implementations of delivery and operations
Culture: Agile teams believe that value is best created by standing, self-organizing cross-functional teams who deliver sustainably in frequent,
Agile gaps may only have a short-term, perceived benefit. For example, coding without a team mindset can allow for maximum speed to market for a seasoned developer. Post-deployment maintenance initiatives, however, often lock the single developer as no one else understands the rationale for the decisions that were made.
Note: the feasibility and timing of the ideas will happen in the following "Now, Next, Later" exercise.
The "Now, Next, Later" technique is a method for prioritizing and planning improvements or tasks. This involves breaking down a list of tasks or improvements into three categories:
By using this technique, you can prioritize and plan the most important tasks first, while also allowing for flexibility and the ability to adjust plans as necessary.
Monitoring progress is important in achieving your target state. Be deliberate with your actions, to continue to mature your Agile requirements practice.
As you navigate toward your target state, continue to monitor your progress, your successes, and your challenges. As your Agile requirements practice matures, you should see improvements in the stated metrics below.
Establish a cadence to review these metrics, as well as how you are progressing on your roadmap, against the plan.
This is not about adding work, but rather, about ensuring you're heading in the right direction; finding the balance in your Agile requirements practice.
| Metric | Description |
|---|---|
| Team satisfaction (%) | Expect team satisfaction to increase as a result of clearer role delineation and value contribution. |
| Stakeholder satisfaction (%) | Expect stakeholder satisfaction to similarly increase, as requirements quality increases, bringing increased value. |
| Requirements rework | Measures the quality of requirements from your Agile projects. Expect that the requirements rework will decrease, in terms of volume/frequency. |
| Cost of documentation | Quantifies the cost of documentation, including elicitation, analysis, validation, presentation, and management. |
| Time to delivery | Balancing metric. We don't want improvements in other metrics at the expense of time to delivery. |

Emal Bariali
Business Architect & Business Analyst
Bariali Consulting
Emal Bariali is a Senior Business Analyst and Business Architect with 17 years of experience, executing nearly 20 projects. He has experience in both waterfall and Agile methodologies and has delivered solutions in a variety of forms, including custom builds and turnkey projects. He holds a Master's degree in Information Systems from the University of Toronto, a Bachelor's degree in Information Technology from York University, and a post-diploma in Software & Database Development from Seneca College.

Paula Bell
Paula A. Bell Consulting, LLC
Paula Bell is the CEO of Paula A Bell Consulting, LLC. She is a Business Analyst, Leadership and Career Development coach, consultant, speaker, and author with 21+ years of experience in corporate America in project roles including business analyst, requirements manager, business initiatives manager, business process quality manager, technical writer, project manager, developer, test lead, and implementation lead. Paula has experience in a variety of industries including media, courts, manufacturing, and financial. Paula has led multiple highly-visible multi-million-dollar technology and business projects to create solutions to transform businesses as either a consultant, senior business analyst, or manager.
Currently she is Director of Operations for Bridging the Gap, where she oversees the entire operation and their main flagship certification program.

Ryan Folster
Consulting Services Manager, Business Analysis
Dimension Data
Ryan Folster is a Business Analyst Lead and Product Professional from Johannesburg, South Africa. His strong focus on innovation and his involvement in the business analysis community have seen Ryan develop professionally from a small company, serving a small number of users, to large multi-national organizations. Having merged into business analysis through the business domain, Ryan has developed a firm grounding and provides context to the methodologies applied to clients and projects he is working on. Ryan has gained exposure to the Human Resources, Asset Management, and Financial Services sectors, working on projects that span from Enterprise Line of Business Software to BI and Compliance.
Ryan is also heavily involved in the local chapter of IIBA®; having previously served as the chapter president, he currently serves as a non-executive board member. Ryan is passionate about the role a Business Analyst plays within an organization and is a firm believer that the role will develop further in the future and become a crucial aspect of any successful business.

Filip Hendrickx
Innovating BA, Visiting Professor @ VUB
altershape
Filip loves bridging business analysis and innovation and mixes both in his work as speaker, trainer, coach, and consultant.
As co-founder of the BA & Beyond Conference and IIBA Brussels Chapter president, Filip helps support the BA profession and grow the BA community in and around Belgium. For these activities, Filip received the 2022 IIBA® EMEA Region Volunteer of the Year Award.
Together with Ian Richards, Filip is the author of Brainy Glue, a business novel on business analysis, innovation and change. Filip is also co-author of the BCS book Digital Product Management and Cycles, a book, method and toolkit enabling faster innovation.

Fabricio Laguna
Professional Speaker, Consultant, and Trainer
TheBrazilianBA.com
Fabrício Laguna, aka The Brazilian BA, is the main reference on business analysis in Brazil. Author and producer of videos, articles, classes, lectures, and playful content, he can explain complex things in a simple and easy-to-understand way. IIBA Brazil Chapter president between 2012-2022. CBAP, AAC, CPOA, PMP, MBA. Consultant and instructor for more than 25 years working with business analysis, methodology, solution development, systems analysis, project management, business architecture, and systems architecture. His online courses are approved by students from 65 countries.

Ryland Leyton
Business Analyst and Agile Coach
Independent Consultant
Ryland Leyton, CBAP, PMP, CSM, is an avid Agile advocate and coach, business analyst, author, speaker, and educator. He has worked in the technology sector since 1998, starting off with database and web programming, gradually moving through project management and finding his passion in the BA and Agile fields. He has been a core team member of the IIBA Extension to the BABOK and the IIBA Agile Analysis Certification. Ryland has written popular books on agility, business analysis, and career. He can be reached at www.RylandLeyton.com.

Steve Jones
Supervisor, Market Support Business Analysis
ISO New England
Steve is a passionate analyst and BA manager with more than 20 years of experience in improving processes, services and software, working across all areas of software development lifecycle, business change and business analysis. He rejoices in solving complex business problems and increasing process reproducibility and compliance through the application of business analysis tools and techniques.
Steve is currently serving as VP of Education for IIBA Hartford. He is a CBAP, certified SAFe Product Owner/Product Manager, Six Sigma Green Belt, and holds an MS in Information Management and Communications.

Angela Wick
Founder
BA-Squared and BA-Cube
Founder of BA-Squared and BA-Cube.com, Angela is passionate about teaching practical, modern product ownership and BA skills. With over 20 years' experience she takes BA skills to the next level and into the future!
Angela is also a LinkedIn Learning instructor on Agile product ownership and business analysis, an IC-Agile Authorized Trainer, Product Owner and BA highly-rated trainer, highly-rated speaker, sought-after workshop facilitator, and contributor to many industry publications, including:

Rachael Wilterdink
Principal Consultant
Infotech Enterprises
Rachael Wilterdink is a Principal Consultant with Infotech Enterprises. With over 25 years of IT experience, she holds multiple business analysis and Agile certifications. As a consultant, Rachael has served clients in the financial, retail, manufacturing, healthcare, government, non-profit, and insurance industries. Giving back to the professional community, Ms. Wilterdink served on the boards of her local IIBA® and PMI® chapters. As a passionate public speaker, Rachael presents various topics at conferences and user groups across the country and the world. Rachael is also the author of the popular eBook "40 Agile Transformation Pain Points (and how to avoid or manage them)."
Improve Requirements Gathering
Back to basics: great products are built on great requirements.
Make the Case for Product Delivery
Align your organization on the practices to deliver what matters most.
Requirements for Small and Medium Enterprises
Right-size the guidelines of your requirements gathering process.
Implement Agile Practices that Work
Improve collaboration and transparency with the business to minimize project failure.
Create an Agile-Friendly Gating and Governance Model
Use Info-Tech's Agile Gating Framework as a guide to gating your Agile projects following a "trust but verify" approach.
Make Your IT Governance Adaptable
Governance isn't optional, so keep it simple and make it flexible.
Deliver on Your Digital Product Vision
Build a product vision your organization can take from strategy through execution.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Understand the stakeholder priorities driving changes in your application maintenance practice.
Identify the appropriate level of governance and enforcement to ensure accountability and quality standards are upheld across maintenance practices.
Build a maintenance triage and prioritization scheme that accommodates business and IT risks and urgencies.
Define and enforce quality standards in maintenance activities and build a high degree of transparency to readily address delivery challenges.
Understand the business and IT stakeholder priorities driving the success of your application maintenance practice.
Understand any current issues that are affecting your maintenance practice.
Awareness of business and IT priorities.
An understanding of the maturity of your maintenance practices and identification of issues to alleviate.
1.1 Define priorities for enhanced maintenance practices.
1.2 Conduct a current state assessment of your application maintenance practices.
List of business and technical priorities
List of the root-cause issues, constraints, and opportunities of current maintenance practice
Define the processes, roles, and points of communication across all maintenance activities.
An in-depth understanding of all maintenance activities and what they require to function effectively.
2.1 Modify your maintenance process.
2.2 Define your maintenance roles and responsibilities.
Application maintenance process flow
List of metrics to gauge success
Maintenance roles and responsibilities
Maintenance communication flow
Understand in greater detail the process and people involved in receiving and triaging a request.
Define your criteria for value, impact, and urgency, and understand how these fit into a prioritization scheme.
Understand backlog management and release planning tactics to accommodate maintenance.
An understanding of the stakeholders needed to assess and approve requests.
The criteria used to build a tailored prioritization scheme.
Tactics for efficient use of resources and ideal timing of the delivery of changes.
A process that ensures maintenance teams are always working on tasks that are valuable to the business.
3.1 Review your maintenance intake process.
3.2 Define a request prioritization scheme.
3.3 Create a set of practices to manage your backlog and release plans.
Understanding of the maintenance request intake process
Approach to assess the impact, urgency, and severity of requests for prioritization
List of backlog management grooming and release planning practices
Understand how to apply development best practices and quality standards to application maintenance.
Learn the methods for monitoring and visualizing maintenance work.
An understanding of quality standards and the scenarios for where they apply.
The tactics to monitor and visualize maintenance work.
Streamlined maintenance delivery process with best practices.
4.1 Define approach to monitor maintenance work.
4.2 Define application quality attributes.
4.3 Discuss best practices to enhance maintenance development and deployment.
Taskboard structure and rules
Definition of application quality attributes with user scenarios
List of best practices to streamline maintenance development and deployment
Create a target state built from appropriate metrics and attainable goals.
Consider the required items and steps for the implementation of your optimization initiatives.
A realistic target state for your optimized application maintenance practice.
A well-defined and structured roadmap for the implementation of your optimization initiatives.
5.1 Refine your target state maintenance practices.
5.2 Develop a roadmap to achieve your target state.
Finalized application maintenance process document
Roadmap of initiatives to achieve your target state
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Use the information in this blueprint and Info-Tech’s Agile Contract Playbook-Checklist to review and assess your Agile contracts, ensuring that the provisions and protections are suitable for Agile contracts specifically.
To understand Agile-specific contract clauses, to improve risk identification, and to be more effective at negotiating Agile contract terms.
Increased awareness of how Agile contract provisions are different from traditional or waterfall contracts in 12 key areas.
Understanding available options.
Understanding the impact of being too prescriptive.
1.1 Review the Agile Contract Playbook-Checklist.
1.2 Review 12 contract provisions and reinforce key learnings with exercises.
Configured Playbook-Checklist as applicable
Exercise results and debrief
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Ensure a formal selection process is in place and make a concerted effort to align stakeholder calendars.
Reduce time spent watching vendor dog and pony shows, while reducing the size of your RFPs or skipping them entirely.
Narrow the field to four contenders prior to in-depth comparison and engage in accelerated enterprise architecture oversight.
Focus on key use cases rather than lists of features.
Save more by bringing two vendors to the final stage of the project and surfacing a consolidated list of demands prior to entering negotiation.
This report is based on data gathered from a survey of 43,000 real-world IT practitioners.
The data is compiled from SoftwareReviews (a sister company of Info-Tech Research Group), which collects and aggregates feedback on a wide variety of enterprise technologies.
The insights, charts, and graphs in this presentation are all derived from data submitted by real end users.
Limit the risk of ineffective “decision making by committee”
Expedite resolution of key issues and accelerate crucial decisions
Achieve alignment on critical requirements
Streamline calendar management
Too many cooks spoil the broth: create a highly focused selection team that can devote the majority of its time to the project while it’s in flight to demonstrate faster time to value.
Organizations keep too many players on the field, leading to scheduling slowdowns and scope creep.
Keeping the size of the core selection team down, while liaising with more stakeholders and subject matter experts (SMEs), leads to improved results.
Maximize project effectiveness with a five-person team. Project satisfaction and effectiveness are stagnant or decrease once the team grows beyond five people.
Cumbersome or ad hoc selection processes lead to business-driven software selection.
Increase stakeholder satisfaction by using a consistent selection framework that captures their needs while not being a burden.
Empower both IT and end users with a standardized selection process to consistently achieve high satisfaction coming out of software selection projects.
Info-Tech Insight
It sounds natural to include as many players as possible in the core selection group; however, expanding the group beyond five people does not lead to an increase in satisfaction. Consider including a general stakeholder feedback working session instead.
Exclusion is not the name of the game.
Small organizations
Teams smaller than five people are common due to limited resources.
Medium organizations
Selection project satisfaction peaks with teams of fewer than two people. Consider growing the team to about five people to make stakeholders feel more included with minimal drops in satisfaction.
Large organizations
Satisfaction peaks when teams are kept to three to five people. With many SMEs available, it is critical to choose the right players for your team.
Info-Tech Insight
Core team size remains the same regardless of the application being selected. However, team composition will vary depending on the end users being targeted.
Think beyond application complexity

Achieve peak satisfaction by allotting 30 days for an application selection project.
| Awareness | Education & Discovery | Evaluation |
|---|---|---|
| Reduce Time | Reduce Time | Reduce Time |
| ↓ | ↓ | ↓ |
| Save time duplicating existing market research. Save time and maintain alignment with focus groups. | Save time across tedious demos and understanding the marketplace. | Save time gathering detailed historical requirements. Instead, focus on key issues. |
Info-Tech Insight – Awareness
Timebox the process of impact analysis. More time should be spent performing the action than building a business case.
Info-Tech Insight – Education
Save time duplicating existing market research. Save time and maintain alignment with focus groups.
Info-Tech Insight – Evaluation
Decision committee time is valuable. Get up to speed using third-party data and written collateral. Use committee time to conduct investigative interviews instead. Salesperson charisma and marketing collateral quality should not be primary selection criteria. Sadly, this is the case far too often.
Info-Tech Insight
Office collaboration tools are a great case study for increasing satisfaction with decreased time to selection. Given the sharp impetus of COVID-19, many organizations quickly selected tools like Zoom and Teams, enabling remote work with very high end-user satisfaction.
There are alternative approaches for enterprise-sized applications:
1. ALIGN & ELIMINATE ELAPSED TIME
2. REDUCE TIME SPENT ON LOW-IMPACT ACTIVITIES
3. FOCUS ON HIGH-IMPACT ACTIVITIES
4. USE RAPID & ESSENTIAL ASSESSMENT TOOLS
5. ENGAGE TWO VIABLE VENDORS IN NEGOTIATION
✓ Ensure a formal selection process is in place.
✓ Reduce time by timeboxing the project to 30 days.
✓ Align the calendars of the five-person core selection team.
It is critical to improve the selection process before formalizing
Leverage Info-Tech’s Rapid Application Selection Framework to gain insights on how you can fine-tune and accelerate existing codified approaches to application selection.
Stakeholders: Vendor selection is politically charged, requiring Procurement to navigate around stakeholder biases and existing relationships.
Timing: The process is time consuming and often started too late. In the absence of clarity around requirements, it is easy to default to looking at price instead of best functional and architectural fit.
Repeatable: Formal selection methodologies are repeatable processes that anybody can consistently follow to quickly select new technology.
Driving Value: The goal of formalizing the approach is to enable IT to deliver business value consistently while also empowering stakeholders to find tools that meet their needs. Remember! A formal selection process is synonymous with a bureaucratic, overblown approach.
Investing time improving your software selection methodology has big returns.
Not all software selection projects are created equal – some are very small; some span the entire enterprise. To ensure that IT is using the right framework, understand the cost and complexity profile of the application you’re looking to select. The Rapid Application Selection Framework approach is best for commodity and mid-tier enterprise applications; selecting complex applications is better handled by the methodology described in Implement a Proactive and Consistent Vendor Selection Process.
Don’t get bogged down “waiting for the stars to align” in terms of people’s availability: if you wait for the perfect alignment, the project may never get done.
If a key stakeholder is unavailable for weeks or months due to PTO or other commitments, don’t jeopardize project timelines to wait for them to be free. Find a relevant designate that can act in their stead!
You don’t need the entire team on the field at once. Keep certain stakeholders on the bench to swap in and out as needed.
Assemble the key stakeholders for project kick-off to synchronize the application selection process and limit elapsed time. Getting all parties on the same page increases output satisfaction and eliminates rework. Save time and get input from key stakeholders at the project kick-off.
How to manage the cross-functional selection team:
| IT Leader | Technical IT | Business Analyst/Project Manager | Business Lead | Process Expert |
|---|---|---|---|---|
| This team member is an IT director or CIO who will provide sponsorship and oversight from the IT perspective. | This team member will focus on application security, integration, and enterprise architecture. | This team member elicits business needs and translates them into technology requirements. | This team member will provide sponsorship from the business needs perspective. | This team member will contribute their domain-specific knowledge around the processes that the new application supports. |
Info-Tech Insight
It is critical for the selection team to determine who has decision rights. Organizational culture will play the largest role in dictating which team member holds the final say for selection decisions.
Who is involved in selecting the new application?
When to adjust the selection team’s business to IT ratio:
Find the right balance!
Info-Tech Insight
When selecting their software, organizations have an average of two to four business and IT decision makers/influencers on the core selection team.
Project Cadence:
Info-Tech Insight
Use weekly touchpoints with the core selection team to eliminate broken telephone. Hold focus groups and workshops to take a more collaborative, timely, and consensus-driven approach to zero in on critical requirements.
✓ Reduce time spent on internet research. Leverage hard data and experts.
✓ Reduce RFP size or skip RFPs entirely.
✓ Reduce time spent watching vendor dog and pony shows.
REDUCE BIAS
Taking a data-driven approach to vendor selection ensures that decisions are made in a manner that reduces human bias and exposure to misaligned incentives.
SCORING MODELS
Create a vendor scoring model that uses several different scored criteria (alignment to needs, alignment to architecture, cost, relationship, etc.) and weight them.
AGGREGATE EXPERIENCES
When you leverage services such as SoftwareReviews, you’re relying on amalgamated data from hundreds of others that have already been down this path: benefit from their experience!
PEER-DRIVEN INSIGHTS
Formally incorporate a review of Category Reports from SoftwareReviews into your vendor selection process to take advantage of peer-driven expert insights.
You may miss out on the right vendor if:
How to write a successful RFI/MV-RFP:
Use the appropriate Info-Tech template for your needs (RFI, RFQ, or RFP). The Request for Information Template is best suited to the RASF approach.
Info-Tech Insight
Prescriptive yet flexible: Avoid RFP overload when selecting customer experience–centric applications, but a formal approach to selection is still beneficial.
When will an RFP increase satisfaction?
Use data to take control back from the vendor
Kill the “golf course effect” and eliminate stakeholder bias
Make sure the solution will work for your business
Give each vendor 60 to 90 minutes to give a rapid-fire presentation. We suggest the following structure:
To ensure a consistent evaluation, vendors should be asked analogous questions, and a tabulation of answers should be conducted.
How to challenge the vendors in the investigative interview
Rapid-Fire Vendor Investigative Interview
Invite vendors to come onsite (or join you via videoconference) to demonstrate the product and to answer questions. Use a highly targeted demo script to help identify how a vendor’s solution will fit your organization’s particular business capability needs.
| Awareness | Education & Discovery | Evaluation | Selection | Negotiation & Configuration |
|---|---|---|---|---|
| Reduce Time | Reduce Time | Reduce Time | Reduce Time | Reduce Time |
| ↓ | ↓ | ↓ | ↑ | ↑ |
| Save time | Save time across tedious demos and understanding the marketplace. | Save time gathering detailed historical requirements. Instead, focus on key issues. | Use your time to validate how the solution will handle mission-critical requirements. | Spend time negotiating with two viable alternatives to reduce price by up to 50%. |
Use a tier-based model to accelerate commodity and complex selection projects.
Eliminate elapsed process time with focus groups and workshops.
✓ Narrow the field to four contenders prior to in-depth comparison.
✓ Identify portfolio overlap with accelerated enterprise architecture oversight.
✓ Focus on investigative interviews and proof of concept projects.
1. ACCELERATE SELECTION
Save time by exclusively engaging vendors that support the organization’s differentiating requirements.
2. DECISION CLARITY
Prevent stakeholders from getting lost in the weeds with endless lists of vendors.
3. CONDENSED DEMOS
Limiting the project to four contenders allows you to stack demos/investigative interviews into the same day.
4. LICENSING LEVERAGE
Keep track of key differences between vendor offerings with a tight shortlist.
Info-Tech Insight
It is critical to target an enterprise architecture evaluation, as part of your software selection process, that does not delay the selection while still providing sufficient insight into platform fit.
Key activities for rapid enterprise architecture evaluation include:
The data confirms that it is worthwhile to spend time on enterprise architecture
Keep the scope manageable!
Conversations With the Vendor
Pilot Projects and Trial Environments
✓ Focus on key use cases, not lists of features.
✓ You only need three essential tools:
Failure to differentiate must-have and nice-to-have use cases leads to applications full of non-critical features.
Accelerate the process by skipping common requirements that we know that every vendor will support.
Working with a tighter list of core use cases increases time spent evaluating the most impactful functionality.
Eliminating dubious “sacred cow” requirements reduces costly and painful platform customization.
The Software Selection Workbook
Work through the straightforward templates that tie to each phase of the Rapid Application Selection Framework, from assessing the business impact to requirements gathering.
The Vendor Evaluation Workbook
Consolidate the vendor evaluation process into a single document. Easily compare vendors as you narrow the field to finalists.
The Guide to Software Selection: A Business Stakeholder Manual
Quickly explain the Rapid Application Selection Framework to your team while also highlighting its benefits to stakeholders.
✓ Save more during negotiation by selecting two viable alternatives.
✓ Surface a consolidated list of demands prior to entering negotiation.
✓ Communicate your success with the organization.
VENDOR 1
Build in a realistic plan B that allows you to apply leverage to the incumbent or primary vendor of choice.
VENDOR 2
If the top contender is aware that they do not have competition, they will be less inclined to make concessions.
Maintain momentum with two options
Secure best pricing by playing vendors off each other
Truly commit to a thorough analysis of alternatives
| ANALYZE | DOCUMENT | CONSOLIDATE | PRESENT |
|---|---|---|---|
Hard cost savings speak louder than words. Executive leadership will see IT as the go-to team for driving business value quickly, yet responsibly.
Generate enthusiasm by highlighting the improved user experience provided by the new software that has just been selected.
Position the cost savings as an opportunity to invest in onboarding. An application is only as valuable as your employees’ ability to effectively use it.
Use the momentum from the project and its successful negotiation to roll out the accelerated selection approach to more departments across the organization.
Organizations keep too many players on the field, leading to scheduling slowdowns and scope creep.
Keeping the size of the core selection team down, while liaising with more stakeholders and subject matter experts (SMEs), leads to improved results.
Maximize project effectiveness with a five-person team. Project satisfaction and effectiveness are stagnant or decrease once the team grows beyond five people.
Cumbersome or ad hoc selection processes lead to business-driven software selection.
Increase stakeholder satisfaction by using a consistent selection framework that captures their needs while not being a burden.
Empower both IT and end users with a standardized selection process to consistently achieve high satisfaction coming out of software selection projects.
1. ALIGN & ELIMINATE ELAPSED TIME
2. REDUCE TIME SPENT ON LOW-IMPACT ACTIVITIES
3. FOCUS ON HIGH-IMPACT ACTIVITIES
4. USE RAPID & ESSENTIAL ASSESSMENT TOOLS
5. ENGAGE TWO VIABLE VENDORS IN NEGOTIATION
| Qualitative & Secondary | Using comprehensive statistical techniques, we surveyed what our members identified as key drivers of success in selecting enterprise software. Our goal was to determine how organizations can accelerate selection processes and improve outcomes by identifying where people should spend their time for the best results. |
|---|---|
| Large-n Survey | To determine the “Magic Numbers,” we used a large-n survey: 40,000 respondents answered questions about their applications, selection processes, organizational firmographics, and personal characteristics. We used this data to determine what drives satisfaction not only with the application but with the selection process itself. |
| Quantitative Drill-Down | We used the survey to narrow the list of game-changing practices. We then conducted additional quantitative research to understand why our respondents may have selected the responses they did. |
Assess current maturity, establish a team, and choose a pilot business unit. Identify business processes, dependencies, and alternatives.
Define an objective impact scoring scale, estimate the impact of downtime, and set recovery targets.
Build a workflow of the current steps for business recovery. Identify gaps and risks to recovery. Brainstorm and prioritize solutions to address gaps and mitigate risks.
Present pilot project results and next steps. Create BCMS teams. Update and maintain BCMS documentation.
Use these tools and templates to assist in the creation of your BCP.
Define BCP scope, objectives, and stakeholders.
Prioritize BCP efforts and level-set scope with key stakeholders.
1.1 Assess current BCP maturity.
1.2 Identify key business processes to include in scope.
1.3 Flowchart key business processes to identify business processes, dependencies, and alternatives.
BCP Maturity Scorecard: measure progress and identify gaps.
Business process flowcharts: review, optimize, and allow for knowledge transfer of processes.
Identify workarounds for common disruptions to day-to-day continuity.
Define RTOs and RPOs based on your BIA.
Set recovery targets based on business impact, and illustrate the importance of BCP efforts via the impact of downtime.
2.1 Define an objective scoring scale to indicate different levels of impact.
2.2 Estimate the impact of downtime.
2.3 Determine acceptable RTO/RPO targets for business processes based on business impact.
BCP Business Impact Analysis: objective scoring scale to assess cost, goodwill, compliance, and safety impacts.
Apply the scoring scale to estimate the impact of downtime on business processes.
Acceptable RTOs/RPOs to dictate recovery strategy.
Create a recovery workflow.
Build an actionable, high-level, recovery workflow that can be adapted to a variety of different scenarios.
3.1 Conduct a tabletop exercise to determine current recovery procedures.
3.2 Identify and prioritize projects to close gaps and mitigate recovery risks.
3.3 Evaluate options for command centers and alternate business locations (i.e. BC site).
Recovery flow diagram – current and future state
Identify gaps and recovery risks.
Create a project roadmap to close gaps.
Evaluate requirements for alternate business sites.
Extend the results of the pilot BCP and implement governance.
Outline the actions required for the rest of your BCMS, and the required effort to complete those actions, based on the results of the pilot.
4.1 Summarize the accomplishments and required next steps to create an overall BCP.
4.2 Identify required BCM roles.
4.3 Create a plan to update and maintain your overall BCP.
Pilot BCP Executive Presentation
Business Continuity Team Roles & Responsibilities
Maintenance plan and BCP templates to complete the relevant documentation (BC Policy, BCP Action Items, Recovery Workflow, etc.)
None of us needs to look very far to find a reason to have an effective business continuity plan.
From pandemics to natural disasters to supply chain disruptions to IT outages, there’s no shortage of events that can disrupt your complex and interconnected business processes. How in the world can anyone build a plan to address all these threats?
Don’t try to boil the ocean. Use these tactics to streamline your BCP project and stay on track:
No one can predict every possible disruption, but by following the guidance in this blueprint, you can build a flexible continuity plan that allows you to withstand the threats your organization may face.
Research Director,
IT Infrastructure & Operations Practice
Info-Tech Research Group
Senior Research Analyst,
IT Infrastructure & Operations Practice
Info-Tech Research Group
IT leaders, because of their cross-functional view and experience with incident management and DR, are often asked to lead BCP efforts.
As an IT leader you have the skill set and organizational knowledge to lead a BCP project, but you must enable business leaders to own their department’s BCP practices and outputs. They know their processes and, therefore, their requirements to resume business operations better than anyone else.
A business continuity plan (BCP) consists of separate but related sub-plans, as illustrated below. This blueprint enables you to:
A plan to restore IT application and infrastructure services following a disruption.
Info-Tech’s disaster recovery planning blueprint provides a methodology for creating the IT DRP. Leverage this blueprint to validate and provide inputs for your IT DRP.
A set of plans to resume business processes for each business unit. This includes:
A plan to manage a wide range of crises, from health and safety incidents to business disruptions to reputational damage.
Info-Tech’s Implement Crisis Management Best Practices blueprint provides a framework for planning a response to any crisis, from health and safety incidents to reputational damage.
Back when transactions were recorded on paper and then keyed into the mainframe system later, it was easier to revert to deskside processes. There is very little in the way of paper-based processes anymore, and as a result, it is increasingly difficult to resume business processes without IT.
Think about your own organization. What IT system(s) are absolutely critical to business operations? While you might be able to continue doing business without IT, this requires regular preparation and training. It’s likely a completely offline process and won’t be a viable workaround for long even if staff know how to do the work. If your data center and core systems are down, technology-enabled workarounds (such as collaboration via mobile technologies or cloud-based solutions) could help you weather the outage, and may be more flexible and adaptable for day-to-day work.
The bottom line:
Technology is a critical dependency for business processes. Consider the role IT systems play as process dependencies and as workarounds as part of continuity planning.
BCP for Business Unit A:
Scope → Pilot BIA → Response Plan → Gap Analysis
→ Lessons Learned:
= Ongoing governance, testing, maintenance, improvement, awareness, and training.
By comparison, a traditional BCP approach takes much longer to mitigate risk:
Organizational Risk Assessment and Business Impact Analysis → Solution Design to Achieve Recovery Objectives → Create and Validate Response Plans
A charitable foundation for a major state university engaged Info-Tech to support the creation of their business continuity plan.
With support from Info-Tech analysts and the tools in this blueprint, they worked with their business unit stakeholders to identify recovery objectives, confirm recovery capabilities and business process workarounds, and address gaps in their continuity plans.
The outcome wasn’t a pandemic plan – it was a continuity plan that was applicable to pandemics. And it worked. Business processes were prioritized, gaps in work-from-home and business process workarounds had been identified and addressed, business leaders owned their plan and understood their role in it, and IT had clear requirements that they were able and ready to support.
“The work you did here with us was beyond valuable! I wish I could actually explain how ready we really were for this…while not necessarily for a pandemic, we were ready to spring into action, set things up, the priorities were established, and most importantly some of the changes we’ve made over the past few years helped beyond words! The fact that the groups had talked about this previously almost made what we had to do easy.” – VP IT Infrastructure
| Phases | Phase 1: Identify BCP Maturity and Document Process Dependencies | Phase 2: Conduct a BIA to Determine Acceptable RTOs and RPOs | Phase 3: Document the Recovery Workflow and Projects to Close Gaps | Phase 4: Extend the Results of the Pilot BCP and Implement Governance |
|---|---|---|---|---|
| Steps | 1.1 Assess current BCP maturity | 2.1 Define an objective impact scoring scale | 3.1 Determine current recovery procedures | 4.1 Consolidate BCP pilot insights to support an overall BCP project plan |
| | 1.2 Establish the pilot BCP team | 2.2 Estimate the impact of downtime | 3.2 Identify and prioritize projects to close gaps | 4.2 Outline a business continuity management (BCM) program |
| | 1.3 Identify business processes, dependencies, and alternatives | 2.3 Determine acceptable RTO/RPO targets | 3.3 Evaluate BC site and command center options | 4.3 Test and maintain your BCP |
| Tools and Templates | | | | |
Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:
BCP Business Impact Analysis Tool: Conduct and document a business impact analysis using this document.
BCP Recovery Workflows Example: Model your own recovery workflows on this example.
BCP Project Roadmap: Use this tool to prioritize projects that can improve BCP capabilities and mitigate gaps and risks.
BCP Relocation Checklists: Plan for and manage a site relocation – whether to an alternate site or work from home.
Summarize your organization's continuity capabilities and objectives in a 15-page, easy-to-consume template.
This document consolidates data from the supporting documentation and tools to the right.
Download Info-Tech’s BCP Summary Document
Focus less on risk, and more on recovery
Avoid focusing on risk and probability analysis to drive your continuity strategy. You never know what might disrupt your business, so develop a flexible plan to enable business resumption regardless of the event.
Small teams = good pilots
Choose a small team for your BCP pilot. Small teams are better at trialing new techniques and finding new ways to think about problems.
Calculate downtime impact
Develop and apply a scoring scale to produce a more objective assessment of downtime impact for the organization. This will help you prioritize recovery.
It’s not no, but rather not now…
You can’t address all the organization’s continuity challenges at once. Prioritize high-value, low-effort initiatives and create a long-term roadmap for the rest.
Show Value Now
Get to value quickly. Start with one business unit with continuity challenges, and a small, focused project team who can rapidly learn the methodology, identify continuity gaps, and define solutions that can also be leveraged by other departments right away.
Lightweight Testing Exercises
Outline recovery capabilities using lightweight, low-risk tabletop planning exercises. Our research shows tabletop exercises increase confidence in recovery capabilities almost as much as live exercises, which carry much higher costs and risks.
Info-Tech members told us they save an average of $44,522 and 23 days by working with an Info-Tech analyst on BCP (source: client response data from Info-Tech's Measured Value Survey).
Why do members report value from analyst engagement?
"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."
“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”
“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”
“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”
Diagnostic and consistent frameworks are used throughout all four options.
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is between eight and twelve calls over the course of four to six months.
Call 1: Scope requirements, objectives, and stakeholders. Identify a pilot BCP project.
Calls 2 – 4: Assess current BCP maturity. Create business process workflows, dependencies, alternates, and workarounds.
Calls 5 – 7: Create an impact scoring scale and conduct a BIA. Identify acceptable RTO and RPO.
Calls 8 – 9: Create a recovery workflow based on tabletop planning.
Call 10: Summarize the pilot results and plan next steps. Define roles and responsibilities. Make the case for a wider BCP program.
| | Day 1 | Day 2 | Day 3 | Day 4 | Day 5 |
|---|---|---|---|---|---|
| | Identify BCP Maturity, Key Processes, and Dependencies | Conduct a BIA to Determine Acceptable RTOs and RPOs | Document the Current Recovery Workflow and Projects to Close Gaps | Identify Remaining BCP Documentation and Next Steps | Next Steps and Wrap-Up (offsite) |
| Activities | 1.1 Assess current BCP maturity. 1.2 Identify key business processes to include in scope. 1.3 Create a flowchart for key business processes to identify business processes, dependencies, and alternatives. | 2.1 Define an objective scoring scale to indicate different levels of impact. 2.2 Estimate the impact of a business disruption on cost, goodwill, compliance, and health & safety. 2.3 Determine acceptable RTOs/RPOs for selected business processes based on business impact. | 3.1 Review tabletop planning – what is it, how is it done? 3.2 Walk through a business disruption scenario to determine your current recovery timeline, RTO/RPO gaps, and risks to your ability to resume business operations. 3.3 Identify and prioritize projects to close RTO/RPO gaps and mitigate recovery risks. | 4.1 Assign business continuity management (BCM) roles to govern BCP development and maintenance, as well as roles required to execute recovery. 4.2 Identify remaining documentation required for the pilot business unit and how to leverage the results to repeat the methodology for remaining business units. 4.3 Workshop review and wrap-up. | 5.1 Finalize deliverables for the workshop. 5.2 Set up review time for workshop outputs and to discuss next steps. |
| Deliverables | | | | | |
1.1 Assess Current BCP Maturity
1.2 Establish the pilot BCP team
1.3 Identify business processes, dependencies, and alternatives
Define the scope for the BCP project: assess the current state of the plan, create a pilot project team and pilot project charter, and map the business processes that will be the focus of the pilot.
This step will walk you through the following activities:
This step involves the following participants:
You'll use the following tools & templates:
Establish current BCP maturity using Info-Tech’s ISO 22301-aligned BCP Maturity Scorecard.
This blueprint primarily addresses the first four sections in the scorecard, which align with the creation of the core components of your business continuity plan.
Info-Tech’s maturity scorecard is aligned with ISO 22301, the international standard that describes the key elements of a functioning business continuity management system or program – the overarching set of documents, practices, and controls that support the ongoing creation and maintenance of your BCP. A fully functional BCMS goes beyond business continuity planning to include crisis management, BCP testing, and documentation management.
Audit tools tend to treat every bullet point in ISO 22301 as a separate requirement – which means there are almost 400 lines to assess. Info-Tech’s BCP Maturity Scorecard has synthesized key requirements, minimizing repetition to create a high-level self-assessment aligned with the standard.
A high score is a good indicator of likely success with an audit.
Download Info-Tech's BCP Maturity Scorecard
"The fact that this aligns with ISO is huge." - Dr. Bernard Jones MBCI, CBCP
This step will walk you through the following activities:
This step involves the following participants:
In this step, you’ll use these tools and templates:
Assign roles and responsibilities for the BCP pilot project. Set milestones and timelines for the pilot.
Though IT is a critical dependency for most processes, IT shouldn’t own the business continuity plan. IT should be an internal BCP process consultant, and each business unit must own their plan.
IT should be an internal BCP consultant.
Why shouldn’t IT own the plan?
Info-Tech Insight
A goal of the pilot is to seed success for further planning exercises. This is as much about demonstrating the value of continuity planning to the business unit, and enabling them to own it, as it is about implementing the methodology successfully.
Outline roles and responsibilities on the pilot team using a “RACI” exercise. Remember, only one party can be ultimately accountable for the work being completed.
| | Board | Executive Team | BCP Executive Sponsor | BCP Team Leader | BCP Coordinator | Pilot Bus. Unit Manager | Expert Bus. Unit Staff | IT Manager |
|---|---|---|---|---|---|---|---|---|
| Communicate BCP project status | I | I | I | A | R | C | C | I |
| Assign resources to pilot BCP project | A | R | C | R | C | R | | |
| Conduct continuity planning activities | I | A/R | R | R | R | R | | |
| Create pilot BCP deliverables | I | A | R | R | C | C | C | |
| Manage BCP documentation | I | A | C | R | I | C | C | |
| Integrate results into BCMS | I | I | A | R | R | I | C | C |
| Create overall BCP project plan | I | I | A | R | C | C | | |
R: Responsible for doing the work.
A: Accountable to ensure the activity/work happens.
C: Consulted prior to decision or action.
I: Informed of the decision/action once it’s made.
"Large teams excel at solving problems, but it is small teams that are more likely to come up with new problems for their more sizable counterparts to solve." – Wang & Evans, 2019
Small teams tend to be better at trialing new techniques and finding new ways to think about problems, both of which are needed for a BCP pilot project.
Many organizations begin their BCP project with a target business unit in mind. It’s still worth establishing whether this business unit meets the criteria below.
Good candidates for a pilot project:
These short descriptions establish the functions, expectations, and responsibilities of each role at a more granular level.
The Board and executives have an outsized influence on the speed at which the project can be completed. Ensure that communication with these stakeholders is clear and concise. Avoid involving them directly in activities and deliverable creation, unless it’s required by their role (e.g. as a business unit manager).
| Project Role | Description |
|---|---|
| Board & Executive Team | |
| Executive Sponsor | |
| Pilot Business Unit Manager | |
| BCP Coordinator | |
| Expert Business Unit Staff | |
| IT Manager | |
| Other Business Unit Managers | |
A skilled and committed coordinator is critical to building an effective and durable BCP.
Structure the role of the BCP Coordinator
The BCP Coordinator works with the pilot business unit as well as remaining business units to provide continuity and resolve discrepancies as they come up between business units.
Specifically, this role includes:
"We found it necessary to have the same person work with each business unit to pass along lessons learned and resolve contingency planning conflicts for common dependencies." – Michelle Swessel, PM and IT Bus. Analyst, Wisconsin Compensation Rating Bureau (WCRB)
This step will walk you through the following activities:
This step involves the following participants:
You'll use the following tools & templates:
Documented workflows, process dependencies, and workarounds when dependencies are unavailable.
Process review often results in discovering informal processes, previously unknown workarounds or breakdowns, shadow IT, or process improvement opportunities.
Note: A more in-depth analysis will be conducted later to refine priorities. The goal here is a high-level order of priority for the next steps in the planning methodology (identify business processes and dependencies).
Download Info-Tech’s Business Process Workflows Example
Policies and procedures manuals, if they exist, are often out of date or incomplete. Use these as a starting point, but don’t stop there. Identify the go-to staff members who are well versed in how a process works.
2.1 Define an objective impact scoring scale
2.2 Estimate the impact of downtime
2.3 Determine acceptable RTO/RPO targets
Assess the impact of business process downtime using objective, customized impact scoring scales. Sort business processes by criticality, assigning criticality tiers, recovery time objectives, and recovery point objectives.
This step will walk you through the following activities:
This step involves the following participants:
In this step, you’ll use these tools and templates:
Define an impact scoring scale relevant to your business, which allows you to more objectively assess the impact of business process downtime.
The activities in Phase 2 will help you set appropriate, acceptable recovery objectives based on the business impact of process downtime.
For example:
Create Impact Scoring Scales → Assess the impact of process downtime → Review overall impact of process downtime → Set Criticality Tiers → Set Recovery Time and Recovery Point Objectives
Work with the Business Unit Manager and Executive Sponsor to identify the maximum impact in each category to the entire business. Use a worst-case scenario to estimate the maximum for each scale. In the future, you can use this scoring scale to estimate the impact of downtime for other business units.
Cost estimates are like hand grenades and horseshoes: you don’t need to be exact. It’s much easier to get input and validation from other stakeholders when you have estimates. Even weak estimates are far better than a blank sheet.
Use just the impact scales that are relevant to your organization.
This step involves the following participants:
In this step, you’ll use these tools and templates:
Develop an objective view of the impact of downtime for key business processes.
Example: Highest total Goodwill, Compliance, and Safety impact score is 18.
| Tier | Score Range | % of high score |
|---|---|---|
| Tier 1 - Gold | 9 to 18 | 50-100% |
| Tier 2 - Silver | 5 to 9 | 25-50% |
| Tier 3 - Bronze | 0 to 5 | 0-25% |
This step involves the following participants:
In this step, you’ll use these tools and templates:
Right-size recovery objectives based on business impact.
The impact of downtime for most business processes tends to look something like the increasing impact curve in the image to the right.
In the moments after a disruption, impact tends to be minimal. Imagine, for example, that your organization was suddenly unable to pay its suppliers (don’t worry about the reason for the disruption, for the moment). Chances are, this disruption wouldn’t affect many payees if it lasted just a few minutes, or even a few hours. But if the disruption were to continue for days, or weeks, the impact of downtime would start to spiral out of control.
In general, we want to target recovery somewhere between the point where impact begins, and the point where impact is intolerable. We want to balance the impact of downtime with the investment required to make processes more resilient.
Account for hard copy files as well as electronic data. If that information is lost, is there a backup? BCP can be the driver to remove the last resistance to paperless processes, allowing IT to apply appropriate data protection.
Set recovery time objectives and recovery point objectives in the “Debate Space”
RTOs and RPOs are business-defined, impact-aligned objectives that you may not be able to achieve today. It may require significant investments of time and capital to enable the organization to meet RTO and RPO.
Set a range for RTO for each Tier.
| Tier | RTO |
|---|---|
| Tier 1 | 4 hrs - 24 hrs |
| Tier 2 | 24 hrs - 72 hrs |
| Tier 3 | 72 hrs - 120 hrs |
3.1 Determine current recovery procedures
3.2 Identify and prioritize projects to close gaps
3.3 Evaluate business continuity site and command center options
Outline business recovery processes. Highlight gaps and risks that could hinder business recovery. Brainstorm ideas to address gaps and risks. Review alternate site and business relocation options.
This step will walk you through the following activities:
This step involves the following participants:
In this step, you’ll use these tools and templates:
Establish steps required for business recovery and current recovery timelines.
Identify risks & gaps that could delay or obstruct an effective recovery.
Step 2 - 2 hours
Establish command center.
Step 2: Risks
Step 2: Gaps
A good scenario is one that helps the group focus on the goal of tabletop planning – to discuss and document the steps required to recover business processes. We suggest choosing a scenario for your first exercise that:
An example: a gas leak at company HQ that requires the area to be cordoned off and power to be shut down. The business must resume processes from another location without access to materials, equipment, or IT services at the primary location.
A plan that satisfies the gas leak scenario should meet the needs of other scenarios that affect your normal workspace. Then use BCP testing to validate that the plan meets a wider range of incidents.
Notification
How will you be notified of a disaster event? How will this be escalated to leadership? How will the team responsible for making decisions coordinate (if they can’t meet on-site)? What emergency response plans are in place to protect health and safety? What additional steps are involved if there’s a risk to health and safety?
Assessment
Who’s in charge of the initial assessment? Who may need to be involved in the assessment? Who will coordinate if multiple teams are required to investigate and assess the situation? Who needs to review the results of the assessment, and how will the results of the assessment be communicated (e.g. phone bridge, written memo)? What happens if your primary mode of communication is unavailable (e.g. phone service is down)?
Declaration
Who is responsible today for declaring a disaster and activating business continuity plans? What are the organization’s criteria for activating continuity plans, and how will BCP activation be communicated? Establish a crisis management team to guide the organization through a wide range of crises by Implementing Crisis Management Best Practices.
Do the following:
Tabletop planning is most effective when you keep it simple.
Create one recovery workflow for all scenarios.
Traditional planning calls for separate plans for different “what-if” scenarios. This is challenging not just because it’s a lot more documentation – and maintenance – but because it’s impossible to predict every possible incident. Use the template, aligned to recovery of process dependencies, to create one recovery workflow for each business unit that can be used in and tested against different scenarios.
Download Info-Tech’s BCP Recovery Workflow Example
"We use flowcharts for our declaration procedures. Flowcharts are more effective when you have to explain status and next steps to upper management." – Assistant Director-IT Operations, Healthcare Industry
"Very few business interruptions are actually major disasters. It’s usually a power outage or hardware failure, so I ensure my plans address ‘minor’ incidents as well as major disasters."- BCP Consultant
Add the following data to your copy of the BCP Business Impact Analysis Tool.
Operating at a minimum acceptable functional level may not be feasible for more than a few days or weeks. Develop plans for immediate continuity first, then develop further plans for long-term continuity processes as required. Recognize that for longer term outages, you will evolve your plans in the crisis to meet the needs of the situation.
Work from and update the soft copy of your recovery workflow.
Info-Tech Insight
Remember that health and safety risks must be dealt with first in a crisis. The business unit recovery workflow will focus on restoring business operations after employees are no longer at risk (e.g. the risk has been resolved or employees have been safely relocated). See Implement Crisis Management Best Practices for ideas on how to respond to and assess a wide range of crises.
For some organizations, it’s not practical or possible to invest in the redundancy that would be necessary to recover in a timely manner from certain major events.
Leverage existing risk management practices to identify key high-impact events that could present major business continuity challenges by causing catastrophic disruptions to facility, IT, staffing, suppliers, or equipment. If you don’t have a risk register, review the scenarios on the next slide and brainstorm risks with the working group.
Work through tabletop planning to identify, at a high level, how you might respond to an event like this. In step 3.2, you can estimate the effort, cost, and benefit of different ideas for mitigating the damage to the business, so that decision makers can choose between investing in mitigation and accepting the risk.
Document any scenarios that you identify as outside the scope of your continuity plans in the “Scope” section of your BCP Summary document.
For example:
A single location manufacturing company is creating a BCP.
The factory is large and contains expensive equipment; it’s not possible to build a second factory for redundancy. If the factory is destroyed, operations can’t be resumed until the factory is rebuilt. In this case, the BCP outlines how to conduct an orderly business shutdown while the factory is rebuilt.
Contingency planning to resume factory operations after less destructive events, as well as a BCP for corporate services, is still practical and necessary.
| Scenario Type | Considerations |
|---|---|
| Local hazard (gas leak, chemical leak, criminal incident, etc.) | |
| Equipment/building damage (fire, roof collapse, etc.) | |
| Regional natural disasters | |
| Supplier failure (IT provider outage, disaster at supplier, etc.) | |
| Staff (lottery win, work stoppage, pandemic/quarantine) | |
This step will walk you through the following activities:
This step involves the following participants:
In this step, you’ll use these tools and templates:
Identify and prioritize projects and action items that can improve business continuity capabilities.
Try to avoid debates about feasibility at this point. The goal is to get ideas on the board.
When you’re brainstorming solutions to problems, don’t stop with the first idea, even if the solution seems obvious. The first idea isn’t always the best or only solution – other ideas can expand on it and improve it.
Step 4: No formal process to declare a disaster and invoke business continuity.
Step 7: Alternate site could be affected by the same regional event as the main office.
Step 12: Need to confirm supplier service-level agreements (SLAs).
With COVID-19, most organizations have experience with mass work-from-home.
Review the following case studies. Do they reflect your experience during the COVID-19 pandemic?
Consider where your own work-from-home plans fell short.
People
→
Site & Facilities
→
External Services & Suppliers
→
Technology & Physical Assets
→
This step will walk you through the following activities:
This step involves the following participants:
In this step, you’ll use these tools and templates:
Identify requirements for an alternate business site.
"There are horror stories about organizations that assumed things about their alternate site that they later found out they weren’t true in practice." – Dr. Bernard Jones, MBCI CBCP
If you choose a shared location as a BCP site, a regional disaster may put you in competition with other tenants for space.
For many organizations, a dedicated command center (TVs on the wall, maps and charts in filing cabinets) isn’t necessary. A conference bridge and collaboration tools allowing everyone to work remotely can be an acceptable offsite command center as long as digital options can meet your command center requirements.
Leverage the methodology and tools in this blueprint to define your return to normal (repatriation) procedures:
For more on supporting a business move back to the office from the IT perspective, see Responsibly Resume IT Operations in the Office
4.1 Consolidate BCP pilot insights to support an overall BCP project plan
4.2 Outline a business continuity management (BCM) program
4.3 Test and maintain your BCP
Summarize and consolidate your initial insights and documentation. Create a project plan for overall BCP. Identify teams, responsibilities, and accountabilities, and assign documentation ownership. Integrate BCP findings in DR and crisis management practices. Set guidelines for testing, plan maintenance, training, and awareness.
Participants
This step will walk you through the following activities:
This step involves the following participants:
In this step, you’ll use these tools and templates:
Present results from the pilot BCP, and outline how you’ll use the pilot process with other business units to create an overall continuity program.
Structure the overall BCP program.
The BCP Summary document is the capstone to business unit continuity planning exercises. It consolidates your findings in a short overview of your business continuity requirements, capabilities, and maintenance procedures.
Info-Tech recommends embedding hyperlinks within the Summary to the rest of your BCP documentation to allow the reader to drill down further as needed. Leverage the following documents:
The same methodology described in this blueprint can be repeated for each business unit. Also, many of the artifacts from the BCP pilot can be reused or built upon to give the remaining business units a head start. For example:
You may need to create some artifacts that are site specific. For example, relocation plans or emergency plans may not be reusable from one site to another. Use your judgement to reuse as much of the templates as you can – similar templates simplify audit, oversight, and plan management.
Adjust the pilot charter to answer the following questions:
As with the pilot, choose a business unit, or business units, where BCP will have the greatest impact and where further BCP activities will have the greatest likelihood of success. Prioritize business units that are critical to many areas of the business to get key results sooner.
Work with one business unit at a time if:
Work with several business units at the same time if:
This step will walk you through the following activities:
This step involves the following participants:
In this step, you’ll use these tools and templates:
Document BCP teams, roles, and responsibilities.
Document contact information, alternates, and succession rules.
A BCM program should:
Develop a Business Continuity Management Program
Phase 4 of this blueprint will focus on the following elements of a business continuity management program:
Schedule a call with an Info-Tech Analyst for help building out these core elements, and for advice on developing the rest of your BCM program.
BC management teams (including the secondary teams such as the emergency response team) have two primary roles:
Crisis leaders require strong crisis management skills:
Collectively, the team must include a broad range of expertise as well as strong planning skills:
Note: For specific BC team roles and responsibilities, including key resources such as Legal, HR, and IT SMEs required to prepare for and execute crisis management plans, see Implement Crisis Management Best Practices.
BCM Team: Govern business continuity, DR, and crisis management planning. Support the organization’s response to a crisis, including the decision to declare a disaster or emergency.
Emergency Response Teams: Assist staff and BC teams during a crisis, with a focus first on health and safety. There’s usually one team per location. Develop and maintain emergency response plans.
IT Disaster Recovery Team: Manage the recovery of IT services and data following an incident. Develop and maintain the IT DRP.
Business Unit BCP Teams: Coordinate business process recovery at the business unit level. Develop and maintain business unit BCPs.
“Planning Mode”
Executive Team → BC Management Team ↓
“Crisis Mode”
Executive Team ↔ Crisis Management Team ↓ ↔ Emergency Response Teams (ERT)
For more details on specific roles to include on these teams, as well as more information on crisis management, review Info-Tech’s blueprint, Implement Crisis Management Best Practices.
Track teams, roles, and contacts in this template. It is pre-populated with roles and responsibilities for business continuity, crisis management, IT disaster recovery, emergency response, and vendors and suppliers critical to business operations.
Track contact information in this template only if you don’t have a more streamlined way of tracking it elsewhere.
Download Info-Tech’s Business Continuity Teams and Roles Tool
Suppliers and vendors might include:
Supplier RTOs and RPOs should align with the acceptable RTOs and RPOs defined in the BIA. Where they do not, explore options for improvement.
Confirm the following:
Your BCP isn’t any one document. It’s multiple documents that work together.
Continue to work through any additional required documentation. Build a repository where master copies of each document will reside and can be updated as required. Assign ownership of document management to someone with an understanding of the process (e.g. the BCP Coordinator).
| Governance | | Recovery |
|---|---|---|
| BCMS Policy | BCP Summary | Core BCP Recovery Workflows |
| Business Process Workflows | Action Items & Project Roadmap | BCP Recovery Checklists |
| BIA | Teams, Roles, Contact Information | BCP Business Process Workarounds and Recovery Checklists |
| BCP Maturity Scorecard | BCP Project Charter | Additional Recovery Workflows |
| Business Unit Prioritization Tool | BCP Presentation | |
Recovery documentation has a different audience, purpose, and lifecycle than governance documentation, and keeping the documents separate can help with content management. Disciplined document management keeps the plan current and accessible.
Use the following BCP outputs to inform your DRP:
| BCP Outputs | | DRP Activities |
|---|---|---|
| Business processes defined | | Identify critical applications |
| Dependencies identified: | ↗ → | Identify IT dependencies: |
| Recovery objectives defined: | → | Identify recovery objectives: |
| Projects identified to close gaps: | → | Identify projects to close gaps: |
Info-Tech Insight
Don’t think of inconsistencies between your DRP and BCP as a problem. Discrepancies between the plans are part of the discovery process, and they’re an opportunity to have a conversation that can improve alignment between IT service capabilities and business needs. You should expect that there will be discrepancies – managing discrepancies is part of the ongoing process to refine and improve both plans.
BC/DR Planning Workflow
1. Collect BCP outputs that impact IT DRP (e.g. technology RTOs/RPOs).
2. As BCPs are done, BCP Coordinator reviews outputs with IT DRP Management Team.
3. Use the RTOs/RPOs from the BCPs as a starting point to determine IT recovery plans.
4. Identify investments required to meet business-defined RTOs/RPOs, and validate with the business.
5. Create a DR technology roadmap to meet validated RTOs/RPOs.
6. Review and update business unit BCPs to reflect updated RTOs/RPOs.
Shadow IT can be a symptom of larger service support issues. There should be a process for requesting and tracking non-standard services from IT with appropriate technical, security, and management oversight.
Assign the BCP Coordinator the task of creating a master list of BC projects, and then work with the BC management team to review and reprioritize this list, as described below:
Improving business continuity capabilities is a marathon, not a sprint. Change for the better is still change and introduces risk – massive changes introduce massive risk. Incremental changes help minimize disruption. Use Info-Tech research to deliver organizational change.
"Developing a BCP can be like solving a Rubik’s Cube. It’s a complex, interdepartmental concern with multiple and sometimes conflicting objectives. When you have one side in place, another gets pushed out of alignment." – Ray Mach, BCP Expert
This step will walk you through the following activities:
This step involves the following participants:
In this step, you’ll use these tools and templates:
Create a plan to maintain the BCP.
Mastery comes through practice and iteration. Iterating on and testing your plan will help you keep up to date with business changes, identify plan improvements, and help your organization’s employees develop a mindset of continuity readiness. Maintenance drives continued success; don’t let your plan become stagnant, messy, and unusable.
Your BCM program should structure BCP reviews and updates by answering the following:
At a minimum, review goals should include:
Who leads reviews and updates documents?
The BCP Coordinator is likely heavily involved in facilitating reviews and updating documentation, at least at first. Look for opportunities to hand off document ownership to the business units over time.
How do we track reviews, tests, and updates?
Keep track of your good work by keeping a log of document changes. If you don’t have one, you can use the last tab on the BCP-DRP Maintenance Checklist.
When do we review the plan?
This tool helps you set a schedule for plan update activities, identify document and exercise owners, and log updates for audit and governance purposes.
Info-Tech Insight
Everyone gets busy. If there’s a meeting you can schedule months in advance, schedule it months in advance! Then send reminders closer to the date. As soon as you’re done with the pilot BCP, set aside time in everyone’s calendar for your first review session, whether that’s three months, six months, or a year from now.
Use this template to:
If you require more detail to support your recovery procedures, you can use this template to:
Download Info-Tech’s BCP Process Workarounds & Recovery Checklists Template
Use this template to:
Download Info-Tech’s BCP Notification, Assessment, and Disaster Declaration Plan template
Use this template to:
These HR research resources live on the website of Info-Tech’s sister company, McLean & Company. Contact your Account Manager to gain access to these resources.
This blueprint outlined:
If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.
Contact your account representative for more information.
workshops@infotech.com
1-888-670-8889
Dr. Bernard A. Jones, MBCI, CBCP
Professor and Continuity Consultant, Berkeley College
Dr. Jones is a professor at Berkeley College within the School of Professional Studies teaching courses in Homeland Security and Emergency Management. He is a member of the National Board of Directors for the Association of Continuity Professionals (ACP) as well as the Information & Publications Committee Chair for the Garden State Chapter of the ACP. Dr. Jones earned a doctorate degree in Civil Security Leadership, Management & Policy from New Jersey City University where his research focus was on organizational resilience.
Kris L. Roberson
Disaster Recovery Analyst, Veterans United Home Loans
Kris Roberson is the Disaster Recovery Analyst for Veterans United Home Loans, the #1 VA mortgage lender in the US. Kris oversees the development and maintenance of the Veterans United Home Loans DR program and leads the business continuity program. She is responsible for determining the broader strategies for DR testing and continuity planning, as well as the implementation of disaster recovery and business continuity technologies, vendors, and services. Kris holds a Masters of Strategic Leadership with a focus on organizational change management and a Bachelors in Music. She is a member of Infragard, the National Association of Professional Women, and Sigma Alpha Iota, and holds a Project+ certification.
Trevor Butler
General Manager of Information Technology, City of Lethbridge
As the General Manager of Information Technology with the City of Lethbridge, Trevor is accountable for providing strategic management and advancement of the city’s information technology and communications systems consistent with the goals and priorities of the corporation while ensuring that corporate risks are appropriately managed. He has 15+ years of progressive IT leadership experience, including 10+ years with public sector organizations. He holds a B.Mgt. and PMP certification along with masters certificates in both Project Management and Business Analysis.
Robert Miller
Information Services Director, Witt/Kieffer
Bob Miller is the Information Services Director at Witt/Kieffer. His department provides end-user support for all company-owned devices and software for Oak Brook, the regional offices, home offices, and traveling employees. The department purchases, implements, manages, and monitors the infrastructure, which includes web hosting, networks, wireless solutions, cell phones, servers, and file storage. Bob is also responsible for the firm’s security planning, capacity planning, and business continuity and disaster preparedness planning to ensure that the firm has functional technology to conduct business and continue business growth.
Create a Right-Sized Disaster Recovery Plan
Close the gap between your DR capabilities and service continuity requirements.
Create Visual SOP Documents that Drive Process Optimization, Not Just Peace of Mind
Go beyond satisfying auditors to drive process improvement, consistent IT operations, and effective knowledge transfer.
Select the Optimal Disaster Recovery Deployment Model
Determine which deployment models, including hybrid solutions, best meet your DR requirements.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Understand the benefits of DataOps and why organizations are looking to establish agile principles in their data practice, the challenges associated with doing so, and what the new DataOps strategy needs to be successful.
Analyze DataOps using Info-Tech’s DataOps use case framework, to help you identify the gaps in your data practices that need to be matured to truly realize DataOps benefits including data integration, data security, data quality, data engineering, and data science.
Mature your data practice by putting the right people in the right roles and establishing DataOps metrics, a communication plan, DataOps best practices, and data principles.
Understand the DataOps approach and value proposition.
A clear understanding of organization data priorities and metrics along with a simplified view of data using Info-Tech’s Onion framework.
1.1 Explain DataOps approach and value proposition.
1.2 Review the common business drivers and how the organization is driving a need for DataOps.
1.3 Understand Info-Tech’s DataOps Framework.
Organization's data priorities and metrics
Data Onion framework
Assess the DataOps maturity of the organization.
Define clear understanding of organization’s DataOps capabilities.
2.1 Assess current state.
2.2 Develop target state summary.
2.3 Define DataOps improvement initiatives.
Current state summary
Target state summary
Establish clear action items and roadmap.
Define clear and measurable roadmap to mature DataOps within the organization.
3.1 Continue DataOps improvement initiatives.
3.2 Document the improvement initiatives.
3.3 Develop a roadmap for DataOps practice.
DataOps initiatives roadmap
Define a plan for continuous improvements.
Continue to improve DataOps practice.
4.1 Create target cross-functional team structures.
4.2 Define DataOps metrics for continuous monitoring.
4.3 Create a communication plan.
DataOps cross-functional team structure
DataOps metrics
Seventy-four percent of organizations do not have a formal process for capturing and retaining knowledge - which, when lost, results in decreased productivity, increased risk, and money out the door.
Successful completion of the IT knowledge transfer project will result in the following outcomes:
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Minimize risk and IT costs resulting from attrition through effective knowledge transfer.
Use this template to document the knowledge transfer stakeholder power map by identifying the stakeholder’s name and role, and identifying their position on the power map.
Use this template to communicate the value and rationale for knowledge transfer to key stakeholders.
Use this tool to identify and assess the knowledge and individual risk of key knowledge holders.
Use this template to track knowledge activities, intended recipients of knowledge, and appropriate transfer tactics for each knowledge source.
Use this template as a starting point for managers to interview knowledge sources to extract information about the type of knowledge the source has.
Use this template as a starting point to build your proposed IT knowledge transfer roadmap presentation to management to obtain formal sign-off and initiate the next steps in the process.
EXECUTIVE BRIEF
| Your Challenge | Common Obstacles | Info-Tech’s Approach |
|---|---|---|
| Seventy-four percent of organizations do not have a formal process for capturing and retaining knowledge¹ which, when lost, results in decreased productivity, increased risk, and money out the door. You need to: | | Our client-tested methodology and project steps allow you to tailor your knowledge transfer plan to any size of organization, across industries. Successful completion of the IT knowledge transfer project will result in the following outcomes: |
Seventy-four percent of organizations do not have a formal process for capturing and retaining knowledge which, when lost, results in decreased productivity, increased risk, and money out the door.¹
Today, the value of an organization has less to do with its fixed assets and more to do with its intangible assets. Intangible assets include patents, research and development, business processes and software, employee training, and employee knowledge and capability.
People (and their knowledge and capabilities) are an organization’s competitive advantage and with the baby boomer retirement looming, organizations need to invest in capturing employee knowledge before the employees leave. Losing employees in key roles without adequate preparation for their departure has a direct impact on the bottom line in terms of disrupted productivity, severed relationships, and missed opportunities.
Knowledge Transfer (KT) is the process and tactics by which intangible assets – expertise, knowledge, and capabilities – are transferred from one stakeholder to another. A well-devised knowledge transfer plan will mitigate the risk of knowledge loss, yet as many as 74%² of organizations have no formal approach to KT – and it’s costing them money, reputation, and time.
84% of all enterprise value on the S&P 500 is intangibles.³
$31.5 billion lost annually by Fortune 500 companies failing to share knowledge.¹
74% of organizations have no formal process for facilitating knowledge transfer.²
1 Shedding Light on Knowledge Management, 2004, p. 46
1. Inefficiency due to “reinvention of the wheel.” When older workers leave and don’t effectively transfer their knowledge, younger generations duplicate effort to solve problems and find solutions.
2. Loss of competitive advantage. What and who you know is a tremendous source of competitive edge. Losing knowledge and/or established client relationships hurts your asset base and stifles growth, especially in terms of proprietary or unique knowledge.
3. Reduced capacity to innovate. Older workers know what works and what doesn’t, as well as what’s new and what’s not. They can identify the status quo faster, to make way for novel thinking.
4. Increased vulnerability. One thing that comes with knowledge is a deeper understanding of risk. Losing knowledge can impede your organizational ability to identify, understand, and mitigate risks. You’ll have to learn through experience all over again.
| 55-60 | 67% | 78% | $14k / minute |
|---|---|---|---|
| the average age of mainframe workers – making close to 50% of workers over 60.² | of Fortune 100 companies still use mainframes,³ requiring specialized skills and knowledge. | of CIOs report mainframe applications will remain a key asset in the next decade.¹ | is the cost of mainframe outages for an average enterprise.¹ |
A mainframe system failure could be disastrous for organizations that haven’t effectively transferred key knowledge. Now think past the mainframe to the key processes, customer/vendor relationships, legal requirements, home-grown solutions, etc. in your organization.
What would knowledge loss cost you in terms of financial and reputational loss?
Source: 1 Big Tech Problem as Mainframes Outlast Workforce
Source: 2 IT's most wanted: Mainframe programmers
Source: 3 The State of the Mainframe, 2022
Insurance organization fails to mitigate risk of employee departure and incurs costly consequences – in the millions
INDUSTRY: Insurance
SOURCE: ITRG Member
| Challenge | Solution | Results |
|---|---|---|
| | | |
IT knowledge transfer is a process that, at its most basic level, ensures that essential IT knowledge and capabilities don’t leave the organization – and at its most sophisticated level, drives innovation and customer service by leveraging knowledge assets.
| Knowledge Transfer Risks: | Knowledge Transfer Opportunities: |
|---|---|
| ✗ Increased training and development costs when key stakeholders leave the organization. ✗ Decreased efficiency through long development cycles. ✗ Late projects that tie up IT resources longer than planned, and cost overruns that come out of the IT budget. ✗ Lost relationships with key stakeholders within and outside the organization. ✗ Inconsistent project/task execution, leading to inconsistent outcomes. ✗ IT losing its credibility due to system or project failure from lost information. ✗ Customer dissatisfaction from inconsistent service. | ✓ Mitigated risks and costs from talent leaving the organization. ✓ Business continuity through redundancies preventing service interruptions and project delays. ✓ Operational efficiency through increased productivity by never having to start projects from scratch. ✓ Increased engagement from junior staff through development planning. ✓ Innovation by capitalizing on collective knowledge. ✓ Increased ability to adapt to change and save time-to-market. ✓ IT teams that drive process improvement and improved execution. |
How you build your knowledge transfer roadmap will not change drastically based on the size of your organization; however, the scope of your initiative, tactics you employ, and your communication plan for knowledge transfer may change.
How knowledge transfer projects vary by organization size:
| | Small Organization | Medium Organization | Large Organization |
|---|---|---|---|
| Project Opportunities | ✓ Project scope is much more manageable. ✓ Communication and planning can be more manageable. ✓ Fewer knowledge sources and receivers can clarify prioritization needs. | ✓ Project scope is more manageable. ✓ Moderate budget for knowledge transfer activities. ✓ Communication and enforcement are easier. | ✓ Budget available to knowledge transfer initiatives. ✓ In-house expertise may be available. |
| Project Risks | ✗ Limited resources for the project. ✗ In-house expertise is unlikely. ✗ Knowledge transfer may be informal and not documented. ✗ Limited overlap in responsibilities, resulting in fewer redundancies. | ✗ Limited staff with knowledge transfer experience for the project. ✗ Knowledge assets are less likely to be documented. ✗ Knowledge transfer may be a lower priority and difficult to generate buy-in. | ✗ More staff to manage knowledge transfer for, and much larger scope for the project. ✗ Impact of poor knowledge transfer can result in much higher costs. ✗ Geographically dispersed business units make collaboration and communication difficult. ✗ Vast amounts of historical knowledge to capture. |
| Explicit | Tacit |
|---|---|
| Types of explicit knowledge: Information, Process | Types of tacit knowledge: Skills, Expertise |
| Examples: reading music, building a bike, knowing the alphabet, watching a YouTube video on karate. | Examples: playing the piano, riding a bike, reading or speaking a language, earning a black belt in karate. |
No formal knowledge transfer program exists; knowledge transfer is ad hoc, or may be conducted through an exit interview only. 74% of organizations are at level 0.¹

At level one, knowledge transfer is focused around ensuring that high risk, explicit knowledge is covered for all high-risk stakeholders.

Organizations have knowledge transfer plans for all high-risk knowledge to ensure redundancies exist and leverage this to drive process improvements, effectiveness, and employee engagement.

Increase end-user satisfaction and create a knowledge value center by leveraging the collective knowledge to solve repeat customer issues and drive new product innovation.
I’m an IT Leader who…

Stabilize:
- …has witnessed that new employees have recently left or are preparing to leave the organization, and worries that we don’t have their knowledge captured anywhere.
- …previously had to cut down our IT department, and as a result there is a lack of redundancy for tasks. If someone leaves, we don’t have the information we need to continue operating effectively.
- …is worried that the IT department has no succession planning in place and that we’re opening ourselves up to risk.

Proactive:
- …feels like we are losing productivity because the same problems are being solved differently multiple times.
- …worries that different employees have unique knowledge which is critical to performance and that they are the only ones who know about it.
- …has noticed that the processes people are using are different from the ones that are written down.
- …feels like the IT department is constantly starting projects from scratch, and employees aren’t leveraging each other’s information, which is causing inefficiencies.
- …feels like new employees take too long to get up to speed.
- …knows that we have undocumented systems and more are being built each day.

Knowledge Culture:
- …feels like we’re losing out on opportunities to innovate because we’re not sharing information, learning from others’ mistakes, or capitalizing on their successes.
- …notices that staff don’t have a platform to share information on a regular basis, and believes if we brought that information together, we would be able to improve customer service and drive product innovation.
- …wants to create a culture where employees are valued for their competencies and motivated to learn.
- …values knowledge and the contributions of my team.
This blueprint can help you build a roadmap to resolve each of these pain points. However, not all organizations need to have a knowledge culture. In the next section, we will walk you through the steps of selecting your target maturity model based on your knowledge goals.
INDUSTRY: Electronics Engineering
SOURCE: KM Best Practices
Challenge | Solution | Results |
|---|---|---|
|
|
|
The Info-Tech difference:
Project outcomes:
1. Approval for IT knowledge transfer project obtained
2. Knowledge and stakeholder risks identified
3. Tactics for individuals’ knowledge transfer identified
4. Knowledge transfer roadmap built
5. Knowledge transfer roadmap approved

Info-Tech tools and templates to help you complete your project deliverables:
- Project Stakeholder Register Template
- IT Knowledge Transfer Risk Assessment Tool
- IT Knowledge Identification Interview Guide Template
- Project Planning and Monitoring Tool
- IT Knowledge Transfer Roadmap Presentation Template
- IT Knowledge Transfer Project Charter Template
- IT Knowledge Transfer Plan Template

Your completed project deliverables:
- IT Knowledge Transfer Plans
- IT Knowledge Transfer Roadmap Presentation
- IT Knowledge Transfer Roadmap
1. Initiate |
2. Design |
3. Implement |
|
|---|---|---|---|
Phase Steps |
|
|
|
Phase Outcomes |
|
|
|
Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:
- IT Knowledge Transfer Project Charter: Establish a clear project scope, decision rights, and executive sponsorship for the project.
- IT Knowledge Transfer Risk Assessment Tool: Identify and assess the knowledge and individual risk of key knowledge holders.
- IT Knowledge Identification Interview Guide: Extract information about the type of knowledge that sources have.
- IT Knowledge Transfer Roadmap Presentation: Communicate IT knowledge transfer recommendations to stakeholders to gain buy-in.
- IT Knowledge Transfer Plan: Track knowledge activities, intended recipients, and appropriate transfer tactics for each knowledge source.
IT Benefits |
Business Benefits |
|
|
“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”
“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”
“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”
“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”
| Phase 1 | Phase 2 | Phase 3 |
|---|---|---|
| Call #1: Structure the project. Discuss transfer maturity goal and metrics. | Call #2: Build knowledge transfer plans. Call #3: Identify priorities & review risk assessment tool. | Call #4: Build knowledge transfer roadmap. Determine logistics of implementation. Call #5: Determine logistics of implementation. |
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization. A typical GI is five to six calls.
Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889
| | Day 1 | Day 2 | Day 3 | Day 4 | Day 5 |
|---|---|---|---|---|---|
| | Define the Current and Target State | Identify Knowledge Priorities | Build Knowledge Transfer Plans | Define the Knowledge Transfer Roadmap | Next Steps and |
| Activities | 1.1 Have knowledge transfer fireside chat. 1.2 Identify current and target maturity. 1.3 Identify knowledge transfer metrics. 1.4 Identify knowledge transfer project stakeholders. | 2.1 Identify your knowledge sources. 2.2 Complete a knowledge risk assessment. 2.3 Identify knowledge sources’ level of knowledge risk. | 3.1 Build an interview guide. 3.2 Interview knowledge holders. | 4.1 Prioritize the sequence of initiatives. 4.2 Complete the project roadmap. 4.3 Prepare communication presentation. | 5.1 Complete in-progress deliverables from previous four days. 5.2 Set up review time for workshop deliverables and to discuss next steps. |
| Deliverables | | | | | |
| Phase 1 | Phase 2 | Phase 3 |
|---|---|---|
| 1.1 Obtain approval for project 1.2 Identify knowledge and stakeholder risks | 2.1 Build knowledge transfer plans 2.2 Build knowledge transfer roadmap | 3.1 Communicate your roadmap |
This phase will walk you through the following activities:
This phase involves the following participants:
Activities
1.1.1 Hold a Working Session With Key Stakeholders
1.1.2 Conduct a Current and Target State Analysis
1.1.3 Identify Key Metrics
1.1.4 Identify Your Project Team
1.1.5 Populate an RACI
1.1.6 Build the Project Charter and Obtain Approval
Initiate Your IT Knowledge Transfer Project
The primary goal of this section is to gain a thorough understanding of the reasons why your organization should invest in knowledge transfer and to identify the specific challenges to address.
Outcomes of this step
Organizational benefits and current pain points of knowledge transfer
Don’t build your project charter in a vacuum. Involve key stakeholders to determine the desired knowledge transfer goals, target maturity and KPIs, and ultimately build the project charter.
Building the project charter as a group will help you to clarify your key messages and help secure buy-in from critical stakeholders up-front, which is key.
In order to execute on the knowledge transfer project, you will need significant involvement from your IT leadership team. The trouble is that knowledge transfer can be inherently stressful for employees as it can cause concerns around job security. Members of your IT leadership team will also be individuals who need to participate in knowledge transfer, so get them involved upfront. The working session will help stakeholders feel more engaged in the project, which is pivotal for success.
You may feel like a full project charter isn’t necessary, and depending on your organizational size, it might not be. However, the exercise of building the charter is important regardless. No matter your current climate, some level of socializing the value and plans for knowledge transfer will be necessary.
Meeting Agenda
Led by: Project Sponsor
Led by: Project Manager
Led by: Project Manager
Led by: Project Manager
Led by: Project Manager
Identify the pain points you’re experiencing with knowledge transfer and some of the benefits which you’d like to see from a program to determine the key objectives. By doing so, you’ll get a holistic view of what you need to achieve.
Collect this information by:
How to determine your current and target state of maturity:
Depending on the level of maturity you are trying to achieve, a knowledge transfer project could take weeks, months, or even years. Your maturity level depends on the business goal you would like to achieve, and impacts who and what your roadmap targets.

The maturity levels build on one another; if you start with a project, it is possible to move from a level 0 to a level 1, and once the project is complete, you can advance to a level 2 or 3. However, it’s important to set clear boundaries upfront to limit scope creep, and it’s important to set appropriate expectations for what the project will deliver.
| | Goal | Description | Time to implement | Benefits |
|---|---|---|---|---|
| Level 0: Accidental | Not Prioritized | | N/A | |
| Level 1: Stabilize | Risk Mitigation | At level one, knowledge transfer is focused around ensuring that redundancies exist for explicit knowledge for: Your high-risk knowledge is any information which is proprietary, unique, or specialized. High-risk stakeholders are those individuals who are at a higher likelihood of departing the organization due to retirement or disengagement. | 0 – 6 months | |
| Level 2: Proactive | Operational Efficiency | Level 2 extends Level 1. Once stabilized, you can work on KT initiatives that allow you to be more proactive and cover high-risk knowledge that may not be held by those seen as high-risk individuals. Knowledge transfer plans must exist for ALL high-risk knowledge. | 3m – 1yr | |
| Level 3: Knowledge Culture | Drive Innovation Through Knowledge | Level 3 extends Level 2. | 1-2 years | |
You need to ensure your knowledge transfer initiatives are having the desired effect and adjust course when necessary. Establishing an upfront list of key performance indicators that will be benchmarked and tracked is a crucial step.
Many organizations overlook the creation of KPIs for knowledge transfer because the benefits are often one step removed from the knowledge transfer itself. However, there are several metrics you can use to measure success.
Hint: Metrics will vary based on your knowledge transfer maturity goals.
Creating KPIs for knowledge transfer is a crucial step that many organizations overlook because the benefits are often one step removed from the knowledge transfer itself. However, there are several qualitative and quantitative metrics you can use to measure success depending on your maturity level goals.
Stabilize
Be Proactive
Promote Knowledge Culture
How to determine knowledge transfer metrics:
Determine Project Participants and Pick a Project Sponsor

The project sponsor is the main catalyst for the creation of the roadmap. They will be the one who signs off on the project roadmap.

The project participants are the key stakeholders in your organization whose input will be pivotal to the creation of the roadmap.

The project stakeholders are the senior executives who have a vested interest in knowledge transfer. Following completion of this workshop, you will present your roadmap to these individuals for approval.
How to define the knowledge transfer project team:
Project Stakeholder Register Template
If your IT leadership team isn’t on board, you’re in serious trouble! IT leaders will not only be highly involved in the knowledge transfer project, but they also may be participants, so it’s essential that you get their buy-in for the project upfront.
Document the results in the Project Stakeholder Register Template; use this as a guide to help structure your communication with stakeholders based on where they fall on the grid.
How to Manage:
- Focus on increasing these stakeholders’ level of support!
- Capitalize on champions to drive the project/change.
- Pick your battles – focus on your noise makers first, and then move on to your blockers.
- Leverage this group where possible to help socialize the program and to help encourage dissenters to support.
| | Role | Project Role |
|---|---|---|
| Required | CIO | Will often play the role of project sponsor and should be involved in key decision points. |
| | IT Managers/Directors | Assist in the identification of high-risk stakeholders and knowledge and will be heavily involved in the development of each transfer plan. |
| | Project Manager | Should be in charge of leading the development and execution of the project. |
| | Business Analysts | Responsible for knowledge transfer elicitation analysis and validation for the knowledge transfer project. |
| Situational | Technical Lead | Responsible for solution design where required for knowledge transfer tactics. |
| | HR | Will aid in the identification of high-risk stakeholders or help with communication and stakeholder management. |
| | Legal | Organizations that are subject to knowledge confidentiality, Sarbanes-Oxley, federal rules, etc. may need legal to participate in planning. |
| | Apps MGR | Dev. MGR | Infra MGR |
|---|---|---|---|
| Build the project charter | R | R | I |
| Identify IT stakeholders | R | R | I |
| Identify high risk stakeholders | R | A | R |
| Identify high risk knowledge | I | C | C |
| Validate prioritized stakeholders | I | C | R |
| Interview key stakeholders | R | R | A |
| Identify knowledge transfer tactics for individuals | C | C | A |
| Communicate knowledge transfer goals | C | R | A |
| Build the knowledge transfer roadmap | C | R | A |
| Approve knowledge transfer roadmap | C | R | C |
How to define RACI for the project team:
Responsible: The one responsible for getting the job done.
Accountable: Only one person can be accountable for each task.
Consulted: Involvement through input of knowledge and information.
Informed: Receiving information about process execution and quality.
Build the project charter and obtain sign-off from your project sponsor. Use your organization’s project charter if one exists. If not, customize Info-Tech’s IT Knowledge Transfer Project Charter Template to suit your needs.
Activities
1.2.1 Identify Knowledge Sources
1.2.2 Complete a Knowledge Risk Assessment
1.2.3 Review the Prioritized List of Knowledge Sources
The primary goal of this section is to identify who your primary risk targets are for knowledge transfer.
Outcomes of this step
Throughout this section, we will walk through the following 3 activities in the tool to determine where you need to focus attention for your knowledge transfer roadmap based on knowledge value and likelihood of departure.
1. Identify Knowledge Sources
Create a list of knowledge sources for whom you will be conducting the analysis, and identify which sources currently have a transfer plan in place.
2. Value of Knowledge
Consider the type of knowledge held by each identified knowledge source and determine the level of risk based on the knowledge:
3. Likelihood of Departure
Identify the knowledge source’s risk of leaving the organization based on their:
This tool contains sensitive information. Do not share this tool with knowledge sources. The BA and Project Manager, and potentially the project sponsor, should be the only ones who see the completed tool.
Identify Key Roles
Hold a meeting with your IT Leadership team, or meet with members individually, and ask these questions to identify key roles:
Key roles include:
This step is meant to help speed up and simplify the process for large IT organizations. IT organizations with fewer than 30 people, or organizations looking to build a knowledge culture, can opt to skip this step and include all members of the IT team. This way, everyone is considered and you can prioritize accordingly.
Legend:
1. Document knowledge source information (name, department, and manager).
2. Select the current state of knowledge transfer plans for each knowledge source.
Once you have identified key roles, conduct a sanity check and ask – “did we miss anybody?” For example:
Municipal government learns the importance of thorough knowledge source identification after losing key stakeholder
INDUSTRY: Government
Challenge |
Solution |
Results |
|
|
|
| Risk Parameter | Description | How to Collect this Data: |
|---|---|---|
| Age Cohort | | For those people on your shortlist, pull some hard demographic data. Compile a report that breaks down employees into age-based demographic groups. Flag those over the age of 50 – they’re in the “retirement zone” and could decide to leave at any time. Check to see which stakeholders identified fall into the “over 50” age demographic. Document this information in the IT Knowledge Transfer Risk Assessment Tool. |

150% of an employee’s base salary and benefits is the estimated cost of turnover according to The Society of Human Resource Professionals.¹

¹ McLean & Company, Make the Case for Employee Engagement
| Risk Parameter | Description | How to Collect this Data: |
|---|---|---|
| Engagement | An engaged stakeholder is energized and passionate about their work, leading them to exert discretionary effort to drive organizational performance (lowest risk). An almost engaged stakeholder is generally passionate about their work. At times they exert discretionary effort to help achieve organizational goals. Indifferent employees are satisfied, comfortable, and generally able to meet minimum expectations. They see their work as “just a job,” prioritizing their needs before organizational goals. Disengaged employees have little interest in their job and the organization and often display negative attitudes (highest risk). | Option 1: The optimal approach for determining employee engagement is through an engagement survey. See McLean & Company for more details. Option 2: Ask the identified stakeholder’s manager to provide an assessment of their engagement either independently or via a meeting. |

Engaged employees are five times more likely than disengaged employees to agree that they are committed to their organization.¹

¹ Source: McLean & Company, N = 13683
| Risk Parameter | Description | How to Collect this Data: |
|---|---|---|
| Criticality | Roles that are critical to the continuation of business and cannot be left vacant without risking business operations. Would the role, if vacant, create system, function, or process failure for the organization? | Option 1: (preferred) Meet with IT managers/directors over the phone or directly and review each of the identified reports to determine the risk. Option 2: Send the IT managers/directors the list of their direct reports, and ask them to evaluate their knowledge type risk independently and return the information to you. Option 3: (if necessary) Review individual job descriptions independently, and use your judgment to come up with a rating for each. Send the assessment to the stakeholders’ managers for validation. |
| Availability | Refers to level of redundancy both within and outside of the organization. Information which is highly available is considered lower risk. Key questions to consider include: does this individual have specialized, unique, or proprietary expertise? Are there internal redundancies? | |
Complete a Tab 3 assessment for each of your identified Knowledge Sources. The Knowledge Source tab will pre-populate with information from Tab 2 of the tool. For each knowledge source, you will determine their likelihood of departure and degree of knowledge risk.
Likelihood of departure:
Degree of knowledge risk is based on:
Knowledge sources have been separated into the three maturity levels (Stabilize, Proactive, and Knowledge Culture) and prioritized within each level.
Focus first on your stabilize groups, and based on your target maturity goal, move on to your proactive and knowledge culture groups respectively.
Sequential Prioritization:
- Orange line: Level 1: Stabilize
- Blue line: Level 2: Proactive
- Green line: Level 3: Knowledge Culture

Each pie chart indicates which of the stakeholders in that risk column currently has knowledge transfer plans.

Each individual also has their own status ball on whether they currently have a knowledge transfer plan.
Identify knowledge sources to focus on for the knowledge transfer roadmap. Review the IT Knowledge Transfer Map on Tab 5 to determine where to focus your knowledge transfer efforts.
This phase will walk you through the following activities:
This phase involves the following participants:
Define what knowledge needs to be transferred

Each knowledge source has unique information which needs to be transferred. Chances are you don’t know what you don’t know. The first step is therefore to interview knowledge sources to find out.

Identify the knowledge receiver

Depending on who the information is going to, the knowledge transfer tactic you employ will differ. Before deciding on the knowledge receiver and tactic, consider three key factors:

Identify which knowledge transfer tactics you will use for each knowledge asset

Not all tactics are good in every situation. Always keep the “knowledge type” (information, process, skills, and expertise), knowledge sources’ engagement level, and the knowledge receiver in mind as you select tactics.
This tool is built to accommodate up to 30 knowledge items; Info-Tech recommends focusing on the top 10-15 items.
These steps should be completed by the BA or IT Manager. The BA is helpful to have around because they can learn about the tactics and answer any questions about the tactics that the managers might have when completing the template.
Activities
2.1.1 Interview Knowledge Sources to Uncover Key Knowledge Items
2.1.2 Identify When to Use Knowledge Transfer Tactics
2.1.3 Build Individual Knowledge Transfer Plans
The primary goal of this section is to build an interview guide and interview knowledge sources to identify key knowledge assets.
Outcomes of this step
The first step is for managers to interview knowledge sources in order to extract information about the type of knowledge the source has.
Meet with the knowledge sources and work with them to identify essential knowledge. Use the following questions as guidance:
Interviews provide an opportunity to meet one-on-one with key stakeholders to document key knowledge assets. Interviews can be used for explicit and tacit information, and in particular, capture processes, rules, coding information, best practices, etc.
| Knowledge Types | Dependencies | Participants | Materials |
|---|---|---|---|
| Information; Process; Skills; Expertise | Training: Minimal; Technology Support: N/A; Process Development: Minimal; Duration: Annual | Business analysts; Knowledge source | Interview guide; Notepad; Pen |
Business process mapping refers to building a flow chart diagram of the sequence of actions which defines what a business does. The flow chart defines exactly what a process does and the specific succession of steps including all inputs, outputs, flows, and linkages. Process maps are a powerful tool to frame requirements in the context of the complete solution.
Benefits:
How to get started:
| Knowledge Types | Dependencies | Participants | Materials |
|---|---|---|---|
| Information; Process; Skills; Expertise | Training: Minimal; Technology Support: N/A; Process Development: Minimal; Duration: Annual | Business analysts; Knowledge source | Whiteboard / flip-chart paper; Marker |
Use case diagrams are a common transfer tactic where the BA maps out step-by-step how an employee completes a project or uses a system. Use cases show what a system or project does rather than how it does it. Use cases are frequently used by product managers and developers.
Benefits:
How to get started:
| Knowledge Types | Dependencies | Participants | Materials |
|---|---|---|---|
| Information; Process; Skills; Expertise | Training: Minimal; Technology Support: N/A; Process Development: Minimal; Duration: Annual | Business analysts; Knowledge source | Whiteboard / flip-chart paper; Marker |
Job shadowing is a working arrangement where the “knowledge receiver” learns how to do a job by observing an experienced employee complete key tasks throughout their normal workday.
Benefits:
How to get started:
| Knowledge Types | Dependencies | Participants | Materials |
|---|---|---|---|
| Information; Process; Skills; Expertise | Training: Required; Technology Support: N/A; Process Development: Required; Duration: Ongoing | BA; IT manager; Knowledge source and receiver | N/A |
Meeting or workshop where peers from different teams share their experiences and knowledge with individuals or teams that require help with a specific challenge or problem.
Benefits:
How to get started:
| Knowledge Types | Dependencies | Participants | Materials |
|---|---|---|---|
| Information; Process; Skills; Expertise | Training: Minimal; Technology Support: N/A; Process Development: Required; Duration: Ongoing | Knowledge sources; Knowledge receiver; BA to build a skill repository | Intranet |
A half- to full-day exercise where an outgoing leader facilitates a knowledge transfer of key insights they have learned along the way and any high-profile knowledge they may have.
Benefits:
How to get started:
| Knowledge Types | Dependencies | Participants | Materials |
|---|---|---|---|
| Information; Process; Skills; Expertise | Training: Required; Technology Support: Some; Process Development: Some; Duration: Ongoing | IT leader; Incoming IT team; Key stakeholders | Meeting space; Video conferencing (as needed) |
Action Review is a team-based discussion at the end of a project or step to review how the activity went and what can be done differently next time. It is ideal for transferring expertise and skills.
Benefits:
How to get started:
| Knowledge Types | Dependencies | Participants | Materials |
|---|---|---|---|
| Information; Process; Skills; Expertise | Training: Minimal; Technology Support: Minimal; Process Development: Some; Duration: Ongoing | IT unit/group; Any related IT stakeholder impacted by or involved in a project | Meeting space; Video conferencing (as needed) |
Mentoring can be a formal program where management sets schedules and expectations. It can also be informal through an environment for open dialogue where staff is encouraged to seek advice and guidance, and to share their knowledge with more novice members of the organization.
Benefits:
How to get started:
Creating a mentorship program is a full project in itself. For full details on how to set up a mentorship program, see McLean & Company’s Build a Mentoring Program.
| Knowledge Types | Dependencies | Participants | Materials |
|---|---|---|---|
| Information; Process; Skills; Expertise | Training: Required; Technology Support: N/A; Process Development: Required; Duration: Ongoing | IT unit/group | Meeting space; Video conferencing (as needed); Documentation |
Knowledge sources use anecdotal examples to highlight a specific point and pass on information, experience, and ideas through narrative.
Benefits:
How to get started:
| Knowledge Types | Dependencies | Participants | Materials |
|---|---|---|---|
| Information; Process; Skills; Expertise | Training: Required; Technology Support: Some; Process Development: Required; Duration: Ongoing | Knowledge source; Knowledge receiver; Videographer (where applicable) | Meeting space; Video conferencing (as needed); Documentation |
Job share exists when at least two people share the knowledge and responsibilities of two job roles.
Benefits:
How to get started:
| Knowledge Types | Dependencies | Participants | Materials |
|---|---|---|---|
| Information; Process; Skills; Expertise | Training: Some; Technology Support: Minimal; Process Development: Required; Duration: Ongoing | IT manager; HR; Employees | Job descriptions |
Communities of practice are working groups of individuals who engage in a process of regularly sharing information with each other across different parts of the organization by focusing on common purpose and working practices. These groups meet on a regular basis to work together on problem solving, to gain information, ask for help and assets, and share opinions and best practices.
Benefits:
How to get started:
| Knowledge Types | Dependencies | Participants | Materials |
|---|---|---|---|
| Information; Process; Skills; Expertise | Training: Required; Technology Support: Required; Process Development: Required; Duration: Ongoing | Employees; BA (to assist in establishing); IT managers (rewards and recognition) | TBD |
This table shows the relative strengths and weaknesses of each knowledge transfer tactic compared to four different knowledge types.
Not all techniques are effective for all types of knowledge; it is important to use a healthy mixture of techniques to optimize effectiveness.
Very strong = Very effective
Strong = Effective
Medium = Somewhat effective
Weak = Minimally effective
Very weak = Not effective
| Tactic | Information (Explicit) | Process (Explicit) | Skills (Tacit) | Expertise (Tacit) |
|---|---|---|---|---|
| Interviews | Very strong | Strong | Strong | Strong |
| Process mapping | Medium | Very strong | Very weak | Very weak |
| Use cases | Medium | Very strong | Very weak | Very weak |
| Job shadow | Very weak | Medium | Very strong | Very strong |
| Peer assist | Strong | Medium | Very strong | Very strong |
| Action review | Medium | Medium | Strong | Weak |
| Mentoring | Weak | Weak | Strong | Very strong |
| Transition workshop | Strong | Strong | Strong | Strong |
| Story telling | Weak | Weak | Strong | Very strong |
| Job share | Weak | Weak | Very strong | Very strong |
| Communities of practice | Strong | Weak | Very strong | Very strong |
Level of Engagement

| Tactic | Disengaged/Indifferent | Almost Engaged - Engaged |
|---|---|---|
| Interviews | Yes | Yes |
| Process mapping | Yes | Yes |
| Use cases | Yes | Yes |
| Job shadow | No | Yes |
| Peer assist | Yes | Yes |
| Action review | Yes | Yes |
| Mentoring | No | Yes |
| Transition workshop | Yes | Yes |
| Story telling | No | Yes |
| Job share | Maybe | Yes |
| Communities of practice | Maybe | Yes |
When considering which tactics to employ, it’s important to consider the knowledge holder’s level of engagement. Employees whom you would identify as being disengaged may not make good candidates for job shadowing, mentoring, or other tactics where they are required to do additional work or are asked to influence others.
Knowledge transfer can be controversial for all employees as it can cause feelings of job insecurity. It’s essential that motivations for knowledge transfer are communicated effectively.
Pay particular attention to your communication style with disengaged and indifferent employees, communicate frequently, and tie communication back to what’s in it for them.
Putting disengaged employees in a position where they are mentoring others can be a risk. Their negativity could influence others not to participate as well or negate the work you’re doing to create a positive knowledge sharing culture.
There is a wide variety of different collaboration tools available to enable interpersonal and team connections for work-related purposes. Familiarize yourself with all types of collaboration tools to understand what is available to help facilitate knowledge transfer.
Collaboration Tools

| Content Management | Real Time Communication | Community Collaboration | Social Collaboration |
|---|---|---|---|
| Tools for collaborating around documents. They store content and allow for easy sharing and editing, e.g. content repositories and version control. Can be used for: | Tools that enable real-time employee interactions. They permit “on-demand” workplace communication, e.g. IM, video and web conferencing. Can be used for: | Tools that allow teams and communities to come together and share ideas or collaborate on projects, e.g. team portals, discussion boards, and ideation tools. Can be used for: | Social tools borrow concepts from consumer social media and apply them to the employee-centric context, e.g. employee profiles, activity streams, and microblogging. Can be used for: |
For more information on Collaboration Tools and how to use them, see Info-Tech’s Establish a Communication and Collaboration System Strategy.
Wherever possible, ask employees about their personal learning styles. It’s likely that a collaborative compromise will have to be struck for knowledge transfer to work well.
We will use the IT Knowledge Transfer Plans as the foundation for building your knowledge transfer roadmap.
The Strength Level column will indicate how well matched the tactic is to the type of knowledge.
Activities
2.2.1 Merge Your Knowledge Transfer Plans
2.2.2 Define Knowledge Transfer Initiatives’ Timeframes
The goal of this step is to build the logistics of the knowledge transfer roadmap to prepare to communicate it to key stakeholders.
Outcomes of this step
Depending on the desired state of maturity, the number of initiatives your organization has will vary, and there could be a long list of tasks and subtasks required to reach your organization's knowledge transfer target state. The best way to plan, organize, and manage all of them is with a project roadmap.


Populate the task column of the Project Planning and Monitoring Tool. See the following slides for more details on how to do this.
Effort by Stakeholder

| Tactic | Business Analyst | IT Manager | Knowledge Holder | Knowledge Receiver | |
|---|---|---|---|---|---|
| Interviews | Medium | N/A | Low | Low | These tactics require the least amount of effort, especially for organizations that are already using these tactics for a traditional requirements gathering process. |
| Process Mapping | Medium | N/A | Low | Low | |
| Use Cases | Medium | N/A | Low | Low | |
| Job Shadow | Medium | Medium | Medium | Medium | These tactics generally require more involvement from IT management and the BA in tandem for preparation. They will also require ongoing effort for all stakeholders. Stakeholder buy-in is key for success. |
| Peer Assist | Medium | Medium | Medium | Medium | |
| Action Review | Low | Medium | Medium | Low | |
| Mentoring | Medium | High | High | Medium | |
| Transition Workshop | Medium | Low | Medium | Low | |
| Story Telling | Medium | Medium | Low | Low | |
| Job Share | Medium | High | Medium | Medium | |
| Communities of Practice | High | Medium | Medium | Medium | |
Implementation Dependencies

| Tactic | Training | Technology Support | Process Development | Duration | |
|---|---|---|---|---|---|
| Interviews | Minimal | N/A | Minimal | Annual | Start your knowledge transfer project here to get quick wins for explicit knowledge. |
| Process Mapping | Minimal | N/A | Minimal | Annual | |
| Use Cases | Minimal | N/A | Minimal | Annual | |
| Job Shadow | Required | N/A | Required | Ongoing | Don’t change too much too quickly or try to introduce all of the tactics at once. Focus on 1-2 key tactics and spend a significant amount of time upfront building an effective process and rolling it out. Leverage the effectiveness of the initial tactics to push these initiatives forward. |
| Peer Assist | Minimal | N/A | Required | Ongoing | |
| Action Review | Minimal | Minimal | Some | Ongoing | |
| Mentoring | Required | N/A | Required | Ongoing | |
| Transition Workshop | Required | Some | Some | Ongoing | |
| Story Telling | Some | Required | Required | Ongoing | |
| Job Share | Some | Minimal | Required | Ongoing | |
| Communities of Practice | Required | Required | Required | Ongoing | |
Phase 1 | Phase 2 | Phase 3 |
|---|---|---|
1.1 Obtain approval for project 1.2 Identify knowledge and stakeholder risks | 2.1 Build knowledge transfer plans 2.2 Build knowledge transfer roadmap | 3.1 Communicate your roadmap |
This phase will walk you through the following activities:
This phase involves the following participants:
Activities
3.1.1 Prepare IT Knowledge Transfer Roadmap Presentation
The goal of this step is to be ready to communicate the roadmap with the project team, project sponsor, and other key stakeholders.
Outcomes of this step
Obtain approval for the IT Knowledge Transfer Roadmap by customizing Info-Tech’s IT Knowledge Transfer Roadmap Presentation Template designed to effectively convey your key messages. Tailor the template to suit your needs.
It includes:
The support of IT leadership is critical to the success of your roadmap roll-out. Remind them of the project benefits and emphasize the risks and pain points.
Know your audience:
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Calculate the cost of the project backlog and assess the root causes of its unmanageability.
Increase the manageability of the backlog by updating stale requests and removing dead weight.
Develop and maintain a manageable backlog growth rate by establishing disciplined backlog management processes.
Gauge the manageability of your project backlog in its current state.
Calculate the total cost of your project backlog investments.
Determine the root causes that contribute to the unmanageability of your project backlog.
An understanding of the organizational need for more disciplined backlog management.
Visibility into the costs incurred by the project backlog.
An awareness of the sources that feed the growth of the project backlog and make it a challenge to maintain.
1.1 Calculate the sunk and marginal costs that have gone into your project backlog.
1.2 Estimate the throughput of backlog items.
1.3 Survey the root causes of your project backlog.
The total estimated cost of the project backlog.
A project backlog return-on-investment score.
A project backlog root cause analysis.
Identify the most organizationally appropriate goals for your backlog cleanse.
Pinpoint those items that warrant immediate removal from the backlog and establish a game plan for putting a bullet in them.
Communicate backlog decisions with stakeholders in a way that minimizes friction and resistance.
An effective, achievable, and organizationally right-sized approach to cleansing the backlog.
Criteria for cleanse outcomes and a protocol for carrying out the near-term cleanse.
A project sponsor outreach plan to help ensure that decisions made during your near-term cleanse stick.
2.1 Establish roles and responsibilities for the near-term cleanse.
2.2 Determine cleanse scope.
2.3 Develop backlog prioritization criteria.
2.4 Prepare a communication strategy.
Clear accountabilities to ensure the backlog is effectively minimized and outcomes are communicated effectively.
Clearly defined and achievable goals.
Effective criteria for cleansing the backlog of zombie projects and maintaining projects that are of strategic and operational value.
A communication strategy to minimize stakeholder friction and resistance.
Ensure ongoing backlog manageability.
Make sure the executive layer is aware of the ongoing status of the backlog when making project decisions.
Customize a best-practice toolkit to help keep the project backlog useful.
A list of pending projects that is minimal, maintainable, and of high value.
Executive engagement with the backlog to ensure intake and approval decisions are made with a view of the backlog in mind.
A backlog management tool and processes for ongoing manageability.
3.1 Develop a project backlog management operating model.
3.2 Configure a project backlog management solution.
3.3 Assign roles and responsibilities for your long-term project backlog management processes.
3.4 Customize a project backlog management operating plan.
An operating model to structure your long-term strategy around.
A right-sized management tool to help enable your processes and executive visibility into the backlog.
Defined accountabilities for executing project backlog management responsibilities.
Clearly established processes for how items get in and out of the backlog, as well as for ongoing backlog review.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
This blueprint will help you:
Dispense with detailed analysis and customizations to present a quick snapshot of the road ahead.
Connectivity and security are tightly coupled
Security, risk, and trust models play into how networks are designed and deployed. If these models are not considered during network design, band-aids and workarounds will be deployed to achieve the needed goals, potentially bypassing network controls.
Many services are no longer within the network
The cloud “gold rush” has made it attractive for many enterprises to migrate services off the traditional network and into the cloud. These services are now outside of the traditional network and associated controls. This shifts the split of east-west vs. north-south traffic patterns, as well as extending the network to encompass services outside of enterprise IT’s locus of control.
Users are demanding an anywhere, any device access model
Where users access enterprise data or services, and from which devices, dictates the connectivity needed. With the increasing shift of work that the business is completing remotely, not all devices and data paths will be under the control of IT. This shift does not allow IT to abdicate its responsibility to provide a secure network.
The enterprise network of 2020 and beyond is changing:
The above statements are all accurate for enterprise networks, though the degree to which each applies depends on the business the network supports. Depending on how affected the network in question currently is and will be in the near future, there are different common network archetypes that are best able to address these concerns while delivering business value at an appropriate price point.
Understand what the business needs are and where users and resources are located.
Trust is a spectrum and tied tightly to security.
How will the network be deployed?
What tools are in the market to help achieve design principles?
Mission
Never ignore the basics. Start with revisiting the mission and vision of the business to address relevant needs.
Users
Identify where users will be accessing services from. Remote vs. “on net” is a design consideration now more than ever.
Resources
Identify required resources and their locations, on net vs. cloud.
Controls
Identify required controls in order to define control points and solutions.
Trust is a spectrum
Implicit
Trust everything within the network. Security is perimeter based and designed to stop external actors from entering the large trusted zone.
Controlled
Multiple zones of trust within the network. Segmentation is a standard practice to separate areas of higher and lower trust.
Zero
Verify trust. The network is set up to recognize and support the principle of least privilege where only required access is supported.
Archetypes are a good guide
Traditional
Services are provided from within the traditional network boundaries and security is provided at the network edge.
Hybrid
Services are provided both externally and from within the traditional network boundaries, and security is primarily at the network edge.
Inverted
Services are provided primarily externally, and security is cloud centric.
Abstract
A traditional network is one in which there are clear boundaries defined by a security perimeter. Trust can be applied within the network boundaries as appropriate, and traffic is generally routed through internally deployed control points that may be centralized. Traditional networks commonly include large firewalls and other “big iron” security and control devices.
Network Design Tenets
Control
In the traditional network, it is assumed that all required control points can be adequately deployed across hardware/software that is “on prem” and under the control of central IT.
Info-Tech Insight
With increased cloud services provided to end users, this network is now more commonly used in data centers or OT networks.
Abstract
A hybrid network is one that combines elements of a traditional network with cloud resources. As some of these resources are not fully under the control of IT and may be completely “offnet” or loosely coupled to the on-premises network, the security boundaries and control points are less likely to be centralized. Hybrid networks allow the flexibility and speed of cloud deployment without leaving behind traditional network constructs. This generally makes them expensive to secure and maintain.
Network Design Tenets
Control
The hallmark of a hybrid network is the blending of public and private resources. This blending tends to necessitate both public and private points of control that may not be homogenous.
Info-Tech Insight
With multiple control points to address, take care in simplifying designs while addressing all concerns to ease operational load.
Abstract
An inverted perimeter network is one in which security and control points cover the entire workflow, on or off net, from the consumer of services through to the services themselves with zero trust. Since the control plane is designed to encompass the workflow in a secure manner, much of the underlying connectivity can be abstracted. In an extreme version of this deployment, IT would abstract end-user access, and any cloud-based or on-premises resources would be securely published through the control plane with context-aware precision access.
Network Design Tenets
Control
An inverted network abstracts the lower-layer connectivity away and focuses on implementing a cloud-based zero trust control plane.
Info-Tech Insight
This model is extremely attractive for organizations that consume primarily cloud services and have a large remote work force.
“It is essential to have good tools, but it is also essential that the tools should be used in the right way.” — Wallace D. Wattles
Simplified branch office connectivity
Archetype Value: Traditional Networks
SD-WAN is generally not a way to slash spending by lowering WAN circuit costs. Though it is traditionally deployed across lower-cost access, many organizations install multiple circuits with greater bandwidths at each endpoint when replacing the more costly traditional circuits, to minimize risk and realize the most benefits from the platform. Though this maximizes the value of the technology investment, it will result in the end cost being similar to the traditional cost plus or minus a small percentage.
SD-WAN is a subset of software-defined networking (SDN) designed specifically to deploy a secure, centrally managed, connectivity agnostic, overlay network connecting multiple office locations. This technology can be used to replace, work in concert with, or augment more traditional costly connectivity such as MPLS or private point to point (PtP) circuits. In addition to the secure overlay, SD-WAN usually also enables policy-based, intelligent controls, based on traffic and circuit intelligence.
You have multiple endpoint locations connected by expensive lower bandwidth traditional circuits. Your target is to increase visibility and control while controlling costs if and where possible. Ease of centralized management and the ability to more rapidly turn up new locations are attractive.
Inline policy enforcement placed between users and cloud services
Archetype Value: Hybrid Networks
CASBs do not provide network protection; they are designed to provide compliance and enforcement of rules. Though CASBs are designed to give visibility and control into cloud traffic, they have limits to the data that they generally ingest and utilize. A CASB does not gather or report on cloud usage details, licencing information, financial costing, or whether the cloud resource usage is aligned with the deployment purpose.
A CASB is designed to establish security controls beyond a company’s environment. It is commonly deployed to augment traditional solutions to extend visibility and control into the cloud. To protect assets in the cloud, CASBs are designed to provide central policy control and apply services primarily in the areas of visibility, data security, threat protection, and compliance.
You have a mixture of on-premises and cloud assets. In moving assets out to the cloud, you have lost the traditional controls that were implemented in the data center. You now need to have visibility and apply controls to the usage of these cloud assets.
Convergence of security and service access in the cloud
Archetype Value: Inverted Networks
Though the service will consist of many service offerings, SASE is not multiple services strung together. To present the value proposed by this platform, all functionality proposed must be provided by a single platform under a “single pane of glass.” SASE is not a mature and well-established service. The market is still solidifying, and the full-service definition remains somewhat fluid.
SASE exists at the intersection of network-as-a-service and network-security-as-a-service. It is a superset of many network and security cloud offerings such as CASB, secure web gateway, SD-WAN, and WAN optimization. Any services offered by a SASE provider will be cloud hosted, presented in a single stack, and controlled through a single pane of glass.
Your network is inverting, and services are provided primarily as cloud assets. In a full realization of this deployment’s value, you would abstract how and where users gain initial network access yet remain in control of the communications and data flow.
Activity: Network assessment in an hour
Review your design options with security and compliance in mind. Infrastructure is no longer a standalone entity and now tightly integrates with software-defined networks and security solutions.
Learn about the Enterprise Network Roadmap Technology Assessment Tool.
This workbook provides a high-level analysis of a technology’s readiness for adoption based on your organization’s needs.
Complete the Enterprise Network Roadmap Technology Assessment Tool.
Effectively Acquire Infrastructure Services
Acquiring a service is like buying an experience. Don’t confuse the simplicity of buying hardware with buying an experience.
Outsource IT Infrastructure to Improve System Availability, Reliability, and Recovery
There are very few IT infrastructure components you should be housing internally – outsource everything else.
Build Your Infrastructure Roadmap
Move beyond alignment: Put yourself in the driver’s seat for true business value.
Drive Successful Sourcing Outcomes With a Robust RFP Process
Leverage your vendor sourcing process to get better results.
Scott Young, Principal Research Advisor, Info-Tech Research Group
Scott Young is a Director of Infrastructure Research at Info-Tech Research Group. Scott has worked in the technology field for over 17 years, with a strong focus on telecommunications and enterprise infrastructure architecture. He brings extensive practical experience in these areas of specialization, including IP networks, server hardware and OS, storage, and virtualization.
Troy Cheeseman, Practice Lead, Info-Tech Research Group
Troy has over 24 years of experience and has championed large enterprise-wide technology transformation programs, remote/home office collaboration and remote work strategies, BCP, IT DRP, IT operations and expense management programs, international right placement initiatives, and large technology transformation initiatives (M&A). Additionally, he has deep experience working with IT solution providers and technology (cloud) startups.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Determine how to establish the foundation of your security operations.
Assess the maturity of your prevention, detection, analysis, and response processes.
Design a target state and improve your governance and policy solutions.
Make your case to the board and develop a roadmap for your prioritized security initiatives.
Identify security obligations and the security operations program’s pressure posture.
Assess current people, process, and technology capabilities.
Determine foundational controls and complete system and asset inventory.
Identified the foundational elements needed for planning before a security operations program can be built
1.1 Define your security obligations and assess your security pressure posture.
1.2 Determine current knowledge and skill gaps.
1.3 Shine a spotlight on services worth monitoring.
1.4 Assess and document your information system environment.
Customized security pressure posture
Current knowledge and skills gaps
Log register of essential services
Asset management inventory
Identify the maturity level of existing security operations program processes.
Current maturity assessment of security operations processes
2.1 Assess the current maturity level of the existing security operations program processes.
Current maturity assessment
Design your optimized target state.
Improve your security operations processes with governance and policy solutions.
Identify and prioritize gap initiatives.
A comprehensive list of initiatives to reach ideal target state
Optimized security operations with repeatable and standardized policies
3.1 Complete standardized policy templates.
3.2 Map out your ideal target state.
3.3 Identify gap initiatives.
Security operations policies
Gap analysis between current and target states
List of prioritized initiatives
Formalize project strategy with a project charter.
Determine your sourcing strategy for in-house or outsourced security operations processes.
Assign responsibilities and complete an implementation roadmap.
An overarching and documented strategy and vision for your security operations
A thorough rationale for in-house or outsourced security operations processes
Assigned and documented responsibilities for key projects
4.1 Complete a security operations project charter.
4.2 Determine in-house vs. outsourcing rationale.
4.3 Identify dependencies of your initiatives and prioritize initiatives in phases of implementation.
4.4 Complete a security operations roadmap.
Security operations project charter
In-house vs. outsourcing rationale
Initiatives organized according to phases of development
Planned and achievable security operations roadmap
Improvement can be incremental. You do not have to adopt every recommended improvement right away. Ensure every process change you make will create value and slowly add improvements to ease buy-in.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Use this storyboard as a guide to align projects with your IT change management lifecycle.
Use this SOP as a template to document and maintain your change management practice.
Focus on frequent and transparent communications between the project team and change management.
Misalignment between IT change management and project management leads to headaches for both practices. Project managers should aim to be represented in the change advisory board (CAB) to ensure their projects are prioritized and scheduled appropriately. Advance notice on project progress allows for fewer last-minute accommodations at implementation. Widespread access to the change calendar can also lead project management to effectively schedule projects to give change management advance notice. Moreover, alignment between the two practices at intake allows for requests to be properly sorted, whether they enter change management directly or are governed as a project. Lastly, standardizing implementation and post-implementation across everyone involved ensures more successful changes and socialized/documented lessons learned for when implementations do not go well.

Benedict Chang
| Your Challenge | Common Obstacles | Info-Tech’s Approach |
|---|---|---|
| To align projects with the change lifecycle, IT leaders must: | Loose definitions may work for clear-cut examples of changes and projects at intake, but grey-area requests end up falling through the cracks. Changes to project scope, when not communicated, often lead to scheduling conflicts at go-live. Too few checkpoints between change and project management can lead to conflicts. Too many checkpoints can lead to delays. | Set up touchpoints between IT change management and project management at strategic points in the change and project lifecycles. Include appropriate project representation at the change advisory board (CAB). Leverage standard change resources such as the change calendar and request for change form (RFC). |
This deck is intended to align established processes. If you are just starting to build IT change processes, see the related research below.
Align Projects With the IT Change Lifecycle |
01 Optimize IT Change Management | |
|---|---|---|
Increase the success of your changes by integrating project touchpoints in your change lifecycle. (You are here) |
Decide which IT projects to approve and when to start them. |
Right-size IT change management to protect the live environment. |
IT Benefits |
Business Benefits |
|---|---|
|
|
IT satisfaction with change management will drive business satisfaction with IT. Once the process is working efficiently, staff will be more motivated to adhere to the process, reducing the number of unauthorized changes. As fewer changes bypass proper evaluation and testing, service disruptions will decrease and business satisfaction will increase.
| Control | Collaboration | Consistency | Confidence |
|---|---|---|---|
| Change management brings daily control over the IT environment, allowing you to review every relatively new change, eliminate changes that would have likely failed, and review all changes to improve the IT environment. | Change management planning brings increased communication and collaboration across groups by coordinating changes with business activities. The CAB brings a more formalized and centralized communication method for IT. | Request-for-change templates and a structured process result in implementation, test, and backout plans being more consistent. Implementing processes for pre-approved changes also ensures these frequent changes are executed consistently and efficiently. | Change management processes will give your organization more confidence through more accurate planning, improved execution of changes, less failure, and more control over the IT environment. This also leads to greater protection against audits. |
Both changes and projects will end up in change control in the end. Here, we define the intake.
Changes and projects will both go to change control when ready to go live. However, defining the governance needed at intake is critical.
A change should be governed by change control from beginning to end. It would typically be less than a week’s worth of work for a SME to build and come in at a nominal cost (e.g. <$20k over operating costs).
Projects, on the other hand, will be governed by project management in terms of scope, scheduling, resourcing, etc. Projects typically take over a week and/or cost more. However, the project, when ready to go live, should still be scheduled through change control to avoid any conflicts at implementation. At triage and intake, a project can be further scoped based on projected scale.
This initial touchpoint between change control and project management is crucial to ensure tasks and requests are executed with the proper governance. To distinguish between changes and projects at intake, list examples of each and determine what resourcing separates changes from projects.
Need help scoping projects? Download the Project Intake Classification Matrix
Change |
Project |
|---|---|
|
|
While effort and cost are good indicators of changes and projects, consider evaluating risk and complexity too.
Change | Project | Service Request (Optional) | Operational Task (Optional) | Release (Optional) |
|---|---|---|---|---|
Changing Configuration | New ERP | Add new user | Delete temp files | Software release |
Download the Change Management Standard Operating Procedure (SOP).
| Input | Output |
|---|---|
|
|
| Materials | Participants |
|
|
CAB touchpoints
Consistently communicate the plan and timeline for hitting these milestones so CAB can prioritize and plan changes around them. This will give change control advance notice of altered timelines.
RFCs
Projects may have multiple associated RFCs. Keeping CAB apprised of the project RFC or RFCs gives them the ability to further plan changes.
Change Calendar
Query and fill the change calendar with project timelines and milestones to complement the CAB touchpoints.
The request for change (RFC) form does not have to be a burden to fill out. If designed with value in mind, it can be leveraged to set standards on all changes (from projects and otherwise).
When looking at the RFC during the Build and Test phase of a project, prioritize the following fields to ensure the implementation will be successful from a technical and user-adoption point of view.
Filling these fields of the RFC and communicating them to the CAB at go-live approval gives the approvers confidence that the project will be implemented successfully and measures are known for when that implementation is not successful.
Download the Request for Change Form Template
Communication Plan: The project may be successful from a technical point of view, but if users do not know about go-live or how to interact with the project, it will ultimately fail.
Training Plan: If necessary, think of how to train different stakeholders on the project go-live. This includes training for end users interacting with the project and technicians supporting the project.
Implementation Plan: Write the implementation plan at a high enough level that gives the CAB confidence that the implementation team knows the steps well.
Rollback Plan: Having a well-formulated rollback plan gives the CAB the confidence that the impact of the project is well known and the impact to the business is limited even if the implementation does not go well.
Inputs
Guidelines
Roles
Info-Tech Insight
Make the calendar visible to as many parties as necessary. However, limit the number of personnel who can make active changes to the calendar to limit calendar conflicts.
As optional CAB members
Project SMEs may attend when projects are ready to go live and when invited by the change manager. Optional members provide details on change cross-dependencies, high-level testing, rollback, communication plans, etc. to inform prioritization and scheduling decisions.
As project management representatives
Project management should also attend CAB meetings to report on changes to ongoing projects, implementation timelines, and project milestones. Projects are typically high-priority changes when going live due to their impact. Advance notice of timeline and milestone changes allows the rest of the CAB to properly manage other changes going into production.
As core CAB members
The core responsibilities of CAB must still be fulfilled:
1. Protect the live environment from poorly assessed, tested, and implemented changes.
2. Prioritize changes in a way that fairly reflects change impact, urgency, and likelihood.
3. Schedule deployments in a way that minimizes conflict and disruption.
If you need to define the authority and responsibilities of the CAB, see Activity 2.1.3 of the Optimize IT Change Management blueprint.
| Verification | Once the change has been implemented, verify that all requirements are fulfilled. |
|---|---|
| Review | Ensure all affected systems and applications are operating as predicted. |
| Update change ticket and change log | Update RFC status and CMDB as well (if necessary). |
| Transition | Once the change implementation is complete, it’s imperative that the team involved inform and train the operational and support groups. |
If you need to define transitioning changes to production, download Transition Projects to the Service Desk
Conduct PIRs for failed changes. Successful changes can simply be noted and transitioned to operations.
It’s best to perform a PIR once a change-related incident is resolved.
Include a root-cause analysis, mitigation actions/timeline, and lessons learned in the documentation.
Socialize the findings of the PIR at the subsequent CAB meeting.
If a similar change is conducted, append the related PIR to avoid the same mistakes.
Info-Tech Insight
Include your PIR documentation right in the RFC for easy reference.
Download the RFC template for more details on post-implementation reviews

Right-size IT change management to protect the live environment. |
Optimize IT Project Intake, Approval, and Prioritization Decide which IT projects to approve and when to start them. |
Maintain an Organized Portfolio Align portfolio management practices with COBIT (APO05: Manage Portfolio). |
Define the business context needed to complete strategic IT initiatives.
Conduct analysis and facilitate discussions to uncover business needs for IT.
A baseline understanding of what business needs mean for IT
1.1 Define the strategic CIO initiatives our organization will pursue.
1.2 Complete the Business Context Discovery Tool.
1.3 Schedule relevant interviews.
1.4 Select relevant Info-Tech diagnostics to conduct.
Business context scope
Completed Business Context Discovery Tool
Completed Info-Tech diagnostics
Analyze the outputs from step 1 and uncover the business context gaps.
A thorough understanding of business needs and why IT should pursue certain initiatives
2.1 Conduct group or one-on-one interviews to identify the missing pieces of the business context.
Documentation of answers to business context gaps
Analyze the outputs from step 1 and uncover the business context gaps.
A thorough understanding of business needs and why IT should pursue certain initiatives
3.1 Conduct group or one-on-one interviews to identify the missing pieces of the business context.
Documentation of answers to business context gaps
Review findings and implications for IT’s strategic initiative.
A thorough understanding of business needs and how IT’s strategic initiatives address those needs
4.1 Review documented business context with IT team.
4.2 Discuss next steps for strategic CIO initiative execution.
Finalized version of the business context
Analyze your project history to identify and fill gaps in your estimation practices.
Allocate time across project phases to validate and refine estimates and estimate assumptions.
Implement a lessons learned process to provide transparency to your sponsors and confidence to your teams.
Track key performance indicators on past projects to inform goals for future projects.
Developed Project History List.
Refined starting estimates that can be adjusted accurately from project to project.
1.1 Build project history.
1.2 Analyze estimation capabilities.
1.3 Identify estimation goals.
Project History List
T-Shirt Sizing Health Check
Estimate Tracking Plan
Outline the common attributes required to complete projects.
Identify the commonly forgotten attributes to ensure comprehensive scoping early on.
Refined initial estimate based on high-level insights into work required and resources available.
2.1 Develop a list of in-scope project attributes.
2.2 Identify leadership priorities for deliverables and attributes.
2.3 Track team and skill responsibilities for attributes.
Identified list or store of past project attributes and costs
Attribute List and Estimated Cost
Required Skills List
Set clear processes for tracking the health of your estimate to ensure it is always as accurate as possible.
Define check-in points to evaluate risks and challenges to the project and identify trigger conditions.
An estimation process rooted in organizational memory and lessons learned.
Project estimates that are consistently reevaluated to predict and correct challenges before they can drastically affect your projects.
3.1 Determine Milestone Check-In Points.
3.2 Develop Lessons Learned Meeting Agendas.
3.3 Identify common risks and past lessons learned.
3.4 Develop contingency tracking capabilities.
Project Lessons Learned Template
Historic Risks and Lessons Learned Master Template
Contingency Reserve and Risk Registers
Bridge the gap between death march projects and bloated and uncertain estimates by communicating expectations and assumptions clearly to your sponsors.
Clear estimation criteria and assumptions aligned with business priorities.
Post-mortem discussion items crucial to improving project history knowledge for next time.
4.1 Identify leadership risk priorities.
4.2 Develop IT business alignment.
4.3 Develop hand-off procedures and milestone approval methods.
4.4 Create a list of post-mortem priorities.
Estimation Quotation
Risk Priority Rankings
Hand-Off Procedures
Post-mortem agenda planning
Read our executive brief to understand our approach to SDLC optimization and why we advocate a holistic approach for your company.
This phase helps you understand your business goals and priorities. You will document your current SDLC process and find where the challenges are.
Prioritize your initiatives and formalize them in a roll-out strategy and roadmap. Communicate your plan to all your stakeholders.
Understand the benefits of a robust CXM strategy.
Identify drivers and objectives for CXM using a persona-driven approach and deploy the right applications to meet those objectives.
Complete the initiatives roadmap for CXM.
Establish a consistent vision across IT, marketing, sales, and customer service for CXM technology enablement.
A clear understanding of key business and technology drivers for CXM.
1.1 CXM fireside chat
1.2 CXM business drivers
1.3 CXM vision statement
1.4 Project structure
CXM vision statement
CXM project charter
Create a set of strategic requirements for CXM based on a thorough external market scan and internal capabilities assessment.
Well-defined technology requirements based on rigorous, multi-faceted analysis.
2.1 PEST analysis
2.2 Competitive analysis
2.3 Market and trend analysis
2.4 SWOT analysis
2.5 VRIO analysis
2.6 Channel map
Completed external analysis
Strategic requirements (from external analysis)
Completed internal review
Channel interaction map
Augment strategic requirements through customer persona and scenario development.
Functional requirements aligned to supporting steps in customer interaction scenarios.
3.1 Persona development
3.2 Scenario development
3.3 Requirements definition for CXM
Personas and scenarios
Strategic requirements (based on personas)
Using the requirements identified in the preceding modules, build a future-state application inventory for CXM.
A cohesive, rationalized portfolio of customer interaction applications that aligns with identified requirements and allows investment (or rationalization) decisions to be made.
4.1 Build business process maps
4.2 Review application satisfaction
4.3 Create the CXM application portfolio
4.4 Prioritize applications
Business process maps
Application satisfaction diagnostic
Prioritized CXM application portfolio
Establish repeatable best practices for CXM applications in areas such as data management and end-user adoption.
Best practices for rollout of new CXM applications.
A prioritized initiatives roadmap.
5.1 Create data integration map
5.2 Define adoption best practices
5.3 Build initiatives roadmap
5.4 Confirm initiatives roadmap
Integration map for CXM
End-user adoption plan
Initiatives roadmap
"Customers want to interact with your organization on their own terms, and in the channels of their choice (including social media, mobile applications, and connected devices). Regardless of your industry, your customers expect a frictionless experience across the customer lifecycle. They desire personalized and well-targeted marketing messages, straightforward transactions, and effortless service. Research shows that customers value – and will pay more for! – well-designed experiences.
Strong technology enablement is critical for creating customer experiences that drive revenue. However, most organizations struggle with creating a cohesive technology strategy for customer experience management (CXM). IT leaders need to take a proactive approach to developing a strong portfolio of customer interaction applications that are in lockstep with the needs of their marketing, sales, and customer service teams. It is critical to incorporate the voice of the customer into this strategy.
When developing a technology strategy for CXM, don’t just “pave the cow path,” but instead move the needle forward by providing capabilities for customer intelligence, omnichannel interactions, and predictive analytics. This blueprint will help you build an integrated CXM technology roadmap that drives top-line revenue while rationalizing application spend."
Ben Dickie
Research Director, Customer Experience Strategy
Info-Tech Research Group
Info-Tech Insight
CXM - Customer Experience Management
CX - Customer Experience
CRM - Customer Relationship Management
CSM - Customer Service Management
MMS - Marketing Management System
SMMP - Social Media Management Platform
RFP - Request for Proposal
SaaS - Software as a Service
Today’s consumers expect speed, convenience, and tailored experiences at every stage of the customer lifecycle. Successful organizations strive to support these expectations.
67% of end consumers will pay more for a world-class customer experience. 74% of business buyers will pay more for strong B2B experiences. (Salesforce, 2018)
(Customer Experience Insight, 2016)
Customers expect to interact with organizations through the channels of their choice. Now more than ever, you must enable your organization to provide tailored customer experiences.
Providing a seamless customer experience increases the likelihood of cross-sell and up-sell opportunities and boosts customer loyalty and retention. IT can contribute to driving revenue and decreasing costs by providing the business with the right set of tools, applications, and technical support.
Cross-sell, up-sell, and drive customer acquisition.
67% of consumers are willing to pay more for an upgraded experience. (Salesforce, 2018)
80%: The margin by which CX leaders outperform laggards in the S&P 500. (Qualtrics, 2017)
59% of customers say tailored engagement based on past interactions is very important to winning their business. (Salesforce, 2018)
Focus on customer retention as well as acquisition.
It is 6-7x more costly to attract a new customer than it is to retain an existing customer. (Salesforce Blog, 2019)
A 5% increase in customer retention has been found to increase profits by 25% to 95%. (Bain & Company, n.d.)
Organizations are prioritizing CXM capabilities (and associated technologies) as a strategic investment. Keep pace with the competition and gain a competitive advantage by creating a cohesive strategy that uses best practices to integrate marketing, sales, and customer support functions.
87% of customers share great experiences they’ve had with a company. (Zendesk, n.d.)
61% of organizations are investing in CXM. (CX Network, 2015)
53% of organizations believe CXM provides a competitive advantage. (Harvard Business Review, 2014)
Top Investment Priorities for Customer Experience
(CX Network 2015)
Get ahead of the competition by doing omnichannel right. Devise a CXM strategy that allows you to create and maintain a consistent, seamless customer experience by optimizing operations within an omnichannel framework. Customers want to interact with you on their own terms, and it falls to IT to ensure that applications are in place to support and manage a wide range of interaction channels.
Omnichannel is a “multi-channel approach to sales that seeks to provide the customer with a seamless transactional experience whether the customer is shopping online from a desktop or mobile device, by telephone, or in a bricks and mortar store.” (TechTarget, 2014)
97% of companies say that they are investing in omnichannel. (Huffington Post, 2015)
23% of companies are doing omnichannel well.
The success of your CXM strategy depends on the effective interaction of various marketing, sales, and customer support functions. To deliver on customer experience, organizations need to take a customer-centric approach to operations.
From an application perspective, a CRM platform generally serves as the unifying repository of customer information, supported by adjacent solutions as warranted by your CXM objectives.
CXM ECOSYSTEM
Customer Relationship Management Platform
CXM solutions are a broad range of tools that provide comprehensive feature sets for supporting customer interaction processes. These suites supplant more basic applications for customer interaction management. Popular solutions that fall under the umbrella of CXM include CRM suites, marketing automation tools, and customer service applications.
Microsoft Dynamics
Adobe
Marketo
sprinklr
Salesforce
SugarCRM
Strong CXM applications can improve:
Technology is the key enabler of building strong customer experiences: IT must stand shoulder-to-shoulder with the business to develop a technology framework for CXM.
(Harvard Business Review, 2014)
Only 19% of organizations have a customer experience team tasked with bridging gaps between departments. (Genesys, 2018)
IT and Marketing can only tackle CXM with the full support of each other. The cooperation of the departments is crucial when trying to improve CXM technology capabilities and customer interaction and drive a strong revenue mandate.
CASE STUDY
Industry: Entertainment
Source: Forbes, 2014
Blockbuster
As the leader of the video retail industry, Blockbuster had thousands of retail locations internationally and millions of customers. Blockbuster’s massive marketing budget and efficient operations allowed it to dominate the competition for years.
Situation
Trends in Blockbuster’s consumer market changed in terms of distribution channels and customer experience. As the digital age emerged and developed, consumers were looking for immediacy and convenience. This threatened Blockbuster’s traditional, brick-and-mortar B2C operating model.
The Competition
Netflix entered the video retail market, making itself accessible through non-traditional channels (direct mail, and eventually, the internet).
Results
Despite long-term relationships with customers and competitive standing in the market, Blockbuster’s inability to understand and respond to changing technology trends and customer demands led to its demise. The organization did not effectively leverage internal or external networks or technology to adapt to customer demands. Blockbuster went bankrupt in 2010.
Customer Relationship Management
Blockbuster did not leverage emerging technologies to effectively respond to trends in its consumer network. It did not optimize organizational effectiveness around customer experience.
CASE STUDY
Industry: Entertainment
Source: Forbes, 2014
Netflix
Beginning as a mail-out service, Netflix offered subscribers a catalog of videos to select from and have mailed to them directly. Customers no longer had to go to a retail store to rent a video. However, the lack of immediacy of direct mail as the distribution channel resulted in slow adoption.
The Situation
In response to the increasing presence of tech-savvy consumers on the internet, Netflix invested in developing its online platform as its primary distribution channel. The benefit of doing so was two-fold: passive brand advertising (by being present on the internet) and meeting customer demands for immediacy and convenience. Netflix also recognized the rising demand for personalized service and created an unprecedented, tailored customer experience.
The Competition
Blockbuster was the industry leader in video retail but was lagging in its response to industry, consumer, and technology trends around customer experience.
Results
Netflix’s disruptive innovation is built on the foundation of great CXM. Netflix is now a $28 billion company, which is tenfold what Blockbuster was worth.
Customer Relationship Management Platform
Netflix used disruptive technologies to innovatively build a customer experience that put it ahead of the long-time video rental industry leader, Blockbuster.
Creating an end-to-end technology-enablement strategy for CXM requires a concerted, dedicated effort: Info-Tech can help with our proven approach.
Build the CXM Project Charter
Conduct a Thorough Environmental Scan
Build Customer Personas and Scenarios
Draft Strategic CXM Requirements
Build the CXM Application Portfolio
Implement Operational Best Practices
Info-Tech draws on best-practice research and the experiences of our global member base to develop a methodology for CXM that is driven by rigorous customer-centric analysis.
Our approach uses a unique combination of techniques to ensure that your team has done its due diligence in crafting a forward-thinking technology-enablement strategy for CXM that creates measurable value.
CASE STUDY
Industry: Professional Services
Source: Info-Tech Workshop
The Situation
A global professional services firm in the B2B space was experiencing a fragmented approach to customer engagement, particularly in the pre-sales funnel. Legacy applications weren’t keeping pace with an increased demand for lead evaluation and routing technology. Web experience management was also an area of significant concern, with a lack of ongoing customer engagement through the existing web portal.
The Approach
Working with a team of Info-Tech facilitators, the company was able to develop several internal and external customer personas. These personas formed the basis of strategic requirements for a new CXM application stack, which involved dedicated platforms for core CRM, lead automation, web content management, and site analytics.
Results
Customer “stickiness” metrics increased, and Sales reported significantly higher turnaround times in lead evaluations, resulting in improved rep productivity and faster cycle times.
| Components of a persona | |
|---|---|
| Name | Name personas to reflect a key attribute such as the persona’s primary role or motivation. |
| Demographic | Include basic descriptors of the persona (e.g. age, geographic location, preferred language, education, job, employer, household income, etc.) |
| Wants, needs, pain points | Identify surface-level motivations for buying habits. |
| Psychographic/behavioral traits | Observe persona traits that are representative of the customers’ behaviors (e.g. attitudes, buying patterns, etc.). |
Create the Project Vision
Structure the Project
Scan the External Environment
Assess the Current State of CXM
Create an Application Portfolio
Develop Deployment Best Practices
Create an Initiative Rollout Plan
Confirm and Finalize the CXM Blueprint
“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”
“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”
“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”
“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”
Diagnostics and consistent frameworks used throughout all four options
| | 1. Drive Value With CXM | 2. Create the Framework | 3. Finalize the Framework |
|---|---|---|---|
| Best-Practice Toolkit | 1.1 Create the Project Vision 1.2 Structure the CXM Project | 2.1 Scan the External Environment 2.2 Assess the Current State of CXM 2.3 Create an Application Portfolio 2.4 Develop Deployment Best Practices | 3.1 Create an Initiative Rollout Plan 3.2 Confirm and Finalize the CXM Blueprint |
| Guided Implementations | | | |
| Onsite Workshop | Module 1: Drive Measurable Value with a World-Class CXM Program | Module 2: Create the Strategic Framework for CXM | Module 3: Finalize the CXM Framework |
| | Phase 1 Outcome: | Phase 2 Outcome: | Phase 3 Outcome: |
Contact your account representative or email Workshops@InfoTech.com for more information.
| | Workshop Day 1 | Workshop Day 2 | Workshop Day 3 | Workshop Day 4 | Workshop Day 5 |
|---|---|---|---|---|---|
| Activities | Create the Vision for CXM Enablement 1.1 CXM Fireside Chat 1.2 CXM Business Drivers 1.3 CXM Vision Statement 1.4 Project Structure | Conduct the Environmental Scan and Internal Review 2.1 PEST Analysis 2.2 Competitive Analysis 2.3 Market and Trend Analysis 2.4 SWOT Analysis 2.5 VRIO Analysis 2.6 Channel Mapping | Build Personas and Scenarios 3.1 Persona Development 3.2 Scenario Development 3.3 Requirements Definition for CXM | Create the CXM Application Portfolio 4.1 Build Business Process Maps 4.2 Review Application Satisfaction 4.3 Create the CXM Application Portfolio 4.4 Prioritize Applications | Review Best Practices and Confirm Initiatives 5.1 Create Data Integration Map 5.2 Define Adoption Best Practices 5.3 Build Initiatives Roadmap 5.4 Confirm Initiatives Roadmap |
| Deliverables | | | | | |
Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.
Proposed Time to Completion: 2 weeks
Step 1.1: Create the Project Vision
Start with an analyst kick-off call:
Then complete these activities…
With these tools & templates:
Step 1.2: Structure the Project
Review findings with analyst:
Then complete these activities…
With these tools & templates:
Phase 1 Results & Insights:
1.1 Create the Project Vision
1.2 Structure the Project
2.1 Scan the External Environment
2.2 Assess the Current State of CXM
2.3 Create an Application Portfolio
2.4 Develop Deployment Best Practices
3.1 Create an Initiative Rollout Plan
3.2 Confirm and Finalize the CXM Blueprint
An aligned, optimized CX strategy is:
Rapid: to intentionally and strategically respond to quickly-changing opportunities and issues.
Outcome-based: to make key decisions based on strong business cases, data, and analytics in addition to intuition and judgment.
Rigorous: to bring discipline and science to bear; to improve operations and results.
Collaborative: to conduct activities in a broader ecosystem of partners, suppliers, vendors, co-developers, and even competitors.
(The Wall Street Journal, 2013)
Info-Tech Insight
If IT fails to adequately support marketing, sales, and customer service teams, the organization’s revenue will be in direct jeopardy. As a result, CIOs and Applications Directors must work with their counterparts in these departments to craft a cohesive and comprehensive strategy for using technology to create meaningful (and profitable) customer experiences.
1.1.1 30 minutes
1.1.2 30 minutes
There’s no silver bullet for developing a strategy. You can encounter pitfalls at a myriad of different points including not involving the right stakeholders from the business, not staying abreast of recent trends in the external environment, and not aligning sales, marketing, and support initiatives with a focus on the delivery of value to prospects and customers.
Common Pitfalls When Creating a Technology-Enablement Strategy for CXM
Senior management is not involved in strategy development.
Not paying attention to the “art of the possible.”
“Paving the cow path” rather than focusing on revising core processes.
Misalignment between objectives and financial/personnel resources.
Inexperienced team on either the business or IT side.
Not paying attention to the actions of competitors.
Entrenched management preferences for legacy systems.
Sales culture that downplays the potential value of technology or new applications.
IT → Marketing, Sales, and Service → External Customers
Internal-Facing Applications
Customer-Facing Applications
Info-Tech Insight
IT often overlooks direct customer considerations when devising a technology strategy for CXM. Instead, IT leaders rely on other business stakeholders to simply pass on requirements. By sitting down with their counterparts in marketing and sales, and fully understanding business drivers and customer personas, IT will be much better positioned to roll out supporting applications that drive customer engagement.
1.1.3 30 minutes
| Business Driver Name | Driver Assumptions, Capabilities, and Constraints | Impact on CXM Strategy |
|---|---|---|
| High degree of customer-centric solution selling | A technically complex product means that solution selling approaches are employed – sales cycles are long. | There is a strong need for applications and data quality processes that support longer-term customer relationships rather than transactional selling. |
| High desire to increase scalability of sales processes | Although sales cycles are long, the organization wishes to increase the effectiveness of rep time via marketing automation where possible. | Sales is always looking for new ways to leverage their reps for face-to-face solution selling while leaving low-level tasks to automation. Marketing wants to support these tasks. |
| Highly remote sales team and unusual hours are the norm | Not based around core hours – significant overtime or remote working occurs frequently. | Misalignment between IT working only core hours and after-hours teams leads to lag times that can delay work. Scheduling of preventative sales maintenance must typically be done on weekends rather than weekday evenings. |
1.1.4 30 minutes
| IT Driver Name | Driver Assumptions, Capabilities, and Constraints | Impact on CXM Strategy |
|---|---|---|
| Sales Application Procurement Methodology | Strong preference for on-premise COTS deployments over homebrewed applications. | IT may not be able to support cloud-based sales applications due to security requirements for on premise. |
| Vendor Relations | Minimal vendor relationships; SLAs not drafted internally but used as part of standard agreement. | IT may want to investigate tightening up SLAs with vendors to ensure more timely support is available for their sales teams. |
| Development Methodology | Agile methodology employed, some pockets of Waterfall employed for large-scale deployments. | Agile development means more perfective maintenance requests come in, but it leads to greater responsiveness for making urgent corrective changes to non-COTS products. |
| Data Quality Approach | IT sees data quality as Sales’ responsibility. | IT is not standing as a strategic partner for helping to keep data clean, causing dissatisfaction from customer-facing departments. |
| Staffing Availability | Limited to 9–5 | Execution of sales support takes place during core hours only, limiting response times and access for on-the-road sales personnel. |
1.1.5 30 minutes
1. Based on the IT and business drivers identified, craft guiding principles for CXM technology enablement. Keep guiding principles in mind throughout the project and ensure they support (or reconcile) the business and IT drivers.
| Guiding Principle | Description |
|---|---|
| Sales processes must be scalable. | Our sales processes must be able to reach a high number of target customers in a short time without straining systems or personnel. |
| Marketing processes must be high touch. | Processes must be oriented to support technically sophisticated, solution-selling methodologies. |
2. Summarize the guiding principles above by creating a CXM mission statement. See below for an example.
Example: CXM Mission Statement
To ensure our marketing, sales and service team is equipped with tools that will allow them to reach out to a large volume of contacts while still providing a solution-selling approach. This will be done with secure, on-premise systems to safeguard customer data.
Determine if now is the right time to move forward with building (or overhauling) your technology-enablement strategy for CXM.
Not all organizations will be able to proceed immediately to optimize their CXM technology enablement. Determine if the organizational willingness, backbone, and resources are present to commit to overhauling the existing strategy. If you’re not ready to proceed, consider waiting to begin this project until you can procure the right resources.
1.1.3; 1.1.4; 1.1.5 - Identify business and IT drivers to create CXM guiding principles
The facilitator will work with stakeholders from both the business and IT to identify implicit or explicit strategic drivers that will support (or pose constraints on) the technology-enablement framework for the CXM strategy. In doing so, guiding principles will be established for the project.
1.1 Create the Project Vision
1.2 Structure the Project
2.1 Scan the External Environment
2.2 Assess the Current State of CXM
2.3 Create an Application Portfolio
2.4 Develop Deployment Best Practices
3.1 Create an Initiative Rollout Plan
3.2 Confirm and Finalize the CXM Blueprint
1.2.1 CXM Strategy Project Charter Template
Having a project charter is the first step for any project: it specifies how the project will be resourced from a people, process, and technology perspective, and it clearly outlines major project milestones and timelines for strategy development. CXM technology enablement crosses many organizational boundaries, so a project charter is a very useful tool for ensuring everyone is on the same page.
Sections of the document:
INFO-TECH DELIVERABLE
CXM Strategy Project Charter Template
Populate the relevant sections of your project charter as you complete activities 1.2.2-1.2.8.
Understand the role of each player within your project structure. Look for listed participants on the activities slides to determine when each player should be involved.
| Title | Role Within Project Structure |
|---|---|
| Project Sponsor | |
| Project Manager | |
| Business Lead | |
| Project Team | |
| Steering Committee | |
Info-Tech Insight
Do not limit project input or participation to the aforementioned roles. Include subject matter experts and internal stakeholders at particular stages within the project. Such inputs can be solicited on a one-off basis as needed. This ensures you take a holistic approach to creating your CXM technology-enablement strategy.
1.2.2 30 minutes
Hold a meeting with IT, Marketing, Sales, Service, Operations, and any other impacted business stakeholders that have input into CXM to accomplish the following:
Info-Tech Insight
Going forward, set up a quarterly review process to understand changing needs. Organizations rarely leave their marketing and sales strategy unchanged, and any such change will alter the way CXM is utilized.
In order to gauge the effectiveness of CXM technology enablement, establish core metrics:
| Metric Description | Current Metric | Future Goal |
|---|---|---|
| Market Share | 25% | 35% |
| Share of Voice (All Channels) | 40% | 50% |
| Average Deal Size | $10,500 | $12,000 |
| Account Volume | 1,400 | 1,800 |
| Average Time to Resolution | 32 min | 25 min |
| First Contact Resolution | 15% | 35% |
| Web Traffic per Month (Unique Visitors) | 10,000 | 15,000 |
| End-User Satisfaction | 62% | 85%+ |
| Other metric | | |
| Other metric | | |
| Other metric | | |
Be sure to understand what is in scope for a CXM strategy project. Keep the scope narrow enough to avoid scope creep – for example, we aren’t tackling ERP or BI under CXM.
Establishing the parameters of the project in a scope statement helps define expectations and provides a baseline for resource allocation and planning. Future decisions about the strategic direction of CXM will be based on the scope statement.
Well-executed requirements gathering will help you avoid expanding project parameters, drawing on your resources, and contributing to cost overruns and project delays. Avoid scope creep by gathering high-level requirements that lead to the selection of category-level application solutions (e.g. CRM, MMS, SMMP, etc.), rather than granular requirements that would lead to vendor application selection (e.g. Salesforce, Marketo, Hootsuite, etc.).
Out-of-scope items should also be defined to alleviate ambiguity, reduce assumptions, and further clarify expectations for stakeholders. Out-of-scope items can be placed in a backlog for later consideration. For example, fulfilment and logistics management is out of scope as it pertains to CXM.
| In Scope | | |
|---|---|---|
| Strategy | | |
| High-Level CXM Application Requirements | CXM Strategic Direction | Category Level Application Solutions (e.g. CRM, MMS, etc.) |

| Out of Scope | | |
|---|---|---|
| Software Selection | | |
| Vendor Application Review | Vendor Application Selection | Granular Application System Requirements |
1.2.3 30 minutes
To form your scope statement, ask the following questions:
Consider the core team functions when composing the project team. Form a cross-functional team (i.e. across IT, Marketing, Sales, Service, Operations) to create a well-aligned CXM strategy.
| Required Skills/Knowledge | Suggested Project Team Members |
|---|---|
| IT | |
| Business | |
| Other | |
Info-Tech Insight
Don’t let your project team become too large when trying to include all relevant stakeholders. Carefully limiting the size of the project team will enable effective decision making while still including functional business units such as marketing, sales, service, and finance, as well as IT.
1.2.4 45 minutes
Build a list of the core CXM strategy team members, and then structure a RACI chart with the relevant categories and roles for the overall project.
Responsible - Conducts work to achieve the task
Accountable - Answerable for completeness of task
Consulted - Provides input for the task
Informed - Receives updates on the task
Info-Tech Insight
Avoid missed tasks between inter-functional communications by defining roles and responsibilities for the project as early as possible.
Benefits of Assigning RACI Early:
1.2.5 30 minutes
| Example: RACI Chart | Project Sponsor (e.g. CMO) | Project Manager (e.g. Applications Manager) | Business Lead (e.g. Marketing Director) | Steering Committee (e.g. PM, CMO, CFO…) | Project Team (e.g. PM, BL, SMEs…) |
|---|---|---|---|---|---|
| Assess Project Value | I | C | A | R | C |
| Conduct a Current State Assessment | I | I | A | C | R |
| Design Application Portfolio | I | C | A | R | I |
| Create CXM Roadmap | R | R | A | I | I |
| ... | ... | ... | ... | ... | ... |
1.2.6 30 minutes
| Key Activities | Start Date | End Date | Target | Status | Resource(s) |
|---|---|---|---|---|---|
| Structure the Project and Build the Project Team | | | | | |
| Articulate Business Objectives and Define Vision for Future State | | | | | |
| Document Current State and Assess Gaps | | | | | |
| Identify CXM Technology Solutions | | | | | |
| Build the Strategy for CXM | | | | | |
| Implement the Strategy | | | | | |
| | Management Support | Change Management | IT Readiness |
|---|---|---|---|
| Definition | The degree of understanding and acceptance of CXM as a concept and necessary portfolio of technologies. | The degree to which employees are ready to accept change and the organization is ready to manage it. | The degree to which the organization is equipped with IT resources to handle new systems and processes. |
| Assessment Outcomes | | | |
| Risk | | | |
1.2.7 45 minutes
Likelihood:
1 - High/Needs Focus
2 - Can Be Mitigated
3 - Unlikely
Impact:
1 - High Impact
2 - Moderate Impact
3 - Minimal Impact
Example: Risk Register and Mitigation Tactics
| Risk | Impact | Likelihood | Mitigation Effort |
|---|---|---|---|
| Cost of time and implementation: designing a robust portfolio of CXM applications can be a time consuming task, representing a heavy investment for the organization | 1 | 1 | |
| Availability of resources: lack of in-house resources (e.g. infrastructure, CXM application developers) may result in the need to insource or outsource resources | 1 | 2 | |
1.2.8 45 minutes
Before beginning to develop the CXM strategy, validate the project charter and metrics with senior sponsors or stakeholders and receive their approval to proceed.
Info-Tech Insight
In most circumstances, you should have your CXM strategy project charter validated with the following stakeholders:
1.2.2 Define project purpose, objectives, and business metrics
Through an in-depth discussion, an analyst will help you prioritize corporate objectives and organizational drivers to establish a distinct project purpose.
1.2.3 Define the scope of the CXM strategy
An analyst will facilitate a discussion to address critical questions to understand your distinct business needs. These questions include: What are the major coverage points? Who will be using the system?
1.2.4; 1.2.5; 1.2.6 Create the CXM project team, build a RACI chart, and establish a timeline
Our analysts will guide you through how to create a designated project team to ensure the success of your CXM strategy and suite selection initiative, including project milestones and team composition, as well as designated duties and responsibilities.
Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.
Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.
Proposed Time to Completion: 4 weeks
Step 2.1: Scan the External Environment
Start with an analyst kick-off call:
Then complete these activities…
With these tools & templates:
CXM Strategy Stakeholder Presentation Template
Step 2.2: Assess the Current State for CRM
Review findings with analyst:
Then complete these activities…
With these tools & templates:
CXM Strategy Stakeholder Presentation Template
Proposed Time to Completion: 4 weeks
Step 2.3: Create an Application Portfolio
Start with an analyst kick-off call:
Then complete these activities…
With these tools & templates:
CXM Portfolio Designer
CXM Strategy Stakeholder Presentation Template
CXM Business Process Shortlisting Tool
Step 2.4: Develop Deployment Best Practices
Review findings with analyst:
Then complete these activities…
With these tools & templates:
CXM Strategy Stakeholder Presentation Template
Phase 2 Results & Insights:
Establish the drivers, enablers, and barriers to developing a CXM technology enablement strategy. In doing so, consider needs, environmental factors, organizational drivers, and technology drivers as inputs.
CXM Strategy
| | Business Needs | Organizational Drivers | Technology Drivers | Environmental Factors |
|---|---|---|---|---|
| Definition | A business need is a requirement associated with a particular business process (for example, Marketing needs customer insights from the website – the business need would therefore be web analytics capabilities). | Organizational drivers can be thought of as business-level goals. These are tangible benefits the business can measure such as customer retention, operation excellence, and financial performance. | Technology drivers are technological changes that have created the need for a new CXM enablement strategy. Many organizations turn to technology systems to help them obtain a competitive edge. | External considerations are factors taking place outside of the organization that are impacting the way business is conducted inside the organization. These are often outside the control of the business. |
| Examples | | | | |
Info-Tech Insight
A common organizational driver is to provide adequate technology enablement across multiple channels, resulting in a consistent customer experience. This driver is a result of external considerations. Many industries today are highly competitive and rapidly changing. To succeed under these pressures, you must have a rationalized portfolio of enterprise applications for customer interaction.
2.1.1 30 minutes

Take stock of internal challenges and barriers to effective CXM strategy execution.
Example: Internal Challenges & Potential Barriers
| | Understanding the Customer | Change Management | IT Readiness |
|---|---|---|---|
| Definition | The degree to which a holistic understanding of the customer can be created, including customer demographic and psychographics. | The degree to which employees are ready to accept operational and cultural changes and the degree to which the organization is ready to manage it. | The degree to which IT is ready to support new technologies and processes associated with a portfolio of CXM applications. |
| Questions to Ask | | | |
| Implications | | | |
2.1.2 30 minutes

Existing internal conditions, capabilities, and resources can create opportunities to enable the CXM strategy. These opportunities are critical to overcoming challenges and barriers.
Example: Opportunities to Leverage for Strategy Enablement
| | Management Buy-In | Customer Data Quality | Current Technology Portfolio |
|---|---|---|---|
| Definition | The degree to which upper management understands and is willing to enable a CXM project, complete with sponsorship, funding, and resource allocation. | The degree to which customer data is accurate, consistent, complete, and reliable. Strong customer data quality is an opportunity – poor data quality is a barrier. | The degree to which the existing portfolio of CXM-supporting enterprise applications can be leveraged to enable the CXM strategy. |
| Questions to Ask | | | |
| Implications | | | |
2.1.3 30 minutes

A successful CXM strategy requires a comprehensive understanding of an organization’s overall corporate strategy and its effects on the interrelated departments of marketing, sales, and service, including subsequent technology implications. For example, a CXM strategy that emphasizes tools for omnichannel management and is at odds with a corporate strategy that focuses on only one or two channels will fail.
Corporate Strategy
CXM Strategy
Unified Strategy
Info-Tech Insight
Your organization’s corporate strategy is especially important in dictating the direction of the CXM strategy. Corporate strategies are often focused on customer-facing activity and will heavily influence the direction of marketing, sales, customer service, and consequently, CXM. Corporate strategies will often dictate market targeting, sales tactics, service models, and more.
Identifying organizational objectives of high priority will assist in breaking down CXM objectives to better align with the overall corporate strategy and achieve buy-in from key stakeholders.
| Corporate Objectives | Aligned CXM Technology Objectives | | |
|---|---|---|---|
| Increase Revenue | Enable lead scoring | Deploy sales collateral management tools | Improve average cost per lead via a marketing automation tool |
| Enhance Market Share | Enhance targeting effectiveness with a CRM | Increase social media presence via an SMMP | Architect customer intelligence analysis |
| Improve Customer Satisfaction | Reduce time-to-resolution via better routing | Increase accessibility to customer service with live chat | Improve first contact resolution with customer KB |
| Increase Customer Retention | Use a loyalty management application | Improve channel options for existing customers | Use customer analytics to drive targeted offers |
| Create Customer-Centric Culture | Ensure strong training and user adoption programs | Use CRM to provide 360-degree view of all customer interaction | Incorporate the voice of the customer into product development |
2.1.4 30 minutes
Industry: E-Commerce
Source: Pardot, 2012
Amazon.com, Inc. is an American electronic commerce and cloud computing company. It is the largest e-commerce retailer in the US.
Amazon originated as an online book store, later diversifying to sell various forms of media, software, games, electronics, apparel, furniture, food, toys, and more.
By taking a data-driven approach to marketing and sales, Amazon was able to understand its customers’ needs and wants, penetrate different product markets, and create a consistently personalized online-shopping customer experience that keeps customers coming back.
Use Browsing Data Effectively
Amazon leverages marketing automation suites to view recent activities of prospects on its website. In doing so, a more complete view of the customer is achieved, including insights into purchasing interests and site navigation behaviors.
Optimize Based on Interactions
Using customer intelligence, Amazon surveys and studies standard engagement metrics like open rate, click-through rate, and unsubscribes to ensure the optimal degree of marketing is being targeted to existing and prospective customers, depending on level of engagement.
Insights gained from having a complete understanding of the customer (from basic demographic characteristics provided in customer account profiles to observed psychographic behaviors captured by customer intelligence applications) are used to personalize Amazon’s sales and marketing approaches. This is represented through targeted suggestions in the “recommended for you” section of the browsing experience and tailored email marketing.
It is this capability, partnered with the technological ability to observe and measure customer engagement, that allows Amazon to create individual customer experiences.
Do not develop your CXM technology strategy in isolation. Work with Marketing to understand your STP strategy (segmentation, targeting, positioning): this will inform persona development and technology requirements downstream.
Market Segmentation
Market Targeting
Product Positioning
Info-Tech Insight
It is at this point that you should consider the need for and viability of an omnichannel approach to CXM. Through which channels do you target your customers? Are your customers present and active on a wide variety of channels? Consider how you can position your products, services, and brand through the use of omnichannel methodologies.
2.1.5 1 hour
2.1.5 30 minutes
Example: Competitive Implications
| Competitor Organization | Recent Initiative | Associated Technology | Direction of Impact | Competitive Implication |
|---|---|---|---|---|
| Organization X | Multichannel E-Commerce Integration | WEM – hybrid integration | Positive | |
| Organization Y | Web Social Analytics | WEM | Positive | |
A PEST analysis is a structured planning method that identifies external environmental factors that could influence the corporate and IT strategy.
Political - Examine political factors, such as relevant data protection laws and government regulations.
Economic - Examine economic factors, such as funding, cost of web access, and labor shortages for maintaining the site(s).
Technological - Examine technological factors, such as new channels, networks, software and software frameworks, database technologies, wireless capabilities, and availability of software as a service.
Social - Examine social factors, such as gender, race, age, income, and religion.
Info-Tech Insight
When looking at opportunities and threats, PEST analysis can help to ensure that you do not overlook external factors, such as technological changes in your industry. When conducting your PEST analysis specifically for CXM, pay particular attention to the rapid rate of change in the technology bucket. New channels and applications are constantly emerging and evolving, and seeing differential adoption by potential customers.
2.1.6 30 minutes
Example: PEST Analysis
Political
Economic
Technological
Social
2.1.7 30 minutes
For each PEST quadrant:
Example: Parsing Requirements from PEST Analysis
Technological Trend: There has been a sharp increase in popularity of mobile self-service models for buying habits and customer service access.
Goal: Streamline mobile application to be compatible with all mobile devices. Create consistent branding across all service delivery applications (e.g. website, etc.).
Strategic Requirement: Develop a native mobile application while also ensuring that resources through our web presence are built with responsive design interface.
Creating a customer-centric CXM technology strategy requires archetypal customer personas. Creating customer personas will enable you to talk concretely about them as consumers of your customer experience and allow you to build buyer scenarios around them.
A persona (or archetypal user) is an invented person that represents a type of user in a particular use-case scenario. In this case, personas can be based on real customers.
| Components of a persona | | Example – Organization: Grocery Store |
|---|---|---|
| Name | Name personas to reflect a key attribute such as the persona’s primary role or motivation | Brand Loyal Linda: A stay-at-home mother dedicated to maintaining and caring for a household of 5 people |
| Demographic | Include basic descriptors of the persona (e.g. age, geographic location, preferred language, education, job, employer, household income, etc.) | Age: 42 years old. Geographic location: London Suburbia. Language: English. Education: Post-secondary. Job: Stay-at-home mother. Annual Household Income: $100,000+ |
| Wants, needs, pain points | Identify surface-level motivations for buying habits | Wants: Local products. Needs: Health products; child-safe products. Pain points: Fragmented shopping experience |
| Psychographic/behavioral traits | Observe persona traits that are representative of the customers’ behaviors (e.g. attitudes, buying patterns, etc.) | Psychographic: Detail-oriented, creature of habit. Behavioral: Shops at large grocery store twice a week, visits farmers market on Saturdays, buys organic products online |
2.1.8 2 hours
Project Team
Info-Tech Insight
For CXM, persona building is typically used for understanding the external customer; however, if you need to gain a better understanding of the organization’s internal customers (those who will be interacting with CXM applications), personas can also be built for this purpose. Examples of useful internal personas are sales managers, brand managers, customer service directors, etc.
Post-secondary educated, white-collar professional, three children
Goals & Objectives
Behaviors
Services of Interest
Traits
General Literacy - High
Digital Literacy - Mid-High
Detail-Oriented - High
Willing to Try New Things - Mid-High
Motivated and Persistent - Mid-High
Time Flexible - Mid-High
Familiar With [Red.] - Mid
Access to [Red.] Offices - High
Access to Internet - High
Single, college educated, planning vacation in [redacted], interested in [redacted] job opportunities
Goals & Objectives
Behaviors
Services of Interest
Traits
General Literacy - Mid
Digital Literacy - High
Detail-Oriented - Mid
Willing to Try New Things - High
Motivated and Persistent - Mid
Time Flexible - Mid-High
Familiar With [Red.] - Low
Access to [Red.] Offices - Low
Access to Internet - High
15-year resident of [redacted], high school education, waiter, recently divorced, two children
Goals & Objectives
Behaviors
Services of Interest
Traits
General Literacy - Mid
Digital Literacy - Mid-Low
Detail-Oriented - Mid-Low
Willing to Try New Things - Mid
Motivated and Persistent - High
Time Flexible - Mid
Familiar With [Red.] - Mid-High
Access to [Red.] Offices - High
Access to Internet - High
Single, [redacted] resident, high school graduate
Goals & Objectives
Behaviors
Services of Interest
Traits
General Literacy - Mid
Digital Literacy - Mid
Detail-Oriented - Mid-Low
Willing to Try New Things - Mid-High
Motivated and Persistent - Mid-Low
Time Flexible - High
Familiar With [Red.] - Mid-Low
Access to [Red.] Offices - Mid-Low
Access to Internet - Mid
A scenario is a story or narrative that helps explore the set of interactions that a customer has with an organization. Scenario mapping will help parse requirements used to design the CXM application portfolio.
A Good Scenario…
Scenarios Are Used To…
To Create Good Scenarios…
2.1.9 1.5 hours
Example: Scenario Map
Persona Name: Brand Loyal Linda
Scenario Goal: File a complaint about in-store customer service
Look up “[Store Name] customer service” on public web. → Reach customer support landing page. → Receive proactive notification prompt for online chat with CSR. → Initiate conversation: provide order #. → CSR receives order context and information. → Customer articulates problem, CSR consults knowledgebase. → Discount on next purchase offered. → Send email with discount code to Brand Loyal Linda.
2.1.1; 2.1.2; 2.1.3; 2.1.4 - Create a CXM operating model
An analyst will facilitate a discussion to identify what impacts your CXM strategy and how to align it to your corporate strategy. The discussion will take different perspectives into consideration and look at organizational drivers, external environmental factors, as well as internal barriers and enablers.
2.1.5 Conduct a competitive analysis
Calling on their depth of expertise in working with a broad spectrum of organizations, our facilitator will help you work through a structured, systematic evaluation of competitors’ actions when it comes to CXM.
2.1.6; 2.1.7 - Conduct a PEST analysis
The facilitator will use guided conversation to target each quadrant of the PEST analysis and help your organization fully enumerate political, economic, social, and technological trends that will influence your CXM strategy. Our analysts are deeply familiar with macroenvironmental trends and can provide expert advice in identifying areas of concern in the PEST and drawing strategic requirements as implications.
2.1.8; 2.1.9 - Build customer personas and subsequent persona scenarios
Drawing on the preceding exercises as inputs, the facilitator will help the team create and refine personas, create respective customer interaction scenarios, and parse strategic requirements to support your technology portfolio for CXM.
A SWOT analysis is a structured planning method that evaluates the strengths, weaknesses, opportunities, and threats involved in a project.
Strengths - Strengths describe the positive attributes that are within your control and internal to your organization (i.e. what do you do better than anyone else?)
Weaknesses - Weaknesses are internal aspects of your business that place you at a competitive disadvantage; think of what you need to enhance to compete with your top competitor.
Opportunities - Opportunities are external factors the project can capitalize on. Think of them as factors that represent reasons your business is likely to prosper.
Threats - Threats are external factors that could jeopardize the project. While you may not have control over these, you will benefit from having contingency plans to address them if they occur.
Info-Tech Insight
When evaluating weaknesses of your current CXM strategy, ensure that you’re taking into account not just existing applications and business processes, but also potential deficits in your organization’s channel strategy and go-to-market messaging.
2.2.1 30 minutes
Example: SWOT Analysis
Strengths
Weaknesses
Opportunities
Threats
2.2.2 30 minutes
For each SWOT quadrant:
Example: Parsing Requirements from SWOT Analysis
Weakness: Customer service inaccessible in real-time through website or mobile application.
Goal: Increase the ubiquity of access to customer service knowledgebase and agents through a web portal or mobile application.
Strategic Requirement: Provide a live chat portal that matches the customer with the next available and qualified agent.
Applications are the bedrock of technology enablement for CXM. Review your current application portfolio to identify what is working well and what isn’t.
Build the CXM Application Inventory → Assess Usage and Satisfaction → Map to Business Processes and Determine Dependencies → Determine Grow/Maintain/Retire for Each Application
When assessing the CXM applications portfolio, do not cast your net too narrowly; while CRM and MMS applications are often top of mind, applications for digital asset management and social media management are also instrumental for ensuring a well-integrated CX.
Identify dependencies (either technical or licensing) between applications. This dependency tracing will come into play when deciding which applications should be grown (invested in), which applications should be maintained (held static), and which applications should be retired (divested).
Info-Tech Insight
Shadow IT is prominent here! When building your application inventory, ensure you involve Marketing, Sales, and Service to identify any “unofficial” SaaS applications that are being used for CXM. Many organizations fail to take a systematic view of their CXM application portfolio beyond maintaining a rough inventory. To assess the current state of alignment, you must build the application inventory and assess satisfaction metrics.
Review the major enterprise applications in your organization that enable CXM and align your requirements to these applications (net-new or existing). Identify points of integration to capture the big picture.

Info-Tech Insight
When assessing the current application portfolio that supports CXM, the tendency will be to focus on the applications under the CXM umbrella, relating mostly to marketing, sales, and customer service. Be sure to include systems that act as input to, or benefit from the outputs of, CRM or similar applications. Examples of these systems are ERP systems, ECM (e.g. SharePoint) applications, and more.
Having a portfolio but no contextual data will not give you a full understanding of the current state. The next step is to thoroughly assess usage patterns as well as IT, management, and end-user satisfaction with each application.
Example: Application Usage & Satisfaction Assessment
| Application Name | Level of Usage | IT Satisfaction | Management Satisfaction | End-User Satisfaction | Potential Business Impact |
|---|---|---|---|---|---|
| CRM (e.g. Salesforce) | Medium | High | Medium | Medium | High |
| CRM (e.g. Salesforce) | Low | Medium | Medium | High | Medium |
| ... | ... | ... | ... | ... | ... |
Info-Tech Insight
When evaluating satisfaction with any application, be sure to consult all stakeholders who come into contact with the application or depend on its output. Consider criteria such as ease of use, completeness of information, operational efficiency, data accuracy, etc.
2.2.3 Application Portfolio Assessment: End-User Feedback
Info-Tech’s Application Portfolio Assessment: End-User Feedback diagnostic is a low-effort, high-impact program that will give you detailed report cards on end-user satisfaction with an application. Use these insights to identify problems, develop action plans for improvement, and determine key participants.
Application Portfolio Assessment: End-User Feedback is an 18-question survey that provides valuable insights on user satisfaction with an application by:
INFO-TECH DIAGNOSTIC
2.2.4 1 hour
Example: CXM Application Inventory
| Application Name | Deployed Date | Processes Supported | Technical and Licensing Dependencies |
|---|---|---|---|
| Salesforce | June 2018 | Customer relationship management | XXX |
| Hootsuite | April 2019 | Social media listening | XXX |
| ... | ... | ... | ... |
A VRIO analysis evaluates the ability of internal resources and capabilities to sustain a competitive advantage by evaluating dimensions of value, rarity, imitability, and organization. For critical applications like your CRM platform, use a VRIO analysis to determine their value.
| Is the resource or capability valuable in exploiting an opportunity or neutralizing a threat? | Is the resource or capability rare in the sense that few of your competitors have a similar capability? | Is the resource or capability costly to imitate or replicate? | Is the organization organized enough to leverage and capture value from the resource or capability? | |
|---|---|---|---|---|
| NO | → | → | → | COMPETITIVE DISADVANTAGE |
| YES | NO → | → | → | COMPETITIVE EQUALITY/PARITY |
| YES | YES | NO → | → | TEMPORARY COMPETITIVE ADVANTAGE |
| YES | YES | YES | NO → | UNUSED COMPETITIVE ADVANTAGE |
| YES | YES | YES | YES | LONG-TERM COMPETITIVE ADVANTAGE |
(Strategic Management Insight, 2013)
2.2.5 30 minutes
2.2.1; 2.2.2 Conduct a SWOT Analysis
Our facilitator will use a small-team approach to delve deeply into each area, identifying enablers (strengths and opportunities) and challenges (weaknesses and threats) relating to the CXM strategy.
2.2.3; 2.2.4 Inventory your CXM applications, and assess usage and satisfaction
Working with your core team, the facilitator will assist with building a comprehensive inventory of CXM applications that are currently in use and with identifying adjacent systems needed for integration purposes. The facilitator will work to identify high- and low-performing applications and analyze this data with the team during the workshop exercise.
2.2.5 Conduct a VRIO analysis
The facilitator will take you through a VRIO analysis to identify which of your internal technological competencies ensure, or can be leveraged to ensure, your competitiveness in the CXM market.
CXM application portfolio map
The interaction between sales, marketing, and customer service is very process-centric. Rethink sales and customer-centric workflows and map the desired workflow, embedding the improved/reengineered process into the requirements.
Business process modeling facilitates the collaboration between the business and IT, recording the sequence of events, tasks performed, who performed them, and the levels of interaction with the various supporting applications.
By identifying the events and decision points in the process and overlaying the people that perform the functions, the data being interacted with, and the technologies that support them, organizations are better positioned to identify gaps that need to be bridged.
Encourage the analysis by compiling an inventory of business processes that support customer-facing operations that are relevant to achieving the overall organizational strategies.
Outcomes
INFO-TECH OPPORTUNITY
Refer to Info-Tech’s Create a Comprehensive BPM Strategy for Successful Process Automation blueprint for further assistance in taking a BPM approach to your sales-IT alignment.
APQC’s Process Classification Framework is a taxonomy of cross-functional business processes intended to allow the objective comparison of organizational performance within and among organizations.
| OPERATING PROCESSES | | | | |
|---|---|---|---|---|
| 1.0 Develop Vision and Strategy | 2.0 Develop and Manage Products and Services | 3.0 Market and Sell Products and Services | 4.0 Deliver Products and Services | 5.0 Manage Customer Service |
| 6.0 Develop and Manage Human Capital | | | | |
| 7.0 Manage Information Technology | | | | |
| 8.0 Manage Financial Resources | | | | |
| 9.0 Acquire, Construct, and Manage Assets | | | | |
| 10.0 Manage Enterprise Risk, Compliance, and Resiliency | | | | |
| 11.0 Manage External Relationships | | | | |
| 12.0 Develop and Manage Business Capabilities | | | | |
(APQC, 2011)
3.1 Understand markets, customers, and capabilities
3.2 Develop marketing strategy
3.3 Develop sales strategy
3.4 Develop and manage marketing plans
3.5 Develop and manage sales plans
5.1 Develop customer care/customer service strategy
5.2 Plan and manage customer service operations
5.2.3.1 Receive customer complaints
5.2.3.2 Route customer complaints
5.2.3.3 Resolve customer complaints
5.2.3.4 Respond to customer complaints
The APQC framework provides levels 1 through 3 for the “Market and Sell Products and Services” framework. Level 4 processes and beyond will need to be defined by your organization as they are more granular (represent the task level) and are often industry-specific.
Level 1 – Category - 1.0 Develop vision and strategy (10002)
Represents the highest level of process in the enterprise, such as manage customer service, supply chain, financial organization, and human resources.
Level 2 – Process Group - 1.1 Define the business concept and long-term vision (10014)
Indicates the next level of processes and represents a group of processes. Examples include perform after sales repairs, procurement, accounts payable, recruit/source, and develop sales strategy.
Level 3 – Process - 1.1.1 Assess the external environment (10017)
A series of interrelated activities that convert input into results (outputs); processes consume resources and require standards for repeatable performance; and processes respond to control systems that direct quality, rate, and cost of performance.
Level 4 – Activity - 1.1.1.1 Analyze and evaluate competition (10021)
Indicates key events performed when executing a process. Examples of activities include receive customer requests, resolve customer complaints, and negotiate purchasing contracts.
Level 5 – Task - 12.2.3.1.1 Identify project requirements and objectives (11117)
Tasks represent the next level of hierarchical decomposition after activities. Tasks are generally much more fine grained and may vary widely across industries. Examples include create business case and obtain funding, and design recognition and reward approaches.
Info-Tech Insight
Define the Level 3 processes in the context of your organization. When creating a CXM strategy, concern yourself with the interrelatedness of processes across existing departmental silos (e.g. marketing, sales, customer service). Reserve the analysis of activities (Level 4) and tasks (Level 5) for granular work initiatives involved in the implementation of applications.
2.3.1 CXM Business Process Shortlisting Tool
The CXM Business Process Shortlisting Tool can help you define which marketing, sales, and service processes you should focus on.
Working in concert with stakeholders from the appropriate departments, complete the short questionnaire.
Based on validated responses, the tool will highlight processes of strategic importance to your organization.
These processes can then be mapped, with requirements extracted and used to build the CXM application portfolio.
INFO-TECH DELIVERABLE

2.3.2 1 hour


Current legend for Weights and Scores
F – Finance
H – Human Resources
I – IT
L – Legal
M – Marketing
BU1 – Business Unit 1
BU2 – Business Unit 2
2.3.3 45 minutes
Info-Tech Insight
Analysis of the current state is important in the context of gap analysis. It aids in understanding the discrepancies between your baseline and the future state vision, and ensures that these gaps are documented as part of the overall requirements.

2.3.4 30 minutes
- What is the input?
- What is the output?
- What are the underlying risks and how can they be mitigated?
- What conditions should be met to mitigate or eliminate each risk?
- What are the improvement opportunities?
- What conditions should be met to enable these opportunities?
Info-Tech Insight
The business and IT should work together to evaluate the current state of business processes and the business requirements necessary to support these processes. Develop a full view of organizational needs while still obtaining the level of detail required to make informed decisions about technology.
Identify the owners of the business processes being evaluated to extract requirements. Process owners will be able to inform business process improvement and assume accountability for reengineered or net-new processes going forward.
Process ownership ensures support, accountability, and governance for CXM and its supporting processes. Process owners must be able to negotiate with business users and other key stakeholders to drive efficiencies within their own process. The process owner must execute tactical process changes and continually optimize the process.
Responsibilities include the following:
Info-Tech Insight
Identify the owners of existing processes early so you understand who needs to be involved in process improvement and reengineering. Once implemented, CXM applications are likely to undergo a series of changes. Unstructured data will multiply, the number of users may increase, administrators may change, and functionality could become obsolete. Should business processes be merged or drastically changed, process ownership can be reallocated during CXM implementation. Make sure you have the right roles in place to avoid inefficient processes and poor data quality.
2.3.5 Process Owner Assignment Guide
The Process Owner Assignment Guide will ensure you are taking the appropriate steps to identify process owners for existing and net-new processes created within the scope of the CXM strategy.
The steps in the document will help with important considerations such as key requirements and responsibilities.
INFO-TECH DELIVERABLE
2.3.6 30 minutes
Face-to-Face is efficient and has a positive personalized aspect that many customers desire, be it for sales or customer service.
Telephony (or IVR) has been a mainstay of customer interaction for decades. While not fading, it must be used alongside newer channels.
Postal used to be employed extensively for all domains, but is now used predominantly for e-commerce order fulfillment.
Email is an asynchronous interaction channel still preferred by many customers. Email gives organizations flexibility with queuing.
Live Chat is a way for clients to avoid long call center wait times and receive a solution from a quick chat with a service rep.
Web Portals permit transactions for sales and customer service from a central interface. They are a must-have for any large company.
Social Media consists of many individual services (like Facebook or Twitter). Social channels are exploding in consumer popularity.
HTML5 Mobile Access allows customers to access resources from their personal device through its integrated web browser.
Dedicated Mobile Apps allow customers to access resources through a dedicated mobile application (e.g. iOS, Android).
Info-Tech Insight
Your channel selections should be driven by customer personas and scenarios. For example, social media may be extensively employed by some persona types (e.g. Millennials) but see limited adoption in other demographics or use cases (e.g. B2B).
2.3.7 30 minutes
Example: Business Unit Channel Use Survey
| | Marketing | | Sales | | Customer Service | |
|---|---|---|---|---|---|---|
| | Current Used? | Future Use? | Current Used? | Future Use? | Current Used? | Future Use? |
| | Yes | Yes | No | No | No | No |
| Direct Mail | Yes | No | No | No | No | No |
| Phone | No | No | Yes | Yes | Yes | Yes |
| In-Person | No | No | Yes | Yes | Yes | No |
| Website | Yes | Yes | Yes | Yes | Yes | Yes |
| Social Channels | No | Yes | Yes | Yes | No | Yes |
Discovering your organizational requirements is vital for choosing the right business-enabling initiative, technology, and success metrics. Sorting the requirements by marketing, sales, and service is a prudent mechanism for clarification.
Definition: High-level requirements that will support marketing functions within CXM.
Examples
Definition: High-level requirements that will support sales functions within CXM.
Examples
Definition: High-level requirements that will support customer service functions within CXM.
Examples
2.3.8 30 minutes
Info-Tech Insight
Strategic CXM requirements will be used to prioritize specific initiatives for CXM technology enablement and application rollout. Ensure that IT, the business, and executive management are all aligned on a consistent and agreed upon set of initiatives.
Industry: Consumer Goods, Clothing
Source: Retail Congress, 2017
Burberry London
Internally, Burberry invested in organizational alignment and sales force brand engagement. The more the sales associate knew about the brand engagement and technology-enabled strategy, the better the store’s performance. Before the efforts went to building relationships with customers, Burberry built engagement with employees.
Burberry embraced “omnichannel,” the hottest buzzword in retailing, to provide consumers the most immersive and intuitive brand experience within the store.
RFID tags were attached to products to trigger interactive videos on the store’s screens in the common areas or in a fitting room. Consumers are to have instant access to relevant product combinations, ranging from craftsmanship information to catwalk looks. This is equivalent to the rich, immediate information consumers have grown to expect from the online shopping experience.
Another layer of Burberry’s added capabilities includes in-memory-based analytics to gather and analyze data in real-time to better understand customers’ desires. Burberry builds customer profiles based on what items the shoppers try on from the RFID-tagged garments. Although this requires customer privacy consent, customers are willing to provide personal information to trusted brands.
This program, called “Customer 360,” assisted sales associates in providing data-driven shopping experiences that invite customers to digitally share their buying history and preferences via their tablet devices. As the data is stored in Burberry’s customer data warehouse and accessed through an application such as CRM, it is able to arm sales associates with personal fashion advice on the spot.
Lastly, the customer data warehouse/CRM application is linked to Burberry’s ERP system and other custom applications in a cloud environment to achieve real-time inventory visibility and fulfillment.
Burberry achieved one of the most personalized retail shopping experiences. Immediate personal fashion advice using customer data is only one component of the experience. Not only are historic purchases and preference data analyzed, but a customer’s social media posts and fashion industry trend data are also proactively incorporated into the interactions between the sales associate and the customer.
Burberry achieved CEO Angela Ahrendts’ vision of “Burberry World,” in which the brand experience is seamlessly integrated across channels, devices, retail locations, products, and services.
The organizational alignment between Sales, Marketing, and IT empowered employees to bring the Burberry brand to life in unique ways that customers appreciated and were willing to advocate.
Burberry is now one of the most beloved and valuable luxury brands in the world. The brand tripled sales in five years, became one of the leading voices on trends, fashion, music, and beauty while redefining what top-tier customer experience should be both digitally and physically.
The debate between best-of-breed point solutions versus comprehensive CRM suites is ongoing. There is no single best answer. In most cases, an effective portfolio will include both types of solutions.
Customer Relationship Management (CRM)
Social Media Management Platform (SMMP)
Field Sales/Service Automation (FSA)
Marketing Management Suites
Sales Force Automation
Email Marketing Tools
Lead Management Automation (LMA)
Customer Service Management Suites
Customer Intelligence Systems
Some may find that the capabilities of a CRM suite are not enough to meet their specific requirements: supplementing a CRM suite with a targeted point solution can get the job done. A variety of CXM point solutions are designed to enhance your business processes and improve productivity.
Sales Force Automation: Automatically generates, qualifies, tracks, and contacts leads for sales representatives, minimizing time wasted on administrative duties.
Field Sales: Allows field reps to go through the entire sales cycle (from quote to invoice) while offsite.
Sales Compensation Management: Models, analyzes, and dispenses payouts to sales representatives.
Social Media Management Platforms (SMMP): Manage and track multiple social media services, with extensive social data analysis and insight capabilities.
Email Marketing Bureaus: Conduct email marketing campaigns and mine results to effectively target customers.
Marketing Intelligence Systems: Perform in-depth searches on various data sources to create predictive models.
Customer Service Management (CSM): Manages the customer support lifecycle with a comprehensive array of tools, usually above and beyond what’s in a CRM suite.
Customer Service Knowledge Management (CSKM): Advanced knowledgebase and resolution tools.
Field Service Automation (FSA): Manages customer support tickets, schedules work orders, tracks inventory and fleets, all on the go.
Info-Tech Insight
CRM and point solution integration is critical. A best-of-breed product that poorly integrates with your CRM suite compromises the value generated by the combined solution, such as a 360-degree customer view. Challenge point solution vendors to demonstrate integration capabilities with CRM packages.
Standalone CRM Suite
Sales Conditions: Need selling and lead management capabilities for agents to perform the sales process, along with sales dashboards and statistics.
Marketing or Communication Conditions: Need basic campaign management and ability to refresh contact records with information from social networks.
Member Service Conditions: Need to keep basic customer records with multiple fields per record and basic channels such as email and telephony.
Add a Best-of-Breed or Point Solution
Environmental Conditions: An extensive customer base with many different interactions per customer, along with industry-specific or “niche” needs. Point solutions will benefit firms with deep needs in specific feature areas (e.g. social media or field service).
Sales Conditions: Lengthy sales process and account management requirements for assessing and managing opportunities – in a technically complex sales process.
Marketing Conditions: Need social media functionality for monitoring and social property management.
Customer Service Conditions: Need complex multi-channel service processes and/or need for best-of-breed knowledgebase and service content management.
Info-Tech Insight
The volume and complexity of both customers and interactions have a direct effect on when to employ just a CRM suite and when to supplement with a point solution. Check to see if your CRM suite can perform a specific business requirement before deciding to evaluate potential point solutions.
2.3.9 CXM Portfolio Designer
The CXM Portfolio Designer features a set of questions geared toward understanding your needs for marketing, sales, and customer service enablement.
These results are scored and used to suggest a comprehensive solution-level set of enterprise applications for CXM that can drive your application portfolio and help you make investment decisions in different areas such as CRM, marketing management, and customer intelligence.
INFO-TECH DELIVERABLE

(Social Centered Learning, n.d.)

Use the two-by-two matrix below to structure your optimal CXM application portfolio. For more help, refer to Info-Tech’s blueprint, Use Agile Application Rationalization Instead of Going Big Bang.
| Richness of Functionality | Low Degree of Integration | High Degree of Integration |
|---|---|---|
| High | INTEGRATE | RETAIN |
| Low | REPLACE | REPLACE OR ENHANCE |
Integrate: The application is functionally rich, so spend time and effort integrating it with other modules by building or enhancing interfaces.
Retain: The application satisfies both functionality and integration requirements, so it should be considered for retention.
Replace/Enhance: The module offers poor functionality but is well integrated with other modules. If enhancing for functionality is easy (e.g. through configuration or custom development), consider enhancement or replacement.
Replace: The application neither offers the functionality sought nor is it integrated with other modules, and thus should be considered for replacement.
2.3.10 1-2 hours
Example: Brainstorming the Art of the Possible
| Application | Gap Satisfied | Related Process | Number of Linked Requirements | Do we have the system? | Priority |
|---|---|---|---|---|---|
| LMA | | Sales | 8 | No | Business Critical |
| Customer Intelligence | | Customer Service | 6 | Yes | Business Enabling |
| ... | ... | ... | ... | ... | ... |
Now that you have developed the CXM application portfolio and identified areas of new investment, you’re well positioned to execute specific vendor selection projects. After you have built out your initiatives roadmap in phase 3, the following reports provide in-depth vendor reviews, feature guides, and tools and templates to assist with selection and implementation.
Info-Tech Insight
Not all applications are created equally well for each use case. The vendor reports help you make informed procurement decisions by segmenting vendor capabilities among major use cases. The strategic requirements identified as part of this project should be used to select the use case that best fits your needs.
2.3.2; 2.3.3 Shortlist and map the key top-level business processes
Based on experience working with organizations in similar verticals, the facilitator will help your team map out key sample workflows for marketing, sales, and customer service.
2.3.6 Create your strategic requirements for CXM
Drawing on the preceding exercises, the facilitator will work with the team to create a comprehensive list of strategic requirements that will be used to drive technology decisions and roadmap initiatives.
2.3.10 Create and finalize the CXM application portfolio
Using the strategic requirements gathered through internal, external, and technology analysis up to this point, a facilitator will assist you in assembling a categorical technology application portfolio to support CXM.
Integration is paramount: your CXM application portfolio must work as a unified face to the customer. Create an integration map to reflect a system of record and the exchange of data.
The points of integration that you’ll need to establish must be based on the objectives and requirements that have informed the creation of the CXM application portfolio. For instance, achieving improved customer insights would necessitate a well-integrated portfolio with customer interaction point solutions, business intelligence tools, and customer data warehouses in order to draw the information necessary to build insight. To increase customer engagement, channel integration is a must (i.e. with robust links to unified communications solutions, email, and VoIP telephony systems).
Info-Tech Insight
If the CXM application portfolio is fragmented, it will be nearly impossible to build a cohesive view of the customer and deliver a consistent customer experience. Points of integration (POIs) are the junctions between the applications that make up the CXM portfolio. They are essential to creating value, particularly in customer insight-focused and omnichannel-focused deployments. Be sure to include enterprise applications that are not included in the CXM application portfolio. Popular systems to consider for POIs include billing, directory services, content management, and collaboration tools.

"Find the absolute minimum number of ‘quick wins’ – the POIs you need from day one that are necessary to keep end users happy and deliver value." – Maria Cindric, Australian Catholic University Source: Interview
2.4.1 1 hour
Example: Mapping the Integration of CXM Applications

Data quality is king: if your customer data is garbage in, it will be garbage out. Enable strategic CXM decision making with effective planning of data quality initiatives.
Identify and Eliminate Dead Weight
Poor data can originate in the firm’s system of record, which is typically the CRM system. Custom queries, stored procedures, or profiling tools can be used to assess the key problem areas.
Loose rules in the CRM system lead to records of no significant value in the database. Those rules need to be fixed, but if changes are made before the data is fixed, users could encounter database or application errors, which will reduce user confidence in the system.
Create and Enforce Standards & Policies
Now that the data has been cleaned, protect the system from relapsing.
Work with business users to find out what types of data require validation and which fields should have changes audited. Whenever possible, implement drop-down lists to standardize values and make programming changes to ensure that truncation ceases.
Applications are a critical component of how IT supports Sales, but IT also needs to help Sales keep its data current and accurate. Conducting a sales data audit is critical to ensure Sales has the right information at the right time.
Info-Tech Insight
Data is king. More than ever, having accurate data is essential for your organization to win in hyper-competitive marketplaces. Prudent current state analysis looks at both the overall data model and data architecture, as well as assessing data quality within critical sales-related repositories. As the amount of customer data grows exponentially due to the rise of mobility and the Internet of Things, you must have a forward-looking data model and data marts/customer data warehouse to support sales-relevant decisions.
Refer to Info-Tech’s Develop a Master Data Management Strategy and Roadmap blueprint for further reference and assistance in data management for your sales-IT alignment.
2.4.2 30 minutes
Example: Data Steward Structure
Department A
Department B
Department C
A customer data warehouse (CDW) “is a subject-oriented, integrated, time-variant, non-volatile collection of data used to support the strategic decision-making process across marketing, sales, and service. It is the central point of data integration for customer intelligence and is the source of data for the data marts, delivering a common view of customer data” (Corporate Information Factory, n.d.).
Analogy
CDWs are like a buffet. All the food items are in the buffet. Likewise, your corporate data sources are centralized into one repository. There are so many food items in a buffet that you may need to organize them into separate food stations (data marts) for easier access.
Examples/Use Cases
Pros
Cons
2.4.3 30 minutes
INFO-TECH OPPORTUNITY
Refer to Info-Tech’s Build an Agile Data Warehouse blueprint for more information on building a centralized and integrated data warehouse.
All training modules will be different, but some will have overlapping areas of interest.
- Assign Project Evangelists
- Analytics Training
- Mobile Training
Application Training
Info-Tech Insight
Train customers too. Keep the customer-facing sales portals simple and intuitive, have clear explanations/instructions under important functions (e.g. brief directions on how to initiate service inquiries), and provide examples of proper uses (e.g. effective searches). Make sure customers are aware of escalation options available to them if self-service falls short.
The team leading the rollout of new initiatives (be they applications, new governance structures, or data quality procedures) should establish a communication process to ensure management and users are well informed.
CXM-related department groups or designated trainers should take the lead and implement a process for:
The overall objective for inter-departmental kick-off meetings is to confirm that all parties agree on certain key points and understand alignment rationale and new sales app or process functionality.
The kick-off process will significantly improve internal communications by inviting all affected internal IT groups, including business units, to work together to address significant issues before the application process is formally activated.
The kick-off meeting(s) should encompass:
Info-Tech Insight
Determine who in each department will send out a message about initiative implementation, the tone of the message, the medium, and the delivery date.
Info-Tech Insight
Every piece of information that you give to a stakeholder that is not directly relevant to their interests is a distraction from your core message. Always remember to tailor the message, medium, and timing accordingly.
Once the sales-IT alignment committees have been formed, create organizational cadence through a variety of formal and informal gatherings between the two business functions.
Isolation

Collaboration

Synergy

2.4.1 Develop a CXM application integration map
Using the inventory of existing CXM-supporting applications and the newly formed CXM application portfolio as inputs, your facilitator will assist you in creating an integration map of applications to establish a system of record and flow of data.
2.4.2 Develop a mitigation plan for poor quality customer data
Our facilitator will educate your stakeholders on the importance of quality data and guide you through the creation of a mitigation plan for data preservation.
2.4.3 Assess the need for a customer data warehouse
Addressing important factors such as data volume, complexity, and flow, a facilitator will help you assess whether or not a customer data warehouse for CXM is the right fit for your organization.
Build a Strong Technology Foundation for Customer Experience Management
Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.
Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.
Proposed Time to Completion: 1 week
Step 3.1: Create an Initiative Rollout Plan
Start with an analyst kick-off call:
Then complete these activities…
With these tools & templates:
Step 3.2: Confirm and Finalize the CXM Blueprint
Review findings with analyst:
Then complete these activities…
With these tools & templates:
1.1 Create the Project Vision
1.2 Structure the Project
2.1 Scan the External Environment
2.2 Assess the Current State of CXM
2.3 Create an Application Portfolio
2.4 Develop Deployment Best Practices
3.1 Create an Initiative Rollout Plan
3.2 Confirm and Finalize the CXM Blueprint
Creating a comprehensive CXM strategy roadmap reduces the risk of rework, misallocation of resources, and project delays or abandonment.
Optimize the Change Management Process
You need to design a process that is flexible enough to meet demand for change and strict enough to protect the live environment from change-related incidents.
Create Project Management Success
Investing time up front to plan the project and implementing best practices during project execution to ensure the project is delivered with the planned outcome and quality is critical to project success.
3.1.1 45 minutes
Example: Constructing a Risk Management Plan
| | Risk | Impact | Likelihood | Mitigation Effort |
|---|---|---|---|---|
| Strategy Risks | Project over budget | | | |
| | Inadequate content governance | | | |
| System Risks | Integration with additional systems | | | |
| | ... | ... | ... | ... |
Likelihood
1 – High/Needs Focus
2 – Can Be Mitigated
3 – Unlikely
Impact
1 – High Risk
2 – Moderate Risk
3 – Minimal Risk
Understanding technical and strategic risks can help you establish contingency measures to reduce the likelihood that risks will occur. Devise mitigation strategies to help offset the impact of risks if contingency measures are not enough.
Remember
The biggest sources of risk in a CXM strategy are lack of planning, poorly defined requirements, and lack of governance.
Apply the following mitigation tips to avoid pitfalls and delays.
Risk Mitigation Tips
Completion of initiatives for your CXM project will be contingent upon multiple variables.
Initiative complexity will define the need for enabling projects. Create a process to define dependencies:
Complex....Initiative
Simple....Initiative
3.1.2 45 minutes
Example: Importance-Capability Matrix

Pinpoint quick wins: high importance, low effort initiatives.
The size of each plotted initiative must indicate the effort or the complexity and time required to complete.
| Quadrant | Initiative Type |
|---|---|
| Top Right Quadrant | Strategic Projects |
| Top Left Quadrant | Quick Wins |
| Bottom Right Quadrant | Risky Bets |
| Bottom Left Quadrant | Discretionary Projects |
3.1.3 1 hour
Example: Project Dependencies
Initiative: Omnichannel E-Commerce
Dependency: WEM Suite Deployment; CRM Suite Deployment; Order Fulfillment Capabilities
3.1.4 30 minutes
Example: Importance-Capability Matrix
| | Importance | Initiative | Owner | Completion Date |
|---|---|---|---|---|
| Example Projects | High | Gather business requirements. | Project Manager | MM/DD/YYYY |
| Quick Wins | | | | |
| Long Term | Medium | Implement e-commerce across all sites. | CFO & Web Manager | MM/DD/YYYY |
Importance
3.1.1 Create a risk management plan
Based on the workshop exercises, the facilitator will work with the core team to design a priority-based risk mitigation plan that enumerates the most salient risks to the CXM project and addresses them.
3.1.2; 3.1.3; 3.1.4 Identify initiative dependencies and create the CXM roadmap
After identifying dependencies, our facilitators will work with your IT SMEs and business stakeholders to create a comprehensive roadmap, outlining the initiatives needed to carry out your CXM strategy roadmap.
Key performance indicators (KPIs) are quantifiable measures that demonstrate the effectiveness of a process and its ability to meet business objectives.
Specific
Measurable
Achievable
Realistic
Time-bound
Follow the SMART methodology when developing KPIs for each process.
Adhering to this methodology is a key component of the Lean management methodology. This framework will help you avoid establishing general metrics that aren’t relevant.
Info-Tech Insight
Metrics are essential to your ability to measure and communicate the success of the CXM strategy to the business. Speak the same language as the business and choose metrics that relate to marketing, sales, and customer service objectives.
3.2.1 1 hour
Example: Metrics for Marketing, Sales, and Customer Service Functions
| | Metric | Example |
|---|---|---|
| Marketing | Customer acquisition cost | X% decrease in costs relating to advertising spend |
| | Ratio of lifetime customer value | X% decrease in customer churn |
| | Marketing originated customer % | X% increase in % of customer acquisition driven by marketing |
| Sales | Conversion rate | X% increase conversion of lead to sale |
| | Lead response time | X% decrease in response time per lead |
| | Opportunity-to-win ratio | X% increase in monthly/annual opportunity-to-win ratio |
| Customer Service | First response time | X% decreased time it takes for customer to receive first response |
| | Time-to-resolution | X% decrease of average time-to-resolution |
| | Customer satisfaction | X% improvement of customer satisfaction ratings on immediate feedback survey |
3.2.2 Stakeholder Power Map Template
Use this template and its power map to help visualize the importance of various stakeholders and their concerns. Prioritize your time according to the most powerful and most impacted stakeholders.
Answer questions about each stakeholder:
Focus on key players: relevant stakeholders who have high power, should have high involvement, and are highly impacted.
INFO-TECH DELIVERABLE
3.2.3 Stakeholder Communication Planning Template
Use the Stakeholder Communication Planning Template to document your list of initiative stakeholders so you can track them and plan communication throughout the initiative.
Track the communication methods needed to convey information regarding CXM initiatives. Communicate how a specific initiative will impact the way employees work and the work they do.
INFO-TECH DELIVERABLE
3.2.4 1 hour
3.2.5 CXM Strategy Stakeholder Presentation Template
Complete the presentation template as indicated when you see the green icon throughout this deck. Include the outputs of all activities that are marked with this icon.
Info-Tech has designed the CXM Strategy Stakeholder Presentation Template to capture the most critical aspects of the CXM strategy. Customize it to best convey your message to project stakeholders and to suit your organization.
The presentation should be no longer than one hour. However, additional slides can be added at the discretion of the presenter. Make sure there is adequate time for a question and answer period.
INFO-TECH DELIVERABLE
After the presentation, email the deck to stakeholders to ensure they have it available for their own reference.
3.2.6 30 minutes
3.2.4 Create a stakeholder power map and communication plan
An analyst will walk the project team through the creation of a communication plan, inclusive of project metrics and their respective goals. If you are planning a variety of CXM initiatives, track how the change will be communicated and to whom. Determine the employees who will be impacted by the change.
Accenture Digital. “Growing the Digital Business: Accenture Mobility Research 2015.” Accenture. 2015. Web.
Afshar, Vala. “50 Important Customer Experience Stats for Business Leaders.” Huffington Post. 15 Oct. 2015. Web.
APQC. “Marketing and Sales Definitions and Key Measures.” APQC’s Process Classification Framework, Version 1.0.0. APQC. Mar. 2011. Web.
CX Network. “The Evolution of Customer Experience in 2015.” Customer Experience Network. 2015. Web.
Genesys. “State of Customer Experience Research.” Genesys. 2018. Web.
Harvard Business Review and SAS. “Lessons From the Leading Edge of Customer Experience Management.” Harvard Business School Publishing. 2014. Web.
Help Scout. “75 Customer Service Facts, Quotes & Statistics.” Help Scout. n.d. Web.
Inmon Consulting Services. “Corporate Information Factory (CIF) Overview.” Corporate Information Factory. n.d. Web.
Jurevicius, Ovidijus. “VRIO Framework.” Strategic Management Insight. 21 Oct. 2013. Web.
Keenan, Jim, and Barbara Giamanco. “Social Media and Sales Quota.” A Sales Guy Consulting and Social Centered Selling. n.d. Web.
Malik, Om. “Internet of Things Will Have 24 Billion Devices by 2020.” Gigaom. 13 Oct. 2011. Web.
McGovern, Michele. “Customers Want More: 5 New Expectations You Must Meet Now.” Customer Experience Insight. 30 July 2015. Web.
McGinnis, Devon. “40 Customer Service Statistics to Move Your Business Forward.” Salesforce Blog. 1 May 2019. Web.
Reichheld, Fred. “Prescription for Cutting Costs.” Bain & Company. n.d. Web.
Retail Congress Asia Pacific. “SAP – Burberry Makes Shopping Personal.” Retail Congress Asia Pacific. 2017. Web.
Rouse, Margaret. “Omnichannel Definition.” TechTarget. Feb. 2014. Web.
Salesforce Research. “Customer Expectations Hit All-Time High.” Salesforce Research. 2018. Web.
Satell, Greg. “A Look Back at Why Blockbuster Really Failed and Why It Didn’t Have To.” Forbes. 5 Sept. 2014. Web.
Social Centered Learning. “Social Media and Sales Quota: The Impact of Social Media on Sales Quota and Corporate Review.” Social Centered Learning. n.d. Web.
Varner, Scott. “Economic Impact of Experience Management.” Qualtrics/Forrester. 16 Aug. 2017. Web.
Wesson, Matt. “How to Use Your Customer Data Like Amazon.” Salesforce Pardot Blog. 27 Aug. 2012. Web.
Winterberry Group. “Taking Cues From the Customer: ‘Omnichannel’ and the Drive For Audience Engagement.” Winterberry Group LLC. June 2013. Web.
Wollan, Robert, and Saideep Raj. “How CIOs Can Support a More Agile Sales Organization.” The Wall Street Journal: The CIO Report. 25 July 2013. Web.
Zendesk. “The Impact of Customer Service on Customer Lifetime Value 2013.” Z Library. n.d. Web.
Perform an insurance policy comparison with scores based on policy coverage and exclusions.
Use this blueprint to score your potential cyber insurance policies and develop skills to overcome common insurance pitfalls.
Use these tools to gather cyber insurance requirements, prepare for the underwriting process, and compare policies.
Plan out your employee engagement program and launch the Employee Experience Monitor survey for your team.
Interpret your Employee Experience Monitor results, understand what they mean in the context of your team, and involve your staff in brainstorming engagement initiatives.
Select engagement initiatives for maximal impact, create an action plan, and establish open and ongoing communication about engagement with your team.
Set up the EXM and collect a few months of data to build on during the workshop.
Arm yourself with an index of employee experience and candid feedback from your team to use as a starting point for your engagement program.
1.1 Identify EXM use case.
1.2 Identify engagement program goals and obstacles.
1.3 Launch EXM.
Defined engagement goals.
EXM online dashboard with three months of results.
To understand the current state of engagement and prepare to discuss the drivers behind it with your staff.
Empower your leadership team to take charge of their own team's engagement.
2.1 Review EXM results to understand employee experience.
2.2 Finalize focus group agendas.
2.3 Train managers.
Customized focus group agendas.
Establish an open dialogue with your staff to understand what drives their engagement.
Understand where in your team’s experience you can make the most impact as an IT leader.
3.1 Identify priority drivers.
3.2 Identify engagement KPIs.
3.3 Brainstorm engagement initiatives.
3.4 Vote on initiatives within teams.
Summary of focus groups results
Identified engagement initiatives.
Learn the characteristics of successful engagement initiatives and build execution plans for each.
Choose initiatives with the greatest impact on your team’s engagement, and ensure you have the necessary resources for success.
4.1 Select engagement initiatives with IT leadership.
4.2 Discuss and decide on the top five engagement initiatives.
4.3 Create initiative project plans.
4.4 Build detailed project plans.
4.5 Present project plans.
Engagement project plans.
Identify the symptoms of inadequate IT support of digital marketing to diagnose the problems in your organization.
Identify the untapped digital marketing value in your organization to understand where your organization needs to improve.
Develop a plan for communicating with stakeholders to ensure buy-in to the digital marketing capability building project.
Assess how well each digital channel reaches target segments. Identify the capabilities that must be built to enable digital channels.
Assess the people, processes, and technologies required to build required capabilities and determine the best fit with your organization.
Determine the fit of each digital channel with your organizational goals.
Determine the fit of digital channels with your organizational structure and business model.
Compare the fit of digital channels with your organization’s current levels of use to:
Identify missed opportunities your organization should capitalize on.
Identify digital channels that your organization is wasting resources on.
IT department achieves consensus around which opportunities need to be pursued.
Understanding that continuing to pursue excellent-fit digital channels that your organization is currently active on is a priority.
Identification of the channels on which stopping activity could free up resources.
1.1 Define and prioritize organizational goals.
1.2 Assess digital channel fit with goals and organizational characteristics.
1.3 Identify missed opportunities and wasted resources in your digital channel mix.
1.4 Brainstorm creative ways to pursue untapped digital channels.
Prioritized list of organizational goals.
Assigned level of fit to digital channels.
List of digital channels that represent missed opportunities or wasted resources.
List of brainstormed ideas for pursuing digital channels.
Identify the digital channels that will be used for specific products and segments.
Identify the IT capabilities that must be built to enable digital channels.
Prioritize the list of IT capabilities.
IT and marketing achieve consensus around which digital channels will be pursued for specific product-segment pairings.
Identification of the capabilities that IT must build.
2.1 Assess digital channel fit with specific products.
2.2 Identify the digital usage patterns of target segments.
2.3 Decide precisely which digital channels you will use to sell specific products to specific segments.
2.4 Identify and prioritize the IT capabilities that need to be built to succeed on each digital channel.
Documented channel fit with products.
Documented channel usage by target segments.
Listed digital channels that will be used for each product-segment pairing.
Listed and prioritized capabilities that must be built to enable success on necessary digital channels.
Identification of the best possible way to build IT capabilities for all channels.
Creation of a plan for leveraging transformational analytics to supercharge your digital marketing strategy.
IT understanding of the costs and benefits of capability building options (people, process, and technology).
Information about how specific technology vendors could fit with your organization.
IT identification of opportunities to leverage transformational analytics in your organization.
3.1 Identify the gaps in your IT capabilities.
3.2 Evaluate options for building capabilities.
3.3 Identify opportunities for transformational analytics.
A list of IT capability gaps.
An action plan for capability building.
A plan for leveraging transformational analytics.
EA’s role in brokering and negotiating overlapping areas can lead to the creation of additional efficiencies at the enterprise level.
In an accelerated path to digitization, the increasingly important role of enterprise architecture is one of collaboration across siloes, inside and outside the enterprise, in a configurable way that allows for quick adjustment to new threats and conditions, while embracing unprecedented opportunities to scale, stimulating innovation, in order to increase the organization’s competitive advantage.
Enterprise architecture, seen as the glue of the organization, aligns business goals with all the other aspects of the organization, providing additional effectiveness and efficiencies while also providing guardrails for safety.
In an accelerated path to digitization, the increasingly important role of enterprise architecture (EA) is one of collaboration across siloes, inside and outside the enterprise, in a configurable way that allows for quick adjustment to new threats and conditions while embracing unprecedented opportunities to scale, stimulating innovation to increase the organization’s competitive advantage.
Milena Litoiu
The digital transformation journey brings business and technology increasingly closer.
Because the two become more and more intertwined, the role of enterprise architecture increases in importance, aligning the two in providing additional efficiencies.
The current need for an accelerated digital transformation elevates the importance of enterprise architecture.
More than 70% of organizations revamp their enterprise architecture programs. (Info-Tech Tech Trends 2022 Survey)
Most organizations still see a significant gap between the business and IT.
EA's role in brokering and negotiating overlapping areas can lead to the creation of additional efficiencies at the enterprise level.
Approaches:
A plethora of approaches are needed (e.g. architecture modularity, data integration, AI/ML) in addition to other Agile/iterative approaches for the entire organization.
The advent of quantum computing is closer than you think: some nations have already demonstrated capability with the potential to break current asymmetric-key encryption. Traditional encryption methods will no longer provide sufficient protection. You need to act now to begin your transformation to quantum-resistant encryption.
Developing quantum-resistant cryptography capabilities is crucial to maintaining data security and integrity for critical applications. Organizations need to act now to begin their transformation to quantum-resistant encryption.
The quantum realm presents itself as a peculiar and captivating domain, shedding light on enigmas within our world while pushing the boundaries of computational capabilities. The widespread availability of quantum computers is expected to occur sooner than anticipated. This emerging technology holds the potential to tackle valuable problems that even the most powerful classical supercomputers will never be able to solve. Quantum computers possess the ability to operate millions of times faster than their current counterparts.
As we venture further into the era of quantum mechanics, organizations relying on encryption must contemplate a future where these methods no longer suffice as effective safeguards. The astounding speed and power of quantum machines have the potential to render many existing security measures utterly ineffective, including the most robust encryption techniques used today. To illustrate, a task that currently takes ten years to crack through a brute force attack could be accomplished by a quantum computer in under five minutes.
Amid this transition into a quantum future, the utmost priority for organizations remains data security, particularly safeguarding sensitive information. Organizations must proactively prepare for the development of countermeasures and essential resilience measures to attain a state of being "quantum safe."
Alan Tang
Principal Research Director, Security and Privacy
Info-Tech Research Group
Your Challenge
Common Obstacles
Info-Tech's Approach
The advent of quantum computing (QC) is closer than you think: some nations have demonstrated capability with the potential to break current asymmetric-key encryption. Traditional encryption methods will no longer be sufficient as a means of protection. You need to act now to begin your transformation to quantum-resistant encryption.
| 1900-1975 | 1976-1997 | 1998-2018 | 2019-Now |
|---|---|---|---|
| | | | |
The advent of QC will significantly change our perception of computing and have a crucial impact on the way we protect our digital economy using encryption. The technology's applicability is no longer a theory but a reality to be understood, strategized about, and planned for.
Unlike conventional computers that rely on bits, quantum computers use quantum bits or qubits. QC technology surpasses the limitations of current processing powers. By leveraging the properties of superposition, interference, and entanglement, quantum computers have the capacity to simultaneously process millions of operations, thereby surpassing the capabilities of today's most advanced supercomputers.
A 2021 Hyperion Research survey of over 400 key decision makers in North America, Europe, South Korea, and Japan showed nearly 70% of companies have some form of in-house QC program.
Organizations need to reap the substantial benefits of QC's power, while simultaneously shielding against the same technologies when used by cyber adversaries.
QC early adopters see the promise of QC for a wide range of computational workloads, including machine learning applications, finance-oriented optimization, and logistics/supply chain management.
Experienced attackers are likely to be the early adopters of quantum-enabled cryptographic solutions, harnessing the power of QC to exploit vulnerabilities in today's encryption methods. The risks are particularly high for industries that rely on critical infrastructure.
Critical components of classical cryptography will be at risk, potentially leading to the exposure of confidential and sensitive information to the general public. Business, technology, and security leaders are confronted with an immediate imperative to formulate a quantum-safe strategy and establish a roadmap without delay.
In 2019, Google claimed that "Our Sycamore processor takes about 200 seconds to sample one instance of a quantum circuit a million times—our benchmarks currently indicate that the equivalent task for a state-of-the-art classical supercomputer would take approximately 10,000 years."
Source: Nature, 2019
On December 3, 2020, a team of Chinese researchers claimed to have achieved quantum supremacy, using a photonic peak 76-qubit system (43 average) known as Jiuzhang, which performed calculations at 100 trillion times the speed of classical supercomputers.
Source: science.org, 2020
The emergence of QC brings forth cybersecurity threats. It is an opportunity to regroup, reassess, and revamp our approaches to cybersecurity.
Quantum computers have reached a level of advancement where even highly intricate calculations, such as factoring large numbers into their primes, which serve as the foundation for RSA encryption and other algorithms, can be solved within minutes.
QC could lead to unauthorized decryption of confidential data in the future. Data confidentiality breaches also impact improperly disposed encrypted storage media.
A recovered private key, which is derived from a public key, can be used through remote control to fraudulently authenticate a critical system.
Cybercriminals can use QC technology to recover private keys and manipulate digital documents and their digital signatures.
Consider RSA-2048, a widely used public-key cryptosystem that facilitates secure data transmission. In a 2021 survey, a majority of leading authorities believed that RSA-2048 could be cracked by quantum computers within a mere 24 hours.
Source: Quantum-Readiness Working Group, 2022
The development of quantum-safe cryptography capabilities is of utmost importance in ensuring the security and integrity of critical applications' data.
The US Congress considers cryptography essential for the national security of the US and the functioning of the US economy. The Quantum Computing Cybersecurity Preparedness Act was introduced on April 18, 2022, and became a public law (No: 117-260) on December 21, 2022.
The purpose of this Act is to encourage the migration of Federal Government information technology systems to quantum-resistant cryptography, and for other purposes.
Main Obligations
| Responsibilities | Requirements |
|---|---|
| Inventory Establishment | Not later than 180 days after the date of enactment of this Act, the Director of OMB shall issue guidance on the migration of information technology to post-quantum cryptography. |
| Agency Reports | "Not later than 1 year after the date of enactment of this Act, and on an ongoing basis thereafter, the head of each agency shall provide to the Director of OMB, the Director of CISA, and the National Cyber Director— (1) the inventory described in subsection (a)(1); and (2) any other information required to be reported under subsection (a)(1)(C)." |
| Migration and Assessment | "Not later than 1 year after the date on which the Director of NIST has issued post-quantum cryptography standards, the Director of OMB shall issue guidance requiring each agency to— (1) prioritize information technology described under subsection (a)(2)(A) for migration to post-quantum cryptography; and (2) develop a plan to migrate information technology of the agency to post-quantum cryptography consistent with the prioritization under paragraph (1)." |
"It is the sense of Congress that (1) a strategy for the migration of information technology of the Federal Government to post-quantum cryptography is needed; and (2) the government wide and industry-wide approach to post-quantum cryptography should prioritize developing applications, hardware intellectual property, and software that can be easily updated to support cryptographic agility." – Quantum Computing Cybersecurity Preparedness Act
Since 2016, the National Institute of Standards and Technology (NIST) has been actively engaged in the development of post-quantum encryption standards. The objective is to identify and establish standardized cryptographic algorithms that can withstand attacks from quantum computers.
| Date | Development |
|---|---|
| Dec. 20, 2016 | Round 1 call for proposals: Announcing request for nominations for public-key post-quantum cryptographic algorithms |
| Nov. 30, 2017 | Deadline for submissions – 82 submissions received |
| Dec. 21, 2017 | Round 1 algorithms announced (69 submissions accepted as "complete and proper") |
| Jan. 30, 2019 | Second round candidates announced (26 algorithms) |
| July 22, 2020 | Third round candidates announced (7 finalists and 8 alternates) |
| July 5, 2022 | Announcement of candidates to be standardized and fourth round candidates |
| 2022/2024 (Plan) | Draft standards available |
| CRYSTALS – Kyber | CRYSTALS – Dilithium |
|---|---|
| FALCON | SPHINCS+ |
NIST recommends two primary algorithms to be implemented for most use cases: CRYSTALS-KYBER (key-establishment) and CRYSTALS-Dilithium (digital signatures). In addition, the signature schemes FALCON and SPHINCS+ will also be standardized.
There is no need to wait for formal NIST PQC standards selection to begin your post-quantum mitigation project. It is advisable to undertake the necessary steps and allocate resources in phases that can be accomplished prior to the finalization of the standards.
The advent of QC is closer than you think: some nations have demonstrated capability with the potential to break current asymmetric-key encryption. Traditional encryption methods will no longer be sufficient as a means of protection. You need to act now to begin your transformation to quantum-resistant encryption.
The advent of QC will significantly change our perception of computing and have a crucial impact on the way we protect our digital economy using encryption. The technology's applicability is no longer a theory but a reality to be understood, strategized about, and planned for.
Embedding quantum resistance into systems during the process of modernization requires collaboration beyond the scope of a Chief Information Security Officer (CISO) alone. It is a strategic endeavor shaped by leaders throughout the organization, as well as external partners. This comprehensive approach involves the collective input and collaboration of stakeholders from various areas of expertise within and outside the organization.
The advent of QC poses threats to cybersecurity. It's a time to regroup, reassess, and revamp.
Time, value, and resources saved to obtain buy-in from senior leadership team using our research material: 1 FTE * 10 days * $100,000/year = $6,000
Time, value, and resources saved to implement quantum-resistant cryptography using our research guidance: 2 FTEs * 30 days * $100,000/year = $24,000
Estimated cost and time savings from this blueprint: $6,000 + $24,000 = $30,000
The advent of sufficiently powerful quantum computers poses a risk of compromising or weakening traditional forms of asymmetric and symmetric cryptography. To safeguard data security and integrity for critical applications, it is imperative to undertake substantial efforts in migrating an organization's cryptographic systems to post-quantum encryption. The development of quantum-safe cryptography capabilities is crucial in this regard.
Phase 1 - Prepare
Phase 2 - Discover
Phase 3 - Assess
Phase 4 - Prioritize
Phase 5 - Mitigate
The rise of sufficiently powerful quantum computers has the potential to compromise or weaken conventional asymmetric and symmetric cryptography methods. In anticipation of a quantum-safe future, it is essential to prioritize crypto-agility. Consequently, organizations should undertake specific tasks both presently and in the future to adequately prepare for forthcoming quantum threats and the accompanying transformations.
Quantum-resistance preparations must address two different needs:
Reinforce digital transformation initiatives
To thrive in the digital landscape, organizations must strengthen their digital transformation initiatives by embracing emerging technologies and novel business practices. The transition to quantum-safe encryption presents a unique opportunity for transformation, allowing the integration of these capabilities to evolve business transactions and relationships in innovative ways.
Protect data assets in the post-quantum era
Organizations should prioritize supporting remediation efforts aimed at ensuring the quantum safety of existing data assets and services. The implementation of crypto-agility enables organizations to respond promptly to cryptographic vulnerabilities and adapt to future changes in cryptographic standards. This proactive approach is crucial, as the need for quantum-safe measures existed even before the complexities posed by QC emerged.
Preparation for the post-quantum world has been recommended by the US government and other national bodies since 2016.
In 2016, NIST, the National Security Agency (NSA), and Central Security Service stated in their Commercial National Security Algorithm Suite and QC FAQ: "NSA believes the time is now right [to start preparing for the post-quantum world] — consistent with advances in quantum computing."
Source: Cloud Security Alliance, 2021
Preparing for quantum-resistant cryptography goes beyond simply acquiring knowledge and conducting experiments in QC. It is vital for senior management to receive comprehensive guidance on the challenges, risks, and potential mitigations associated with the post-quantum landscape. Quantum and post-quantum education should be tailored to individuals based on their specific roles and the impact of post-quantum mitigations on their responsibilities. This customized approach ensures that individuals are equipped with the necessary knowledge and skills relevant to their respective roles.
Embedding quantum resistance into systems during the process of modernization requires collaboration beyond the scope of a CISO alone. It is a strategic endeavor shaped by leaders throughout the organization, as well as external partners. This comprehensive approach involves the collective input and collaboration of stakeholders from various areas of expertise within and outside the organization.
During the discovery phase, it is crucial to locate and identify any critical data and devices that may require post-quantum protection. This step enables organizations to understand the algorithms in use and their specific locations. By conducting this thorough assessment, organizations gain valuable insights into their existing infrastructure and cryptographic systems, facilitating the implementation of appropriate post-quantum security measures.
Quantum risk assessment entails evaluating the potential consequences of QC on existing security measures and devising strategies to mitigate these risks. This process involves analyzing the susceptibility of current systems to attacks by quantum computers and identifying robust security measures that can withstand QC threats.
By identifying the security gaps that will arise with the advent of QC, organizations can gain insight into the substantial vulnerabilities that core business operations will face when QC becomes a prevalent reality. This proactive understanding enables organizations to prepare and implement appropriate measures to address these vulnerabilities in a timely manner.
Organizations need to prioritize the mitigation initiatives based on various factors such as business value, level of security risk, and the effort needed to implement the mitigation controls. In the diagram below, the size of the circle reflects the degree of effort. The bigger the size, the more effort is needed.

Source: Hyperion Research, 2022
Hyperion's survey found that the range of expected budget varies widely.
To safeguard against cybersecurity risks and threats posed by powerful quantum computers, organizations need to adopt a robust defense-in-depth approach. This entails implementing a combination of well-defined policies, effective technical defenses, and comprehensive education initiatives. Organizations may need to consider implementing new cryptographic algorithms or upgrading existing protocols to incorporate post-quantum encryption methods. The selection and deployment of these measures should be cost-justified and tailored to meet the specific needs and risk profiles of each organization.
Implement solid governance mechanisms to promote visibility and to help ensure consistency
Each type of quantum threat can be mitigated using one or more known defenses.
Adib Ghubril
Executive Advisor, Executive Services
Info-Tech Research Group
Erik Avakian
Technical Counselor
Info-Tech Research Group
Alaisdar Graham
Executive Counselor
Info-Tech Research Group
Carlos Rivera
Principal Research Advisor
Info-Tech Research Group
Hendra Hendrawan
Technical Counselor
Info-Tech Research Group
Fritz Jean-Louis
Principal Cybersecurity Advisor
Info-Tech Research Group
117th Congress (2021-2022). H.R.7535 - Quantum Computing Cybersecurity Preparedness Act. congress.gov, 21 Dec 2022.
Arute, Frank, et al. Quantum supremacy using a programmable superconducting processor. Nature, 23 Oct 2019.
Bernhardt, Chris. Quantum Computing for Everyone. The MIT Press, 2019.
Sorensen, Bob. Quantum Computing Early Adopters: Strong Prospects For Future QC Use Case Impact. Hyperion Research, Nov 2022.
Candelon, François, et al. The U.S., China, and Europe are ramping up a quantum computing arms race. Here's what they'll need to do to win. Fortune, 2 Sept 2022.
Curioni, Alessandro. How quantum-safe cryptography will ensure a secure computing future. World Economic Forum, 6 July 2022.
Davis, Mel. Toxic Substance Exposure Requires Record Retention for 30 Years. Alert presented by CalChamber, 18 Feb 2022.
Eddins, Andrew, et al. Doubling the size of quantum simulators by entanglement forging. arXiv, 22 April 2021.
Gambetta, Jay. Expanding the IBM Quantum roadmap to anticipate the future of quantum-centric supercomputing. IBM Research Blog, 10 May 2022.
Golden, Deborah, et al. Solutions for navigating uncertainty and achieving resilience in the quantum era. Deloitte, 2023.
Grimes, Roger, et al. Practical Preparations for the Post-Quantum World. Cloud Security Alliance, 19 Oct 2021.
Harishankar, Ray, et al. Security in the quantum computing era. IBM Institute for Business Value, 2023.
Hayat, Zia. Digital trust: How to unleash the trillion-dollar opportunity for our global economy. World Economic Forum, 17 Aug 2022.
Mateen, Abdul. What is post-quantum cryptography? Educative, 2023.
Moody, Dustin. Let's Get Ready to Rumble—The NIST PQC 'Competition.' NIST, 11 Oct 2022.
Mosca, Michele, Dr. and Dr. Marco Piani. 2021 Quantum Threat Timeline Report. Global Risk Institute, 24 Jan 2022.
Muppidi, Sridhar and Walid Rjaibi. Transitioning to Quantum-Safe Encryption. Security Intelligence, 8 Dec 2022.
Payraudeau, Jean-Stéphane, et al. Digital acceleration: Top technologies driving growth in a time of crisis. IBM Institute for Business Value, Nov 2020.
Quantum-Readiness Working Group (QRWG). Canadian National Quantum-Readiness: Best Practices and Guidelines. Canadian Forum for Digital Infrastructure Resilience (CFDIR), 17 June 2022.
Rotman, David. We're not prepared for the end of Moore's Law. MIT Technology Review, 24 Feb 2020.
Saidi, Susan. Calculating a computing revolution. Roland Berger, 2018.
Shorter, Ted. Why Companies Must Act Now To Prepare For Post-Quantum Cryptography. Forbes.com, 11 Feb 2022.
Sieger, Lucy, et al. The Quantum Decade, Third edition. IBM, 2022.
Sorensen, Bob. Broad Interest in Quantum Computing as a Driver of Commercial Success. Hyperion Research, 17 Nov 2021.
Wise, Jason. How Much Data is Created Every Day in 2022? Earthweb, 22 Sept 2022.
Wright, Lawrence. The Plague Year. The New Yorker, 28 Dec 2020.
Yan, Bao, et al. Factoring integers with sublinear resources on a superconducting quantum processor. arXiv, 23 Dec 2022.
Zhong, Han-Sen, et al. Quantum computational advantage using photons. science.org, 3 Dec 2020.
Passwordless is the right direction even if it’s not your final destination.
Back in 2004 we were promised "the end of passwords" – why, then, are we still struggling with them today?
Users have been burdened with unrealistic expectations when it comes to their part in maintaining enterprise security. Given the massive rise in the threat landscape, it is time for Infrastructure to adopt a user-experience-based approach if we want to move the needle on improving security posture.
"If you buy the premise…you buy the bit."
Johnny Carson
Build the case, both to business stakeholders and end users, that "password" is not a synonym for "security."
Be ready for some objection handling!
"There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don't meet the challenge for anything you really want to secure."
Bill Gates
A massive worm attack against ARPANET prompted the initial research into password strength
Password strength can be expressed as a function of randomness or entropy. The greater the entropy, the harder it is for an attacker to guess the password.

Table: Modern password security for users
Ian Maddox and Kyle Moschetto, Google Cloud Solutions Architects
From this research, increasing password complexity (length, special characters, etc.) became the "best practice" to secure critical systems.

Image courtesy of Randall Munroe XKCD Comics (CC BY-NC 2.5)
It turns out, however, that humans are really bad at remembering complex passwords.
An Intel study (2016) suggested that the average enterprise employee needed to remember 27 passwords. A more recent study from LastPass puts that number closer to 191.
Over the course of a single year, researchers at the University of California, Berkeley identified and tracked nearly 2 billion compromised credentials.
3.8 million were obtained via social engineering, another 788K from keyloggers. That's approx. 250,000 clear text credentials harvested every week!
The entirety of the password ecosystem has significant vulnerabilities in multiple areas:
Even the 36M encrypted credentials compromised every week are just going to be stored and cracked later.
Source: Google, University of California, Berkeley, International Computer Science Institute
Image courtesy of NVIDIA, NVIDIA Grace
Image: IBM Quantum System One (CES 2020) by IBM Research is licensed under CC BY-ND 2.0
"Give me a place to stand, and a lever long enough, and I will move the world."
Archimedes
Chances are you are already paying for one or more of these technologies from a current vendor:
Global Market of $12.8B
~16.7% CAGR
Source: Report Linker, 2022.
Passwordless technologies focus on alternate authentication factors to supplement or replace shared secrets.
Something you know
Shared secrets have well-known significant modern-day problems, but only when used in isolation. For end users, consider time-limited single use options, password managers, rate-limited login attempts, and reset rather than retrieval requests. On the system side, never forget strong cryptographic hashing along with a side of salt and pepper when storing passwords.
Something you have
A token (now known as a cryptographic identification device) such as a pass card, fob, smartphone, or USB key that is expected to be physically under the control of the user and is uniquely identifiable by the system. Easily decoupled in the event the token is lost, but potentially expensive and time-consuming to reprovision.
Something you are or do
Commonly referred to as biometrics, there are two primary classes. The first is measurable physical characteristics of the user such as a fingerprint, facial image, or retinal scan. The second class is a series of behavioral traits such as expected location, time of day, or device. These traits can be linked together in a conditional access policy. Unlike other authentication factors, biometrics DO NOT provide for exact matches and instead rely on a confidence interval. A balance must be struck against the user experience of false negatives and the security risk of a false positive.
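The system-side advice under "Something you know" (strong hashing with salt and pepper, plus rate-limited login attempts), as an added Python example that is not from the original page. The scrypt parameters, the record layout, and the names `hash_password`, `verify_password`, `LoginThrottle`, and `login` are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Assumed cost parameters for this example; tune N/r/p to your own hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2**14, 8, 1, 32
MAXMEM = 64 * 1024 * 1024  # memory ceiling; also rejects tampered records with huge N


def _derive(password, salt, pepper, n, r, p):
    # Pepper: a server-side secret kept outside the credential database, mixed in
    # with HMAC so a database dump alone is not enough to start offline guessing.
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    # Salt: unique per record, so identical passwords yield different hashes
    # and precomputed tables are useless.
    return hashlib.scrypt(peppered, salt=salt, n=n, r=r, p=p, dklen=DKLEN, maxmem=MAXMEM)


def hash_password(password, pepper):
    """Return a self-describing record: scrypt$N$r$p$salt$hash (base64 fields)."""
    salt = secrets.token_bytes(16)
    digest = _derive(password, salt, pepper, SCRYPT_N, SCRYPT_R, SCRYPT_P)
    enc = lambda b: base64.b64encode(b).decode("ascii")
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${enc(salt)}${enc(digest)}"


def verify_password(password, record, pepper):
    """Recompute the hash from the stored parameters; malformed records fail closed."""
    try:
        scheme, n, r, p, salt_b64, digest_b64 = record.split("$")
        if scheme != "scrypt":
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        candidate = _derive(password, salt, pepper, int(n), int(r), int(p))
    except (ValueError, TypeError, OverflowError):
        return False
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, expected)


class LoginThrottle:
    """Allow at most `limit` failed attempts per account within `window` seconds."""

    def __init__(self, limit=5, window=300.0):
        self.limit, self.window = limit, window
        self._failures = {}

    def allowed(self, account, now):
        recent = [t for t in self._failures.get(account, []) if now - t < self.window]
        self._failures[account] = recent
        return len(recent) < self.limit

    def record_failure(self, account, now):
        self._failures.setdefault(account, []).append(now)


def login(account, password, store, pepper, throttle, now):
    """Return 'ok', 'denied', or 'throttled'. The throttle is checked before hashing."""
    if not throttle.allowed(account, now):
        return "throttled"
    record = store.get(account)
    if record is None or not verify_password(password, record, pepper):
        throttle.record_failure(account, now)
        return "denied"
    return "ok"


if __name__ == "__main__":
    # Constructed sample data; in practice the pepper comes from a secrets manager.
    pepper = secrets.token_bytes(32)
    store = {"alice": hash_password("correct horse battery staple", pepper)}
    throttle = LoginThrottle(limit=3, window=60.0)
    guesses = ["123456", "password", "letmein", "correct horse battery staple"]
    for second, guess in enumerate(guesses):
        print(second, login("alice", guess, store, pepper, throttle, now=float(second)))
```

Because the throttle is checked before any hashing, the fourth attempt is refused even though the password is correct, until the window has passed.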
Does the solution support the full variety of end-user devices you have in use?
Can the solution be configured with your existing single sign-on or central identity broker?
Users already want a better experience than passwords.
What new behavior are you expecting (compelling) from the user?
How often and under what conditions will that behavior occur?
Where are the points of failure in the solution?
Consider technical elements like session thresholds for reauthorization, but also elements like automation and self-service.
Understand the exact responsibilities Infra&Ops have in the event of a system or user failure.
As many solutions are based in the public cloud, manage stakeholder expectations accordingly.
"Move the goalposts…and declare victory."
Informal Fallacy (yet very effective…)
Get the easy wins in the bank and then lay the groundwork for the long campaign ahead.
You're not going to get to a passwordless world overnight. You might not even get there for many years. But an agile approach to the journey ensures you will realize value every step of the way:
"Backup Vs. Archiving: Know the Difference." Open-E. Accessed 05 Mar 2022.Web.
G, Denis. "How to Build Retention Policy." MSP360, Jan 3, 2020. Accessed 10 Mar 2022.
Ipsen, Adam. "Archive Vs. Backup: What's the Difference? A Definition Guide." BackupAssist, 28 Mar 2017. Accessed 04 Mar 2022.
Kang, Soo. "Mitigating the Expense of E-Discovery; Recognizing the Difference Between Back-Ups and Archived Data." Zasio Enterprises, 08 Oct 2015. Accessed 3 Mar 2022.
Mayer, Alex. "The 3-2-1 Backup Rule – An Efficient Data Protection Strategy." Naviko. Accessed 12 Mar 2022.
Steel, Amber. "LastPass Reveals 8 Truths about Passwords in the New Password Exposé." LastPass Blog, 1 Nov. 2017. Web.
"The Global Passwordless Authentication Market Size Is Estimated to Be USD 12.79 Billion in 2021 and Is Predicted to Reach USD 53.64 Billion by 2030 With a CAGR of 16.7% From 2022-2030." Report Linker, 9 June 2022. Web.
"What Is Data-Archiving?" Proofpoint. Accessed 07 Mar 2022.
IT teams have:
Use Info-Tech’s phased approach to diagnose your team and use the IDEA model to drive team effectiveness.
The IDEA model includes four factors to identify team challenges and focus on areas for improvement: identity, decision making, exchanges within the team, and atmosphere of team psychological safety.
The storyboard will walk you through three critical steps to assess, analyze, and build solutions to improve your team’s effectiveness.
Each stage has a deliverable that supports your journey to increased effectiveness, starting with how to communicate the assessment and culminating in a team charter and action plan.
The Facilitation Guide contains instructions for facilitating several activities aligned to each area of the IDEA Model to target your approach directly to your team’s results.
The Action Plan Template captures next steps for the team on what they are committing to in order to build a more effective team.
A Team Charter captures the agreements your team makes with each other in terms of accepted behaviors and how they will communicate, make decisions, and create an environment that everyone feels safe contributing in.
Determine if proceeding is valuable.
Set context for team members.
1.1 Review the business context.
1.2 Identify IT team members to be included.
1.3 Determine goals and objectives.
1.4 Build execution plan and determine messaging.
1.5 Complete IDEA Model assessment.
Execution and communication plan
IDEA Model assessment distributed
Review results to identify areas of strength and opportunity.
As a team, discuss results and determine actions.
2.1 Debrief results with leadership team.
2.2 Share results with team.
2.3 Identify areas of focus.
2.4 Identify IDEA Model activities to support objectives and explore areas of focus.
IDEA assessment results
Selection of specific activities to be facilitated
Review results to identify areas of strength and opportunity.
Build an action plan of solutions to incorporate into team norms.
3.1 Create team charter.
3.2 Determine action plan for improvement.
3.3 Determine metrics.
3.4 Determine frequency of check-ins.
Team Charter
Action Plan
IT often struggles to move from an effective to a high-performing team due to the very nature of their work. They work across multiple disciplines and with multiple stakeholders.
When operating across many disciplines it can become more difficult to identify the connections or points of interactions that define effective teams and separate them from being a working group or focus on their individual performance.
IT employees also work in close partnership with multiple teams outside their IT domain, which can create confusion as to which team they are a primary member of. The tendency is to advocate for or on behalf of the team they primarily work with instead of bringing the IT mindset and alignment to IT roadmap and goals to serve their stakeholders.

Amanda Mathieson
Research Director, People & Leadership Practice
Info-Tech Research Group
The Challenge
Organizations rely on team-based work arrangements to provide organizational benefits and better navigate the volatile, uncertain, complex, and ambiguous (VUCA) operating environment.
This is becoming more challenging in a hybrid environment as interactions now rely less on casual encounters and must become more intentional.
A high-performing team is more than productive. They are more resilient and able to recognize opportunities. They are proactive instead of reactive due to the trust and high level of communication and collaboration.
Common Obstacles
IT teams are more unique, which also provides unique challenges other teams don't experience:
Info-Tech's Approach
Use Info-Tech's phased approach to diagnose your team and use the IDEA model to drive team effectiveness.
The IDEA model includes four factors to identify team challenges and focus on areas for improvement: identity, decision making, exchanges within the team, and atmosphere of team psychological safety.
Info-Tech Insight
IT teams often fail to reach their full potential because teamwork presents unique challenges and complexities due to the work they do across the organization and within their own group. Silos, not working together, and not sharing knowledge are all statements that indicate a problem. As a leader it's difficult to determine what to do first to navigate the different desires and personalities on a team.
Traditionally, organizations have tried to fix ineffective teams by focusing on these four issues: composition, leadership competencies, individual-level performance, and organizational barriers. While these factors are important, our research has shown it is beneficial to focus on the four factors of effective teams addressed in this blueprint first. Then, if additional improvement is needed, shift your focus to the traditional issue areas.
| 48% | of IT respondents rate their team as low maturity. Maturity is defined by the value they provide the business, ranging from firefighting to innovative partner. Source: Info-Tech Research Group, Tech Trends, 2022 |
|---|---|
| 20 Hours | Data Silos: Teams waste more than 20 hours per month due to poor collaboration and communication. Source: Bloomfire, 2022 |
| | How High-Performing Teams Respond: |
|---|---|
| Volatile: High degree of change happening at a rapid pace, making it difficult for organizations to respond effectively. | Teams are more adaptable to change because they know how to take advantage of each other's diverse skills and experience. |
| Uncertain: All possible outcomes are not known, and we cannot accurately assess the probability of outcomes that are known. | Teams are better able to navigate uncertainty because they know how to work through complex challenges and feel trusted and empowered to change approach when needed. |
| Complex: There are numerous risk factors, making it difficult to get a clear sense of what to do in any given situation. | Teams can reduce complexity by working together to identify and plan to appropriately mitigate risk factors. |
| Ambiguous: There is a lack of clarity with respect to the causes and consequences of events. | Teams can reduce ambiguity through diverse situational knowledge, improving their ability to identify cause and effect. |
Poor Communication
To excel, teams must recognize and adapt to the unique communication styles and preferences of their members.
To find the "just right" amount of communication for your team, communication and collaboration expectations should be set upfront.
85% of tech workers don't feel comfortable speaking in meetings.
Source: Hypercontext, 2022
Decision Making
Decision making is a key component of team effectiveness. Teams are often responsible for decisions without having proper authority.
Establishing a team decision-making process becomes more complicated when appropriate decision-making processes vary according to the level of interdependency between team members and organizational culture.
20% of respondents say their organization excels at decision making.
Source: McKinsey, 2019
Resolving Conflicts
It is common for teams to avoid/ignore conflict – often out of fear. People fail to see how conflict can be healthy for teams if managed properly.
Leaders assume mature adults will resolve conflicts on their own. This is not always the case as people involved in conflicts can lack an objective perspective due to charged emotions.
56% of respondents prioritize restoring harmony in conflict and will push their own needs aside.
Source: Niagara Institute, 2022
| 3.5x | Having a shared team goal drives higher engagement. When individuals feel like part of a team working toward a shared goal, they are 3.5x more likely to be engaged. Source: McLean & Company, Employee Engagement Survey, IT respondents, 2023; N=5,427 |
|---|---|
| 90% | Engaged employees are stronger performers with 90% reporting they regularly accomplish more than what is expected. Source: McLean & Company, Employee Engagement Survey, IT respondents, 2023; N=4,363 |
Effective and high-performing teams exchange information freely. They are clear on the purpose and goals of the organization, which enable empowerment.
Clear decision-making processes allow employees to focus on getting the work done versus navigating the system.
INDUSTRY: Technology
SOURCE: reWork
Google wanted to clearly define what makes a team effective to drive a consistent meaning among its employees. The challenge was to go beyond quantitative measures, because more is not always better (it can just mean more mistakes to fix), and to include the qualitative factors that bring some groups of people together better than others.
There was no pattern in the data it studied so Google stepped back and defined what a team is before embarking on defining effectiveness. There is a clear difference between a work group (a collection of people with little interdependence) and a team that is highly interdependent and relies on each other to share problems and learn from one another. Defining the different meanings took time and Google found that different levels of the organization were defining effectiveness differently.
Google ended up with clear definitions that were co-created by all employees, which helped drive the meaning behind the behaviors. More importantly it was also able to define factors that had no bearing on effectiveness; one of which is very relevant in today's hybrid world – colocation.
It was discovered that teams need to trust, have clarity around goals, have structure, and know the impact their work has.
Teams often lack the skills or knowledge to increase effectiveness and performance.
It's unrealistic to expect struggling teams to improve without outside help; if they were able to, they would have already done so.
To improve, teams require:
BUT these are the very things they are lacking when they're struggling.

Begin by assessing, recognizing, and addressing challenges in:
Effective Team
“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”
“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”
“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”
“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”
| Phase 1: Assess the team | Phase 2: Review results and action plan | Phase 3: Document and measure |
|---|---|---|
| Call #1: Scope requirements, objectives, and your specific challenges. | Call #3: Review the assessment results and plan next steps. | Call #6: Build out your team agreement. |
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is 6 to 12 calls over the course of 4 to 6 months.
Contact your account representative for more information.
| | Day 1 | Day 2 | Day 3 | Day 4 |
|---|---|---|---|---|
| | Determine objectives and assess | Review survey results | Determine and conduct activities to increase effectiveness | Bridge the gap and |
| Activities | With Leader – 1 hour | 2.1 Debrief results with leadership team. | 3.1 Conduct IDEA Model Activities: 3.2 Record outcomes and actions. | 4.1 Create team charter or agreement. |
| Deliverables | | | | |
| Phase 1 | Phase 2 | Phase 3 |
|---|---|---|
| 1.1 Identify team members | 1.1 Review results with team | 1.1 Document outcomes and actions |
In addition to having a clear understanding of the team's goals and objectives, team members must also:
Clear goals enable employees to link their contributions to overall success of the team. Those who feel their contributions are important to the success of the department are two times more likely to feel they are part of a team working toward a shared goal compared to those who don't (McLean & Company, Employee Engagement Survey, IT respondents, 2023; N=4,551).
The goals and objectives of the team are the underlying reason for forming the team in the first place. Without a clear and agreed-upon goal, it is difficult for teams to understand the purpose of their work.
Clear goals support creating clear roles and the contributions required for team success.

Decision making adds to the complexity of teamwork.
Individual team members hold different information and opinions that need to be shared to make good decisions.
Ambiguous decision-making processes can result in team members being unable to continue their work until they get clear direction.
The most appropriate decision-making process depends on the type of team:
| Spectrum of Decision Making | |
|---|---|
| General consensus between all team members. | A single, final decision maker within the team. |
Ensure team members understand how decisions are made within the team. Ask:
Evaluate exchanges within your team using two categories:
These categories are related, but there is not always overlap. While some conflicts involve failures to successfully exchange information, conflict can also occur even when everyone is communicating successfully.
| Communication | Managing Conflict |
|---|---|
| Information, motivations, emotions (transmission and reception) | Accepting and expressing diverse perspectives; resolving conflict (unified action through diverse perspectives) |
| Success is defined in terms of how well information, motivations, and emotions are transmitted and received as intended. | Success is defined in terms of how well the team can move to united action through differences of opinion. Effective teams recognize that conflict can be healthy if managed effectively. |
When selecting a method of communication (for example, in-person versus email), consider how that method will impact the exchange of all three aspects – not just information.
Downplaying the importance of emotional and motivational exchanges and focusing solely on information is very risky since emotional and motivational exchanges can impact human relationships and team psychological safety.
Communication affects the whole team
Effects are not limited to the team members communicating directly:
Remember to watch the reactions and behavior of participants and observers when assessing how the team behaves.
Identify how conflict management is embedded into team practices.
Successfully communicating information, emotions, and motivations is not the same as managing conflict.
Teams that are communicating well are more likely to uncover conflicting perspectives and opinions than teams that are not.
Conflict is healthy and can be an important element of team success if it is managed.
The team should have processes in place to resolve conflicts and move to united action.
A team atmosphere that exists when all members feel confident that team members can do the following without suffering negative interpersonal consequences such as blame, shame, or exclusion:
(Administrative Science Quarterly, 1999;
The New York Times, 2016)
What psychologically safe teams look like:
(Administrative Science Quarterly, 1999;
The New York Times, 2016)
What "team psychological safety" is not:
"Psychological safety refers to an individual's perception of the consequences of taking an interpersonal risk or a belief that a team is safe for risk taking in the face of being seen as ignorant, incompetent, negative, or disruptive… They feel confident that no one on the team will embarrass or punish anyone else for admitting a mistake, asking a question, or offering a new idea."
– re:Work
The impact of psychological safety on team effectiveness
Why does an atmosphere of team psychological safety matter?
Creating psychological safety in a hybrid environment requires a deliberate approach to creating team connectedness.
In the Info-Tech State of Hybrid Work in IT report autonomy and team connectedness present an interesting challenge in that higher levels of autonomy drove higher perceptions of lack of connectedness to the respondent's team. In a hybrid world, this means leaders need to be intentional in creating a safe team dynamic.
47% of employees who experienced more control over their decisions related to where, when, and how they work than before the pandemic are feeling less connected to their teams.
Source: Info-Tech, State of Hybrid Work in IT, 2022
Input
Output
Materials
Participants
Download the IT Team Effectiveness Survey
Download the IT Team Effectiveness Survey Results Tool
Paper-Based Cautions & Considerations
Online Direct Cautions & Considerations
Phase 1 | Phase 2 | Phase 3 |
|---|---|---|
1.1 Identify team members | 1.1 Review results with team | 1.1 Document outcomes and actions |
This phase will walk you through the following activities:
This phase involves the following participants:
Deliverables:
Reviewing assessment results and creating an improvement action plan is best accomplished through a team meeting.
Analyzing and preparing for the team meeting may be done by:
Prioritize one to two factors for improvement by selecting those with:

The flatter the bars are across the top, the more agreement there was. Factors that show significant differences in opinion should be discussed to diagnose what is causing the misalignment within your team.
The alignment chart below shows varied responses; however, there are two distinct patterns. This will be an important area to review.
Things to think about:


Facilitation Factors
Select a third-party facilitator if:
Agenda
Materials
Participants
Work with the team to brainstorm and agree on an action plan of continuous improvements.
By creating an action plan together with the team, there is greater buy-in and commitment to the activities identified within the action plan.
Don't forget to include timelines and task owners in the action plan – it isn't complete without them.
Document final decisions in Info-Tech's Improve IT Team Effectiveness Action Plan Tool.
Review activity Develop Team Charter in the Improve IT Team Effectiveness Facilitation Guide and conclude the team meeting by creating a team charter. With a team charter, teams can better understand:
Facilitation Factors
Encourage and support participation from everyone.
Be sure no one on the team dismisses anyone's thoughts or opinions – they present the opportunity for further discussion and deeper insight.
Watch out for anything said or done during the activities that should be discussed in the activity debrief.
Debrief after each activity, outlining any lessons learned, action items, and next steps.
Agenda
Materials
Participants
This phase will walk you through the following activities:
Building your team charter that will include:
This phase involves the following participants:
As a team it will be important to drive your brainstormed solutions into an output that is co-created.
Set clear expectations for the team's interactions and behaviors.
One contributor to the report shared the effort and intention around maintaining their culture during the pandemic. The team agreement created became a critical tool to enable conversations between leaders and their team – it was not a policy document.
Team effectiveness is driven through thoughtful planned conversations. And it's a continued conversation.

Download the IT Team Charter Template
Baseline metrics will be improved through:
Identify the impact that improved team effectiveness will have on the organization.
Determine your baseline metrics to assess the success of your team interventions and demonstrate the impact to the rest of the organization using pre-determined goals and metrics.
Share success stories through:
| Sample effectiveness improvement goal | Sample Metric |
|---|---|
| Increase employee engagement | |
| Strengthen manager/employee relationships | |
| Reduce employee turnover (i.e. increase retention) | |
| Increase organizational productivity | |
Track the team's progress by reassessing their effectiveness six to twelve months after the initial assessment.
Identify if:
As the team matures, priorities and areas of concern may shift; it is important to regularly reassess team effectiveness to ensure ongoing alignment and suitability.
Note: It is not always necessary to conduct a full formal assessment; once teams become more effective and self-sufficient, informal check-ins by team leads will be sufficient.
If you assess team effectiveness for multiple teams, you have the opportunity to identify trends:
Identifying these trends, initiatives, training, or tactics may be used to improve team effectiveness across the department – or even the organization.
As teams mature, the team lead should become less involved in action planning. However, enabling truly effective teams takes significant time and resources from the team lead.
Use the action plan created and agreed upon during the team meeting to hold teams accountable:
The team coach should have a plan to transition into a supportive role by:
The four factors outlined in the IDEA Model of team effectiveness are very important, but they are not the only things that have a positive or negative impact on teams. If attempts to improve the four factors have not resulted in the desired level of team effectiveness, evaluate other barriers:
For organizational culture, ask if performance and reward programs do the following:
For learning and development, ask:
If an individual team member's or leader's performance is not meeting expectations, potential remedies include a performance improvement plan, reassignment, and termination of employment.
These kinds of interventions are beyond the control of the team itself. In these cases, we recommend you consult with your HR department; HR professionals can be important advocates because they possess the knowledge, influence, and authority in the company to promote changes that support teamwork.
Redesign Your IT Department
Build an IT Employee Engagement Program

Carlene McCubbin
Practice Lead
Info-Tech Research Group

Nick Kozlo
Senior Research Analyst
Info-Tech Research Group

Heather Leier-Murray
Senior Research Analyst
Info-Tech Research Group

Stephen O'Conner
Executive Counselor
Info-Tech Research Group

Jane Kouptsova
Research Director
Info-Tech Research Group

Dr. Julie D. Judd, Ed.D.
Chief Technology Officer
Ventura County Office of Education
Aminov, I., A. DeSmet, and G. Jost. "Decision making in the age of urgency." McKinsey. April 2019. Accessed January 2023.
Duhigg, Charles. "What Google Learned From Its Quest to Build the Perfect Team." The New York Times, 25 Feb. 2016. Accessed January 2023.
Edmondson, Amy. "Psychological Safety and Learning Behavior in Work Teams." Administrative Science Quarterly, vol. 44, no. 2, June 1999, pp. 350-383.
Gardner, Kate. "Julie Judd – Ventura County Office of Education." Toggle, 12 Sept. 2022. Accessed January 2023.
Google People Operations. "Guide: Understand Team Effectiveness." reWork, n.d. Accessed February 2023.
Harkins, Phil. "10 Leadership Techniques for Building High-Performing Teams." Linkage Inc., 2014. Accessed 10 April 2017.
Heath, C. and D. Heath. Decision: How to make better choices in life and work. Random House, 2013, ISBN 9780307361141.
Hill, Jon. "What is an Information Silo and How Can You Avoid It." Bloomfire, 23 March 2022. Accessed January 2023.
"IT Team Management Software for Enhanced Productivity." Freshworks, n.d. Accessed January 2023.
Jackson, Brian. "2022 Tech Trends." Info-Tech Research Group, 2022. Accessed December 2022.
Kahneman, Daniel. Thinking fast and slow. Farrar, Straus and Giroux. 2011.
Kouptsova, J., and A. Mathieson. "State of Hybrid Work in IT." Info-Tech Research Group, 2023. Accessed January 2023.
Mayfield, Clifton, et al. "Psychological Collectivism and Team Effectiveness: Moderating Effects of Trust and Psychological Safety." Journal of Organizational Culture, Communications and Conflict, vol. 20, no. 1, Jan. 2016, pp. 78-94.
Rock, David. "SCARF: A Brain-Based Model for Collaborating With and Influencing Others." NeuroLeadership Journal, 2008. Web.
"The State of High Performing Teams in Tech Hypercontext." Hypercontext. 2022. Accessed November 2022.
Weick, Carl, and Kathleen Sutcliff. Managing the unexpected. John Wiley & Sons, 2007.
"Workplace Conflict Statistics: How we approach conflict at work." The Niagara Institute, August 2022. Accessed December 2022.
It is now 2020 and the GDPR has been in effect for almost 2 years. Many companies thought: been there, done that. And for a while the regulators let some time go by.
The first warnings appeared quickly enough. E.g., in September 2018, the French regulator warned a company that they needed to get the consent of their customers for collecting geolocation-based data.
That same month, an airline was hacked and, on top of the reputational damage and costs to fix the IT systems, it faced the threat of a stiff fine.
Even though we may not have really noticed, fines started being imposed as early as January 2019.
Wrong! The fines are levied in a number of cases. And to make it difficult to estimate, there are guidelines that will shape the decision making process, but no hard and fast rules!
The GDPR is very complex and consists of both articles and associated recitals that you need to be in compliance with. It is as much about the letter as it is about the spirit.
We have a clear view on what most of those cases are.
And more importantly, when you follow our guidelines, you will be well placed to answer any questions by your clients and cooperate with the regulator in a proactive way.
They will never come after me. I'm too small.
And besides, I have my privacy policy and cookie notice in place
Company size has nothing to do with it.
While in the beginning it seemed mostly a game for the big players (for names, you have to contact us), that is just perception.
As early as March 2018 a €10M revenue company was fined around €120,000. 2 days later another company with operating revenues of around €6.2M was fined close to €200.000 for failing to abide by the DSRR stipulations.
Don't know what these are?
Fill out the form below and we'll let you in on the good stuff.
We have over 45 fully detailed
and interconnected process guides
for you to improve your operations
Our practical guides help you to improve your operations
We have hundreds of practical guides, grouped in many processes in our model. You may not need all of them. I suggest you browse within the top-level categories below and choose where to focus your attention. And with Tymans Group's help, you can go one process area at a time.
If you want help deciding, please use the contact options below or click here.
Our research and guides are priced from €299,00
Tymans Group guidance and (online) consulting using both established and forward-looking research and field experience in our management domains.
Get both inputs, all of the Info-tech research (with cashback rebate), and Tymans Group's guidance.
Info-Tech offers a vast knowledge body, workshops, and guided implementations. You can buy Info-Tech memberships here at Tymans Group with cashback, reducing your actual outlay.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Our concise executive brief shows why you should create or refresh your business intelligence (BI) strategy. We'll show you our methodology and the ways we can help you in handling this.
Upon ordering you receive the complete guide with all files zipped.
Understand critical business information and analyze your current business intelligence landscape.
Assess your current maturity level and define the future state.
Create business intelligence focused initiatives for continuous improvement.
Don’t wait until the necessity arises to evaluate your networking in the cloud. Get ahead of the curve and choose the topology that optimizes benefits and supports organizational needs in the present and the future.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
What cloud networking topology should you use? How do you provide access to shared resources in the cloud or hybrid infrastructure? What sits in the hub and what sits in the spoke?
Cloud adoption among organizations increases gradually across both the number of services used and the amount those services are used. However, network builders tend to overlook the vulnerabilities of network topologies, which leads to complications down the road, especially since the structures of cloud network topologies are not all of the same quality. A network design that suits current needs may not be the best solution for the future state of the organization.
Even if on-prem network strategies were retained for ease of migration, it is important to evaluate and identify the cloud network topology that can not only elevate the performance of your infrastructure in the cloud, but also that can make it easier to manage and provision resources.
An "as the need arises" strategy will not work efficiently since changing network designs will change the way data travels within your network, which will then need to be adapted to existing application architectures. This becomes more complicated as the number of services hosted in the cloud grows.
Keep a network strategy in place early on and start designing your infrastructure accordingly. This gives you more control over your networks and eliminates the need for huge changes to your infrastructure down the road.
Nitin Mukesh
Senior Research Analyst, Infrastructure and Operations
Info-Tech Research Group
The organization is planning to move resources to the cloud or devise a networking strategy for their existing cloud infrastructure to harness value from the cloud.
The right topology needs to be selected to deploy network level isolation, design the cloud for management efficiencies, and provide access to shared services in the cloud.
A perennial challenge for infrastructure in the cloud is planning for governance vs. flexibility, which is often overlooked.
The choice of migration method may result in retaining existing networking patterns and only making changes when the need arises.
Networking in the cloud is still new, and organizations new to the cloud may not be aware of the cloud network designs they can consider for their business needs.
Define organizational needs and understand the pros and cons of cloud network topologies to strategize for the networking design.
Consider the layered complexities of addressing the governance vs. flexibility spectrum for your domains when designing your networks.
Don't wait until the necessity arises to evaluate your networking in the cloud. Get ahead of the curve and choose the topology that optimizes benefits and supports organizational needs in the present and future.
Selecting the right topology: Many organizations migrate to the cloud retaining a mesh networking topology from their on-prem design, or they choose to implement the mesh design leveraging peering technologies in the cloud without a strategy in place for when business needs change. While there may be many network topologies for on-prem infrastructure, the network design team may not be aware of the best approach in cloud platforms for their requirements, or a cloud networking strategy may even go overlooked during the migration.
Finding the right cloud networking infrastructure for:
Deciding between governance and flexibility in networking design: In the hub and spoke model, if a domain is in the hub, the greater the governance over it, and if it sits in the spoke, the higher the flexibility. Having a strategy for the most important domains is key. For example, some security belongs in the hub and some security belongs in the spoke. The tradeoff here is if it sits completely in the spoke, you give it a lot of freedom, but it becomes harder to standardize across the organization.
A mesh is a design where virtual private clouds (VPCs) are connected to each other individually creating a mesh network. The network traffic is fast and can be redirected since the nodes in the network are interconnected. There is no hierarchical relationship between the networks, and any two networks can connect with each other directly.
In the cloud, this design can be implemented by setting up peering connections between any two VPCs. These VPCs can also be set up to communicate with each other internally through the cloud service provider's network without having to route the traffic via the internet.
While this topology offers high redundancy, the number of connections grows tremendously as more networks are added, making it harder to scale a network using a mesh topology.
Mesh Network on AWS
Source: AWS, 2018
| Number of virtual networks | 10 | 20 | 50 | 100 |
|---|---|---|---|---|
| Peering links required [(n-1)*n]/2 | 45 | 190 | 1225 | 4950 |
Proportional relationship of virtual networks to required peering links in a mesh topology
INDUSTRY: Blockchain
SOURCE: Microsoft
An organization with four members wants to deploy a blockchain in the cloud, with each member running their own virtual network. With only four members on the team, a mesh network can be created in the cloud with each of their networks being connected to each other, adding up to a total of 12 peering connections (four members with three connections each). While the members may all be using different cloud accounts, setting up connections between them will still be possible.
The organization wants to expand to 15 members within the next year, with each new member being connected with their separate virtual networks. Once grown, the organization will have a total of 210 peering connections since each of the virtual networks will then need 14 peering connections. While this may still be possible to deploy, the number of connections makes it harder to manage and would be that much more difficult to deploy if the organization grows to even 30 or 40 members. The new scale of virtual connections calls for an alternative networking strategy that cloud providers offer – the hub and spoke topology.
Source: Microsoft, 2017
In hub and spoke network design, each network is connected to a central network that facilitates intercommunication between the networks. The central network, also called the hub, can be used by multiple workloads/servers/services for hosting services and for managing external connectivity. Other networks connected to the hub through network peering are called spokes and host workloads.
Communications between the workloads/servers/services on spokes pass in or out of the hub where they are inspected and routed. The spokes can also be centrally managed from the hub with IT rules and processes.
A hub and spoke design enables a larger number of virtual networks to be interconnected as each network only needs one peered connection (to the hub) to be able to communicate with any other network in the system.
While there are plenty of benefits to using this topology, there are still a few notable disadvantages with the design.
The total number of peered connections required might be lower than mesh, but the cost of running independent projects is cheaper on mesh as point-to-point data transfers are cheaper.
With global organizations, implementing a single monolithic hub network for network ingress and egress will slow down access to cloud services that users will require. A distributed network will ramp up the speeds for its users to access these services.
Connectivity between the spokes can fail if the hub site dies or faces major disruptions. While there are redundancy plans for cloud networks, it will be an additional cost to plan and build an environment for it.
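The link counts, the hub inspection path, and the hub-failure disadvantage described above can be checked with a small graph model. This is an added example, not part of the Info-Tech material; the network names are constructed, and it assumes the hub forwards traffic between spokes as the text describes.

```python
from collections import deque
from itertools import combinations


def mesh(networks):
    """Full mesh: every pair of virtual networks is peered directly."""
    return {frozenset(pair) for pair in combinations(networks, 2)}


def hub_and_spoke(hub, spokes):
    """Each spoke has exactly one peering link, to the hub."""
    return {frozenset((hub, spoke)) for spoke in spokes}


def link_count(links):
    """Number of peering links, the [(n-1)*n]/2 figure for a full mesh."""
    return len(links)


def per_network_connections(links):
    """Count each link once per endpoint, the way the blockchain case
    study counts (four members with three connections each = 12)."""
    return 2 * len(links)


def shortest_path(links, src, dst, failed=frozenset()):
    """Breadth-first search over peering links, skipping failed networks.
    Returns the list of networks traversed, or None if unreachable."""
    if src in failed or dst in failed:
        return None
    adjacency = {}
    for link in links:
        a, b = tuple(link)
        if a in failed or b in failed:
            continue
        adjacency.setdefault(a, set()).add(b)
        adjacency.setdefault(b, set()).add(a)
    previous = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = previous[node]
            return path[::-1]
        for neighbour in sorted(adjacency.get(node, ())):
            if neighbour not in previous:
                previous[neighbour] = node
                queue.append(neighbour)
    return None


def inspected_by_hub(path, hub):
    """True when traffic on this path transits the hub, where it can be
    inspected and routed centrally."""
    return path is not None and hub in path[1:-1]


def unreachable_pairs(links, networks, failed=frozenset()):
    """Pairs of surviving networks that can no longer reach each other."""
    alive = [n for n in networks if n not in failed]
    return [(a, b) for a, b in combinations(alive, 2)
            if shortest_path(links, a, b, failed) is None]


if __name__ == "__main__":
    # Constructed network names for illustration.
    def names(n):
        return [f"vnet{i}" for i in range(n)]

    for n in (10, 20, 50, 100):
        print(n, "networks:", link_count(mesh(names(n))), "mesh links,",
              link_count(hub_and_spoke("hub", names(n))), "hub-and-spoke links")

    spokes = names(4)
    topology = hub_and_spoke("hub", spokes)
    path = shortest_path(topology, "vnet0", "vnet3")
    print("spoke-to-spoke path:", path,
          "inspected at hub:", inspected_by_hub(path, "hub"))

    # Hub outage: every spoke pair loses connectivity; a mesh of the
    # same size survives the loss of any single network.
    print("pairs cut off by hub failure:",
          len(unreachable_pairs(topology, ["hub"] + spokes, failed={"hub"})))
    print("pairs cut off in mesh when vnet0 fails:",
          len(unreachable_pairs(mesh(names(5)), names(5), failed={"vnet0"})))
```
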
Providing access to shared services: Hub and spoke can be used to give workloads that are deployed on different networks access to shared services by placing the shared service in the hub. For example, DNS servers can be placed in the hub network, and production or host networks can be connected to the hub to access it, or if the central network is set up to host Active Directory services, then servers in other networks can act as spokes and have full access to the central VPC to send requests. This is also a great way to separate workloads that do not need to communicate with each other but all need access to the same services.
Adding new locations: An expanding organization that needs to add additional global or domestic locations can leverage hub and spoke to connect new network locations to the main system without the need for multiple connections.
Cost savings: Apart from having fewer connections than mesh that can save costs in the cloud, hub and spoke can also be used to centralize services such as DNS and NAT to be managed in one location rather than having to individually deploy in each network. This can bring down management efforts and costs considerably.
Centralized security: Enterprises can deploy a center of excellence on the hub for security, and the spokes connected to it can leverage a higher level of security and increase resilience. It will also be easier to control and manage network policies and networking resources from the hub.
Network management: Since each spoke is peered only once to the hub, detecting connectivity problems or other network issues is made simpler in hub and spoke than on mesh. A network manager deployed on the cloud can give access to network problems faster than on other topologies.
The advantages of using a hub and spoke model far exceed those of using a mesh topology in the cloud and go to show why most organizations ultimately end up using the hub and spoke as their networking strategy.
However, organizations, especially large ones, are complex entities, and choosing only one model may not serve all business needs. In such cases, a hybrid approach may be the best strategy. The following slides will demonstrate the advantages and use cases for mesh, however limited they might be.
An organization can have multiple network topologies where system X is a mesh and system Y is a hub and spoke. A shared system Z can be a part of both systems depending on the needs.
An organization can have multiple networks interconnected in a mesh and some of the networks in the mesh can be a hub for a hub-spoke network. For example, a business unit that works on data analysis can deploy their services in a spoke that is connected to a central hub that can host shared services such as Active Directory or NAT. The central hub can then be connected to a regional on-prem network where data and other shared services can be hosted.
| Benefits Of Mesh | Use Cases For Mesh |
|---|---|
| Security: Setting up a peering connection between two VPCs comes with the benefit of improving security since the connection can be private between the networks and can isolate public traffic from the internet. The traffic between the networks never has to leave the cloud provider's network, which helps reduce a class of risks. Reduced network costs: Since the peered networks communicate internally through the cloud's internal networks, the data transfer costs are typically cheaper than over the public internet. Communication speed: Improved network latency is a key benefit from using mesh because the peered traffic does not have to go over the public internet but rather the internal network. The network traffic between the connections can also be quickly redirected as needed. Higher flexibility for backend services: Mesh networks can be desirable for back-end services if egress traffic needs to be blocked to the public internet from the deployed services/servers. This also helps avoid having to set up public IP or network address translation (NAT) configurations. | Connecting two or more networks for full access to resources: For example, consider an organization that has separate networks for each department, which don't all need to communicate with each other. Here, a peering network can be set up only between the networks that need to communicate with full or partial access to each other such as finance to HR or accounting to IT. Specific security or compliance need: Mesh or VPC peering can also come in handy to serve specific security needs or logging needs that require using a network to connect to other networks directly and in private. For example, global organizations that face regulatory requirements of storing or transferring data domestically with private connections. Systems with very few networks that do not need internet access: Workloads deployed in networks that need to communicate with each other but do not require internet access or network address translation (NAT) can be connected using mesh especially when there are security reasons to keep them from being connected to the main system, e.g. backend services such as testing environments, labs, or sandboxes can leverage this design. |
The complexities of designing an organization's networks grow with the organization as it becomes global and takes on more services and lines of business. Organizations that choose to deploy the hub and spoke model face a dilemma in choosing between governance and flexibility for their networks. Organizations need to find that sweet spot to find the right balance between how much they want to govern their systems, mainly for security- and cost-monitoring, and how much flexibility they want to provide for innovation and other operations, since the two usually tend to have an inverse relationship.
This decision in hub and spoke usually means that the domains chosen for higher governance must be placed in the hub network, and the domains that need more flexibility in a spoke. The key variables in the following slide will help determine the placement of the domain and will depend entirely on the organization's context.
The two networking patterns in the cloud have layered complexities that need to be systematically addressed.
If a network has more flexibility in all or most of these domains, it may be a good candidate for a spoke-heavy design; otherwise, it may be better designed in a hub-centric pattern.
Resources that are shared between multiple projects or departments or even by the entire organization should be hosted on the hub network to simplify sharing these services. For example, e-learning applications that may be used by multiple business units to train their teams, Active Directory accessed by most teams, or even SaaS platforms such as O365 and Salesforce can leverage buying power and drive down the costs for the organization. Shared services should also be standardized across the organization and for that, they need to have high governance.
Services that are an individual need for a network and have no preexisting relationship with other networks or buying power and scale can be hosted in a spoke network. For example, specialized accounting software used exclusively by the accounting team or design software used by a single team. Although the services are still a part of the wider network, it helps separate duties from the shared services network and provides flexibility to the teams to customize and manage their services to suit their individual needs.
Network connections, be they in the cloud or hybrid-cloud, are used by everyone to either connect to the internet, access cloud services, or access the organization's data center. Since this is a shared service, a centralized networking account must be placed in the hub for greater governance. Interactions between the spokes in a hub and spoke model happen through the hub, and providing internet access to the spokes through the hub can help leverage cost benefits in the cloud. The network account will perform routing duties between the spokes, on-prem assets, and egress out to the internet.
For example, NAT gateways in the cloud that are managed services are usually charged by the hour, and deploying NAT on each spoke can be harder to manage and expensive to maintain. A NAT gateway deployed in a central networking hub can be accessed by all spokes, so centralizing it is a great option.
Note that, in some cases, when using edge locations for data transfers, it may be cost effective to deploy a NAT in the spoke, but such cases usually do not apply to most organizational units.
A centralized network hub can also be useful to configure network policies and network resources while organizational departments can configure non-network resources, which helps separate responsibilities for all the spokes in the system. For example, subnets and routes can be controlled from the central network hub to ensure standardized network policies across the network.
While there needs to be security in the hub and the spokes individually, finding the balance of operation can make the systems more robust. Hub and spoke design can be an effective tool for security when a principal security hub is hosted in the hub network. The central security hub can collect data from the spokes as well as non-spoke sources such as regulatory bodies and threat intelligence providers, and then share the information with the spokes.
Threat information sharing is a major benefit of using this design, and the hub can take actions to analyze and enrich the data before sharing it with spokes. Shared services such as threat intelligence platforms (TIP) can also benefit from being centralized when stationed in the hub. A collective defense approach between the hub and spoke can be very successful in addressing sophisticated threats.
Compliance and regulatory requirements such as HIPAA can also be placed in the hub, and the spokes connected to it can make use of it instead of having to deploy it in each spoke individually.
The governance vs. flexibility paradigm usually decides the placement of cloud metering, i.e. if the organization wants higher control over cloud costs, it should be in the central hub, whereas if it prioritizes innovation, the spokes should be allowed to control it. Regardless of the placement of the domain, the costs can be monitored from the central hub using cloud-native monitoring tools such as Azure Monitor or any third-party software deployed in the hub.
For ease of governance and since resources are usually shared at a project level, most cloud service providers suggest that an individual metering service be placed in the spokes. The centralized billing system of the organization, however, can make use of scale and reserved instances to drive down the costs that the spokes can take advantage of. For example, billing and access control resources are placed in the lower levels in GCP to enable users to set up projects and perform their tasks. These billing systems in the lower levels are then controlled by a centralized billing system to decide who pays for the resources provisioned.

Borschel, Brett. "Azure Hub Spoke Virtual Network Design Best Practices." Acendri Solutions, 13 Jan. 2022. Web.
Singh, Garvit. "Amazon Virtual Private Cloud Connectivity Options." AWS, January 2018. Web.
"What Is the Hub and Spoke Information Sharing Model?" Cyware, 16 Aug. 2021. Web.
Youseff, Lamia. "Mesh and Hub-and-Spoke Networks on Azure." Microsoft, Dec. 2017. Web.
IT communications are often considered ineffective. This is demonstrated by:
Communications is a responsibility of all members of IT. This is demonstrated through:
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
This capstone blueprint highlights the components, best practices, and importance of good communication for all IT employees.
IT town halls must deliver value to employees, or they will withdraw and miss key messages. To engage employees, use well-crafted communications in an event that includes crowd-sourced contents, peer involvement, recognition, significant Q&A time allotment, organizational discussions, and goal alignment.
This template provides a framework to build your own IT Year In Review presentation. An IT Year In Review presentation typically covers the major accomplishments, challenges, and initiatives of an organization's information technology (IT) department over the past year.
Brittany Lutes
Research Director
Info-Tech Research Group
Diana MacPherson
Senior Research Analyst
Info-Tech Research Group
IT rarely engages in proper communications. We speak at, inform, or tell our audience what we believe to be important. But true communications seldom take place.
Communications only occur when channels are created to ensure the continuous opportunity to obtain two-way feedback. It is a skill that is developed over time, with no individual having an innate ability to be better at communications. Each person in IT needs to work toward developing their personal communications style. The problem is we rarely invest in development or training related to communications. Information and technology fields spend time and money developing hard skills within IT, not soft ones.
The benefits associated with communications are immense: higher business satisfaction, funding for IT initiatives, increased employee engagement, better IT to business alignment, and the general ability to form ongoing partnerships with stakeholders. So, for IT departments looking to obtain these benefits through true communications, develop the necessary skills.
| Your Challenge | Common Obstacles | Info-Tech’s Approach |
|---|---|---|
| IT communications are often considered ineffective. This is demonstrated by: | Frequently, these barriers have prevented IT communications from being effective: | Communications is a responsibility of all members of IT. This is demonstrated through: |
Info-Tech Insight
No one is born a good communicator. Every IT employee needs to spend the time and effort to grow their communication skills as constant change and worsening IT crises mean that IT cannot afford to communicate poorly anymore.
The bottom line? For every 10% increase in communications, there is an 8.6% increase in overall IT satisfaction. Therefore, when IT communicates with the organization, stakeholders are more likely to be satisfied with IT overall.
Info-Tech Diagnostic Programs, N=330 organizations
IT struggles to communicate effectively with the organization:
Effective IT communications are rare:
53% of CXOs believe poor communication between business and IT is a barrier to innovation.
Source: Info-Tech CEO-CIO Alignment Survey, 2022
“69% of those in management positions don’t feel comfortable even communicating with their staff.”
Source: TeamStage, 2022
The Info-Tech difference:
Communicating Up to Board or Executives
Communicating Across the Organization
Communicating Within IT
Overarching insight
IT cannot afford to communicate poorly given the overwhelming impact and frequency of change related to technology. Learn to communicate well or get out of the way of someone who can.
| Insight 1: The skills needed to communicate effectively as a frontline employee or a CIO are the same. It’s important to begin the development of these skills from the beginning of one’s career. |
| Insight 2: Time is a non-renewable resource. Any communication needs to be considered valuable and engaging by the audience or they will be unforgiving. |
| Insight 3: Don’t make data your star. It is a supporting character. People can argue about the collection methods or interpretation of the data, but they cannot argue the story you share. |
| Insight 4: Measure if the communication is being received and resulting in the desired outcome. If not, modify what and how the message is being expressed. |
| Insight 5: Messages are also non-verbal. Practice using your voice and body to set the right tone and impact your audience. |
Two-Way
Incorporate feedback loops into your communication efforts. Providing stakeholders with the opportunity to voice their opinions and ideas will help gain their commitment and buy-in.
Timely
Frequent communications mitigate rumors and the spread of misinformation. Provide warning before the implementation of any changes whenever possible. Communicate as soon as possible after decisions have been made.
Consistent
Make sure the messaging is consistent across departments, mediums, and presenters. Provide managers with key phrases to support the consistency of messages.
Open & Honest
Transparency is a critical component of communication. Always tell employees that you will share information as soon as you can. This may not be as soon as you receive the information but as soon as sharing it is acceptable.
Authentic
Write messages in a way that embodies the personality of the organization. Don’t spin information; position it within the wider organizational context.
Targeted
Use your target audience profiles to determine which audiences need to consume which messages and what mediums should be employed.
IT needs to communicate well because:
“Poor communication results in employee misunderstanding and errors that cost approximately $37 billion.”
– Intranet Connections, 2019
What makes internal communications effective?
To be effective, internal communications must be strategic. They should directly support organizational objectives, reinforce key messages to make sure they drive action, and facilitate two-way dialogue, not just one-way messaging.
Methods to determine effectiveness:
“‘Effectiveness’ can mean different things, and effectiveness for your project is going to look different than it would for any other project.”
– Gale McCreary in WikiHow, 2022
Keep in mind:
| 1 | 2 | 3 |
|---|---|---|
| Priorities Differ | Words Matter | The Power of Three |
| What’s important to you as CIO is very different from what is important to a board or executive leadership team or even the individual members of these groups. Share only what is important or relevant to the stakeholder(s). | Simplify the message into common language whenever possible. A good test is to ensure that someone without any technical background could understand the message. | Keep every slide to three points with no more than three words. You are the one to translate this information into a worthwhile story to share. |
“Today’s CIOs have a story to tell. They must change the old narrative and describe the art of the (newly) possible. A great leader rises to the occasion and shares a vision that inspires the entire organization.”
– Dan Roberts, CIO, 2019
DEFINING INSIGHT
Stop presenting what is important to you as the CIO and present to the board what is important to them.
Why does IT need to communicate with the board?
FRAMEWORK
CHECKLIST
Do’s & Don’ts of Communicating Board Presentations:
Do: Ensure you know all the members of the board and their strengths/areas of focus.
Do: Ensure the IT objectives and initiatives align to the business objectives.
Do: Avoid using any technical jargon.
Do: Limit the amount of data you are using to present information. If it can’t stand alone, it isn’t a strong enough data point.
Do: Avoid providing IT service metrics or other operational statistics.
Do: Demonstrate how the organization’s revenue is impacted by IT activities.
Do: Tell a story that is compelling and exciting.
OUTCOME
Organization Alignment
Stakeholder Buy-In
Awareness on Technology Trends
Risks
DEFINING INSIGHT
Business leaders care about themselves and their goals – present ideas and initiatives that lean into this self-interest.
Why does IT need to communicate business updates?
FRAMEWORK
CHECKLIST
Do’s & Don’ts of Communicating Business Updates:
Do: Ensure IT is given sufficient time to present with the rest of the business leaders.
Do: Ensure the goals of IT are clear and can be depicted visually.
Do: Tie every IT goal to the objectives of different business leaders.
Do: Avoid using any technical jargon.
Do: Reinforce the positive benefits business leaders can expect.
Do: Avoid providing IT service metrics or other operational statistics.
Do: Demonstrate how IT is driving the digital transformation of the organization.
OUTCOME
Better Reputation
Executive Buy-In
Digital Transformation
Relationship Building
| 1 | 2 | 3 |
|---|---|---|
| Competing to Be Heard | Measure Impact | Enhance the IT Brand |
| IT messages are often competing with a variety of other communications simultaneously taking place in the organization. Avoid the information-overload paradox by communicating necessary, timely, and relevant information. | Don’t underestimate the benefit of qualitative feedback that comes from talking to people within the organization. Ensure they read/heard and absorbed the communication. | IT might be a business enabler, but if it is never communicated as such to the organization, it will only be seen as a support function. Use purposeful communications to change the IT narrative. |
Less than 50% of internal communications lean on a proper framework to support their communication activities.
– Philip Nunn, iabc, 2020
DEFINING INSIGHT
IT leaders struggle to communicate how the IT strategy is aligned to the overall business objectives using a common language understood by all.
Why does IT need to communicate its strategic objectives?
FRAMEWORK
CHECKLIST
Do’s & Don’ts of Communicating IT Strategic Objectives:
Do: Ensure all IT leaders are aware of and understand the objectives in the IT strategy.
Do: Ensure there is a visual representation of IT’s goals.
Do: Ensure the IT objectives and initiatives align to the business objectives.
Do: Avoid using any technical jargon.
Do: Provide metrics if they are relevant, timely, and immediately understandable.
Do: Avoid providing IT service metrics or other operational statistics.
Do: Demonstrate how the future of the organization will benefit from IT initiatives.
OUTCOME
Organization Alignment
Stakeholder Buy-In
Role Clarity
Demonstrate Growth
DEFINING INSIGHT
A crisis communication should fit onto a sticky note. If it’s not clear, concise, and reassuring, it won’t be effectively understood by the audience.
Why does IT need to communicate when a crisis occurs?
FRAMEWORK
CHECKLIST
Do’s & Don’ts of Communicating During a Crisis:
Do: Provide timely and regular updates about the crisis to all stakeholders.
Do: Involve the Board or ELT immediately for transparency.
Do: Avoid providing too much information in a crisis communication.
Do: Have crisis communication statements ready to be shared at any time for possible or common IT crises.
Do: Highlight that employee safety and wellbeing is top priority.
Do: Work with members of the public relations team to prepare any external communications that might be required.
OUTCOME
Ready to Act
Reduce Fears
Maintain Trust
Eliminate Negative Reactions
Keep in mind:
| 1 | 2 | 3 |
|---|---|---|
| Training for All | Listening Is Critical | Reinforce Collaboration |
| From the service desk technician to CIO, every person within IT needs to have a basic ability to communicate. Invest in the training necessary to develop this skill set. | It seems simple, but as humans we do an innately poor job at listening to others. It’s important you hear employee concerns, feedback, and recommendations, enabling the two-way aspect of communication. | IT employees will reflect the types of communications they see. If IT leaders and managers cannot collaborate together, then teams will also struggle, leading to productivity and quality losses. |
“IT professionals who […] enroll in communications training have a chance to both upgrade their professional capabilities and set themselves apart in a crowded field of technology specialists.”
– Mark Schlesinger, Forbes, 2021
DEFINING INSIGHT
Depending on IT goals, the structure might need to change to support better communication among IT employees.
Why does IT need to communicate IT activities?
FRAMEWORK
CHECKLIST
Do’s & Don’ts of Communicating IT Activities:
Do: Provide metrics that define how success of the project will be measured.
Do: Demonstrate how each project aligns to the overarching objectives of the organization.
Do: Avoid having large meetings that include stakeholders from two or more projects.
Do: Consistently create a safe space for employees to communicate risks related to the project(s).
Do: Ensure the right tools are being leveraged for in-office, hybrid, and virtual environments to support project collaboration.
Do: Leverage a project management software to reduce unnecessary communications.
OUTCOME
Stakeholder Adoption
Resource Allocation
Meet Responsibly
Encourage Engagement
DEFINING INSIGHT
Employees are looking for empathy to be demonstrated by those they are interacting with, from their peers to managers. Yet, we rarely provide it.
Why does IT need to communicate regularly with itself?
FRAMEWORK
CHECKLIST
Do’s & Don’ts of Communicating within IT:
Do: Have responses for likely questions prepared and ready to go.
Do: Ensure that all leaders are sharing the same messages with their teams.
Do: Avoid providing irrelevant or confusing information.
Do: Speak with your team on a regular basis.
Do: Reinforce the messages of the organization every chance possible.
Do: Ensure employees feel empowered to do their jobs effectively.
Do: Engage employees in dialogue. The worst employee experience is when they are only spoken at, not engaged with.
OUTCOME
Increased Collaboration
Role Clarity
Prevent Rumors
Organizational Insight
Amazon
INDUSTRY: E-Commerce
SOURCE: Harvard Business Review
Jeff Bezos has definitely taken on unorthodox approaches to business and leadership, but one that many might not know about is his approach to communication. Some of the key elements that he focused on in the early 2000s when Amazon was becoming a multi-billion-dollar empire included:
Results
While he was creating the Amazon empire, 85% of Jeff Bezos’ communication was written in a way that an eighth grader could read. Communicating in a way that was easy to understand and encouraging his leadership team to do so as well is one of the many reasons this business has grown to an estimated value of over $800B.
“If you cannot simplify a message and communicate it compellingly, believe me, you cannot get the masses to follow you.”
– Indra Nooyi, in Harvard Business Review, 2022
| Level | Demonstrated Communication Behavior |
|---|---|
| Level 1: Follow | Has sufficient communication skills for effective dialogue with others. |
| Level 2: Assist | Has sufficient communication skills for effective dialogue with customers, suppliers, and partners. |
| Level 3: Apply | Demonstrates effective communication skills. |
| Level 4: Enable | Communicates fluently, orally, and in writing and can present complex information to both technical and non-technical audiences. |
| Level 5: Ensure, Advise | Communicates effectively both formally and informally. |
| Level 6: Initiate, Influence | Communicates effectively at all levels to both technical and non-technical audiences. |
| Level 7: Set Strategy, Inspire, Mobilize | Understands, explains, and presents complex ideas to audiences at all levels in a persuasive and convincing manner. |
Source: Skills Framework for the Information Age, 2021
| Goal | Key Performance Indicator (KPI) | Related Resource |
|---|---|---|
| Obtain board buy-in for IT strategic initiatives | X% of IT initiatives that were approved to be funded. Number of times technical initiatives were asked to be explained further. | Using our Board Presentation Review service |
| Establish stronger relationships with executive leaders | X% of business leadership satisfied with the statement “IT communicates with your group effectively.” | Using the CIO Business Vision Diagnostic |
| Organizationally, people know what products and services IT provides | X% of end users who are satisfied with communications around changing services or applications. | Using the End-User Satisfaction Survey |
| Organizational reach and understanding of the crisis. | Number of follow-up tickets or requests related to the crisis after the initial crisis communication was sent. | Using templates and tools for crisis communications |
| Project stakeholders receive sufficient communication throughout the initiative. | X% overall satisfaction with the quality of the project communications. | Using the PPM Customer Satisfaction Diagnostic |
| Employee feedback is provided, heard, and acted on | X% of satisfaction employees have with managers or IT leadership to act on employee feedback. | Using the Employee Engagement Diagnostic Program |
Introduction
Communications overview.
Plan
Plan your communications using a strategic tool.
Compose
Create your own message.
Deliver
Practice delivering your own message.
Anuja Agrawal
National Communications Director
PwC
Anuja is an accomplished global communications professional, with extensive experience in the insurance, banking, financial, and professional services industries in Asia, the US, and Canada. She is currently the National Communications Director at PwC Canada. Her prior work experience includes communication leadership roles at Deutsche Bank, GE, Aviva, and Veritas. Anuja works closely with senior business leaders and key stakeholders to deliver measurable results and effective change and culture building programs. Anuja has experience in both internal and external communications, including strategic leadership communication, employee engagement, PR and media management, digital and social media, and M&A/change and crisis management. Anuja believes in leveraging digital tools and technology-enabled solutions, combined with in-person engagement, to help improve the quality of dialogue and increase interactive communication within the organization to help build an inclusive culture of belonging.
Nastaran Bisheban
Chief Technology Officer
KFC Canada
A passionate technologist, and seasoned transformational leader. A software engineer and computer scientist by education, a certified Project Manager that holds an MBA in Leadership with Honors and Distinction from University of Liverpool. A public speaker on various disciplines of technology and data strategy with a Harvard Business School executive leadership program training to round it all. Challenges status quo and conventional practices; is an advocate for taking calculated risk and following the principle of continuous improvement. With multiple computer software and project management publications she is a strategic mentor and board member on various non-profit organizations. Nastaran sees the world as a better place only when everyone has a seat at the table and is an active advocate for diversity and inclusion.
Heidi Davidson
Co-Founder & CEO
Galvanize Worldwide and Galvanize On Demand
Dr. Heidi Davidson is the co-founder and CEO of Galvanize Worldwide, the largest distributed network of marketing and communications experts in the world. She also is the co-founder and CEO of Galvanize On Demand, a tech platform that matches marketing and communications freelancers with client projects. Now with 167 active experts, the Galvanize team delivers startup advisory work, outsourced marketing, training, and crisis communications to organizations of all sizes. Before Galvanize, Heidi spent four years as part of the turnaround team at BlackBerry as the Chief Communications Officer and SVP of Corporate Marketing, where she helped the company move from a device manufacturer to a security software provider.
Eli Gladstone
Co-Founder
Speaker Labs
Eli is a co-founder of Speaker Labs. He has spent over six years helping countless individuals overcome their public speaking fears and communicate with clarity and confidence. When he’s not coaching others on how to build and deliver the perfect presentation, you’ll probably find him reading some weird books, teaching his kids how to ski or play tennis, or trying to develop a good-enough jumpshot to avoid being a liability on the basketball court.
Francisco Mahfuz
Keynote Speaker & Storytelling Coach
Francisco Mahfuz has been telling stories in front of audiences for a decade and even became a National Champion of public speaking. Today, Francisco is a keynote speaker and storytelling coach and offers communication training to individuals and international organizations and has worked with organizations like Pepsi, HP, the United Nations, Santander, and Cornell University. He’s the author of Bare: A Guide to Brutally Honest Public Speaking and the host of The Storypowers Podcast, and he’s been part of the IESE MBA communications course since 2020. He’s received a BA in English Literature from Birkbeck University in London.
Sarah Shortreed
EVP & CTO
ATCO Ltd.
Sarah Shortreed is ATCO’s Executive Vice President and Chief Technology Officer. Her responsibilities include leading ATCO’s Information Technology (IT) function as it continues to drive agility and collaboration throughout ATCO’s global businesses and expanding and enhancing its enterprise IT strategy, including establishing ATCO’s technology roadmap for the future. Ms. Shortreed’s skill and expertise are drawn from her more than 30-year career that spans many industries and includes executive roles in business consulting, complex multi-stakeholder programs, operations, sales, customer relationship management, and product management. She was recently the Chief Information Officer at Bruce Power and has previously worked at BlackBerry, IBM, and Union Gas. She sits on the Board of Governors for the University of Western Ontario and is the current Chair of the Chief Information Officer (CIO) Committee at the Conference Board of Canada.
Eric Silverberg
Co-Founder
Speaker Labs
Eric is a co-founder of Speaker Labs and has helped thousands of people build their public speaking confidence and become more dynamic and engaging communicators. When he’s not running workshops to help people grow in their careers, there’s a good chance you’ll find him with his wife and dog, drinking Diet Coke, and rewatching iconic episodes of the reality TV show Survivor! He’s such a die-hard fan, that you’ll probably see him playing the game one day.
Stephanie Stewart
Communications Officer & DR Coordinator
Info Security Services Simon Fraser University
Steve Strout
President
Miovision Technologies
Mr. Strout is a recognized and experienced technology leader with extensive experience in delivering value. He has successfully led business and technology transformations by leveraging many dozens of complex global SFDC, Oracle, and SAP projects. He is especially adept at leading what some call “Project Rescues” – saving people’s careers where projects have gone awry; always driving “on-time and on-budget.” Mr. Strout is the current President of Miovision Technologies and the former CEO and board member of the Americas’ SAP Users’ Group (ASUG). His wealth of practical knowledge comes from 30 years of extensive experience in many CxO and executive roles at some prestigious organizations such as Vonage, Sabre, BlackBerry, Shred-it, The Thomson Corporation (now Thomson Reuters), and Morris Communications. He has served on boards including Customer Advisory Boards of Apple, AgriSource Data, Dell, Edgewise, EMC, LogiSense, Socrates.ai, Spiro Carbon Group, and Unifi.
Plus an additional two contributors who wish to remain anonymous.
During a crisis it is important to communicate to employees through messages that convey calm and are transparent and tailored to your audience. Use the Crisis Communication Guides to:
“Communication in the Workplace Statistics: Importance and Effectiveness in 2022.” TeamStage, 2022.
Gallo, Carmine. “How Great Leaders Communicate.” Harvard Business Review, 23 November 2022.
Guthrie, Georgina. “Why Good Internal Communications Matter Now More than Ever.” Nulab, 15 December 2021.
Lambden, Duncan. “The Importance of Effective Workplace Communication – Statistics for 2022.” Expert Market, 13 June 2022.
“Mapping SFIA Levels of Responsibilities to Behavioural Factors.” Skills Framework for the Information Age, 2021.
McCreary, Gale. “How to Measure the Effectiveness of Communication: 14 Steps.” WikiHow, 31 March 2023.
Nowak, Marcin. “Top 7 Communication Problems in the Workplace.” MIT Enterprise Forum CEE, 2021.
Nunn, Philip. “Messaging That Works: A Unique Framework to Maximize Communication Success.” iabc, 26 October 2020.
Picincu, Andra. “How to Measure Effective Communications.” Small Business Chron. 12 January 2021.
Price, David A. “Pixar Story Rules.” Stories From the Frontiers of Knowledge, 2011.
Roberts, Dan. “How CIOs Become Visionary Communicators.” CIO, 2019.
Schlesinger, Mark. “Why building effective communication skill in IT is incredibly important.” Forbes, 2021.
Stanten, Andrew. “Planning for the Worst: Crisis Communications 101.” CIO, 25 May 2017.
State of the American Workplace Report. Gallup, 6 February 2020.
“The CIO Revolution.” IBM, 2021.
“The State of High Performing Teams in Tech 2022.” Hypercontext, 2022.
Walters, Katlin. “Top 5 Ways to Measure Internal Communication.” Intranet Connections, 30 May 2019.
Understanding the differences in IaaS platform agreements, purchasing options, associated value, and risks. What are your options for:
IaaS platforms offer similar technical features, but they vary widely on their procurement model. By fully understanding the procurement differences and options, you will be able to purchase wisely, save money both long and short term, and mitigate investment risk.
Most vendors have similar processes and options to buy. Finding a transparent explanation and summary of each platform in a side-by-side review is difficult.
This project will provide several benefits for both IT and the business. It includes:
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Learn the IaaS basics, terminologies, purchasing options, licensing requirements, hybrid options, support, and organization requirements through a checklist process.
Review and understand the features, downsides, and differences between the big three players.
Decide on a primary vendor that meets requirements, engage with a reseller, negotiate pricing incentives, migration costs, review, and execute the agreement.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
This publication will validate if the PMP certification is still valuable and worth your time. In addition, you will gain different perspectives related to other PMI and non-PMI certifications. You will gain a better understanding of the evolution of the PMBOK Guide, and the significant changes made from PMBOK 6th edition to the 7th edition.
I often get asked, “Is the PMP worth it?” I then proceed with a question of my own: “If it gets you an interview or a foot in the door or bolsters your salary, would it be worth it?” Typically, the answer is a resounding “YES!”
CIO magazine ranked the PMP as the top project management certification in North America because it demonstrates that you have the specific skills employers seek, dedication to excellence, and the capacity to perform at the highest levels.
Given its popularity and the demand in the marketplace, I strongly believe it is still worth your time and investment. The PMP is a globally recognized certification that has dominated for decades. It is hard to overlook the fact that the Project Management Institute (PMI) has more than 1.2 million PMP certification holders worldwide and is still considered the gold standard for project management.
Yes, it’s worth it. It gets you interviews, a foot in the door, and bolsters your salary. Oh, and it makes you a more complete project manager.
| Your Challenge | Common Obstacles | Info-Tech's Approach |
|---|---|---|
| The PMP certification has lost its sizzle while other emerging certifications have started to penetrate the market. It’s hard to distinguish which certification still holds weight. | There are other, less intensive certifications available. It’s unclear what will be popular in the future. | There are a lot of certification options out there, and every day there seems to be a new one that pops up. Wait and see how the market reacts before investing your time and money in a new certification. |
The PMP certification is still valuable and worthy of your time in 2023.
| DIY Toolkit | Guided Implementation | Workshop | Consulting |
|---|---|---|---|
| "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." | "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." | "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." | "Our team does not have the time or knowledge to take this project on. We need assistance through the entirety of this project." |
The PMI’s flagship PMP certification numbers have not significantly increased from 2021 to 2022. However, PMP substantially outpaces all competitors with over 1.2 million certified PMPs.
Source: projectmanagement.com
Source: PMI, “PMP Certification.” PMI, “Why You Should Get the PMP.”
79% of project managers surveyed have the PMP certification out of 30,000 respondents in 40 countries.
The PMP became table stakes for jobs in project management and PMOs.
Source: PMI’s Earning Power: Project Management Salary Survey—Twelfth Edition (2021)
Timeline adapted from Wikipedia, “Project Management Body of Knowledge.”
Roughly every 3-5 years, the PMI has released a new PMBOK version. It’s unclear if there will be an eighth edition.
Source: projectmanagement.com as of July 2022


PMP – Project Management Professional
It is a concerning trend that the PMI’s bread and butter, the flagship PMP certification, largely stalled in 2022. We are unsure whether this is attributable to displacement by competitors such as the Agile Alliance, to the PMI’s own Agile offerings, or to the market’s lackluster reaction to PMBOK Guide – Seventh Edition.
Source: projectmanagement.com as of July 2022

The PMI’s membership appears to have a direct correlation to the PMP numbers. As the PMP number stalls, so do the PMI’s memberships.
Source: projectmanagement.com as of July 2022
PRINCE2 and CSM appear to be the more popular ones in the market.
In April 2022, CIO.com outlined other popular project management certifications outside of the PMI.
Source: CIO.com
Source: PMI, Narrowing The Talent Gap, 2021

Source: PMI, “Agile Certifications,” and ScrumAlliance, “Become a Certified ScrumMaster.”
There is a lot of chatter about which Agile certification is better, and the jury is still out with no consensus. There are pros and cons to both certifications. We believe the PMI-ACP will give you more mileage and flexibility because of its breadth of coverage in the Agile practice compared to the CSM.
1. PMI, Talent Gap, 2021.
2. PM Network, 2019.
The median salary for PMP holders in the US is 25% higher than those without PMP certification.
On a global level, the Project Management Professional (PMP) certification has been shown to bolster salary levels. Holders of the PMP certification report higher median salaries than those without a PMP certification – 16% higher on average across the 40 countries surveyed.
Source: PMI, Earning Power, 2021
Source: PMI, Narrowing The Talent Gap, 2021.
According to the PMI Megatrends 2022 report, they have identified six areas as the top digital-age skills for product delivery:
Many organizations aren’t considering candidates who don’t have project-related qualifications. Indeed, far more organizations are increasing their qualification requirements than are reducing them.
Source: PMI, Narrowing The Talent Gap, 2021
Currently, training is imbalanced: it places more emphasis on tools, processes, techniques, and methodologies than on business acumen, collaboration, and management skills. With the explosion of remote work, training needs to be revamped and, in some cases, redesigned altogether to accommodate remote employees.

Lack of strategic prioritization is evident in how training and development is being done, with organizations largely not embracing a diversity of learning preferences and opportunities.
Source: PMI, Narrowing The Talent Gap, 2021
Project managers are evolving. No longer creatures of scope, schedule, and budget alone, they are now – enabled by new technology – focusing on influencing outcomes, building relationships, and achieving the strategic goals of their organizations.
Source: PMI, Narrowing the Talent Gap, 2021
Talent managers will need to retool their toolbox to fill the capability gap and to look beyond where the role is geographically based by embracing flexible staffing models.
They will need to evolve their talent strategies in line with changing business priorities.
Organizations should be actively working to increase the diversity of candidates and upskilling young people in underrepresented communities as a priority.
Most organizations are still relying on traditional approaches to recruit talent. Although we are prioritizing power skills and business acumen, we are still searching in the same, shrinking pool of talent.
Source: PMI, Narrowing the Talent Gap, 2021.
“Agile Certifications for Every Step in Your Career.” PMI. Web.
“Become a Certified ScrumMaster and Help Your Team Thrive.” ScrumAlliance. Web.
“Become a Project Manager.” PMI. Accessed 14 Sept. 2022.
Bucero, A. “The Next Evolution: Young Project Managers Will Change the Profession: Here's What Organizations Need to Know.” PM Network, 2019, 33(6), 26–27.
“Certification Framework.” PMI. Accessed 14 Sept. 2022.
“Certifications.” PMI. Accessed 14 Sept. 2022.
DePrisco, Mike. Global Megatrends 2022. “Foreword.” PMI, 2022. Accessed 14 Sept. 2022.
Earning Power: Project Management Salary Survey. 12th ed. PMI, 2021. Accessed 14 Sept. 2022.
“Global Research From PMI and PwC Reveals Attributes and Strategies of the World’s Leading Project Management Offices.” PMI, 1 Mar. 2022. Press Release. Accessed 14 Sept. 2022.
Narrowing the Talent Gap. PMI, 2021. Accessed 14 Sept. 2022.
“PMP Certification.” PMI. Accessed 4 Aug. 2022.
“Project Management Body of Knowledge.” Wikipedia, Wikimedia Foundation, 29 Aug. 2022.
“Project Portfolio Management Pulse Survey 2021.” PwC. Accessed 30 Aug. 2022.
Talent Gap: Ten-Year Employment Trends, Costs, and Global Implications. PMI. Accessed 14 Sept. 2022.
“The Critical Path.” ProjectManagement.com. Accessed 14 Sept. 2022.
“True Business Agility Starts Here.” PMI. Accessed 14 Sept. 2022.
White, Sarah K. and Sharon Florentine. “Top 15 Project Management Certifications.” CIO.com, 22 Apr. 2022. Web.
“Why You Should Get the PMP.” PMI. Accessed 14 Sept. 2022.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Use this step-by-step guide to assess your ransomware readiness and implement controls that will improve your ability to prevent incursions and defend against attacks.
Use this assessment tool to assess existing protection, detection, response, and recovery capabilities and identify potential improvements.
Use this threat preparedness workbook to evaluate the threats and tactics in the ransomware kill chain using the MITRE framework and devise appropriate countermeasures.
Adapt this tabletop planning session template to plan and practice the response of your internal IT team to a ransomware scenario.
Adapt these workflow and runbook templates to coordinate the actions of different stakeholders through each stage of the ransomware incident response process.
Adapt this tabletop planning session template to plan leadership contributions to the ransomware response workflow. This second tabletop planning session will focus on communication strategy, business continuity plan, and deciding whether the organization should pay a ransom.
Summarize your current state and present a prioritized project roadmap to improve ransomware resilience over time.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Set workshop goals, review ransomware trends and risk scenarios, and assess the organization’s resilience to ransomware attacks.
Develop a solid understanding of the likelihood and impact of a ransomware attack on your organization.
Complete a current state assessment of key security controls in a ransomware context.
1.1 Review incidents, challenges, and project drivers.
1.2 Diagram critical systems and dependencies and build risk scenario.
1.3 Assess ransomware resilience.
Workshop goals
Ransomware Risk Scenario
Ransomware Resilience Assessment
Improve your capacity to protect your organization from ransomware and detect attacks along common vectors.
Identify targeted countermeasures that improve protection and detection capabilities.
2.1 Assess ransomware threat preparedness.
2.2 Determine the impact of ransomware techniques on your environment.
2.3 Identify countermeasures to improve protection and detection capabilities.
Targeted ransomware countermeasures to improve protection and detection capabilities.
Improve your organization’s capacity to respond to ransomware attacks and recover effectively.
Build response and recovery capabilities that reduce the potential business disruption of successful ransomware attacks.
3.1 Review the workflow and runbook templates.
3.2 Update/define your threat escalation protocol.
3.3 Define scenarios for a range of incidents.
3.4 Run a tabletop planning exercise (IT).
3.5 Update your ransomware response runbook.
Security Incident Response Plan Assessment.
Tabletop Planning Session (IT)
Ransomware Workflow and Runbook.
Identify prioritized initiatives to improve ransomware resilience.
Identify the role of leadership in ransomware response and recovery.
Communicate workshop outcomes and recommend initiatives to improve ransomware resilience.
4.1 Run a tabletop planning exercise (Leadership).
4.2 Identify initiatives to close gaps and improve resilience.
4.3 Review broader strategies to improve your overall security program.
4.4 Prioritize initiatives based on factors such as effort, cost, and risk.
4.5 Review the dashboard to fine tune your roadmap.
4.6 Summarize status and next steps in an executive presentation.
Tabletop Planning Session (Leadership)
Ransomware Resilience Roadmap and Metrics
Ransomware Workflow and Runbook
Ransomware is a high-profile threat that demands immediate attention:
Ransomware is more complex than other security threats:
To prevent a ransomware attack:
Resilience is not a trampoline, where you're down one moment and up the next. It's more like climbing a mountain. It takes time, planning, and help from people around you to work through challenges. Focus on what is in your organization's control, and cultivate strengths that allow you to protect assets, detect incursions, respond effectively, and recover quickly.
As I write, the frequency and impact of ransomware attacks continue to increase, with no end in sight. Most organizations will experience ransomware in the next 24 months, some more than once, and business leaders know it. You will never have a better chance to implement best practice security controls than you do now.
The opportunity comes with important challenges. Hackers need to spend less time in discovery before they deploy attacks, which have become much more effective. You can't afford to rely solely on your ability to respond and recover. You need to build a resilient organization that can withstand a ransomware event and recover quickly.
Resilient organizations are not impervious to attack, but they have tools to protect assets, detect incursions, and respond effectively. Resilience is not a trampoline, where you're down one moment and up the next. It's more like climbing a mountain. It takes time, planning, and help from people around you to overcome challenges and work through problems. But eventually you reach the top and look back at how far you've come.
Michel Hébert
Research Director, Security and Privacy
Info-Tech Research Group
Three factors contribute to the threat:
Elementus maps ransomware payments made through bitcoin. Since 2019, victims made at least $2B in payments.
A handful of criminal organizations, many of whom operate out of cybercrime hotbeds in Russia, are responsible for most of the damage. The numbers capture only the ransom paid, not the clean-up cost and economic fallout over attacks during this period.
Emerging strains can exfiltrate sensitive data, encrypt systems and destroy backups in only a few hours, which makes recovery a grueling challenge.
Sophos commissioned a vendor agnostic study of the real-world experience of 5,600 IT professionals in mid-sized organizations across 31 countries and 15 industries.
The survey was conducted in Jan – Feb 2022 and asked about the experience of respondents over the previous year.
66%
Hit by ransomware in 2021
(up from 37% in 2020)
90%
Ransomware attack affected their ability to operate
$812,360 USD
Average ransom payment
$4.54M
Average remediation cost
(not including ransom)
ONE MONTH
Average recovery time
Meanwhile, organizations continue to put their faith in ineffective ransomware defenses.
Of the respondents whose organizations weren't hit by ransomware in 2021 and don't expect to be hit in the future, 72% cited either backups or cyberinsurance as reasons why they did not anticipate an attack.
While these elements can help recover from an attack, they don't prevent it in the first place.
Source: Sophos, State of Ransomware (2022)
IBM, Cost of A Data Breach (2022)
At each point of the playbook, malicious agents need to achieve something before they can move to the next step.
Resilient organizations look for opportunities to:
| Initial access, Execution | Privilege Escalation, Credential Access | Lateral Movement, Collection | Data Exfiltration | Data encryption |
|---|---|---|---|---|
| Deliver phishing email designed to avoid spam filter. Launch malware undetected. | Identify user accounts. Target an admin account. Use brute force tactics to crack it. | Move through the network and collect data. Infect as many critical systems and backups as possible to limit recovery options. | Exfiltrate data to gain leverage. | Encrypt data, which triggers alert. Deliver ransom note. |
Ransomware groups thrive through extortion tactics.
Ransom is only a small part of the equation. Four process-related activities drive ransomware recovery costs:
Source: IBM, Cost of a Data Breach (2022)
An effective response with strong, available backups will reduce the operational impact of an attack, but it won't spare you from its reputational and regulatory impact.
Put controls in place to disrupt each stage of the attack workflow to protect the organization from intrusion, enhance detection, respond quickly, and recover effectively.
Ransomware dwell times and average encryption rates are improving dramatically.
Hackers spend less time in your network before they attack, and their attacks are much more effective.
Avg dwell time
3-5 Days
Avg encryption rate
70 GB/h
Avg detection time
11 Days
Dwell time is the time between when a malicious agent gains access to your environment and when they are detected. In a ransomware attack, most organizations don't detect malicious agents until they deploy ransomware, encrypt their files, and lock them out until they pay the ransom.
Effective time is a measure of the effectiveness of the encryption algorithm. Encryption rates vary by ransomware family. Lockbit has the fastest encryption rate, clocking in at 628 GB/h.
It's more critical than ever to build ransomware resilience. Most organizations do not detect ransomware incursions in time to prevent serious business disruption.
References: BleepingComputer (2022), VentureBeat, Dark Reading, ZDNet.
This blueprint will focus on improving your ransomware resilience to:
Response
Recovery
For in-depth assistance with disaster recovery planning, refer to Info-Tech's Create a Right-Sized Disaster Recovery.
Disrupt the playbooks of ransomware gangs. Put controls in place to protect, detect, respond and recover effectively.
Put controls in place to harden your environment, train savvy end users, and prevent incursions.
Build and test a backup strategy that meets business requirements to accelerate recovery and minimize disruption.
| Protect | Detect | Respond | Recover |
Review ransomware threat techniques and prioritize detective and mitigation measures for initial and credential access, privilege escalation, and data exfiltration.
Develop security awareness content and provide cybersecurity and resilience training to employees, contractors and third parties.
Identify and implement network security solutions including analytics, network and email traffic monitoring, and intrusion detection and prevention.
Identify disruption scenarios and develop incident response, business continuity, and disaster recovery strategies.
Review the user access management program, policies and procedures to ensure they are ransomware-ready.
Develop proactive vulnerability and patch management programs that mitigate ransomware techniques and tactics.
| | Assess resilience | Protect and detect | Respond and recover | Improve resilience |
|---|---|---|---|---|
| Phase steps | | | | |
| Phase outcomes | | | | |
Resilience is not a trampoline, where you're down one moment and up the next. It's more like climbing a mountain. It takes time, planning, and help from people around you to work through challenges.
Focus on what is in your organization's control, and cultivate strengths that allow you to protect assets, detect incursions, and respond and recover quickly.
Build risk scenarios that describe how a ransomware attack would impact organizational goals.
Understand possible outcomes to motivate initiatives, protect your organization, plan your response, and practice recovery.
Dwell times and effective times are dropping dramatically. Malicious agents spend less time in your network before they deploy an attack, and their attacks are much more effective. You can't afford to rely on your ability to respond and recover alone.
The frequency and impact of ransomware attacks continue to increase, and business leaders know it. You will never have a better chance to implement best practice security controls than you do now.
The anatomy of a ransomware attack is relatively simple: malicious agents get in, spread, and profit. Deploy ransomware protection metrics to measure ransomware resilience at each stage.
The resilience roadmap captures the key insights your work will generate, including:
Info-Tech supports project and workshop activities with deliverables to help you accomplish your goals and accelerate your success.
Ransomware Resilience Assessment
Measure ransomware resilience, identify gaps, and draft initiatives.
Enterprise Threat Preparedness Workbook
Analyze common ransomware techniques and develop countermeasures.
Ransomware Response Workflow & Runbook
Capture key process steps for ransomware response and recovery.
Run tabletops for your IT team and your leadership team to gather lessons learned.
Capture project insights and measure resilience over time.
Organizations worldwide spent on average USD 4.62M in 2021 to rectify a ransomware attack. These costs include escalation, notification, lost business and response costs, but did not include the cost of the ransom. Malicious ransomware attacks that destroyed data in destructive wiper-style attacks cost an average of USD 4.69M.
Building better now is less expensive than incurring the same costs in addition to the clean-up and regulatory and business disruption costs associated with successful ransomware attacks.
After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research and advisory services helped them achieve.
Source: IBM, Cost of a Data Breach (2022)
See what members have to say about the ransomware resilience blueprint:
"Our advisor was well-versed and very polished. While the blueprint alone was a good tool to give us direction, his guidance made it significantly faster and easier to accomplish than if we had tried to tackle it on our own."
CIO, Global Manufacturing Organization
| IT benefits | Business benefits |
|---|---|
| | |
"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."
"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."
"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."
"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."
SOURCE: Interview with CIO of large enterprise
Organizations who "build back better" after a ransomware attack often wish they had used relevant controls sooner.
In February 2020, a large organization found a ransomware note on an admin's workstation. The admin had downloaded a local copy of the organization's identity management database for testing and left a port open on the workstation. Hackers exfiltrated the database and encrypted the data on the workstation. They demanded a ransom payment to decrypt the data.
Because private information was breached, the organization informed the state-level regulator. With 250,000 accounts affected, plans were made to require password changes en masse. A public announcement was made two days after the breach to ensure that everyone affected could be reached.
The organization decided not to pay the ransom because it had a copy on an unaffected server.
The organization was praised for its timely and transparent response.
The breach motivated the organization to put more protections in place, including:
SOURCE: Info-Tech Workshop Results
INDUSTRY: Government
Regional government runs an Info-Tech workshop to fast-track its ransomware incident response planning
The organization was in the middle of developing its security program, rolling out security awareness training for end users, and investing in security solutions to protect the environment and detect incursions. Still, the staff knew they had holes to fill. They had not yet fully configured and deployed security solutions, key security policies were missing, and they didn't have a documented ransomware incident response plan.
Info-Tech advisors helped the organization conduct a systematic review of existing processes, policies, and technology, with an eye to identifying key gaps in the organization's ransomware readiness. The impact analysis quantified the potential impact of a ransomware attack on critical systems to improve organizational awareness of ransomware risks and improve buy-in for investment in the security program.
Info-Tech's tabletop planning exercise provided a foundation for the organization's actual response plan. The organization used the results to build a ransomware response workflow and the framework for a more detailed runbook. The workshop also helped staff identify ways to improve the backup strategy and bridge further gaps in their ability to recover.
The net result was a current-state response plan, appropriate capability targets aligned with business requirements, and a project roadmap to achieve the organization's desired state of ransomware readiness.
| Scoping Call | Phase 1 | Phase 2 | Phase 3 | Phase 4 |
|---|---|---|---|---|
| Call #1: Discuss context, identify challenges, and scope project requirements. Identify ransomware resilience metrics. | Call #2: Build ransomware risk scenario. | Call #4: Review common ransomware attack vectors. Identify and assess mitigation controls. | Call #5: Document ransomware workflow and runbook. | Call #7: Run tabletop test with leadership. |
| | Call #3: Assess ransomware resilience. | | Call #6: Run tabletop test with IT. | Call #8: Build ransomware roadmap. Measure ransomware resilience metrics. |
A guided implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is 6 to 8 calls over the course of 4 to 6 months.
Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889
| | Day 1 | Day 2 | Day 3 | Day 4 | Day 5 |
|---|---|---|---|---|---|
| Activities | Assess ransomware resilience | Protect and detect | Respond and recover | Improve ransomware resilience | Wrap-up (offsite and offline) |
| | 1.1.1 Review incidents, challenges, and project drivers. 1.1.2 Diagram critical systems and dependencies. 1.1.3 Build ransomware risk scenario. | 2.1 Assess ransomware threat preparedness. 2.2 Determine the impact of ransomware techniques on your environment. 2.3 Identify countermeasures to improve protection and detection capabilities. | 3.1.1 Review the workflow and runbook templates. 3.1.2 Update/define your threat escalation protocol. 3.2.1 Define scenarios for a range of incidents. 3.2.2 Run a tabletop planning exercise (IT). 3.3.1 Update your ransomware response workflow. | 4.1.1 Run a tabletop planning exercise (leadership). 4.1.2 Identify initiatives to close gaps and improve resilience. 4.1.3 Review broader strategies to improve your overall security program. 4.2.1 Prioritize initiatives based on factors such as effort, cost, and risk. 4.2.2 Review the dashboard to fine tune your roadmap. 4.3.1 Summarize status and next steps in an executive presentation. | 5.1 Complete in-progress deliverables from previous four days. 5.2 Set up review time for workshop deliverables and to discuss next steps. 5.3 Revisit ransomware resilience metrics in three months. |
| Deliverables | | | | | |
| Phase 1 | Phase 2 | Phase 3 | Phase 4 |
|---|---|---|---|
| 1.1 Build ransomware risk scenario 1.2 Conduct resilience assessment | 2.1 Assess attack vectors 2.2 Identify countermeasures | 3.1 Review Security Incident Management Plan 3.2 Run Tabletop Test (IT) 3.3 Document Workflow and Runbook | 4.1 Run Tabletop Test (Leadership) 4.2 Prioritize resilience initiatives 4.3 Measure resilience metrics |
This phase will walk you through the following activities:
This phase involves the following participants:
1.1.1 Review incidents, challenges and project drivers
1.1.2 Diagram critical systems and dependencies
1.1.3 Build ransomware risk scenario
This step will guide you through the following activities:
This step involves the following participants:
Brainstorm the challenges you need to address in the project. Avoid producing solutions at this stage, but certainly record suggestions for later. Use the categories below to get the brainstorming session started.
Brainstorm critical systems and their dependencies to build a ransomware risk scenario. The scenario will help you socialize ransomware risks with key stakeholders and discuss the importance of ransomware resilience.
Focus on a few key critical systems.
Start with a WAN diagram, then your production data center, and then each critical system. Use the next three slides as your guide.
When you get to this level of detail, use this opportunity to level-set with the team. Consider the following:
For now, make a note of these gaps and continue with the next step.
Risk scenarios are further distilled into a single sentence or risk statement that communicates the essential elements from the scenario.
Risk identification → Risk scenario → Risk statement
The slides walk through how to build a ransomware risk scenario.

| An actor capable of harming an asset | Anything of value that can be affected and results in loss | Technique an actor uses to affect an asset | How loss materializes |
|---|---|---|---|
| Examples: Malicious or untrained employees, cybercriminal groups, malicious state actors | Examples: Systems, regulated data, intellectual property, people | Examples: Credential compromise, privilege escalation, data exfiltration | Examples: Loss of data confidentiality, integrity, or availability; impact on staff health and safety |
Risk scenarios are concise, four to six sentence narratives that describe the core elements of forecasted adverse events.
Use them to engage stakeholders with the right questions and guide them to make informed decisions about how to address ransomware risks.
In a ransomware risk scenario, the threat, their motivations, and their methods are known. Malicious agents are motivated to compromise critical systems, sabotage recovery, and exfiltrate data for financial gain.
The purpose of building the risk scenario is to highlight the assets at risk and the potential effect of a ransomware attack.
As a group, consider critical or mission-essential systems identified in step 1.1.2. On a whiteboard, brainstorm the potential adverse effect of a loss of system availability, confidentiality or integrity.
Consider the impact on:
Inputs for risk scenario identification
| Risk analysis | | | |
|---|---|---|---|
| Critical assets | ERP, CRM, FMS, LMS | Operational technology | Sensitive or regulated data |
| Threat agents | Cybercriminals | | |
| Methods | Compromise end user devices through social engineering attacks. Compromise networks through external exposures and software vulnerabilities. Identify and crack administrative account. Escalate privileges. Move laterally. Collect data, destroy backups, exfiltrate data for leverage, encrypt systems. Threaten to publish exfiltrated data and demand ransom. | | |
| Adverse effect | Serious business disruption; financial damage; reputational damage; potential litigation. Average downtime: 30 Days. Average clean-up costs: USD 1.4M | | |
Likelihood: Medium
Impact: High
Cyber-criminals penetrate the network, exfiltrate critical or sensitive data, encrypt critical systems, and demand a ransom to restore access.
They threaten to publish sensitive data online to pressure the organization to pay the ransom, and reach out to partners, staff, and students directly to increase the pressure on the organization.
Network access likely occurs through a phishing attack, credential compromise, or remote desktop protocol session.
Cybercriminals penetrate the network, compromise backups, exfiltrate and encrypt data, and disrupt computer systems for financial gain.
Threat Actor:
Assets:
Effect:
Methods:
1.2.1 Complete resilience assessment
1.2.2 Establish resilience metrics
The maturity levels are based on the Capability Maturity Model Integration framework. We outline our modifications below.
| CMMI Maturity Level – Default Descriptions: | CMMI Maturity Level – Modified for This Assessment: |
|---|---|
| | |
(Source: CMMI Institute, CMMI Levels of Capability and Performance)
Use the Ransomware Resilience Assessment Tool to assess maturity of existing controls, establish a target state, and identify an initial set of initiatives to improve ransomware resilience.
Keep the assessment tool on hand to add gap closure initiatives as you proceed through the project.
Download the Ransomware Resilience Assessment
Ransomware resilience metrics track your ability to disrupt a ransomware attack at each stage of its workflow.
Measure metrics at the start of the project to establish a baseline, and again as the project nears completion to measure progress.
| Attack workflow | Process | Metric | Target trend | Current | Goal |
|---|---|---|---|---|---|
| GET IN | Vulnerability Management | % Critical patches applied | Higher is better | | |
| | Vulnerability Management | # of external exposures | Fewer is better | | |
| | Security Awareness Training | % of users tested for phishing | Higher is better | | |
| SPREAD | Identity and Access Management | Adm accounts / 1000 users | Lower is better | | |
| | Identity and Access Management | % of users enrolled for MFA | Higher is better | | |
| | Security Incident Management | Avg time to detect | Lower is better | | |
| PROFIT | Security Incident Management | Avg time to resolve | Lower is better | | |
| | Backup and Disaster Recovery | % critical assets with recovery test | Higher is better | | |
| | Backup and Disaster Recovery | % backup to immutable storage | Higher is better | | |
| Phase 1 | Phase 2 | Phase 3 | Phase 4 |
|---|---|---|---|
1.1 Build ransomware risk scenario 1.2 Conduct resilience assessment | 2.1 Assess attack vectors 2.2 Identify countermeasures | 3.1 Review Security Incident Management Plan 3.2 Run Tabletop Test (IT) 3.3 Document Workflow and Runbook | 4.1 Run Tabletop Test (Leadership) 4.2 Prioritize resilience initiatives 4.3 Measure resilience metrics |
This phase will walk you through the following activities:
This phase involves the following participants:
2.1.1 Assess ransomware threat preparedness
2.1.2 Determine the impact of ransomware techniques on your environment
This step involves the following activities:
This step involves the following participants:
Assess risks associated with common ransomware attack vectors.
Download the Enterprise Threat Preparedness Workbook
| Deliver phishing email designed to avoid spam filter. Launch malware undetected. | Identify user accounts. Target an admin account. Use brute force tactics to crack it. | Move through the network. Collect data. Infect critical systems and backups to limit recovery options. | Exfiltrate data to gain leverage. | Encrypt data, which triggers alert. Deliver ransom note. |
Once you're comfortable, follow the instructions on the following pages to configure the MITRE ransomware analysis and identify how to improve your protection and detection capabilities.
If you would like to change the set-up, go through the following steps.
The following slides walk you through the process with screenshots from the workbook.
Dwell times and effective times are dropping dramatically. Malicious agents spend less time in your network before they deploy an attack, and their attacks are much more effective. You can't afford to rely on your ability to respond and recover alone.
As you fill out the Tactic tabs with your evaluation, the overall reading will display the average of your overall preparedness for that tactic.
Choosing the Technique Domain level will increase the accuracy of the reporting at the cost of speed.
The Technique level is faster but provides fewer specifics for each control and analyzes them as a group.
The Sub-Technique level is much more granular, but each tactic and technique has several sub-techniques that you will need to account for.
Check with the dashboard to see the associated risk level for each of the tactics based on the legend. Tactics that appear white have not yet been assessed or are rated as "N/A" (not applicable).
When you select your Technique Domain, you cannot change it again. Changing the domain mid-analysis will introduce inaccuracies in your security preparedness.
How an attacker will attempt to achieve their goals through a specific action.
The corresponding ID number on the MITRE ATT&CK® Matrix for quick reference.
If an attack of this type is successful on your network, how deep does the damage run?
What security protocols do you have in place right now that can help prevent an attacker from successfully executing this attack technique? The rating is based on the CMMI scale.
We highly recommend that you write comments about your current-state security protocols. First, it's great to have documented your thought processes in the event of a threat modeling session. Second, you can speak to deficits clearly, when asked.
You may discover that you have little to no mitigation actions in place to deal with one or many of these techniques. However, look at this discovery as a positive: You've learned more about the potential vectors and can actively work toward remediating them rather than hoping that a breach never happens through one of these avenues.
If you have chosen the Sub-Technique level, the tool should resemble this image.
Each sub-technique has a note for additional context and understanding about what the techniques are seeking to do and how they may impact your enterprise.
2.2.1 Identify countermeasures
Identification of countermeasures to common ransomware techniques, and tactics to improve protection and detection capabilities.
As you work through the tool, your dashboard will prioritize your threat preparedness for each of the various attack techniques to give you an overall impression of your preparedness.
For each action, the tool includes detection and remediation actions for you to consider either for implementation or as table stakes for your next threat modeling sessions.
Note: Some sheets will have the same controls. However, the context of the attack technique may change your answers. Be sure to read the tactic and technique that you are on when responding to the controls.
Prioritize the analysis of ransomware tactics and sub-techniques identified on slide 45. If your initial analysis in Activity 2.2.1 determined that you have robust security protocols for some of the attack vectors, set these domains aside.
This phase will guide you through the following steps:
This phase involves the following participants:
3.1.1 Review the workflow and runbook templates
3.1.2 Update/define your threat escalation protocol
This step will walk you through the following activities:
This step involves the following participants:
This blueprint includes sample information in the Ransomware Response Workflow Template and Ransomware Response Runbook Template to use as starting points for the steps in Phase 3, including documenting your threat escalation protocol.
Download the Ransomware Response Workflow Template
Download the Ransomware Response Runbook Template
Document the Threat Escalation Protocol sections in the Ransomware Response Workflow Template or review/update your existing runbook. The threat escalation protocol defines which stakeholders to involve in the incident management process, depending on impact and scope. Specifically, you will need to define the following:
Impact and scope criteria: Impact considers factors such as the criticality of the system/data, whether PII is at risk, and whether public notification is required. Scope considers how many systems or users are impacted.
Severity assessment: Define the severity levels based on impact and scope criteria.
Relevant stakeholders: Identify stakeholders to notify for each severity level, which can include external stakeholders.
If you need additional guidance, see Info-Tech's Develop and Implement a Security Incident Management Program blueprint, which takes a broader look at security incidents.
3.2.1 Define scenarios for a range of incidents
3.2.2 Run a tabletop planning exercise
As a group, collaborate to define scenarios that enable you to develop incident response details for a wide range of potential incidents. Below are example scenarios:
Note: The above is too much to execute in one 30-minute session, so plan a series of exercises as outlined on the next slide.
Schedule these sessions well in advance to ensure appropriate resources are available. Document this in an annual test plan summary that outlines the scope, participants, and dates and times for the planned sessions.
Remember that the goal is a deeper dive into how you would respond to an attack so you can clarify steps and gaps. This is not meant to just be a read-through of your plan. Follow the guidelines below:
Refer to the Ransomware Tabletop Planning Results – Example as a guide for what to capture. Aim for more detail than found in your Ransomware Response Workflow (but not runbook-level detail).
Download the Ransomware Tabletop Planning Results – Example
3.3.1 Update your ransomware response workflow
3.3.2 Update your ransomware response runbook
Use the results from your tabletop planning exercises (Activity 3.2.2) to update and clarify your ransomware response workflow. For example:
Use the results from your tabletop planning exercises (Activity 3.2.2) to update your ransomware response runbook. For example:
In addition to applying your existing security practices to your backup solution (e.g. anti-malware, restricted access), consider:
This example strategy combines multiple restore points, offsite backup, different storage media, and immutable backups.
Zero trust is a strategy that reduces reliance on perimeter security and moves controls to where your user accesses resources. It often consolidates security solutions, reduces operating costs, and enables business mobility.
IT security needs to determine how zero trust initiatives will affect core business processes. It's not a one-size-fits-all approach to IT security. Zero trust is the goal – but some organizations can only get so close to that ideal.
For more information, see Build a Zero-Trust Roadmap.
A successful zero-trust strategy should evolve. Use an iterative and repeatable process to assess available zero-trust technologies and principles and secure the most relevant protect surfaces. Collaborate with stakeholders to develop a roadmap with targeted solutions and enforceable policies.
Prioritize initiatives in the Ransomware Resilience Assessment.
Review and update the roadmap dashboard in your Ransomware Resilience Assessment.
4.3.1 Summarize status and next steps in an executive presentation
Gain stakeholder buy-in by communicating the risk of the status quo and recommendations to reduce that risk. Specifically, capture and present the following from this blueprint:
Overall key findings and next steps.
Download the Ransomware Readiness Summary Presentation Template
Ransomware resilience metrics track your ability to disrupt a ransomware attack at each stage of its workflow.
Revisit metrics as the project nears completion and compare them against your baseline to measure progress.
| Attack workflow | Process | Metric | Target trend | Current | Goal |
|---|---|---|---|---|---|
| GET IN | Vulnerability Management | % Critical patches applied | Higher is better | | |
| | Vulnerability Management | # of external exposures | Fewer is better | | |
| | Security Awareness Training | % of users tested for phishing | Higher is better | | |
| SPREAD | Identity and Access Management | Adm accounts / 1000 users | Lower is better | | |
| | Identity and Access Management | % of users enrolled for MFA | Higher is better | | |
| | Security Incident Management | Avg time to detect | Lower is better | | |
| PROFIT | Security Incident Management | Avg time to resolve | Lower is better | | |
| | Backup and Disaster Recovery | % critical assets with recovery test | Higher is better | | |
| | Backup and Disaster Recovery | % backup to immutable storage | Higher is better | | |

| Project overview | Project deliverables |
|---|---|
| This blueprint helped you create a ransomware incident response plan for your organization, as well as identify ransomware prevention strategies and ransomware prevention best practices. | |
| Project phases: Phase 1: Assess ransomware resilience; Phase 2: Protect and detect; Phase 3: Respond and recover; Phase 4: Improve ransomware resilience | |

Tab 3. Initiative List in the Ransomware Resilience Assessment identifies relevant Info-Tech Research to support common ransomware resilience initiatives.
Jimmy Tom
AVP of Information Technology and Infrastructure
Financial Horizons
Dan Reisig
Vice President of Technology
UV&S
Samuel Sutton
Computer Scientist (Retired)
FBI
Ali Dehghantanha
Canada Research Chair in Cybersecurity and Threat Intelligence
University of Guelph
Gary Rietz
CIO
Blommer Chocolate Company
Mark Roman
CIO
Simon Fraser University
Derrick Whalen
Director, IT Services
Halifax Port Authority
Stuart Gaslonde
Director of IT & Digital Services
Falmouth-Exeter Plus
Deborah Curtis
CISO
Placer County
Deuce Sapp
VP of IT
ISCO Industries

Trevor Ward
Information Security Assurance Manager
Falmouth-Exeter Plus
Brian Murphy
IT Manager
Placer County
Arturo Montalvo
CISO
Texas General Land Office and Veterans Land Board
Mduduzi Dlamini
IT Systems Manager
Eswatini Railway
Mike Hare
System Administrator
18th Circuit Florida Courts
Linda Barratt
Director of Enterprise Architecture, IT Security, and Data Analytics
Toronto Community Housing Corporation

Josh Lazar
CIO
18th Circuit Florida Courts
Douglas Williamson
Director of IT
Jamaica Civil Aviation Authority
Ira Goldstein
Chief Operating Officer
Herjavec Group
Celine Gravelines
Senior Cybersecurity Analyst
Encryptics
Dan Mathieson
Mayor
City of Stratford
Jacopo Fumagalli
CISO
Omya
Matthew Parker
Program Manager
Utah Transit Authority
Two Additional Anonymous Contributors
In early April, I already wrote about exit plans and how they are the latest burning platform.
As of the end of May 2025, we have both Microsoft and Google reassuring European clients about their sovereign cloud solutions. There are even air-gapped options for military applications. These messages come as a result of the trade war between the US and the rest of the world.
There is also the other, more mundane example of over-reliance on a single vendor: the Bloomberg-terminal outage of May 21st, 2025. That global outage severely disrupted financial markets. It caused traders to lose access to real-time data, analytics, and pricing information for approximately 90 minutes. This widespread system failure delayed critical government bond auctions in the UK, Portugal, Sweden, and the EU.
It serves as a reminder of the heavy reliance on the Bloomberg Terminal, which is considered an industry standard despite its high annual cost. While some Bloomberg services like instant messaging remained functional, allowing limited communication among traders, the core disruption led to significant frustration and slowed down trading activities.
You want to think about this for a moment. Bloomberg, just like Google and Microsoft, is a cornerstone of its industry. Microsoft, Google, and Amazon are cornerstones of many more industries.
So the issue goes beyond the “panic of the day.” Every day, there will be some announcement that sends markets reeling and companies fearing. Granted, the period we go through today can have grave consequences, but at the same time, it may be over in the coming months or years.
Let's take a step back and see if we can locate the larger issue at stake. I dare to say that the underlying issue is trust. We are losing trust in one another at a fast pace. Not between business partners, meaning companies that are, in a transaction or relationship, more or less equal. Regardless of their geolocation, people are keen to do business together in a predictable, mutually beneficial way. And as long as that situation is stable, there is little need, beyond compliance and normal sound practices, to start to distrust each other.
Trouble brews when other factors come into play. I want to focus on two of them in this article.
The past few years have seen a large increase in power of the cloud computing platforms. The pandemic of 2019 through to 2023 changed our way of working and gave a big boost to these platforms. Of course, they were already establishing their dominance in the early 2010s.
Amazon launched SQS in 2004 with S3 (storage) and EC2 (compute) in 2006. Azure launched in 2008 as a PaaS platform for .NET developers, and became really available in 2010. Since then, it grew into the IaaS (infrastructure as a service) platform we know today. Google's Cloud Platform (GCP) launched in 2008 and added components such as BigQuery, Compute Engine and Storage in the 2010s.
Since the pandemic, we've seen another boost to their popularity. These platforms solidified their lead through several vectors:
Companies made decisions on these premises. A prime example is the use of native cloud functions. These make life easier for developers. Native functions allow for serverless functionality to be made available to clients, and to do so in a non-infra-based way. It gives the impression of less complexity to the management. They are also easily scalable.
This comes at a cost, however. The cost is vendor lock-in. And with vendor lock-in, comes increased pricing power for the vendor.
For a long time, it seems EU companies' attitude was: “It won't be such an issue, after all, there are multiple cloud vendors and if all else fails, we just go back.” The reality is much starker: I suspect that cloud providers with this level of market power will increase their pricing significantly.
In come two elements:
The latest push to their market power came as an unintended consequence of EU law: DORA. That EU law requires companies to have testable exit plans in place. But it goes well beyond this. The EU has increased the regulatory burden on companies significantly. BusinessEurope, a supranational organization, estimates that in the past five years, the EU managed to release over 13,000 legislative acts. This is compared to 3,500 in the US.
Coming back to DORA, this law requires EU companies to actually test their exit plans and show proof of it to the EU ESAs (European Supervisory Agency). The reaction I have seen in industry representative organizations is complacency.
The cost of compliance is significant; hence, companies try to limit their exposure to the law as much as possible. They typically do this by limiting the applicability scope of the law to their business, based on the wording of the law. And herein lies the trap. This is not lost on the IT providers. They see that companies do the heavy lifting for them. What do I mean by that? Several large providers are looked at by the EU as systemic providers. They fall under direct supervision by the ESAs.
For local EU providers, it is what it is, but for non-EU providers, they get to show their goodwill, using sovereign IT services. I will come back to this in the next point, US unpredictability and laws. But the main point is: we are giving them more market power, and we have less contractual power. Why? Because we are showing them that we will go to great lengths to keep using their services.
US companies must comply with US law. So far, so good. Current US legislation also already requires US companies to share data on non-US citizens.
This last one is of particular concern. Not so much because of its contents, but because it is an Executive Order.
We know that the current (May 2025) US government mostly works through executive orders. Let's not forget that executive orders are a legitimate way to implement policy. This means that the US government could use access to cloud services as a lever to obtain more favorable trade rules.
The EU responds to this (the laws and executive order) by implementing several sovereignty countermeasures like GDPR, DORA, the Digital Markets Act (DMA), the Data Governance Act (DGA), the Cybersecurity Act and the upcoming European Health Data Act (EHDS). This is called the “Brussels Effect.”
Europe is also investing in several strategic initiatives such as
This points to a new dynamic between the EU and the US: EU-based companies simply cannot trust their US counterparts anymore to the degree they could before. The sad thing is that there is no difference on the interpersonal level. It is just that companies must comply with their respective laws.
Hence, Microsoft, Google, AWS, and any other US provider cannot legally provide sovereign cloud services. In a strict legal sense, Microsoft and Google cannot absolutely guarantee that they can completely insulate EU companies and citizens from all US law enforcement requests for data, despite their robust efforts and sovereign cloud offerings. This is because they are US companies, subject to US law and US jurisdiction. The CLOUD Act and FISA Section 702 compel US companies to comply.
Moreover, there is the nature of sovereign cloud offerings:
And lastly, there are the legal challenges to the EU Data Privacy Framework (DPF).
This all means that, while the cloud providers are doing everything they can (and I'm assuming they are acting in good faith), the fact that they are US entities means that they are subject to all US legislation and executive orders. And we cannot trust this last part. Again, this is why the EU is pursuing its digital sovereignty initiatives and why some highly sensitive EU public sector entities are gravitating towards truly EU-owned and operated cloud solutions.
If your provider goes bankrupt, you do not have a leg to stand on. Most jurisdictions, including the EU and US, have the following elements regarding bankruptcy:
Automatic Stay: Upon a bankruptcy filing (in most jurisdictions, including the US and EU), an “automatic stay” is immediately imposed. This is a court order that stops most collection activities against the debtor. For you as a customer, this can mean you might be prevented from:
Debtor's Estate and Creditor Priority
So, while I understand the wait-and-see stance in regard to exit plans, given where we are, it is, in my opinion, the wrong thing to do. Companies must make actionable exit plans and prepare beforehand for the exit. That means that you have to:
If you want more detailed steps on how to get there, feel free to contact me.
This blueprint can help you:
This blueprint will help you achieve a single view of your most important data assets by following our two-phase methodology:
This tool will help you determine if your organization has a master data problem and if an MDM project should be undertaken.
The tool will help you identify the sources of data within the business unit and use the typical properties of master data to determine which data should be classified as master data.
The template will help you communicate your organization's specific pains surrounding poor management of master data and identify and communicate the benefits of effective MDM. Communicate Info-Tech's approach for creating an effective MDM practice and platform.
The project charter will help you document the project sponsor. Identify purpose, goals, and objectives. Identify the project risks. Build a cross-functional project team and assign responsibilities. Define project team expectations and meeting frequency. Develop a timeline for the project with key milestones. Identify metrics for tracking success. Receive approval for the project.
This template will assist you:
The master data management practice pattern describes the core capabilities, accountabilities, processes, essential roles, and the elements that provide oversight or governance of the practice, all of which are required to deliver on high value services and deliverables or output for the organization.
This template will assist you:
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Identification of MDM and why it is important.
Differentiate between reference data and master data.
Discuss and understand the key challenges and pains felt by the business and IT with respect to master data, and identify the opportunities MDM can provide to the business.
Identification of what is and is not master data.
Understand the value of MDM and how it can help the organization better monetize its data.
Knowledge of how master data can benefit both IT and the business.
1.1 Establish business context for master data management.
1.2 Assess the value, benefits, challenges, and opportunities associated with MDM.
1.3 Develop the vision, purpose, and scope of master data management for the business.
1.4 Identify MDM enablers.
1.5 Interview business stakeholders.
High-level data requirements
Identification of business priorities
Project vision and scope
Recognize business drivers for MDM.
Determine where master data lives and how this data moves within the organization.
Streamline business process, map the movement of data, and achieve a common understanding across the company.
Identify the source of master data and what other systems will contribute to the MDM system.
2.1 Evaluate the risks and value of critical data.
2.2 Map and understand the flow of data within the business.
2.3 Identify master data sources and users.
2.4 Document the current architectural state of the organization.
Data flow diagram with identified master data sources and users
Business data glossary
Documented current data state.
Document the target data state of the organization surrounding MDM.
Identify key initiatives and metrics.
Recognition of four MDM implementation styles.
Identification of key initiatives and success metrics.
3.1 Document the target architectural state of the organization.
3.2 Develop alignment of initiatives to strategies.
3.3 Consolidate master data management initiatives and strategies.
3.4 Develop a project timeline and define key success measures.
Documented target state surrounding MDM.
Data and master data management alignment and strategies
Get a clear picture of what the organization wants to get out of MDM.
Identify master data management capabilities, accountabilities, process, roles, and governance.
Prioritized master data management capabilities, accountabilities, process, roles, and governance.
4.1 Identify master data management capabilities, roles, process, and governance.
4.2 Build a master data management practice and platform.
Master Data Management Practice and Platform
The most crucial and shared data assets inside the firm must serve as the foundation for the data maturing process. This is commonly linked to your master data (such as customers, products, employees, and locations). Every organization has master data, but not every organization has a master data problem. Don't waste time or resources before determining the source of your master data problem. Master data issues are rooted in the business practices of your organization (such as mergers and acquisitions and federated multi-geographic operations). To address this issue, you will require a master data management (MDM) solution and the necessary architecture, governance, and support from very senior champions to ensure the long-term success of your MDM initiative. Approaching MDM with a clear blueprint that provides a step-by-step approach will aid in the development of your MDM practice and platform.
Ruyi Sun
Rajesh Parab
| Your Challenge | Common Obstacles | Info-Tech’s Approach |
|---|---|---|
| Your organization is experiencing data challenges, including: | MDM is useful in situations such as a business undergoing a merger or acquisition, where a unique set of master data needs to be created to act as a single source of truth. However, having a unified view of the definitions and systems of record for the most critical data in your organization can be difficult to achieve. An organization might experience some pain points: | |
Info-Tech Insight
Everybody has master data (e.g. customer, product) but not a master data problem (e.g. duplicate customers and products). MDM is complex in practice and requires investments in data governance, data architecture, and data strategy. Identifying business outcomes based on quality master data is essential before you pull the trigger on an MDM solution.
Info-Tech’s Data Management Framework Adapted from DAMA-DMBOK and Advanced Knowledge Innovations Global Solutions. See Create a Data Management Roadmap blueprint for more information.
| Customer Intimacy | Innovation Leadership | Risk Management | Operational Excellence |
|---|---|---|---|
| Improve marketing and the customer experience by using the right data from the system of record to analyze complete customer views of transactions, sentiments, and interactions. | Gain insights on your products, services, usage trends, industry directions, and competitor results, and use these data artifacts to support decisions on innovations, new products, services, and pricing. | Maintain more transparent and accurate records and ensure that appropriate rules are followed to support audit, compliance, regulatory, and legal requirements. Monitor data usage to avoid fraud. | Make sure the right solution is delivered rapidly and consistently to the right parties for the right price and cost structure. Automate processes by using the right data to drive process improvements. |
| 85% of customers expect consistent interactions across departments (Salesforce, 2022). | Top-decile economic performers are 20% more likely to have a common source of data that serves as the single source of truth across the organization compared to their peers (McKinsey & Company, 2021). | Only 6% of board members believe they are effective in managing risk (McKinsey & Company, 2018). | 32% of sales and marketing teams consider data inconsistency across platforms as their biggest challenge (Dun & Bradstreet, 2022). |
On average, 25 different data sources are used for generating customer insights and engagement.
On average, 16 different technology applications are used to leverage customer data.
Source: Deloitte Digital, 2020
Changes in business process often come with challenges for CIOs and IT leaders. From an IT perspective, there are several common business operating models that can result in multiple sets of master data being created and held in various locations. Some examples could be:
In such situations, implementing an MDM solution helps achieve harmonization and synchronization of master data and provide a single, reliable, and precise view of the organization. However, MDM is a complex system that requires more than just a technical solution. An organization might experience the following pain points:
Building a successful MDM initiative can be a large undertaking that takes some preparation before starting. Understanding the fundamental roles that data governance, data architecture, and data strategy play in MDM is essential before the implementation.
“Only 3 in 10 of respondents are completely confident in their company's ability to deliver a consistent omnichannel experience.”
Source: Dun & Bradstreet, 2022
Overarching insight
Everybody has master data (e.g. customer, product) but not a master data problem (e.g. duplicate customers and products). MDM is complex in practice and requires investments in data governance, data architecture, and data strategy. Figuring out what the organization needs out of its master data is essential before you pull the trigger on an MDM solution.
Phase 1 insight
A master data management solution will assist you in solving master data challenges if your organization is large or complex, such as a multinational corporation or a company with multiple product lines, with frequent mergers and acquisitions, or adopting a digital transformation strategy such as omnichannel.
Organizations often have trouble getting started because of the difficulty of agreeing on the definition of master data within the enterprise. Reference data is an easy place to find that common ground.
While the organization may have data that fits into more than one master data domain, it does not necessarily need to be mastered. Determine what master data entities your organization needs.
Although it is easy to get distracted by the technical aspects of the MDM project – such as extraction and consolidation rules – the true goal of MDM is to make sure that the consumers of master data (such as business units, sales) have access to consistent, relevant, and trusted shared data.
Phase 2 insight
An organization with activities such as mergers and acquisitions or multi-ERP systems poses a significant master data challenge. Prioritize your master data practice based on your organization’s ability to locate and maintain a single source of master data.
Leverage modern capabilities such as artificial intelligence or machine learning to support large and complex MDM deployments.
| | 1. Build a Vision for MDM | 2. Build an MDM Practice and Platform |
|---|---|---|
| Phase Steps | | |
| Phase Participants | CIO, CDO, or IT Executive; Head of the Information Management Practice; Business Domain Representatives | Enterprise Architecture Domain Architects Information Management MDM Experts Data Stewards or Data Owners |
| Phase Outcomes | This step identifies the essential concepts around MDM, including its definitions, your readiness, and prioritized master data domains. This will ensure the MDM initiatives are aligned to business goals and objectives. | To begin addressing the MDM project, you must understand your current and target data state in terms of data architecture and data governance surrounding your MDM strategy. With all these considerations in mind, design your organizational MDM practice and platform. |
Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:
1. MDM Readiness Assessment Tool
2. Business Needs Assessment Tool
3. Business Case Presentation Template
4. Project Charter Template
5. Architecture Design Template
6. MDM Practice Pattern Template
7. MDM Platform Template
Define the intentional relationships between the business and the master data through a well-thought-out master data platform and practice.
In phase 1 of this blueprint, we will help you establish the business context and master data needs.
In phase 2, we will help you document the current and target state of your organization and develop a practice and platform so that master data is well managed to deliver on those defined metrics.
| Sample Metrics | Method of Calculation |
|---|---|
| Master Data Sharing Availability and Utilization | # of Business Lines That Use Master Data |
| Master Data Sharing Volume | # of Master Entities; # of Key Elements, e.g. # of Customers With Many Addresses |
| Master Data Quality and Compliance | # of Duplicate Master Data Records Identified Sources That Contribute to Master Data Quality Issues; # of Master Data Quality Issues Discovered or Resolved; # of Non-Compliance Issues |
| Master Data Standardization/Governance | # of Definitions for Each Master Entity; # of Roles (e.g. Data Stewards) Defined and Created |
| Trust and Satisfaction | Trust Indicator, e.g. Confidence Indicator of Golden Record |
“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”
“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”
“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”
“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”
What does a typical GI on this topic look like?
| Phase 1 | Phase 2 |
|---|---|
| Call #1: Identify master data problem and assess your organizational readiness for MDM. Call #2: Define master data domains and priorities. Call #3: Determine business requirements for MDM. Call #4: Develop a strategic vision for the MDM project. Call #5: Map and understand the flow of data within the business. | Call #6: Document current architectural state. Call #7: Discover the MDM implementation styles and document target architectural state. Call #8: Create MDM data practice and platform. Call #9: Summarize results and plan next steps. |
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is 8 to 12 calls over the course of 4 to 6 months.
Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889
| | Day 1 | Day 2 | Day 3 | Day 4 | Day 5 |
|---|---|---|---|---|---|
| | Develop a Vision for the MDM Project | Document the | Document the | Develop an MDM Practice and Platform | Next Steps and |
| Activities | | | | | |
| Deliverables | | | | | |
Objectives
1. Build a solid foundation of knowledge surrounding MDM.
2. Recognize MDM problems that the organization faces in the areas of mergers and acquisitions, omnichannel, multi-product line, and multi-ERP setups.
This step involves the following participants:
CIO, CDO, or IT Executive
Head of Information Management
Outcomes of this step
An understanding of master data, MDM, and the prerequisites necessary to create an MDM program.
Determine if there is a need for MDM in the organization.
Info-Tech analyzes the value of data through the lenses of its four distinct classes: Master, Transactional, Operational, and Reference.
| Master | Transactional | Operational | Reference |
|---|---|---|---|
| | | | |
Organizational buy-in
Understanding the existing data environment
Before starting to look at technology solutions, make sure you have organizational buy-in and an understanding of the existing data environment. These two prerequisites are the foundation for MDM success.
MDM can be approached in two ways: analytical and operational.
Think of it in the context of your own organization:
An investment in MDM will improve the opportunities for using the organization’s most valuable data assets, including opportunities like:
9.5% of revenue was at risk when bad experiences were offered to customers.
In a survey of nearly 17,000 consumers and business buyers, 85% of customers expect consistent interactions across departments.
Yet, 60% of customers say it generally feels like sales, service, and marketing teams do not share information.
What is a business without the customer? Positive customer service experience drives customer retention, satisfaction, and revenue growth, and ultimately, determines the success of the organization. Effective MDM can improve customer experiences by providing consistent interactions and the ability to meet customer expectations.
61% of customers say they would switch to a competitor after just one bad customer service experience.
Mergers and acquisitions (M&A)
M&A involves activities related to the consolidation of two companies. From IT’s perspective, whether the organization maintains different IT systems and applications in parallel or undergoes a data integration process, it is common to have multiple instances of the same customer or product entity across different systems between companies, leading to incomplete, duplicate, and conflicting data sets. The organization may face challenges in both operational and analytical aspects. For many, the objective is to create a list of master data to have a single view of the organization.
Multiple-instance ERP or multinational organizations
Multiple-instance ERP solutions are commonly used by businesses that operate globally to accommodate each country’s needs or financial systems (Brightwork Research). With MDM, having a single source of truth could be a great advantage for certain business units that collaborate globally, for example by sharing inventory coding systems to allow common identity and productive resource allocation, and by sharing customer information for analytical purposes.
Multiple product lines of business
One example of a firm that sells multiple product lines is Nike, whose product lines include footwear, clothing, and equipment. Keeping track of many product lines is a constant challenge for organizations in terms of inventory management, vendor databases, and tracking systems. The ability to track and maintain your product data accurately and consistently is crucial for a successful supply chain (whether in a warehouse, distribution center, or retail office), which leads to improved customer satisfaction and increased sales.
Info-Tech Insight
A master data management solution will assist you in solving master data challenges if your organization is large or complex such as a multinational corporation or a company with multiple product lines, frequent mergers and acquisitions, or adopting a digital transformation strategy such as omnichannel.
Omnichannel
In the e-commerce and retail industry, omnichannel means a business strategy that offers seamless shopping experiences across all channels, such as in-store, mobile, and online (Oracle). This also means the company needs to provide consistent information on orders, inventory, pricing, and promotions to customers and keep the customer records up to date. The challenges of omnichannel include having to synchronize data across channels and systems such as ERP, CRM, and social media. MDM supports a successful omnichannel strategy by providing the same source of truth across business functions and channels.
30 Minutes

Download the MDM Readiness Assessment Tool
| Input | Output |
|---|---|
| | |
| Materials | Participants |
| | |
Identify the Master Data Domains
Objectives
Determine which data domain contains the most critical master data in the organization for an MDM strategy.
This step involves the following participants:
Business Domain Representatives
Data Stewards or Data Owners
Information Management Team
Outcomes of this step
Determine the ideal data domain target for the organization based on where the business is experiencing the largest pains related to master data and where it will see the most benefit from MDM.
Info-Tech Insight
Organizations often have trouble getting started because of the difficulty of agreeing on the definition of master data within the enterprise. Reference data is an easy place to find that common ground.
A successful implementation of MDM depends on the careful selection of the data element to be mastered. As departments often have different interests, establishing a standard set of data elements can lead to a lot of discussion. When selecting what data should be considered master data, consider the following:
Begin by documenting the existing data sources within the organization.
Use Info-Tech’s Master Data Management Business Needs Assessment Tool to determine master data sources.
Info-Tech Insight
While the organization may have data that fits into more than one master data domain, it does not necessarily need to be mastered. Determine what master data entities your organization needs.
More perspectives to consider and define which data is your master data.
| Internally Created Entities | Externally Created Entities | Large Non-Recurring Transactions | Categories/Relationships/Hierarchies/Aggregational Patterns |
|---|---|---|---|
| | | | |
Parties
Product
Financial
Locations
Single Domain vs. Multi-Domain
2 hours
Use the Master Data Management Business Needs Assessment Tool to assist you in determining the master data domains present in your organization and the suggested domain(s) for your MDM solution.
Download the MDM Business Needs Assessment Tool
| Input | Output |
|---|---|
| | |
| Materials | Participants |
| | |
Objectives
1. Understand the true goal of MDM – ensuring that the needs of the master data users in the organization are fulfilled.
2. Create a plan to obtain organizational buy-in for the MDM initiative.
3. Organize and officialize your project by documenting key metrics, responsibilities, and goals for MDM.
This step involves the following participants:
CEO, CDO, or CIO
Business Domain Representatives
Information Management Team
Outcomes of this step
Obtain business buy-in and direction for the MDM initiative.
Create the critical foundation plans that will guide you in evaluating, planning, and implementing your immediate and long-term MDM goals.
Make sure the whole organization is involved throughout the project.
Keep the priorities of the users of master data at the forefront of your MDM initiative.
Info-Tech Insight
Although it is easy to get distracted by the technical aspects of the MDM project – such as extraction and consolidation rules – the true goal of MDM is to make sure that the consumers of master data (such as business units, sales reps) have access to consistent, relevant, and trusted shared data.
1 hour
Instructions
Tactical Tips
| Input | Output |
|---|---|
| | |
| Materials | Participants |
| | |
Info-Tech Insight
Prevent the interviews from being just a venue for the business to complain about data: open the discussion by having them share current concerns, then focus the second half on what they would like to do with data and how they see master data assets supporting their strategic plans.
MDM exists to enable the success of the organization as a whole, not just as a technology venture. To be successful in the MDM initiative, IT must understand how MDM will help the critical aspects of the business. Likewise, the business must understand why it is important to them to ensure long-term support of the project.
“If an organization only wants to look at MDM as a tech project, it will likely be a failure. It takes a very strong business and IT partnership to make it happen.”
– Julie Hunt, Software Industry Analyst, Hub Designs Magazine
1-2 hours
Objectives
| Input | Output |
|---|---|
| | |
| Materials | Participants |
| | |
Download the MDM Business Case Presentation Template
Use this master document to centralize the critical information regarding the objectives, staffing, timeline, budget, and expected outcome of the project.
1. MDM Vision and Mission
Overview
Define the value proposition behind addressing master data strategies and developing the organization's master data management practice.
Consider
Why is this project critical for the business?
Why should this project be done now, instead of delayed further down the road?
2. Goals or Objectives
Overview
Your goals and objectives should be practical and measurable. Goals and objectives should be mapped back to the reasons for MDM that we identified in the Executive Brief.
Example Objectives
Align the organization’s IT and business capabilities in MDM to the requirements of the organization’s business processes and the data that supports it.
3. Expected Outcomes
Overview
Master data management as a concept can change based on the organization, with definitions and expectations varying heavily between individuals. Ensure alignment at the outset of the project by outlining and attaining agreement on the expectations and expected outcomes (deliverables) of the project.
Recommended Outcomes
Outline of an action plan
Documented data strategies
4. Outline of Action Plan
Overview
Document the plans for your project in the associated sections of the project charter to align with the outcomes and deliverables associated with the project. Use the sample material in the charter and the “Develop Your Timeline for the MDM Project” section to support developing your project plans.
Recommended Project Scope
Align the master data management plan with the business.
Document current and future architectural state of MDM.
Download the MDM Project Charter Template
5. Identify the Resourcing Requirements
Overview
Create a project team that has representation of both IT and the business (this will help improve alignment and downstream implementation planning).
Business Roles to Engage
Data owners (for subject area data)
Data stewards who are custodians of business data (related to subject areas evaluated)
Data scientists or other power users who are heavy consumers of data
IT Roles to Engage
Data architect(s)
Any data management professionals who are involved in modeling data, managing data assets, or supporting the systems in which the data resides.
Database administrators or data warehousing architects with a deep knowledge of data operations.
Individuals responsible for data governance.
Objectives
1. Understand roles that data strategy, data governance, and data architecture play in MDM.
2. Document the organization’s current data state for MDM.
This step involves the following participants:
Data Stewards or Data Custodians
Data or Enterprise Architect
Information Management Team
Outcomes of this step
Document the organization’s current data state, understanding the business processes and movement of data across the company.
For more information, see Info-Tech Research Group’s Establish Data Governance blueprint.
Regardless of the maturity of the organization or the type of MDM project being undertaken, all three representatives must be present and independent. Effective communication between them is also necessary.
| Technology Representative | Governance Representative | Business Representative |
|---|---|---|
| Role ensures: | Role ensures: | Role ensures: |
The following roles need to be created and maintained for effective MDM:
Data Owners are accountable for:
Data Stewards are responsible for:
Match-Merge Rules vs. Match-Link Rules
Match-Merge Rules
Match-Link Rules
Data quality is directly impacted by architecture.
Before designing the MDM architecture, consider:
“Having an architectural oversight and reference model is a very important step before implementing the MDM solutions.”
– Selwyn Samuel, Director of Enterprise Architecture
2-3 hours
Populate the template with your current organization's data components and the business flow that forms the architecture.
Think about the source of master data and what other systems will contribute to the MDM system.
| Input | Output |
|---|---|
| | |
| Materials | Participants |
| | |
Download the MDM Architecture Design Template ArchiMate file
Objectives
1. Understand four implementation styles for MDM deployments.
2. Document target MDM implementation systems.
This step involves the following participants:
Data Stewards or Data Custodians
Data or Enterprise Architect
Information Management Team
Outcomes of this step
Document the organization’s target architectural state surrounding MDM, identifying the specific MDM implementation style.
Understanding the data sources present in the organization and how the business organizes and uses this data is critical to implementing a successful MDM strategy.
Operational MDM
Analytical MDM
Discovery of master data is the same for both approaches, but the end use is very different.
The approaches are often combined by technologically mature organizations, but analytical MDM is generally more expensive due to increased complexity.
Info-Tech Research Group’s Reference MDM Architecture uses a top-down approach.
A top-down approach shows the interdependent relationship between layers – one layer of functionality uses services provided by the layers below, and in turn, provides services to the layers above.
The MDM service layers that make up the hub are:
All MDM architectures will contain a system of entry, a system of record, and in most cases, a system of reference. Collectively, these systems identify where master data is authored and updated and which databases will serve as the authoritative source of master data records.
| System of Entry (SOE) | System of Record (SOR) | System of Reference (SORf) |
|---|---|---|
| Any system that creates master data. It is the point in the IT architecture where one or more types of master data are entered. For example, an enterprise resource planning (ERP) application is used as a system of entry for information about business entities like products (product master data) and suppliers (supplier master data). | The system designated as the authoritative data source for enterprise data. The true system of record is the system responsible for authoring and updating master data and this is normally the SOE. An ideal MDM system would contain and manage a single, up-to-date copy of all master data. This database would provide timely and accurate business information to be used by the relevant applications. In these cases, one or more SOE applications (e.g. customer relationship management or CRM) will be declared the SOR for certain types of data. The SOR can be made up of multiple physical subsystems. | A replica of master data that can be synchronized with the SOR(s). It is updated regularly to resolve discrepancies between data sets, but will not always be completely up to date. Changes in the SOR are typically batched and then transmitted to the SORf. When a SORf is implemented, it acts as the authoritative source of enterprise data, given that it is updated and managed relative to the SOR. The SORf can only be used as a read-only source for data consumers. |
These styles are complementary and offer increasing functionality; however, organizations do not need to start with consolidation.
| | Consolidation | Registry | Coexistence | Transactional |
|---|---|---|---|---|
| What It Means | The MDM is a system of reference (application systems serve as the systems of record). Data is created and stored in the applications and sent (generally in batch mode) to a centralized MDM system. | The MDM is a system of reference. Master data is created and stored in the application systems, but key master data identifiers are linked with the MDM system, which allows a view of master data records to be assembled. | The MDM is a system of reference. Master data is created and stored in application systems; however, an authoritative record of master data is also created (through matching) and stored in the MDM system. | The MDM is a genuine source of record. All master data records are centrally authored and materialized in the MDM system. |
| Use Case | This style is ideal for: | This style is ideal for: | This style is ideal for: | This style is ideal for: |
| Method of Use | Analytical | Operational | Analytical, operational, or collaborative | Analytical, operational, or collaborative |
Master data is created and stored in application systems and then placed in a centralized MDM hub that can be used for reference and reporting.
Advantages
Disadvantages
Master data is created and stored in applications. Key identifiers are then linked to the MDM system and used as reference for operational systems.
Advantages
Disadvantages
Master data is created and stored in existing systems and then synced with the MDM system to create an authoritative record of master data.
Advantages
Disadvantages
All master data records are materialized in the MDM system, which provides the organization with a single, complete source of master data at all times.
Advantages
Disadvantages
Architecture is not static – it must be able to adapt to changing business needs.
2-3 hours
Populate the template with your target organization’s data architecture.
Highlight new capabilities and components that MDM introduced based on MDM implementation style.
| Input | Output |
|---|---|
| | |
| Materials | Participants |
| | |
Objectives
1. Review Info-Tech’s practice pattern and design your master data management practice.
2. Design your master data management platform.
3. Consider next steps for the MDM project.
This step involves the following participants:
Data Stewards or Data Custodians
Data or Enterprise Architect
Information Management Team
Outcomes of this step
Define the key services and outputs that must be delivered by establishing core capabilities, accountabilities, roles, and governance for the practice and platform.
The master data management practice pattern describes the core capabilities, accountabilities, processes, and essential roles and the elements that provide oversight or governance of the practice, all of which are required to deliver on high-value services and deliverables or output for the organization.
Download the Master Data Management Practice Pattern Template ArchiMate File
Guidelines for designing and establishing your various data practices.
A master data management practice pattern includes key services and outputs that must be delivered by establishing core capabilities, accountabilities, roles, and governance for the practice.
Assumption:
The accountabilities and responsibilities for the master data management practice have been established and assigned to a practice lead.
Info-Tech Insight
An organization with heavy merger and acquisition activity poses a significant master data challenge. Prioritize your master data practice based on your organization’s ability to locate and maintain a single source of master data.
4.1 Define services and accountabilities
4.2 Define processes and deliverables by stakeholder
4.3 Design practice operating model
4.4 Perform skills inventory and design roles
4.5 Determine practice governance and metrics
4.6 Summarize practice capabilities
Download and Update:
Process Template: MDM Conflict Resolution
The operating model is a visualization of how MDM commonly operates and the value it brings to the organization. It illustrates the master data flow, which works from left to right, from source system to consumption layer. Another important component of the model is the business data glossary, which is part of your data governance plan, to define terminology and master data’s key characteristics across business units.
An MDM platform should include certain core technical capabilities:
Other requirements may include:
Info-Tech Research Group’s MDM platform summarizes an organization’s data environment and the technical capabilities that should be taken into consideration for your organization's MDM implementation.
2-3 hours
Instructions
Download the Master Data Management Platform Template.
The platform is not static. Adapt the template to your own needs based on your target data state, required technical capabilities, and business use cases.
| Input | Output |
|---|---|
| | |
| Materials | Participants |
| | |
Download the MDM Platform Template
There are several deployment options for MDM platforms; pick the one best suited to the organization’s business needs:
| On-Premises Solutions | Cloud Solutions | Hybrid Solutions | Embrace the technology |
|---|---|---|---|
| MDM has traditionally been an on-premises initiative. On-premises solutions have typically had different instances for various divisions. On-premises solutions offer interoperability and consistency. Many IT teams of larger companies prefer an on-premises implementation. They want to purchase a perpetual MDM software license, install it on hardware systems, configure and test the MDM software, and maintain it on an ongoing basis. | Cloud MDM solutions can be application-specific or platform-specific, which involves using a software platform or web-based portal interface to connect internal and external data. Cloud is seen as a more cost-effective MDM solution as it doesn’t require a large IT staff to configure the system and can be paid for through a monthly subscription. Because many organizations are averse to storing their master data outside of their firewalls, some cloud MDM solutions manage the data where it resides (either software as a service or on-premises), rather than maintaining it in the cloud. | The MDM system resides both on premises and in the cloud. As many organizations have some applications on premises and others in the cloud, having a hybrid MDM solution is a realistic option for many. MDM can be leveraged from either on-premises or cloud solutions, depending on the current needs of the organization. | |
Info-Tech Insight
Leverage modern capabilities such as AI and ML to support large and complex MDM deployments.
Build Your Data Quality Program
Build a Data Architecture Roadmap
Create a Data Management Roadmap
Build a Robust and Comprehensive Data Strategy
Build Your Data Practice and Platform
Authors:
| Name | Position | Company |
|---|---|---|
| Ruyi Sun | Research Specialist, Data & Analytics | Info-Tech Research Group |
| Rajesh Parab | Research Director, Data & Analytics | Info-Tech Research Group |
Contributors:
| Name | Position | Company |
|---|---|---|
| Selwyn Samuel | Director of Enterprise Architecture | Furniture manufacturer |
| Julie Hunt | Consultant and Author | Hub Designs Magazine and Julie Hunt Consulting |
| David Loshin | President | Knowledge Integrity Inc. |
| Igor Ikonnikov | Principal Advisory Director | Info-Tech Research Group |
| Irina Sedenko | Advisory Director | Info-Tech Research Group |
| Anu Ganesh | Principal Research Director | Info-Tech Research Group |
| Wayne Cain | Principal Advisory Director | Info-Tech Research Group |
| Reddy Doddipalli | Senior Workshop Director | Info-Tech Research Group |
| Imad Jawadi | Senior Manager, Consulting | Info-Tech Research Group |
| Andy Neill | Associate Vice President | Info-Tech Research Group |
| Steve Wills | Practice Lead | Info-Tech Research Group |
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Diverse teams are necessary to foster creativity and guide business strategies. Overcome limitations by recruiting people of color and creating a diverse workforce.
Underrepresented employees benefit from an expansive culture. Create an inclusive environment and retain people of color and promote value within your organization.
Introduce challenges and concerns around recruiting and retaining people of color.
Gain a sense of direction.
1.1 Introduction to diversity conversations.
1.2 Assess areas to focus on and determine what is right, wrong, missing, and confusing.
1.3 Obtain feedback from your team about the benefits of working at your organization.
1.4 Establish your employee value proposition (EVP).
1.5 Discuss and establish your recruitment goals.
Current State Analysis
Right, Wrong, Missing, Confusing Quadrant
Draft EVP
Recruitment Goals
Identify areas in your current recruitment process that are preventing you from hiring people of color.
Establish a plan to make improvements.
Optimized recruitment process
2.1 Brainstorm and research community partners.
2.2 Review current job descriptions and equity statement.
2.3 Update job description template and equity statement.
2.4 Set team structure for interview and assessment.
2.5 Identify decision-making structure.
List of community partners
Updated job description template
Updated equity statement
Interview and assessment structure
Behavioral Question Library
Create a plan for an inclusive culture where your managers are supported.
Awareness of how to better support employees of color.
3.1 Discuss engagement and belonging.
3.2 Augment your onboarding materials.
3.3 Create an inclusive culture plan.
3.4 Determine how to support your management team.
List of onboarding content
Inclusive culture plan
Management support plan
Establish mechanisms to gain feedback from your employees and act on them.
Finalize the plan to create your diverse and inclusive workforce.
4.1 Ask and listen: determine what to ask your employees.
4.2 Create your roadmap.
4.3 Wrap-up and next steps.
List of survey questions
Roadmap
Completed support plan
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
This blueprint helps you develop an approach to understand your low- and no-code challenges and priorities and to shortlist, govern, and manage the right low- and no-code tools.
This template narrates a story to describe the need and expectations of your low- and no-code initiative to get buy-in from stakeholders and interested parties.
Understand the personas of your low- and no-code users and their needs.
List the challenges low- and no-code is designed to solve or the opportunities you hope to exploit.
Identify the low- and no-code tools to address your needs.
Level set expectations on what low- and no-code can deliver.
Identify areas where low- and no-code can be the most beneficial.
Select the tools to best address your problem and opportunities.
1.1 Profile your digital end users
1.2 Set reasonable expectations
1.3 List your use cases
1.4 Shortlist your tools
Digital end-user skills assessment
Low- and no-code objectives and metrics
Low- and no-code use case opportunities
Low- and no-code tooling shortlist
Optimize your product delivery process to accommodate low- and no-code.
Review and improve your product delivery and management governance model.
Discuss how to improve your low- and no-code capacities.
Encourage business-IT collaborative practices and improve IT’s reputation.
Shift the right accountability and ownership to the business.
Equip digital end users with the right skills and competencies.
2.1 Adapt your delivery process
2.2 Transform your governance
2.3 Identify your low- and no-code capacities
Low- and no-code delivery process and guiding principles
Low- and no-code governance, including roles and responsibilities, product ownership and guardrails
List of low- and no-code capacity improvements
Design a CoE and/or CoP to support low- and no-code capabilities.
Build a roadmap to illustrate key low- and no-code initiatives.
Ensure coordinated, architected, and planned implementation and adoption of low- and no-code consistently across the organization.
Reaffirm support for digital end users new to low- and no-code.
Clearly communicate your approach to low- and no-code.
3.1 Support digital end users and facilitate cross-functional sharing
3.2 Yield results with a roadmap
Low- and no-code supportive body design (e.g. center of excellence, community of practice)
Low- and no-code roadmap
Oh, you thought you were alone in facing some embarrassing moments? I can reassure you; you are not. Most companies face a myriad of issues with their IT. The key is to manage them to support your business efficiently.
Business and IT leaders aiming to recruit and select the best talent need to:
To create a great candidate experience, IT departments must be involved in the process at key points; recruitment and selection is not a job for HR alone!
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Train your IT department to get involved in the recruitment process to attract and select the best talent.
Use this tool in conjunction with the Improve Your IT Recruitment Process blueprint to document your action plans.
To get useful information from an interview, the interviewer should be focused on what candidates are saying and how they are saying it, not on what the next question will be, what probes to ask, or how they will score the responses. This Interview Guide Template will help interviewers stay focused and collect good information about candidates.
Hiring managers can choose from a comprehensive collection of core, functional, and leadership competency-based behavioral interview questions.
Use this template to develop a well-written job posting that will attract the star candidates and, in turn, deflect submission of irrelevant applications by those unqualified.
The most innovative technology isn’t necessarily the right solution. Review talent acquisition (TA) solutions and evaluate the purpose each option serves in addressing critical challenges and replacing critical in-person activities.
Establish the employee value proposition (EVP) and employer brand.
Have a well-defined EVP that you communicate through your employer brand.
1.1 Gather feedback.
1.2 Build key messages.
1.3 Assess employer brand.
Content and themes surrounding the EVP
Draft EVP and supporting statements
A clearer understanding of the current employer brand and how it could be improved
Develop job postings and build a strong sourcing program.
Create the framework for an effective job posting and analyze existing sourcing methods.
2.1 Review and update your job ads.
2.2 Review the effectiveness of existing sourcing programs.
2.3 Review job ads and sourcing methods for bias.
Updated job ad
Low usage sourcing methods identified for development
Minimize bias present in ads and sourcing methods
Create a high-quality interview process to improve candidate assessment.
Training on being an effective interviewer.
3.1 Create an ideal candidate scorecard.
3.2 Map out your interview process.
3.3 Practice behavioral interviews.
Ideal candidate persona
Finalized interview and assessment process
Practice interviews
Drive employee engagement and retention with a robust program that acclimates, guides, and develops new hires.
Evaluation of current onboarding practice.
4.1 Evaluate and redesign the onboarding program.
Determine new onboarding activities to fill identified gaps.
Follow this blueprint to:
Effective Interviewing
Onboarding: Setting up New Hires For Success
| Awareness | → | Research | → | Application | → | Screening | → | Interview and Assessment | → | Follow Up | → | Onboarding |
Talent is a priority for the entire organization:
Respondents rated “recruitment” as the top issue facing organizations today (McLean & Company 2022 HR Trends Report).
37% of IT departments are outsourcing roles to fill internal skill shortages (Info-Tech Talent Trends 2022 Survey).
Yet bad hires are alarmingly common:
Hiring is one of the least successful business processes, with three-quarters of managers reporting that they have made a bad hire (Robert Half, 2021).
48% of survey respondents stated improving the quality of hires was the top recruiting priority for 2021 (Jobvite, 2021).
| | Prework | Day 1 | Day 2 | Day 3 | Day 4 | Post work |
|---|---|---|---|---|---|---|
| | Current Process and Job Descriptions Documented | Establish the Employee Value Proposition (EVP) and Employer Brand | Develop Job Postings and Build a Strong Sourcing Program | Effective Interviewing | Onboarding and Action Planning | Putting the Action Plan Into Action! |
| Activities | | 1.1 Introduce the Concept of an EVP 1.2 Brainstorm Unique Benefits of Working at Your Organization 1.2 Employer Brand Introduction | 2.1 What Makes an Attractive Job Posting 2.2 Create the Framework for Job Posting 2.3 Improve the Sourcing Process 2.4 Review Process for Bias | 3.1 Creating an Interview Process 3.2 Selecting Interview Questions 3.3 Avoiding Bias During Interviews 3.4 Practice Interviews | 4.1 Why Onboarding Matters 4.2 Acclimatize New Hires and Set Them Up for Success 4.3 Action Plan | 5.1 Review Outputs and Select Priorities 5.2 Consult With HR and Senior Management to Get Buy-In 5.3 Plan to Avoid Relapse Behaviors |
| Deliverables | | | | | | |
Develop a strong employee value proposition
The employee value proposition is your opportunity to showcase the unique benefits and opportunities of working at your organization, allowing you to attract a wider pool of candidates.
| AN EMPLOYEE VALUE PROPOSITION IS: | AN EMPLOYEE VALUE PROPOSITION IS NOT: |
|---|---|

THE FOUR KEY COMPONENTS OF AN EMPLOYEE VALUE PROPOSITION

| Rewards | Organizational Elements | Working Conditions | Day-to-Day Job Elements |
|---|---|---|---|
Creating a compelling EVP that presents a picture of your employee experience, with a focus on diversity, will attract a wide pool of diverse candidates to your team. This can lead to many internal and external benefits for your organization.
Existing Employee Value Proposition: If your organization or IT department has an existing employee value proposition, rather than starting from scratch, we recommend leveraging that and moving to the testing phase to see if the EVP still resonates with staff and external parties.
Employee Engagement Results: If your organization does an employee engagement survey, review the results to identify the areas in which the IT organization is performing well. Identify and document any key comment themes in the report around why employees enjoy working for the organization or what makes your IT department a great place to work.
Social Media Sites: Prepare for the good, the bad, and the ugly. Social media websites like Glassdoor and Indeed make it easier for employees to share their experiences at an organization honestly and candidly. While postings on these sites won’t relate exclusively to the IT department, they do invite participants to identify their department in the organization. You can search these to identify any positive things people are saying about working for the organization and potentially opportunities for improvement (which you can use as a starting point in the retention section of this report).
Download the Recruitment Workbook
Examples below.
| Company | EVP |
|---|---|
| Shopify | “We’re Shopify. Our mission is to make commerce better for everyone – but we’re not the workplace for everyone. We thrive on change, operate on trust, and leverage the diverse perspectives of people on our team in everything we do. We solve problems at a rapid pace. In short, we get shit done.” |
| Bettercloud | “At Bettercloud, we have a smart, ambitious team dedicated to delighting our customers. Our culture of ownership and transparency empowers our team to achieve goals they didn’t think possible. For all those on board, it’s going to be a challenging and rewarding journey – and we’re just getting started.” |
| Ellevest | “As a team member at Ellevest, you can expect to make a difference through your work, to have a direct impact on the achievement of a very meaningful mission, to significantly advance your career trajectory, and to have room for fun and fulfillment in your daily life. We know that achieving a mission as critical as ours requires incredible talent and teamwork, and team is the most important thing to us.” |
| INTERNAL TEST REVOLVES AROUND THE 3A’s | EXTERNAL TEST REVOLVES AROUND THE 3C’s |
|---|---|
| ALIGNED: The EVP is in line with the organization’s purpose, vision, values, and processes. Ensure policies and programs are aligned with the organization’s EVP. | CLEAR: The EVP is straightforward, simple, and easy to understand. Without a clear message in the market, even the best intentioned EVPs can be lost in confusion. |
| ACCURATE: The EVP is clear and compelling, supported by proof points. It captures the true employee experience, which matches the organization’s communication and message in the market. | COMPELLING: The EVP emphasizes the value created for employees and is a strong motivator to join this organization. A strong EVP will be effective in drawing in external candidates. The message will resonate with them and attract them to your organization. |
| ASPIRATIONAL: The EVP inspires both individuals and the IT organization as a whole. Identify and invest in the areas that are sure to generate the highest returns for employees. | COMPREHENSIVE: The EVP provides enough information for the potential employee to understand the true employee experience and to self-assess whether they are a good fit for your organization. If the EVP lacks depth, the potential employee may have a hard time understanding the benefits and rewards of working for your organization. |
Market your EVP to potential candidates: Employer Brand
The employer brand is the perception internal and external stakeholders hold of the organization and exists whether it has been curated or not. Curating the employer brand involves marketing the organization and employee experience. Grounding your employer brand in your EVP enables you to communicate and market an accurate portrayal of your organization and employee experience and make you desirable to both current and potential employees.
Employee value proposition: The unique offering an employer provides to employees in return for their effort, motivating them to join or remain at the organization.
Employer brand: The perception internal and external stakeholders hold of the organization.
Alignment between the EVP, employer brand, and corporate brand is the ideal branding package. An in-sync marketing strategy ensures stakeholders perceive and experience the brand the same way, creating brand ambassadors.
How you present your employer brand is just as important as the content. Ideally, you want the viewer to connect with and personalize the material for the message to have staying power. Use Marketing’s expertise to help craft impactful promotional materials to engage and excite the viewer.
Visuals
Images are often the first thing viewers notice. Use visuals that connect to your employer brand to engage the viewer’s attention and increase the likelihood that your message will resonate. However, if there are too many visuals this may detract from your content – balance is key!
Language
Wordsmithing is often the most difficult aspect of marketing. Your message should be accurate, informative, and engaging. Work with Marketing to ensure your wording is clever and succinct – the more concise, the better.
Composition
Integrate visuals and language to complete your marketing package. Ensure that the text and images are balanced to draw in the viewer.
This case study is happening in real time. Please check back to learn more as Goddard continues to recruit for the position.
Goddard Space Center is the largest of NASA’s space centers with approximately 11,000 employees. It is currently recruiting for a senior technical role for commercial launches. The position requires consulting and working with external partners and vendors.
NASA is a highly desirable employer due to its strong culture of inclusivity, belonging, teamwork, learning, and growth. Its culture is anchored by a compelling vision, “For the betterment of Humankind,” and amplified by a strong leadership team that actively lives their mission and vision daily.
Firsthand lists NASA as #1 on the 50 most prestigious internships for 2022.
The position is in a rural area of Eastern Shore Virginia with a population of approximately 60,000 people, which translates to a small pool of candidates. Any hire from outside the area will be expected to relocate as the senior technician must be onsite to support launches twice a month. Financial relocation support is not offered and the position is a two-year assignment with the option of extension that could eventually become permanent.
“Looking for a Talent Unicorn: a qualified, experienced candidate with both leadership skills and deep technical expertise that can grow and learn with emerging technologies.”
Steve Thornton
Acting Division Chief, Solutions Division, Goddard Space Flight Center, NASA
Culture takes the lead in NASA's job postings, which attract a high number of candidates. Postings begin with a link to a short video on working at NASA, its history, and how it lives its vision. The video highlights NASA's diversity of perspectives, career development, and learning opportunities.
NASA's company brand and employer brand are tightly intertwined, providing a consistent view of the organization.
The employer vision is presented in the best place to reach NASA's ideal candidate: usajobs.gov, the official website of the United States Government and the “go-to” for government job listings. NASA also extends its postings to other generic job sites as well as LinkedIn and professional associations.
Interview with Robert Leahy
Chief Information Officer, Goddard Space Flight Center, NASA
You can use sites like:
Create engaging job ads to attract talent to the organization
A job description is an internal document that includes sections such as general job information, major responsibilities, key relationships, qualifications, and competencies. It communicates job expectations to incumbents and key job data to HR programs.
A job ad is an externally facing document that advertises a position with the intent of attracting job applicants. It contains key elements from the job description as well as information on the organization and its EVP.
A job description informs a job ad, it doesn’t replace it. Don’t be lulled into using a job description as a posting when there’s a time crunch to fill a position. Refer to job postings as job advertisements to reinforce that their purpose is to attract attention and talent.
| Position Title | |
|---|---|
| Company | |
| Summary Description | |
| Responsibilities | |
| Position Characteristics | |
| Position Requirements | |
| Work Conditions | |
| Process to Apply | |
Bottom Line: A truly successful job posting ferrets out those hidden stars that may be overcautious and filters out hundreds of applications from the woefully underqualified.
- DON’T overlook the power of words. Avoid phrases like “strong English language skills” as this may deter non-native English speakers from applying and a “clean-shaven” requirement can exclude candidates whose faith requires them to maintain facial hair.
- DON’T post a long requirements list. A study showed that the average jobseeker spends only 49.7 seconds reviewing a listing before deciding it's not a fit.
- DON’T present a toxic work culture; phrases such as “work hard, play hard” can put off many candidates and play into the “bro-culture” stereotype in tech.

Position Title: Senior Lorem Ipsum
Salary Band: $XXX to $XXX
Diversity is a core value at ACME Inc. We believe that diversity and inclusion is our strength, and we’re passionate about building an environment where all employees are valued and can perform at their best.
As a … you will …
Our ideal candidate ….
Required Education and Experience
Required Skills
Preferred Skills
At ACME Inc. you will find …

- DO promote pay equity by being up front and honest about salary expectations.
- DO emphasize your organization’s commitment to diversity and an inclusive workplace by adding an equity statement.
- DO limit your requirements to “must haves” or at least showcase them first before the “nice-to-haves.”
- DO involve current employees or members of your employee resource groups when creating job descriptions to ensure that they ask for what you really need.
- DO focus on company values and criteria that are important to the job, not just what’s always been done.
| ☑ | Does the job posting highlight your organization’s EVP? |
| ☐ | Does the job posting avoid words that might discourage women, people of color, and other members of underrepresented groups from applying? |
| ☑ | Has the position description been carefully reviewed and revised to reflect current and future expectations for the position, rather than expectations informed by the persons who have previously held the job? |
| ☐ | Has the hiring committee eliminated any unnecessary job skills or requirements (college degree, years or type of previous experience, etc.) that might negatively impact recruitment of underrepresented groups? |
| ☑ | Has the hiring committee posted the job in places (job boards, websites, colleges, etc.) where applicants from underrepresented groups will be able to easily view or access it? |
| ☐ | Have members of the hiring committee attended job fairs or other events hosted by underrepresented groups? |
| ☐ | Has the hiring committee asked current employees from underrepresented groups to spread the word about the position? |
| ☐ | Has the hiring committee worked with the marketing team to ensure that people from diverse groups are featured in the organization’s website, publications, and social media? |
| ☐ | Does the job description clearly demonstrate the organization’s and leadership’s commitment to DEI? |
Get involved with sourcing to get your job ad seen
Social Media
Social media has trained candidates to expect:
While the focus on the candidate experience is important throughout the talent acquisition process, social media, technology, and values have made it a critical component of sourcing.
Technology
Candidates expect to be able to access job ads from all platforms.
Job ads must be clear, concise, and easily viewed on a mobile device.
Candidate Values
Job candidates’ values are changing.
Authenticity remains important.
Internal Talent Mobility (ITM) Program
Social Media Program
Employee Referral Program
Alumni Program
Campus Recruiting Program
Other Sourcing Tactics
What is it?
Positioning the right talent in the right place, at the right time, for the right reasons, and supporting them appropriately.
ITM program benefits:
- Provide opportunities to develop professionally, whether in the current role or through promotions/lateral moves.
- Keep strong performers and high-potential employees committed to the organization.
- Address rapid change, knowledge drain due to retiring Baby Boomers, and frustration associated with time to hire or time to productivity.
- Reduce spend on talent acquisition, severance, time to productivity, and onboarding.
- Increase motivation and productivity by providing increased growth and development opportunities.
- Align with the organization’s offering and what is important to the employees from a development perspective.
- Support and develop employees from all levels and job functions.
Social Media Program
What is it? The widely accessible electronic tools that enable anyone to publish and access information, collaborate on common efforts, and build relationships. Learning to use social media effectively is key to sourcing the right talent.
(Ku, 2021)
Benefits of social media:
Challenges of social media: With the proliferation of social media and use by most organizations, social media platforms have become overcrowded. As a result:
“It is all about how we can get someone’s attention and get them to respond. People are becoming jaded.”
– Katrina Collier, Social Recruiting Expert, The Searchologist
Employee Referral Program
What is it? Employees recommend qualified candidates. If the referral is hired, the referring employee typically receives some sort of reward.
Benefits of an employee referral program:
- 55% of organizations report that hiring a referral is less expensive than a non-referred candidate (Clutch, 2020).
- The average recruiting lifecycle for an employee referral is 29 days, compared with 55 days for a non-referral (Betterup, 2022).
- 46% of employees who were referred stay at their organization for at least one year, compared to 33% of career site hires (Betterup, 2022).
- High performers are more likely to refer other high performers to an organization (The University of Chicago Press, 2019).
Avoid the Like Me Bias: Continually evaluate the diversity of candidates sourced from the employee referral program. Unless your workforce is already diverse, referrals can hinder diversity because employees tend to recommend people like themselves.
Alumni Program
What is it? An alumni referral program is a formalized way to maintain ongoing relationships with former employees of the organization.
Successful organizations use an alumni program:
Benefits of an alumni program:
Campus Recruiting Program
What is it? A formalized means of attracting and hiring individuals who are about to graduate from schools, colleges, or universities. Almost 70% of companies are looking to employ new college graduates every year (HR Shelf, 2022).
Campus recruitment benefits:
Target schools that align with your culture and needs. Do not just focus on the most prestigious schools: they are likely more costly, have more intense competition, and may not actually provide the right talent.
Other Sourcing Tactics
1. Professional industry associations
2. Special interest groups
3. Customers
4. Exit interviews
5. Not-for-profit intermediaries
American Express created a boot camp for software engineers in partnership with Year Up and Gateway Community College to increase entry-level IT hires. Results:
(HBR, 2016)
6. Gamification
PwC (Hungary) created Multiploy, a two-day game that allows students to virtually experience working in accounting or consulting at the organization. Results:
(Zielinski, 2015)
Use knowledge that already exists in the organization to improve talent sourcing capabilities.
| Marketing | HR |
|---|---|
| Marketing knows how to: | HR knows how to: |
To successfully partner with other departments in your organization:
Encourage your team to seek out, and learn from, employees in different divisions. Training sessions with the teams may not always be possible but one-on-one chats can be just as effective and may be better received.
Create a high-quality interview process to improve candidate assessment
If you…
…then stop. Use this research!
Step 5: Define decision rights
Establish decision-making authority and veto power to mitigate post-interview conflicts over who has final say over a candidate’s status.
Follow these steps to create a positive interview experience for all involved.
Define the attributes of the ideal candidate…
Ideal candidate = Ability to do the job + Motivation to do the job + Fit
Competencies
Experiences
Data for these come from:
Data for these come from:
Caution: Evaluating for “organizational or cultural fit” can lead to interviewers falling into the trap of the “like me” bias, and excluding diverse candidates.
Non-negotiable = absolutely required for the job! Usually attributes that are hard to train, such as writing skills, or expensive to acquire after hire, such as higher education or specific technical skills.
An Asset: Usually attributes that can be trained, such as computer skills. It’s a bonus if the new hire has it.
Nice-to-have: Attributes that aren’t necessary for the job but beneficial. These could help in breaking final decision ties.
Deal Breakers: Also discuss and decide on any deal breakers that would automatically exclude a candidate.
“The hardest work is accurately defining what kind of person is going to best perform this job. What are their virtues? If you’ve all that defined, the rest is not so tough.”
– VP, Financial Services
The Screening Interview Template will help you develop a screening interview by providing:
Once completed, this template will help you or HR staff conduct candidate screening interviews with ease and consistency. Always do screening interviews over the phone or via video to save time and money.
Determine the goal of the screening interview – do you want to evaluate technical skills, communication skills, attitude, etc.? – and create questions based on this goal. If evaluating technical skill, have someone with technical competency conduct the interview.
Unstructured: A traditional method of interviewing that involves no constraints on the questions asked, no requirements for standardization, and a subjective assessment of the candidate. This format is the most prone to bias.
Semi-Structured: A blend of structured and unstructured, where the interviewer will ask a small list of similar questions to all candidates along with some questions pertaining to the resume.
Structured: An interview consisting of a standardized set of job-relevant questions and a scoring guide. The goal is to reduce interviewer bias and to help make an objective and valid decision about the best candidate.
Components of a highly structured interview include:
The more of these components your interview has, the more structured it is, and the more valid it will be.
The purpose of interviewing is to assess, not just listen. Questions are what help you do this.
Use the Interview Question Planning Guide tab in the Candidate Interview Strategy and Planning Guide to prepare your interview questions.
Introduce yourself and ask if now is a good time to talk. (Before calling, prepare your sales pitch on the organization and the position.) |
You want to catch candidates off guard so that they don’t have time to prepare scripted answers; however, you must be courteous to their schedule. |
Provide an overview of the position, then start asking pre-set questions. Take a lot of notes. |
It is important to provide candidates with as much information as possible about the position – they are deciding whether they are interested in the role as much as you are deciding whether they are suitable. |
Listen to how the questions are answered. Ask follow-up questions when appropriate and especially if the candidate seems to be holding something back. |
If there are long pauses or the candidate’s voice changes, there may be something they aren’t telling you that you should know. |
Be alert to inconsistencies between the resume and answers to the questions and address them. |
It’s important to get to the bottom of issues before the in-person interview. If dates, titles, responsibilities, etc. seem to be inconsistent, ask more questions. |
Ask candidates about their salary expectations. |
It’s important to ensure alignment of the salary expectations early on. If the expectations are much higher than the range, and the candidate doesn’t seem to be open to the lower range, there is no point interviewing them. This would be a waste of everyone’s time. |
Answer the applicant’s questions and conclude the interview. |
Wait until after the interview to rate the applicant. |
Don’t allow yourself to judge throughout the interview, or it could skew questions. Rate the applicant once the interview is complete. |
When you have a shortlist of candidates to invite to an in-person interview, use the Candidate Communication Template to guide you through proper phone and email communications.
Question (traditional): “What would you identify as your greatest strength?” Answer: Ability to work on a team. |
Top-level interview questions set the stage for probing. Your interview script should contain the top two levels of questions in the pyramid and a few probes that you will likely need to ask. You can then drill down further depending on the candidate’s answers. |
Follow-Up Question: “Can you outline a particular example when you were able to exercise your teamwork skills to reach a team goal?” |
Probing questions start with asking what, when, who, why, and how, and gain insight into a candidate’s thought process, experiences, and successes. |
Probing Level 1: Probe around the what, how, who, when, and where. “How did you accomplish that?” |
How to develop probes? By anticipating the kinds of responses that candidates from different backgrounds or with different levels of experience are likely to give as a response to an interview question. Probes should provide a clear understanding of the situation, the behavior, and the outcome so that the response can be accurately scored. Common probes include:
Tailor probes to the candidate’s answers to evoke meaningful and insightful responses. |
Probing Level 2: Allow for some creativity. “What would you do differently if you were to do it again?” |
Consider leveraging behavioral interview questions in your interview to reduce bias.
Assessments are created by people that have biases. This often means that assessments can be biased, especially with preferences towards a Western perspective. Even if the same assessments are administered, the questions will be interpreted differently by candidates with varying cultural backgrounds and lived experiences. If assessments do not account for this, it ultimately leads to favoring the answers of certain demographic groups, often ones similar to those who developed the assessment.
Attribute you are evaluating Probing questions prepared Area to take notes |
Exact question you will ask Place to record score Anchored scale with definitions of a poor, ok and great answer |
The must-haves:
“At the end of the day, it’s the supervisor that has to live with the person, so any decision that does not involve the supervisor is a very flawed process.” – VP, Financial Services
The nice-to-haves:
Record the interview team details in the Candidate Interview Strategy and Planning Guide template.
Who Should… Contact candidates to schedule interviews or communicate decisions?
Who Should… Be responsible for candidate welcomes, walk-outs, and hand-offs between interviews?
Who Should… Define and communicate each stakeholder’s role?
Who Should… Chair the preparation and debrief meetings and play the role of the referee when trying to reach a consensus?
“Unless you’ve got roles within the panel really detailed and agreed upon, for example, who is going to take the lead on what area of questions, you end up with a situation where nobody is in charge or accountable for the final interview assessment.” – VP, Financial Services
Try a Two Lens Assessment: One interviewer assesses the candidate as a project leader while another assesses them as a people leader for a question such as “Give me an example of when you exercised your leadership skills with a junior team member.”
It is typical and acceptable that you, as the direct reporting manager, should have veto power, as do some executives. |
Veto Power Direct Supervisor or Manager |
Decision Makers: Must Have Consensus Other Stakeholders Direct Supervisor’s Boss Direct Supervisor |
Contributes Opinion HR Representative Peer |
After the preliminary interview, HR should not be involved in making the decision unless they have a solid understanding of the position. Peers can make an unfair assessment due to perceived competition with a candidate. Additionally, if a peer doesn’t want a candidate to be hired and the direct supervisor does hire the candidate, the peer may hold resentment against that candidate and set the team up for conflict. |
The decision should rest on those who will interact with the candidate on a daily basis and who manage the team or department that the candidate will be joining. |
The decisions being made can include whether or not to move a candidate onto the next phase of the hiring process or a final hiring decision. Deciding decision rights in advance defines accountability for an effective interview process.
Download the Behavioral Interview Question Library
Give candidates a warm, genuine greeting. Introduce them to other interviewers present. Offer a drink. Make small talk. |
“There are some real advantages to creating a comfortable climate for the candidate; the obvious respect for the individual, but people really let their guard down.” – HR Director, Financial Services |
Give the candidate an overview of the process, length, and what to expect of the interview. Indicate to the candidate that notes will be taken during the interview. |
If shorter than an hour, you probably aren’t probing enough or even asking the right questions. It also looks bad to candidates if the interview is over quickly. |
Start with the first question in the interview guide and make notes directly on the interview guide (written or typed) for each question. |
Take lots of notes! You think you’ll remember what was said, but you won’t. It also adds transparency and helps with documentation. |
Ask the questions in the order presented for interview consistency. Probe and clarify as needed (see next slide). |
Keep control of the interview by curtailing any irrelevant or long-winded responses. |
After all interview questions are complete, ask candidates if there was anything about their qualifications that was missed that they want to highlight. |
Lets you know they understand the job and gives them the feeling they’ve put everything on the table. |
Ask if the candidate has any questions. Respond to the questions asked. |
Answer candidate questions honestly because fit works both ways. Ensure candidates leave with a better sense of the job, expectations, and organizational culture. |
Review the compensation structure for the position and provide a realistic preview of the job and organization. |
Provide each candidate with a fair chance by maintaining a consistent interview process. |
Tell interviewees what happens next in the process, the expected time frame, and how they will be informed of the outcome. Escort them out and thank them for the interview. |
The subsequent slides provide additional detail on these eight steps to conducting an effective interview.
Like-me effect: An often-unconscious preference for, and unfairly positive evaluation of, a candidate based on shared interests, personalities, and experiences, etc.
Status effect: Overrating candidates based on the prestige of previously held positions, titles, or schools attended.
Recency bias: Placing greater emphasis on interviews held closer to the decision-making date.
Contrast effect: Rating candidates relative to those who precede or follow them during the interview process, rather than against previously determined data.
Solution
Assess candidates by using existing competency-based criteria.
Negative tone: Starting the interview on a negative or stressful note may derail an otherwise promising candidate.
Poor interview management: Letting the candidate digress may leave some questions unanswered and reduce the interview value.
Reliance on first impressions: Basing decisions on first impressions undermines the objectivity of competency-based selection.
Failure to ask probing questions: Accepting general answers without asking follow-up questions reduces the evidentiary value of the interview.
Solution
Follow the structured interview process you designed and practiced.
| Do... | Don’t… |
|---|---|
| Take control of the interview by politely interrupting to clarify points or keep the interviewee on topic. Use probing to drill down on responses and ask for clarification. Ask who, what, when, why, and how. Be cognizant of confidentiality issues. Ask for a sample of work from a past position. Focus on knowledge or information gaps from previous interviews that need to be addressed in the interview. Ensure each member of a panel interview speaks in turn and the lead is given due respect to moderate. | Be mean when probing. Intimidation actually works against you and is stressful for candidates. When you’re friendly, candidates will actually open up more. Interrupt or undermine other panel members. Their comments and questions are just as valid as yours are, and treating others unprofessionally gives a bad impression to the candidate. Ask illegal questions. Questions about things like religion, disability, and marital and family status are off limits. |
Do...
While listening to responses, also watch out for red and yellow flags.
Listen to how candidates talk about their previous bosses – you want it to be mainly positive. If their discussion of past bosses reflects a strong sense of self-entitlement or a consistent theme of victimization, this could be a theme in their behavior and make them hard to work with.
Red Flag: A concern about something that would keep you from hiring the person.
Yellow Flag: A concern that needs to be addressed, but wouldn’t keep you from hiring the person.
Pay attention to body language and tone. They can tell you a lot about candidate motivation and interest.
Listen to what candidates want to improve. It’s an opportunity to talk about development and advancement opportunities in the organization.
Not all candidates have red flags, but it is important to keep them in mind to identify potential issues with the candidate before they are hired.
Don’t…
Talk too much! You are there to listen. Candidates should do about 80% of the talking so you can adequately evaluate them. Be friendly, but ensure to spend the time allotted assessing, not chatting. If you talk too much, you may end up hiring a weak candidate because you didn’t perceive weaknesses or not hire a strong candidate because you didn’t identify strengths.
What if you think you sense a red or yellow flag? Following the interview, immediately discuss the situation with others involved in the recruitment process or those familiar with the position, such as HR, another hiring manager, or a current employee in the role. They can help evaluate if it’s truly a matter of concern.
When the interviewer makes a positive impression on a candidate and provides a positive impression of the organization, it carries forward after they are hired.
In addition, better candidates can be referred over the course of time due to higher quality networking.
As much as choosing the right candidate is important to you, make sure the right candidate wants to choose you and work for your organization.
Believe everything candidates say. Most candidates embellish and exaggerate to find the answers they think you want. Use probing to drill down to specifics and take them off their game. |
Ask gimmicky questions like “what color is your soul?” Responses to these questions won’t give you any information about the job. Candidates don’t like them either! |
Focus too much on the resume. If the candidate is smart, they’ve tailored it to match the job posting, so of course the person sounds perfect for the job. Read it in advance, highlight specific things you want to ask, then ignore it. |
Oversell the job or organization. Obviously you want to give candidates a positive impression, but don’t go overboard because this could lead to unhappy hires who don’t receive what you sold them. Candidates need to evaluate fit just as much as you. |
Get distracted by a candidate’s qualifications and focus only on their ability to do the job. Just because they are qualified does not mean they have the attitude or personality to fit the job or culture. |
Show emotion at any physical handicap. You can’t discriminate based on physical disability, so protect the organization by not drawing attention to it. Even if you don’t say anything, your facial expression may. |
Bring a bad day or excess baggage into the interview, or be abrupt, rushed, or uninterested in the interview. This is rude behavior and will leave a negative impression with candidates, which could impact your chances of hiring them. |
Submit to first impression bias because you’ll spend the rest of the interview trying to validate your first impression, wasting your time and the candidate’s. Remain as objective as possible and stick to the interview guide to stay focused on the task at hand. |
“To the candidate, if you are meeting person #3 and you’re hearing questions that person #1 and #2 asked, the company doesn’t look too hot or organized.” – President, Recruiting Firm
Strategic Planning
Professional Development
Onboarding should pick up where candidate experience leaves off
Onboarding ≠ Orientation
Onboarding is more than just orientation. Orientation is typically a few days of completing paperwork, reading manuals, and learning about the company’s history, strategic goals, and culture. By contrast, onboarding is three to twelve months dedicated to welcoming, acclimating, guiding, and developing new employees – with the ideal duration reflecting the time to productivity for the role.
A traditional orientation approach provides insufficient focus on the organizational identification, socialization, and job clarity that a new hire requires. This is a missed opportunity to build engagement, drive productivity, and increase organizational commitment. This can result in early disengagement and premature departure.
Over the long term, effective onboarding has a positive impact on revenue and decreases costs.
The benefits of onboarding:
Help new hires feel connected to the organization by clearly articulating the mission, vision, values, and what the company does. Help them understand the business model, the industry, and who their competitors are. Help them feel connected to their new team members by providing opportunities for socialization and a support network. |
Help put new hires on the path to high performance by clearly outlining their role in the organization and how their performance will be evaluated. |
Help new hires receive the experience and training they require to become high performers by helping them build needed competencies. |
We recommend a three-to-twelve-month onboarding program, with the performance management aspect of onboarding extending out to meet the standard organizational performance management cycle.
The length of the onboarding program should align with the average time to productivity for the role(s). Consider the complexity of the role, the industry, and the level of the new hire when determining program length.
For example, call center workers who are selling a straight-forward product may only require a three-month onboarding, while senior leaders may require a year-long program.
Our primary and secondary research identified the following as the most commonly stated reasons why employees leave organizations prematurely. These issues will be addressed throughout the next section.
Acclimate | Guide | Develop
“Onboarding is often seen as an entry-level HR function. It needs to rise in importance because it’s the first impression of the organization and can be much more powerful than we sometimes give it credit for. It should be a culture building and branding program.” – Doris Sims, SPHR, The Succession Consultant, and Author, Creative Onboarding Programs
| Sample challenges | Potential solutions |
|---|---|
| Some paperwork cannot be completed digitally (e.g. I-9 form in the US). | Where possible, complete forms with digital signatures (e.g. DocuSign). Where not possible, begin the process earlier and mail required forms to employees to sign and return, or scan and email for the employee to print and return. |
| Required compliance training material is not available virtually. | Seek online training options where possible. Determine the most-critical training needs and prioritize the replication of materials in audio/video format (e.g. recorded lecture) and distribute virtually. |
| Employees may not have access to their equipment immediately due to shipping or supply issues. | Delay employee start dates until you can set them up with the proper equipment and access needed to do their job. |
| New hires can’t get answers to their questions about benefits information and setup. | Schedule a meeting with an HR representative or benefits vendor to explain how benefits will work and how to navigate employee self-service or other tools and resources related to their benefits. |
One of the biggest challenges for remote new hires is the inability to casually ask questions or have conversations without feeling like they’re interrupting. Until they have a chance to get settled, providing formal opportunities for questions can help address this.
| Sample challenges | Potential solutions |
|---|---|
| Key company information such as organizational history, charts, or the vision, mission, and values cannot be clearly learned by employees on their own. | Have the new hire’s manager call to walk through the important company information to provide a personal touch and allow the new hire to ask questions and get to know their new manager. |
| Keeping new hires up to date on crisis communications is important, but too much information may overwhelm them or cause unnecessary stress. | Sharing the future of the organization is a critical part of the company information stage of onboarding and the ever-changing nature of the COVID-19 crisis is informing many organizations’ future right now. Be honest but avoid over-sharing plans that may change. |
| New hires can’t get answers to their questions about benefits information and setup. | Schedule a meeting with an HR representative or benefits vendor to explain how benefits will work and how to navigate employee self-service or other tools and resources related to their benefits. |
| Sample challenges | Potential solutions |
|---|---|
| Team introductions via a team lunch or welcome event are typically done in person. | Provide managers with a calendar of typical socialization events in the first few weeks of onboarding and provide instructions and ideas for how to schedule replacement events over videoconferencing. |
| New hires may not have a point of contact for informal questions or needs if their peers aren’t around them to help. | If it doesn’t already exist, create a virtual buddy program and provide instructions for managers to select a buddy from the new hire’s team. Explain that their role is to field informal questions about the company, team, and anything else and that they should book weekly meetings with the new hire to stay in touch. |
| New hires will not have an opportunity to learn or become a part of the informal decision-making networks at the organization. | Hiring managers should consider key network connections that new hires will need by going through their own internal network and asking other team members for recommendations. |
| New hires will not be able to casually meet people around the office. | Provide the employee with a list of key contacts for them to reach out to and book informal virtual coffee chats to introduce themselves. |
| Sample challenges | Potential solutions |
|---|---|
| Performance management (PM) processes have been paused given the current crisis. | Communicate to managers that new hires still need to be onboarded to the organization’s performance management process and that goals and feedback need to be introduced and the review process outlined even if it’s not currently happening. |
| Goals and expectations differ or have been reprioritized during the crisis. | Ask managers to explain the current situation at the organization and any temporary changes to goals and expectations as a result of new hires. |
| Remote workers often require more-frequent feedback than is mandated in current PM processes. | Revamp PM processes to include daily or bi-weekly touchpoints for managers to provide feedback and coaching for new hires for at least their first six months. |
| Managers will not be able to monitor new hire work as effectively as usual. | Ensure there is a formal approach for how employees will keep their managers updated on what they're working on and how it's going, for example, daily scrums or task-tracking software. |
For more information on adapting performance management to a virtual environment, see Info-Tech’s Performance Management for Emergency Work-From-Home research.
Categorize the different types of formal and informal training in the onboarding process into the following three categories. For departmental and individual training, speak to managers to understand what is required on a department and role basis:
| Organizational | Departmental | Individual |
|---|---|---|
| For example: | For example: | For example: |
In a crisis, not every training can be translated to a virtual environment in the short term. It’s also important to focus on critical learning activities versus the non-critical. Prioritize the training activities by examining the learning outcomes of each and asking:
Lower priority or non-critical activities can be used to fill gaps in onboarding schedules or as extra activities to be completed if the new hire finds themselves with unexpected downtime to fill.
If there is a lack of resources, expertise, or time, outsource digital training to a content provider or through your LMS.
2021 Recruiter Nation Report. Survey Analysis, Jobvite, 2021. Web.
“5 Global Stats Shaping Recruiting Trends.” The Undercover Recruiter, 2022. Web.
Barr, Tavis, Raicho Bojilov, and Lalith Munasinghe. "Referrals and Search Efficiency: Who Learns What and When?" The University of Chicago Press, Journal of Labor Economics, vol. 37, no. 4, Oct. 2019. Web.
“How to grow your team better, faster with an employee referral program.” Betterup, 10 Jan. 2022. Web.
“Employee Value Proposition: How 25 Companies Define Their EVP.” Built In, 2021. Web.
Global Leadership Forecast 2021. Survey Report, DDI World, 2021. Web.
“Connecting Unemployed Youth with Organizations That Need Talent.” Harvard Business Review, 3 November 2016. Web.
Ku, Daniel. “Social Recruiting: Everything You Need To Know for 2022.” PostBeyond, 26 November 2021. Web.
Ladders Staff. “Shedding light on the job search.” Ladders, 20 May 2013. Web.
Merin. “Campus Recruitment – Meaning, Benefits & Challenges.” HR Shelf, 1 February 2022. Web.
Mobile Recruiting. Smart Recruiters, 2020. Accessed March 2022.
Roddy, Seamus. “5 Employee Referral Program Strategies to Hire Top Talent.” Clutch, 22 April 2020. Web.
Sinclair, James. “What The F*dge: That's Your Stranger Recruiting Budget?” LinkedIn, 11 November 2019. Web.
“Ten Employer Examples of EVPs.” Workology, 2022. Web.
“The Higher Cost of a Bad Hire.” Robert Half, 15 March 2021. Accessed March 2022.
Trost, Katy. “Hiring with a 90% Success Rate.” Katy Trost, Medium, 8 August 2022. Web.
“Using Social Media for Talent Acquisition.” SHRM, 20 Sept. 2017. Web.
Understand the true drivers of customer satisfaction and build a process for managing and improving customer satisfaction.
EXECUTIVE BRIEF
“Healthy customer relationships are paramount to long-term growth. When customers are satisfied, they remain loyal, spend more, and promote your company to others in their network. The key to high satisfaction is understanding and measuring the true drivers of satisfaction to enable the delivery of real customer value.
Most companies believe they know who their satisfied customers are and what keeps them satisfied, and 76% of B2B buyers expect that providers understand their unique needs (Salesforce Research, 2020). However, on average B2B companies have customer experience scores of less than 50% (McKinsey, 2016). This disconnect between customer expectations and provider experience indicates that businesses are not effectively measuring and monitoring satisfaction and therefore are not making meaningful enhancements to their service, offerings, and overall experience.
By focusing on the underlying drivers of customer satisfaction, organizations develop a truly accurate picture of what is driving deep satisfaction and loyalty, ensuring that their company will achieve sustainable growth and stay competitive in a highly competitive market.”
Emily Wright
Senior Research Analyst, Advisory
SoftwareReviews
| Your Challenge | Common Obstacles | SoftwareReviews’ Approach |
|---|---|---|
| Getting a truly accurate picture of satisfaction levels among customers, and where to focus efforts to improve satisfaction, is challenging. Providers often find themselves reacting to customer challenges and being blindsided when customers leave. More effective customer satisfaction measurement is possible when providers self-assess for the following challenges: | What separates customer success leaders from developing a full view of their customers are several nagging obstacles: | Through the SoftwareReviews’ approach, customer success leaders will: |
All companies measure satisfaction in some way, but many lack understanding of what’s truly driving customers to stay or leave. By understanding the true drivers of satisfaction, solution providers can measure and monitor satisfaction more effectively, pull actionable insights and feedback, and make changes to products and services that customers really care about. This will keep them coming back to you to have their needs met.
Measuring customer satisfaction is critical to understanding the overall health of your customer relationships and driving growth.
Through effective customer satisfaction measurement, organizations can:
Improve Customer Experience | Increase Retention and CLV | Increase Profitability | Reduce Costs
“Measuring customer satisfaction is vital for growth in any organization; it provides insights into what works and offers opportunities for optimization. Customer satisfaction is essential for improving loyalty rate, reducing costs and retaining your customers.”
– Ken Brisco, NICE, 2019
| Direct and Indirect Costs | Being unaware of true drivers of satisfaction that are never remedied costs your business directly through customer churn, service costs, etc. |
|---|---|
| Tarnished Brand | Tarnished brand through not resolving issues drives dissatisfaction; dissatisfied customers share their negative experiences, which can damage brand image and reputation. |
| Waste Limited Resources | Putting limited resources towards vanity programs and/or fixes that have little to no bearing on core satisfaction drivers wastes time and money. |
“When customer dissatisfaction goes unnoticed, it can slowly kill a company. Because of the intangible nature of customer dissatisfaction, managers regularly underestimate the magnitude of customer dissatisfaction and its impact on the bottom line.”
- Lakshmi U. Tatikonda, “The Hidden Costs of Customer Dissatisfaction”, 2013
Most companies struggle to understand what’s truly driving customers to stay or leave. By understanding the true satisfaction drivers, tech providers can measure and monitor satisfaction more effectively, avoiding the numerous harmful consequences that result from average customer satisfaction measurement.
Surface-level satisfaction has immediate effects, but they are usually short-term or limited to certain groups of users. There are several factors that contribute to satisfaction including:
Deep satisfaction has long-term and meaningful impacts on the way that organizations work. Deep satisfaction has staying power and increases or maintains satisfaction over time, by reducing complexity and delivering exceptional quality for end-users and IT alike. This report found that the following capabilities provided the deepest levels of satisfaction:
The above solve issues that are part of everyday problems, and each drives satisfaction in deep and meaningful ways. While surface-level satisfaction is important, deep and impactful capabilities can sustain satisfaction for a longer time.
Driving deep satisfaction among software customers vs. surface-level measures is key
Vendor capabilities and product features correlate significantly to buyer satisfaction
Yet it’s the emotional attributes – what we call the “Emotional Footprint” – that correlate more strongly
Software companies looking to improve customer satisfaction will focus on business value created and the Emotional Footprint attributes outlined here.
The essential ingredient is understanding how each is defined by your customers.
Leaders focus on driving improvements as described by customers.
These true drivers of satisfaction should be considered in your customer satisfaction measurement and monitoring efforts. The experience customers have with your product and brand is what will differentiate your brand from competitors, and ultimately, power business growth. Talk to a SoftwareReviews Advisor to learn how users rate your product on these satisfaction drivers in the SoftwareReviews Emotional Footprint Report.
“81% of organizations cite CX as a competitive differentiator. The top factor driving digital transformation is improving CX […] with companies reporting benefits associated with improving CX including:
– Dan Cote, “Advocacy Blooms and Business Booms When Customers and Employees Engage”, Influitive, 2021
| | 1. Identify true customer satisfaction drivers | 2. Develop metrics dashboard | 3. Develop customer satisfaction measurement and management plan |
|---|---|---|---|
| Phase Steps | | | |
| Phase Outcomes | | | |
All software companies measure satisfaction in some way, but many lack understanding of what’s truly driving customers to stay or leave. By understanding the true drivers of satisfaction, solution providers can measure and monitor satisfaction more effectively, pull actionable insights and feedback, and make changes to products and services that customers really care about and which will keep them coming back to you to have their needs met.
Positive experiences drive satisfaction more so than features and cost
According to our analysis of software buyer reviews data*, the biggest drivers of satisfaction and likeliness to recommend are the positive experiences customers have with vendors and their products. Customers want to feel that:
Measure Key Relationship KPIs to gauge satisfaction
Key metrics to track include the Business Value Created score, Net Emotional Footprint, and the Love/Hate score (the strength of emotional connection).
Orient the organization around customer experience excellence
Have a designated committee for customer satisfaction measurement
Best in class organizations create customer satisfaction committees that meet regularly to measure and monitor customer satisfaction, resolve issues quickly, and work towards improved customer experience and profit outcomes.
Use metrics that align to top satisfaction drivers
This will give you a more accurate and complete view of customer satisfaction than standard satisfaction metrics alone.
| Identify True Customer Satisfaction Drivers | Develop Metrics Dashboard | Develop Customer Satisfaction Measurement and Management Plan |
|---|---|---|
| Call #1: Discuss current pain points and barriers to successful customer satisfaction measurement, monitoring and maintenance. Plan next call – 1 week. Call #2: Discuss all available data, noting any gaps. Develop plan to fill gaps, discuss feasibility and timelines. Plan next call – 1 week. Call #3: Walk through SoftwareReviews reports to understand EF and satisfaction drivers. Plan next call – 3 days. Call #4: Segment customers and document key satisfaction drivers. Plan next call – 2 weeks. | Call #5: Document business goals and align them to metrics. Plan next call – 1 week. Call #6: Complete the SoftwareReviews satisfaction measurement diagnostic. Plan next call – 3 days. Call #7: Score list of metrics that align to satisfaction drivers. Plan next call – 2 days. Call #8: Develop metrics dashboard and definitions. Plan next call – 2 weeks. Call #9: Finalize metrics dashboard and definitions. Plan next call – 1 week. | Call #10: Discuss committee and determine governance. Plan next call – 2 weeks. Call #11: Map out gaps in satisfaction along customer journey as they relate to top satisfaction drivers. Plan next call – 2 weeks. Call #12: Develop plan and roadmap for satisfaction improvement. Plan next call – 1 week. Call #13: Finalize plan and roadmap. Plan next call – 1 week. Call #14: Review and coach on communication deck. |
A Guided Implementation (GI) is a series of calls with a SoftwareReviews Advisory analyst to help implement our best practices in your organization.
For guidance on marketing applications, we can arrange a discussion with an Info-Tech analyst.
Your engagement managers will work with you to schedule analyst calls.
| DIY Toolkit | Guided Implementation | Workshop | Consulting |
|---|---|---|---|
| “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.” | “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.” | “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.” | “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.” |
| Included within Advisory Membership | Optional add-ons | | |
“Are you experienced?” Bain & Company, Apr. 2015. Accessed 6 June 2022.
Brisco, Ken. “Measuring Customer Satisfaction and Why It’s So Important.” NICE, Feb. 2019. Accessed 6 June 2022.
CMO.com Team. “The Customer Experience Management Mandate.” Adobe Experience Cloud Blog, July 2019. Accessed 14 June 2022.
Cote, Dan. “Advocacy Blooms and Business Booms When Customers and Employees Engage.” Influitive, Dec. 2021. Accessed 15 June 2022.
Fanderl, Harald and Perrey, Jesko. “Best of both worlds: Customer experience for more revenues and lower costs.” McKinsey & Company, Apr. 2014. Accessed 15 June 2022.
Gallemard, Jeremy. “Why – And How – Should Customer Satisfaction Be Measured?” Smart Tribune, Feb. 2020. Accessed 6 June 2022.
Kumar, Swagata. “Customer Success Statistics in 2021.” Customer Success Box, 2021. Accessed 17 June 2022.
Loper, Matthew. “Why ‘Customer Satisfaction’ Misses the Mark – And What to Measure Instead.” Newsweek, Jan. 2022. Accessed 16 June 2022.
Maechler, Nicolas, et al. “Improving the business-to-business customer experience.” McKinsey & Company, Mar. 2016. Accessed 16 June.
“New Research from Dimension Data Reveals Uncomfortable CX Truths.” CISION PR Newswire, Apr. 2017. Accessed 7 June 2022.
Sheth, Rohan. “75 Must-Know Customer Experience Statistics to move Your Business Forward in 2022.” SmartKarrot, Feb. 2022. Accessed 17 June 2022.
Smith, Mercer. “111 Customer Service Statistics and Facts You Shouldn’t Ignore.” HelpScout, May 2022. Accessed 17 June 2022.
“State of the Connected Customer.” Salesforce, 2020. Accessed 14 June 2022.
Tatikonda, Lakshmi U. “The Hidden Costs of Customer Dissatisfaction.” Management Accounting Quarterly, vol. 14, no. 3, 2013, pp. 38. Accessed 17 June 2022.
“The true value of customer experiences.” Deloitte, 2018. Accessed 15 June 2022.
Businesses are expected to balance achieving innovation through initiatives that transform the organization with effective risk management. While this is nothing new, added challenges arise due to:
Address digital risk to build digital resilience. In the process, you will drive transformation and maintain digital trust among your employees, end users, and consumers by:
Discover an overview of what digital risk is, learn how to assess risk factors for the five primary categories of digital risk, see several industry-specific scenarios, and explore how to plan for and mitigate identified risks.
Begin building the digital risk profile for your organization, identify where your key areas of risk exposure exist, and assign ownership and accountability among the organization’s business units.
Develop an understanding and standard definition of what digital risk is, who it impacts, and its relevance to the organization.
Understand what digital risk means and how it differs from traditional enterprise or cybersecurity risk.
Develop a definition of digital risk that recognizes the unique external and internal considerations of your organization.
1.1 Review the business context
1.2 Review the current roles of enterprise, IT, and cyber risk management within the organization
1.3 Define digital transformation and list transformation initiatives
1.4 Define digital risk in the context of the organization
1.5 Define digital resilience in the context of the organization
Digital risk drivers
Applicable definition of digital risk
Applicable definition of digital resilience
Understand the roles digital risk management and your digital risk profile have in helping your organization achieve safe, transformative growth.
An overview and understanding of digital risk categories and subsequent individual digital risk factors for the organization
Industry considerations that highlight the importance of managing digital risk
A structured approach to managing the categories of digital risk
2.1 Review and discuss industry case studies and industry examples of digital transformation and digital risk
2.2 Revise the organization's list of digital transformation initiatives (past, current, and future)
2.3 Begin to build your organization's Digital Risk Management Charter (with inputs from Module 1)
2.4 Revise, customize, and complete a Digital Risk Management Charter for the organization
Digital Risk Management Charter
Industry-specific digital risks, factors, considerations, and scenarios
The organization's digital risks mapped to its digital transformation initiatives
Develop an initial digital risk profile that identifies the organization’s core areas of focus in managing digital risk.
A unique digital risk profile for the organization
Digital risk management initiatives that are mapped against the organization's current strategic initiatives and aligned to meet your digital resilience objectives and benchmarks
3.1 Review category control questions within the Digital Risk Profile Tool
3.2 Complete all sections (tabs) within the Digital Risk Profile Tool
3.3 Assess the results of your Digital Risk Profile Tool
3.4 Discuss and assign initial weightings for ownership of digital risk among the organization's stakeholders
Completion of all category tabs within the Digital Risk Profile Tool
Initial stakeholder ownership assignments of digital risk categories
Refine the digital risk management plan for the organization.
A targeted, organization-specific approach to managing digital risk as a part of the organization's projects and initiatives on an ongoing basis
An executive presentation that outlines digital risk management for your senior leadership team
4.1 Conduct brief information sessions with the relevant digital risk stakeholders identified in Module 3.
4.2 Review and revise the organization's Digital Risk Profile as necessary, including adjusting weightings for the digital risk categories
4.3 Begin to build an actionable digital risk management plan
4.4 Present your findings to the organization's relevant risk leaders and executive team
A finalized and assessed Digital Risk Profile Tool
Stakeholder ownership for digital risk management
A draft Digital Risk Management plan and Digital Risk Management Executive Report
Using the MITRE ATT&CK® framework, Info-Tech’s approach helps you understand your preparedness and effective detection and mitigation actions.
This blueprint and associated tool are scalable for all types of organizations within various industry sectors, allowing them to know what types of risk they are facing and what security services are recommended to mitigate those risks.
Review a breakdown of each of the various attack vectors and their techniques for additional context and insight into the most prevalent attack tactics.
Map your current security protocols against the impacts of various techniques on your network to determine your risk preparedness.
Use your prioritized attack vectors to plan your next threat modeling session with confidence that the most pressing security concerns are being addressed with substantive remediation actions.
As a software space, strategic portfolio management lacks a unified definition. In the same way that it took many years for project portfolio management to stabilize as a concept distinct from traditional enterprise project management, strategic portfolio management is experiencing a similar period of formational uncertainty. Unpacking what’s truly new and valuable in helping to define strategy and drive strategic outcomes versus what’s just repackaged as SPM is an important first step, but it's not an easy undertaking.
In this concise publication, we will cut through the marketing to unpack what strategic portfolio management is, and what makes it distinct from similar capabilities. We’ll help to situate you in the space and assess the extent to which your tooling needs can be met by a strategic portfolio management offering.
In this concise publication we introduce you to strategic portfolio management and consider the extent to which your organization can leverage an SPM application to help drive strategic outcomes.
Use this Excel workbook to determine if your organization can benefit from the features and functionality of an SPM approach or whether you need something more like a traditional project portfolio management tool.

Travis Duncan
Research Director, PPM and CIO Strategy
Info-Tech Research Group
While the market is eager to get users into what they're calling "strategic portfolio management," there's a lot of uncertainty out there about what this market is and how it's different from other, more established portfolio disciplines – most significantly, project portfolio management.
Indeed, if you look at how the space is covered within the industry, you'll encounter a dog's breakfast of players, a comparison of apples and oranges: Jira in the same quadrants as Planisware, Smartsheets in the same profiles as Planview and ServiceNow. While each of the individual players is impressive, their areas of focus are unique and the extent to which they should be compared together under the category of strategic portfolio management is questionable.
It speaks to some of the grey area within the SPM space more generally, which is at a bit of a crossroads: Will it formally shed the guardrails of its antecedents to become its own space, or will it devolve into a bait and switch through which capabilities that struggled to gain much traction beyond IT settings seek to infiltrate the business and grow their market share under a different name?
Part of it is up to the rest of us as users and potential customers. Clarifying what we need before we jump into something simply because our prior attempts failed will help determine whether we need a unique space for strategic portfolio management or whether we simply need to do portfolio management more strategically.
| Your Challenge | Common Obstacles | Info-Tech's Approach |
Info-Tech Insight
In the same way that it took many years for PPM to stabilize as a concept distinct from traditional enterprise project management, strategic portfolio management is experiencing a similar period of formational uncertainty. In a space that can be all things to all users, clarify your actual needs before jumping onto a bandwagon and ending up with something that you don't need, and that the organization can't adopt.
While the concept of 'strategic portfolio management' has been written about within project portfolio management circles for nearly 20 years, SPM, as a distinct organizational competence and software category, is a relatively new and largely vendor-driven capability.
First emerging in the discourse during the mid-to-late 2010s, SPM has evolved from its roots in traditional enterprise project portfolio management. Though, as we will discuss, it has other antecedents not limited to PPM.
In this publication, we'll unpack what SPM is, how it is distinct (and, in turn, how it is not distinct) from PPM and other capabilities, and we will consider the extent to which your organization can and should leverage an SPM application to help drive strategic outcomes.
"The increasing need to deliver value from digital initiatives is giving rise to strategic portfolio management, a digital investment management discipline that enables strategy realization in complex dynamic environments."
– OnePlan, "Is Strategic Portfolio Management the Future of PPM?"
Only 2% of business leaders are confident that they will achieve 80% to 100% of their strategic objectives.
Source: Smith, 2022
SPM is a new stage in the history of project portfolio management more generally. While it's emerging as a distinct capability, and it borrows from capabilities beyond PPM, unpacking its distinctiveness is best done by first understanding its source.

Triggers for the emergence of strategic portfolio management in the discourse include the pace of technology-introduced change, the waning of enterprise project management, and challenges around enterprise PPM tool adoption.

| Project Portfolio Management | Differentiator | Strategic Portfolio Management |
|---|---|---|
| Work-Level (Tactical) | Primary Orientation | High-Level (Strategic) |
| CIO | Accountable for Outcomes | CxO |
| Project Manager | Responsible for Outcomes | Product Management Organization |
| Project Managers, PMO Staff | Targeted Users | Business Leaders, ePMO Staff |
| Project Portfolio(s) | Essential Scope | Multi-Portfolio (Project, Application, Product, Program, etc.) |
| IT Project Delivery and Business Results Delivery | Core Focus | Business Strategy and Change Delivery |
| Project Scope | Change Impact Sensitivity | Enterprise Scope |
| IT and/or Business Benefit | Language of Value | Value Stream |
| Project Timelines | Main View | Strategy Roadmaps |
| Resource Capacity | Primary Currency | Money |
| Work-Assignment Details | Modalities of Planning | Value Milestones & OKRs |
| Work Management | Modalities of Execution | Governance (Project, Product, Strategy, Program, etc.) |
| Project Completion | Definitions of "Done" | Business Capability Realization |
Info-Tech Insight
The distinction between the two capabilities is not necessarily as black and white as the table above would have it (some "PPM" tools offer what we're identifying above as "SPM" capabilities), but it can be helpful to think in these binaries when trying to distinguish the two capabilities. At the very least, SPM broadens its scope to target more executive and business users, and functions best when it's speaking at a higher level, to a business audience.
Perhaps the biggest evolution from traditional PPM that strategic portfolio management promises is that it casts a wider net in terms of the types of work it tracks (and how it tracks that work) and the types of portfolios it accommodates.
Not bound to the concepts of "projects" and a "project portfolio" specifically, SPM broadens its scope to encompass capabilities like product and product portfolio management, enterprise architecture management, security and risk management, and more.

"An SPM tool will capture business strategy, business capabilities, operating models, the enterprise architecture and the project portfolio with unmatched visibility into how they all relate. This will give...a robust understanding of the impact of a proposed IT change – and enable IT and business to act like cocreators driving innovation."
– Paula Ziehr
Sixty-one percent of leaders acknowledge their companies struggle to bridge the gap between creating a strategy and executing on that strategy.
Source: StrategyBlocks, 2020
| ePMO or Strategy Realization Office | Senior Leadership and Executive Stakeholders | Business Leads and IT Directors and Managers |
|---|---|---|
| SPM tools are best facilitated through enterprise PMOs or strategy realization offices. After all, in enterprises, these are the entities charged with the planning, execution, and tracking of strategy. Their roles within the tool typically entail: | As those with the accountability and authority to drive the organization's strategy, you could argue that these stakeholders are the primary stakeholders for an SPM tool. Their roles within the tool typically entail: | SPM targets more business users as well as senior IT managers and directors. Their roles within the tool typically entail: |
| Name | Description |
|---|---|
| Analytics and Reporting | SPM should provide access to real-time dashboards and data interpretation, which can be exported as reports in a range of formats. |
| Strategy Mapping and Road Mapping | SPM should provide access to up-to-date timeline views of strategies and initiatives, including the ability to map such things as dependencies, market needs, funding, priorities, governance, and accountabilities. |
| Value Tracking and Measurement | SPM should include the ability to forecast, track, and measure return on investment for strategic investments. This includes accommodations for various paradigms of value delivery (e.g. traditional value delivery and measurement, OKRs, as well as value mapping and value streams). |
| Ideation and Innovation Management | SPM should include the ability to facilitate innovation management processes across the organization, including the ability to support stage gates from ideation through to approval; to articulate, socialize, and test ideas; perform impact assessments; create value canvas and OKR maps; and prioritize. |
| Multi-Portfolio Management | SPM should include the ability to perform various modalities of portfolio management and portfolio optimization, including project portfolio management, applications portfolio management, asset portfolio management, etc. |
| Interoperability/APIs | An SPM tool should enable seamless integration with other applications for data interoperability. |

| Name | Description |
|---|---|
| Product Management | SPM can include product-management-specific functionality, including the ability to connect product families, roadmaps, and backlogs to enterprise goals and priorities, and track team-level activities at the sprint, release, and campaign levels. |
| Enterprise Architecture Management | SPM can include the ability to define and map the structure and operation of an organization in order to effectively coordinate various domains of architecture and governance (e.g. business architecture, data architecture, application architecture, security architecture, etc.) in order to effectively plan and introduce change. |
| Security and Risk Management | SPM can include the ability to identify and track enterprise risks and ensure compliance controls are met. |
| Lean Portfolio Management | SPM can include the ability to plan and report on portfolio performance independent from task level details of product, program, or project delivery. |
| Investment and Financial Management | SPM can include the ability to forecast, track, and report on financials at various levels (strategy, product, program, project, etc.). |
| Multi-Methodology Delivery | SPM can include the ability to plan and execute work in a way that accommodates various planning and delivery paradigms (predictive, iterative, Kanban, lean, etc.). |
1. SPM accommodates various ways of working.
2. SPM puts the focus on value and change.
3. SPM fosters a coherent approach to demand management.

1. The space is rife with IT buzzwords and, as a concept, is sometimes used as a repackaging of failing concepts.
2. Some solutions that identify as SPM are not.
3. SPM tools may have a capacity blind spot.
Download Info-Tech's Strategic Portfolio Management Needs Assessment
10 to 20 minutes
This screenshot shows a sample output from the assessment. Based upon your inputs, you'll be grouped within three ranges:

If the analysis in the previous slides suggested you can benefit from an SPM tool, you can quick-start your vendor evaluation process with SoftwareReviews.
SoftwareReviews has extensive coverage of not just the SPM space, but of the project portfolio management (pictured to the top right) and project management spaces as well. So, from the tactical to the strategic, SoftwareReviews can help you find the right tools.
Further, as you settle in on a shortlist, you can begin your vendor analysis using our rapid application selection methodology (see framework on bottom right). For more information, see our Rapid Application Selection Framework blueprint.

Info-Tech's Rapid Application Selection Framework (RASF)
Develop a Project Portfolio Management Strategy
Drive IT project throughput by throttling resource capacity.
Prepare an Actionable Roadmap for your PMO
Turn planning into action with a realistic PMO timeline.
Maintain an Organized Portfolio
Align portfolio management practices with COBIT (APO05: Manage Portfolio)
Angliss, Katy, and Pete Harpum. Strategic Portfolio Management: In the Multi-Project and Program Organization. Book. Routledge. 30 Dec. 2022.
Anthony, James. "95 Essential Project Management Statistics: 2022 Market Share & Data Analysis." Finance Online. 2022. Web. Accessed 21 March 2022.
Banham, Craig. "Integrating strategic planning with portfolio management." Sopheon. Webinar. Accessed 6 Feb. 2023.
Garfein, Stephen J. "Executive Guide to Strategic Portfolio Management: roadmap for closing the gap between strategy and results." PMI. Conference Paper. Oct. 2007. Accessed 6 Feb. 2023.
Garfein, Stephen J. "Strategic Portfolio Management: A smart, realistic and relatively fast way to gain sustainable competitive advantage." PMI. Conference Paper. 2 March 2005. Accessed 6 Feb. 2023.
Hontar, Yulia. "Strategic Portfolio Management." PPM Express. Blog. 16 June 2022. Accessed 6 Feb. 2023.
Milsom, James. "6 Strategic Portfolio Management Trends for 2023." i-nexus. Blog. 25 Jan. 2022. Accessed 6 Feb. 2023.
Milsom, James. "Strategic Portfolio Management 101." i-nexus. 8 Dec. 2021. Blog. Accessed 6 Feb. 2023.
OnePlan. "Is Strategic Portfolio Management the Future of PPM?" YouTube. 17 Nov. 2022. Accessed 6 Feb. 2023.
OnePlan. "Strategic Portfolio Management for Enterprise Agile." YouTube. 27 May 2022. Accessed 6 Feb. 2023.
Piechota, Frank. "Strategic Portfolio Management: Enabling Successful Business Outcomes." Shibumi. Blog. 31 May 2022. Accessed 6 Feb. 2023.
ServiceNow. "Strategic Portfolio Management—The Thing You've Been Missing." ServiceNow. Whitepaper. 2021. Accessed 6 Feb. 2023.
Smith, Shepherd. "50+ Eye-Opening Strategic Planning Statistics." ClearPoint Strategy. Blog. 13 Sept. 2022. Accessed 6 Feb. 2023.
SoftwareAG. "What is Strategic Portfolio Management (SPM)?" SoftwareAG. Blog. Accessed 6 Feb. 2023.
Stickel, Robert. "What It Means to be Adaptive." OnePlan. Blog. 24 May 2021. Accessed 6 Feb. 2023.
UMT360. "What is Strategic Portfolio Management?" YouTube. Webinar. 22 Oct. 2020. Accessed 6 Feb. 2023.
Wall, Caroline. "Elevating Strategy Planning through Strategic Portfolio Management." StrategyBlocks. Blog. 26 Feb. 2020. Accessed 6 Feb. 2023.
Westmoreland, Heather. "What is Strategic Portfolio Management." Planview. Blog. 19 Oct 2002. Accessed 6 Feb. 2023.
Wiltshire, Andrew. "Shibumi Included in Gartner Magic Quadrant for Strategic Portfolio Management for the 2nd Straight Year." Shibumi. Blog. 20 Apr. 2022. Accessed 6 Feb. 2023.
Ziehr, Paula. "Keep your eye on the prize: Align your IT investments with business strategy." SoftwareAG. Blog. 5 Jul. 2022. Accessed 6 Feb. 2023.
Use this research to identify and quantify the potential financial impacts of vendors’ poor performance. Use Info-Tech’s approach to look at the financial impact from various perspectives to better prepare for issues that may arise.
By playing the “what if” game and asking probing questions to draw out – or eliminate – possible negative outcomes, everyone involved adds their insight into parts of the organization to gather a comprehensive picture of potential impacts.

Vendors are becoming more influential and essential to the operation of organizations. Often the sole risk consideration of a business is whether the vendor meets a security standard, but vendors can negatively impact organizations’ budgets in various ways. Fortunately, though inherent risk is always present, organizations can offset the financial impacts of high-risk vendors by employing due diligence in their vendor management practices to help manage the overall risks.
Frank Sewell
Research Director, Vendor Management
Info-Tech Research Group
| Your Challenge | Common Obstacles | Info-Tech’s Approach |
|---|---|---|
| As vendors become more prevalent in organizations, organizations increasingly need to understand and manage the potential financial impacts of vendors’ actions. It is only a matter of time until a vendor mistake impacts your organization. Make sure you are prepared to manage the adverse financial consequences. | Identifying and managing a vendor’s potential financial impact requires multiple people in the organization across several functions – and those people all need educating on the potential risks. Organizational leadership is often unaware of decisions on organizational risk appetite and tolerance, and they assume there are more protections in place against risk impact than there truly are. | Vendor management practices educate organizations on the different potential financial impacts that vendors may incur and suggest systems to help manage them. Prioritize and classify your vendors with quantifiable, standardized rankings. Prioritize focus on your high-risk vendors. Standardize your processes for identifying and monitoring vendor risks to manage financial impacts with our Financial Risk Impact Tool. |
Companies without good vendor management risk initiatives will take on more risk than they should. Solid vendor management practices are imperative – organizations must evolve to ensure that vendors deliver services according to performance objectives and that risks are managed accordingly.

This series will focus on the individual components of vendor risk and how vendor management practices can facilitate organizations’ understanding of those risks.
Out of scope:
This series will not tackle risk governance, determining overall risk tolerance and appetite, or quantifying inherent risk.
In this blueprint, we’ll explore financial risks and their impacts.
Identifying negative actions is paramount to assessing the overall financial impact on your organization, starting in the due diligence phase of the vendor assessment and continuing throughout the vendor lifecycle.

Loss of business represents the largest share of the breach: 38% (avg. $1.59M)
Global average cost of a vendor breach: $4.2M
Percentage of breaches in 2020 caused by business associates: 40.2%; 23.2% YoY (year over year)
(Source: “Cost of a Data Breach Report 2021,” IBM, 2021)
(Source: “Vendor Risk Management – A Growing Concern,” Stern Security, 2021)
Hospitals often rely on vendors to manage their data center environments but rarely understand the downstream financial impacts if that vendor fails to perform.
For example, a vendor implements a patch out of cycle with no notice to the IT group. Suddenly all IT systems are down. It takes 12 hours for the IT teams to return systems to normal. The downstream impacts are substantial.
Assessing financial impacts is an ongoing, educative, and collaborative multidisciplinary process that vendor management initiatives are uniquely designed to coordinate and manage for organizations.
Insight 1: Vendors are becoming more and more crucial to organizations’ overall operations, and most organizations have a poor understanding of the potential impacts they represent.
Is your vendor solvent? Do they have enough staff to accommodate your needs? Has their long-term planning been affected by changes in the market? Are they unique in their space?
Insight 2: Financial impacts from other risk types deserve just as much focus as security alone, if not more.
Examples include penalties and fines, loss of revenue due to operational impacts, vendor replacement costs, hidden costs in poorly understood contracts, and lack of contractual protections.
Insight 3: There is always an inherent risk in working with a vendor, but organizations should financially quantify how much each risk may impact their budget.
A significant concern for organizations is quantifying different types of risks. When a risk occurs, the financial losses are often poorly understood, with unbudgeted financial impacts.
Inherent risks from negative actions are pervasive throughout the entire vendor lifecycle. Collaboratively understanding those risks and working together to put proper management in place enables organizations to get the most value out of the relationship with the least amount of risk.

Visit Info-Tech’s VMO ROI Calculator and Tracker
Input: List of identified potential risk scenarios scored by likelihood and financial impact, List of potential management of the scenarios to reduce the risk
Output: Comprehensive financial risk profile on the specific vendor solution
Materials: Whiteboard/flip charts, Financial Risk Impact Tool to help drive discussion
Participants: Vendor Management – Coordinator, IT Operations, Legal/Compliance/Risk Manager, Finance/Procurement
Vendor management professionals are in an excellent position to collaboratively pull together resources across the organization to determine potential risks. By playing the “what if” game and asking probing questions to draw out – or eliminate – possible negative outcomes, everyone involved adds their insight into parts of the organization to gather a comprehensive picture of potential impacts.
Download the Financial Risk Impact Tool
Never underestimate the value of keeping the relationship moving forward. Examples of items and activities to monitor include:
Info-Tech Insight: Many organizations do not have the resources to dedicate to annual risk assessments of all vendors. Consider timing ongoing risk assessments to align with contract renewal, when you have the most leverage with the vendor.
Visit Info-Tech’s Risk Register Tool
Design and Build an Effective Contract Lifecycle Management Process
Identify and Reduce Agile Contract Risk
Jump Start Your Vendor Management Initiative
With features such as messaging, collaboration tools, and video conferencing, UCaaS enables users to be more effective regardless of location and device. This can lead to quicker decision making and reduce communication delays.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
In addition to examining the benefits of UCaaS, this deck covers how to drive toward an RFP and convince the C-suite to champion your UCaaS strategy.
This questionnaire is a starting point. Sections include: 1) Current State Questionnaire, 2) IT Infrastructure Readiness Questionnaire, and 3) UCaaS Vendor Questionnaire. These questions can also be added to an RFP for UCaaS vendors you may want to work with.
Hybrid/remote work is a reality and there is little evidence to prove otherwise despite efforts to return employees to the office. A 2023 survey from Zippia says 74% of US companies are planning to or have implemented hybrid work policies. Given the reality of the new ways people work, there’s a genuine need for a UCaaS solution.
The days of on-premises private branch exchange (PBX) and legacy voice over internet protocol (VoIP) solutions are numbered, and organizations are examining alternative solutions to redundant desk phones. The stalwarts of voice solutions, Cisco and Avaya, have seen the writing on the wall for some time: the new norm must be a cloud-based solution that integrates via API with content resource management (CRM), email, chat, and collaboration tools.
Besides remaining agile when accommodating different work locations, it’s advantageous to be able to quickly scale and meet the needs of organizations and their employees. New technology is moving at such a pace that utilizing a UCaaS service is truly beneficial, especially given its AI, analytics, and mobile capabilities. Being held back by an on-premises solution that is capitalized over several years is not a wise option.
John Donovan
Principal Research Director, I&O Practice
Info-Tech Research Group
Improved integration and communication in a hybrid world
Unified communication as a service (UCaaS) integrates several tools into one platform to provide seamless voice, video, chat, collaboration, sharing and much more. The ability to work from anywhere and the ability to use application programming interfaces (APIs) to integrate content resource management (CRM) and other productivity tools into a unified environment is a key component of employee productivity, whether at the office or remote, or even on mobile devices.
Simplify your maintenance, management, and support
Running communication and voice through a cloud provisioner has many benefits and makes life easier for your IT staff. No more ongoing maintenance, upgrades, patching, and managing of servers or private branch exchanges (PBXs). UCaaS is easy to deploy, and due to its scalability and flexibility, users can easily be added or removed. Now businesses can retire their legacy technical debt of voice hardware and old desk phones that clutter the office.
Oversight on security
Using a software as a service (SaaS) platform in UCaaS form does, by design, carry the risk of data breaches, phishing, and third-party malware. Fortunately, you can safeguard your organization’s security by ensuring the vendor you choose features SOC 2 certification, taking care of encryption, firewalls, two-factor authentication, security incident handling, and disaster recovery. The big players in the UCaaS world have these features.
Your Challenge
So, your legacy PBX is ready to be replaced. It has no support or maintenance contract, and you face a critical decision. You could face these challenges:
Common Obstacles
Businesses may worry about several obstacles when it’s time to choose a voice and collaboration solution. For example:
Info-Tech’s Approach
It’s critically important to perform due diligence and build out requirements when deciding what UCaaS solution works for you. Even if you decide not to pursue this cloud-based service, at least you will:
In this advisory deck, you will see a set of questions you must ask including whether Teams is suitable for your business.
Determine your communication and collaboration needs. Evaluate your current use of voice, video, chat, collaboration, sharing, and mobility whether for the office or remote work. Evaluate your security and regulatory requirements and needs. Determine the integration requirements when evaluating top vendors.
Flexibility and scalability
Ability to add/remove users and services as appropriate for changing business needs, allowing for quick adaptation to changing markets.
Productivity
Offering features like messaging, collaboration tools, and video conferencing enables users to be more effective regardless of location and device. May lead to quicker decision making and reduced communication delays.
Cost savings
Eliminating the need for on-premises hardware and software, reducing maintenance and support costs. Predictable monthly billing.
Business continuity
Reducing risks of disruption or disaster. Allowing users to work from anywhere when the physical office is unavailable. Additional features can include disaster recovery and backup services.
Enhanced security
UCaaS providers usually offer advanced security and compliance features including encryption, firewall, intrusion detection, and certifications like HIPAA and SOC 2.
What key metrics should businesses measure to demonstrate a successful UCaaS project?
What improvements are needed?
What can be optimized?
| KPI | Measurement |
|---|---|
| User adoption rate | |
| Call quality and reliability | |
| Cost savings | |
| Improved productivity | |
| Customer satisfaction | |
| Scalability | |
Collaboration: No Jitter’s study on team collaboration found that 95% of survey respondents think collaborative communication apps are a necessary component of a successful communications strategy.
Source: No Jitter, 2018.
Security: When deploying remote communication solutions, 95% of businesses say they want to use VPN connections to keep data private.
Source: Mitel, 2018.
Flexibility: While there are numerous advantages to cloud-based communications, 31% of companies intend to use UCaaS to eliminate technical debt from legacy systems and processes.
Source: Freshworks, 2019.
While many organizations are widely adopting UCaaS, they still have data security concerns
UCaaS is growing at a rate of 29% year over year, which shows the market for UC is moving toward cloud-based voice and collaboration solutions.
Source: Synergy Research Group, 2017.
While it’s increasingly popular to adopt cloud-based unified communication solutions, 70% of those companies are still concerned about their data security.
Source: Masergy, 2022.
Concerns around security range from encrypting conversations to controlling who has access to what data in the organization’s network to how video is managed on emerging video communications platforms.
Ensure you maintain a robust security posture with your data regardless of where it is being stored. Security breaches can happen at any location.
Main benefits of UCaaS
There are five reasons you should migrate to UCaaS: advanced technology, easy scalability, cost efficiencies, high availability, and security. There are always outliers, but these five criteria are a reliable foundation when assessing a vendor/product.
Unified communications as a service (UCaaS) is a cloud-based subscription service primarily for communication tools such as voice, video, messaging, collaboration, content sharing, and other cloud services over the internet. It uses VoIP to process calls.
The popularity of UCaaS is increasing with the recent trend of users working remotely full or part-time and requiring collaboration tools for their work.
Must-haves vs. nice-to-haves
Decide what matters most to the organization when choosing the UC platform and applications. Divide criteria into must-have vs. nice-to-have categories.
What are the concerns? What is at risk?
SRTP
TLS
VPNs and firewalls
SIP
SSH
Encryption is a must for securing data and voice packets across the internet. These packets can be vulnerable to eavesdropping techniques and local area network (LAN) breaches. This risk must be mitigated from end to end.
Seven vendors competing with Microsoft’s integrated suite of collaboration tools
Best for large meetings and webinars
Key features:
Best for project management collaboration tools
Key features:
Best for CRM support, best-in-class functionality and features
Key features:
Best for integration with other business apps
Key features:
Best for small companies under 15 users
Key features:
Only vendor offering real-time translation & closed captioning
Key features:
Best for whole team collaboration for docs and slides
Key features:
Avaya offers the OneCloud UC platform. It is one of the last UC vendors to offer on-premises solutions. In a market which is moving to the cloud at a serious pace, Avaya retains a 14% share. It made a strategic partnership with RingCentral in 2019 and in February 2021 they formed a joint venture which is now called Avaya Cloud Office, a UCaaS solution that integrates Avaya’s communication and collaboration solution with the RingCentral cloud platform.
With around 33% of the UC market, Cisco also has a selection of UC products and services for on-premises deployment and the cloud, including WebEx Calling, Jabber, Unity Connections for voice messaging, and Single Number Reach for extensive telephony features.
Both vendors support on-premises and cloud-based solutions for UC.
Avaya Cloud Office
Cisco WebEx
INDUSTRY: All industries
SOURCE: Software reviews
RingCentral integrates with some popular contact centers such as Five9, Talkdesk, and Sharpen. They also have a built-in contact center solution that can be integrated with their messaging and video conferencing tools.
GoToConnect integrates with several leading customer service providers including Zendesk and Salesforce Service Cloud. They also offer a built-in contact center solution with advanced call routing and management features.
WebEx integrates with a variety of contact center and customer service platforms including Five9, Genesys, and ServiceNow.
Dialpad integrates with contact center platforms such as Talkdesk and ServiceNow as well as CRM tools such as Salesforce and HubSpot.
Google Workspace integrates with third-party contact center platforms through their Google Cloud Contact Center AI offering.
* Some reported issues around sound and voice quality may be due to network
**Limited to certain plans
| | UCaaS | CPaaS |
|---|---|---|
| Defined | Unified communication as a service – a cloud-based platform providing a suite of tools like voice, video messaging, file sharing & contact center. | Communication platform as a service – a cloud-based platform allowing developers to use APIs to integrate real-time communications into their own applications. |
| Functionality | Designed for end users accessing a suite of tools for communication and collaboration through a unified platform. | Designed for developers to create and integrate comms features into their own applications. |
| Use cases | Replace aging on-premises PBX systems with consolidated voice and collaboration services. | Embedded communications capabilities into existing applications through SDKs, Java, and .NET libraries. |
| Cost | Often has a higher cost depending on services provided which can be quite comprehensive. | Can be more cost effective than UCaaS if the business only requires a few communication features integrated into their apps. |
| Customization | Offers less customization as it provides a predefined suite of tools that are rarely customized. | Highly flexible and customizable so developers can build and integrate to fit unique use cases. |
| Vendors | Zoom, MS Teams, Cisco WebEx, RingCentral, 8x8, GoTo Meeting, Slack, Avaya & many more. | Twilio, Vonage, Pivo, MessageBird, Nexmo, SignalWire, CloudTalk, Avaya OneCloud, Telnyx, Voximplant, and others. |
Consider your approach to the telephony question. Microsoft incorporates telephony functionality with their broader collaboration suite. Other providers do the opposite.
These options allow you to plan for an all-cloud solution, connect to your own carrier, or use a combination of all cloud with a third-party carrier. Caveat: Calling plans must be available in your country or region.
How do you connect with the public switched telephone network (PSTN)?
Microsoft has three options for connecting the phone system to the PSTN:
This plan will work for you if:
This plan will work for you if:
This plan will work for you if:
For more information, go to Microsoft Teams call flows.
Microsoft Teams phone considerations when connecting to a PSTN
All in the cloud for Teams users
Infrastructure requirements:
| Requires uninterrupted connection with Microsoft 365 | Yes |
| Available worldwide* | No |
| Requires deploying and maintaining a supported session border controller (SBC) | No |
| Requires contract with third-party carrier | No |
*List of countries where calling plans are available: aka.ms/callingplans
Phone system in the cloud; connectivity to on-premises voice network for Teams users
Infrastructure requirements:
| Requires uninterrupted connection with Microsoft 365 | Yes |
| Available worldwide* | No |
| Requires deploying and maintaining a supported session border controller (SBC) | No |
| Requires contract with third-party carrier | Yes |
*List of countries where Operator Connect is available: aka.ms/operatorconnect
Phone system in the cloud; connectivity to on-premises voice network for Teams users
Infrastructure requirements:
| Requires uninterrupted connection with Microsoft 365 | Yes |
| Available worldwide | Yes |
| Requires deploying and maintaining a supported session border controller (SBC) | Yes |
| Requires contract with third-party carrier* | Yes |
*Unless deployed as an option to provide connection to third-party PBX, analog devices, or other voice equipment for users who are on Phone System with Calling Plans
A Metrigy study found that 70% of organizations adopting MS Teams are using direct routing to connect to the PSTN.
Note: Complex organizations with varying needs can adopt all three options simultaneously.
Pros:
Cons:
Phone System is Microsoft’s answer to the premises-based private branch exchange (PBX) functionality that has traditionally required a large capital expenditure. The cloud-based Phone System, offered with Microsoft’s highest tier of Microsoft/Office 365 licensing, allows Skype/Teams customers access to the following features (among others):
Phone System, especially the Teams version, is a fully-featured telephony solution that integrates natively with a popular productivity solution. Phone System is worth exploring because many organizations already have Teams licenses.
“Plan your Teams voice solution,” Microsoft, 2022.
“Microsoft Calling Plans for Teams,” Microsoft, 2023.
“Plan Direct Routing,” Microsoft, 2023.
“Cisco vs. Microsoft Cloud Calling—Discussing the Options,” UC Today, 2022.
“Microsoft Teams Phone Systems: 5 Deployment Options in 2020,” AeroCom, 2020.
If you want to use a certified and direct routing solution for Teams Phone, use the Connect model.
If you want to use Azure bots and the Microsoft Graph Communication APIs that enable solution providers to create the Teams app, use the Extend model.
If you want to use the SDK that enables solution providers to embed native Teams experiences in their App, use the Power model (under development).
| The Connect model features | The Extend model features | The Power model features (TBD) |
|---|---|---|
| Office 365 authN for agents to connect to their MS tenant from their integrated CCaaS client | Team graph APIs and Cloud Communication APIs for integration with Teams | Goal: One app, one screen contact center experience |
| Use Teams to see when agents are available | Teams-based app for agent experience. Chat and collaboration experience integrated with the Teams Client | Goal: Adapt using software development kits (SDKs) |
| Transfers and groups call support for Teams | Teams as the primary calling endpoint for the agent | Goal: One dashboard experience |
| Teams Graph APIs and Cloud communication APIs for integration with Teams | Teams' client calling for all the call controls. Preserve performance & quality of Teams client experience | |
| Multi-tenant SIP trunking to support several customers on solution provider’s SBC | Agent experience apps for both Teams web and mobile client | |
| Solution providers to use Microsoft certified session border controller (SBC) | Analytics workflow management role-based experience for agents in the CaaS app in Teams | |
Plan network basics
What internet speed do I need for Teams calls?
Key physical considerations
Prepare your organization's network for Microsoft Teams
Plan your Teams voice solution
Check your internet connection for Teams Phone System
Teams Phone Mobile
Input: Evaluate your current state, Network readiness
Output: Decisions on readiness, Gaps in infrastructure readiness, Develop a project plan
Materials: UCaaS Readiness Questionnaire
Participants: Infrastructure Manager, Project Manager, Network Engineer, Voice Engineer
As a group, read through the questions on Tabs 1 and 2 of the UCaaS Readiness Questionnaire workbook. The answers to the questions will determine if you have gaps to fill when determining your readiness to move forward on a UCaaS solution.
You may produce additional questions during the session that pertain to your specific business and situation. Please add them to the questionnaire as needed.
Record your answers to determine next steps and readiness.
When assessing potential vendors, use Tab 3 to determine suitability for your organization and requirements. This section may be left to a later date when building a request for proposal (RFP).
Call #1: Review client advisory deck and next steps.
Call #2: Assess readiness from answers to the Tab 1 questions.
Download the UCaaS Readiness Questionnaire here
Modernize Communications and Collaboration Infrastructure
Organizations are losing productivity from managing the limitations of yesterday’s technology. The business is changing and the current communications solution no longer adequately connects end users. A new communications and collaboration infrastructure is due to replace or update the legacy infrastructure in place today.
Establish a Communication and Collaboration System Strategy
Communication and collaboration portfolios are overburdened with redundant and overlapping services. Between Office 365, Slack, Jabber, and WebEx, IT is supporting a collection of redundant apps. This redundancy takes a toll on IT, and on the user.
Implement a Transformative IVR Experience That Empowers Your Customers
Learn the strategies that will allow you to develop an effective interactive voice response (IVR) framework that supports self-service and improves the customer experience.
“8 Security Considerations for UCaaS.” Tech Guidance, Feb. 2022. Accessed March 2023.
“2022 UCaaS & CCaaS market trends snapshot.” Masergy, 2022. Web.
“All-in-one cloud communications.” Avaya, 2023. Accessed April 2023. Web.
Carter, Rebekah. “UC Case Study in Focus: Microsoft Teams and GroupM.” UC Today, 9 May 2022. Accessed Feb. 2023.
“Cisco Unified Communications Manager Cloud (Cisco UCM Cloud) Data Sheet.” Cisco, 15 Sept. 2021. Accessed Jan. 2023.
“Cloud Adoption as Viewed by European Companies: Assessing the Impact on Public, Hybrid and Private Cloud Communications.” Mitel, 2018. Web.
De Guzman, Marianne. “Unified Communications Security: The Importance of UCaaS Encryption.” Fit Small Business, 13 Dec. 2022. Accessed March 2023.
“Evolution of Unified Communications.” TrueConf, n.d. Accessed March 2023. Web.
Froehlich, Andrew. “Choose between Microsoft Teams vs. Zoom for conference needs.” TechTarget, 7 May 2021. Accessed March 2023.
Gerwig, Kate. “UCaaS explained: Guide to unified communications as a service.” TechTarget, 29 March 2022. Accessed Jan. 2023.
Irei, Alissa. “Emerging UCaaS trends include workflow integrations and AI.” TechTarget, 21 Feb 2020. Accessed Feb. 2023.
Kuch, Mike. “What Is Unified Communications as a Service (UCaaS)?” Avaya, 27 Dec. 2022. Accessed Jan. 2023.
Lazar, Irwin. “UC vendors extend mobile telephony capabilities.” TechTarget, 10 Feb. 2023. Accessed Mar 2023.
McCain, Abby. "30 Essential Hybrid Work Statistics [2023]: The Future of Work." Zippia, 20 Feb. 2023. Accessed Mar 2023.
“Meet the modern CIO: What CEOs expect from their IT leaders.” Freshworks, 2019. Web.
“A New Era of Workplace Communications: Will You Lead or Be Left Behind.” No Jitter, 2018. Web.
Plumley, Mike, et al. “Microsoft Teams IT architecture and voice solutions posters.” Microsoft Teams, Microsoft, 14 Feb. 2023. Accessed March 2023.
Rowe, Carolyn, et al. “Plan your Teams voice solution.” Microsoft Learn, Microsoft, 1 Oct. 2022.
Rowe, Carolyn, et al. “Microsoft Calling Plans for Teams.” Microsoft Learn, Microsoft, 23 May 2023.
Rowe, Carolyn, et al. “Plan Direct Routing.” Microsoft Learn, Microsoft, 20 Feb. 2023.
Scott, Rob. “Cisco vs. Microsoft Cloud Calling—Discussing the Options.” UC Today, 21 April 2022.
Smith, Mike. “Microsoft Teams Phone Systems: 5 Deployment Options in 2020.” YouTube, uploaded by AeroCom Inc, 23 Oct. 2020.
“UCaaS - Getting Started With Unified Communications As A Service.” Cloudscape, 10 Nov. 2022. Accessed March 2023.
“UCaaS Market Accelerating 29% per year; RingCentral, 8x8, Mitel, BroadSoft and Vonage Lead.” Synergy Research Group, 16 Oct. 2017. Web.
“UCaaS Statistics – The Future of Remote Work.” UC Today, 21 April 2022. Accessed Feb. 2023.
“Workplace Collaboration: 2021-22.” Metrigy, 27 Jan. 2021. Web.
The new security leader must be strategic, striking a balance between being tactical and taking a proactive security stance. They must incorporate security into business practices from day one and enable secure adoption of new technologies and business practices.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Use this blueprint to hire or develop a world-class Chief Information Security Officer (CISO) with the competencies that suit your specific organizational needs. Once you have identified the right candidate, create a plan to develop your CISO.
This tool will help you determine which competencies are a priority for your organizational needs and which competencies your CISO needs to develop.
Use this template to identify stakeholders who are key to your security initiatives and to understand your relationships with them.
Create a strategy to cultivate your stakeholder relationships and manage each relationship in the most effective way.
This tool will help you create and implement a plan to remediate competency gaps.
The days are gone when the security leader can stay at a desk and watch the perimeter. The rapidly increasing sophistication of technology, and of attackers, has changed the landscape so that a successful information security program must be elastic, nimble, and tailored to the organization’s specific needs.
The Chief Information Security Officer (CISO) is tasked with leading this modern security program, and this individual must truly be a Chief Officer, with a finger on the pulses of the business and security processes at the same time. The modern, strategic CISO must be a master of all trades.
A world-class CISO is a business enabler who finds creative ways for the business to take on innovative processes that provide a competitive advantage and, most importantly, to do so securely.
Cameron Smith
Research Lead, Security & Privacy
Info-Tech Research Group
Your Challenge
Common Obstacles
Info-Tech’s Approach
Info-Tech Insight
The new security leader must be strategic, striking a balance between being tactical and taking a proactive security stance. They must incorporate security into business practices from day one and enable secure adoption of new technologies and business practices.
Around one in five organizations don’t have an individual with the sole responsibility for security1
1 Navisite
Info-Tech Insight
Assigning security responsibilities to departments other than security can lead to conflicts of interest.
Source: Navisite
Only 36% of small businesses have a CISO (or equivalent position).
48% of mid-sized businesses have a CISO.
90% of large organizations have a CISO.
Source: Navisite
| Strategic CISO | Tactical CISO |
|---|---|
| Proactive; Focus is on protecting hyperdistributed business processes and data; Elastic, flexible, and nimble; Engaged in business design decisions; Speaks the language of the audience (e.g. business, financial, technical) | Reactive; Focus is on protecting current state; Perimeter and IT-centric approach; Communicates with technical jargon |
1 Journal of Computer Science and Information Technology
To determine what is required from tomorrow’s security leader, Info-Tech examined the core behaviors that make a world-class CISO. These are the three areas that a CISO engages with and excels in.
Later in this blueprint, we will review the competencies and skills that are required for your CISO to perform these behaviors at a high level.
Align
Aligning security enablement with business requirements
Enable
Enabling a culture of risk management
Manage
Managing talent and change
Info-Tech Insight
Through these three overarching behaviors, you can enable a security culture that is aligned to the business and make security elastic, flexible, and nimble to maintain the business processes.

| 1. Launch | 2. Assess | 3. Plan | 4. Execute | |
|---|---|---|---|---|
| Phase Steps |
|
|
|
|
| Phase Outcomes |
At the end of this phase, you will have:
|
At the end of this phase, you will have:
|
At the end of this phase, you will have:
|
At the end of this phase, you will have:
|
Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:
CISO Core Competency Evaluation Tool
Assess the competency levels of a current or prospective CISO and identify areas for improvement.
Stakeholder Power Map Template
Visualize the importance of various stakeholders and their concerns.
Stakeholder Management Strategy Template
Document a plan to manage stakeholders and track actions.
Key deliverable:
CISO Development Plan Template
The CISO Development Plan Template is used to map specific activities and time frames for competency development to address gaps and achieve your goal.
Career development should not be seen as an individual effort. By understanding the personal core competencies that Info-Tech has identified, the individual wins by developing relevant new skills and the organization wins because the CISO provides increased value.
| Organizational Benefits | Individual Benefits |
|---|---|
|
|
Organizations with a CISO saw an average of $145,000 less in data breach costs.1
However, we aren’t talking about hiring just any CISO. This blueprint seeks to develop your CISO’s competencies and reach a new level of effectiveness.
Organizations invest a median of around $375,000 annually in their CISO.2 The CISO would have to be only 4% more effective to represent $15,000 more value from this position. This would offset the cost of an Info-Tech workshop, and this conservative estimate pales in comparison to the tangible and intangible savings as shown below.
Your specific benefits will depend on many factors, but the value of protecting your reputation, adopting new and secure revenue opportunities, and preventing breaches cannot be overstated. There is a reason that investment in information security is on the rise: Organizations are realizing that the payoff is immense and the effort is worthwhile.
| Tangible cost savings from having a world-class CISO | Intangible cost savings from having a world-class CISO |
|---|---|
|
|
1 IBM Security
2 Heidrick & Struggles International, Inc.
SOURCE
Kyle Kennedy
CISO, CyberSN.com
Challenge: The decision was made to move to a new vendor. There were multiple options, but the best option in the CISO’s opinion was a substantially more expensive service that provided more robust protection and more control features. The CISO faced the challenge of convincing the board to make a financial investment in his IT security initiative to implement this new software.
Solution: He identified that the business has $100 million in revenue that would move through this data stream. This new software would help to ensure the security of all these transactions, which they would lose in the event of a breach. Furthermore, the CISO identified new business plans in the planning stage that could be protected under this initiative.
Results: This approach is the opposite of the cautionary tales that make news headlines, where new revenue streams are created before systems are put in place to secure them. This proactive approach is the core of the world-class CISO.
| Launch | Assess | Plan | Execute |
|---|---|---|---|
| Call #1: Review and discuss CISO core competencies. Call #2: Discuss Security Business Satisfaction and Alignment diagnostic results. | Call #3: Discuss the CISO Stakeholder Power Map Template and the importance of relationships. Call #4: Discuss the CISO Core Competency Evaluation Tool. | Call #5: Discuss results of the CISO Core Competency Evaluation and identify resources to close gaps. Call #6: Review organizational structure and key stakeholder relationships. | Call #7: Discuss and create your CISO development plan and track your development. |
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is 6 to 10 calls over the course of 3 to 6 months.
Phase 1
1.1 Understand Core Competencies
1.2 Measure Security and Business Satisfaction and Alignment
Phase 2
2.1 Assess Stakeholder Relationships
2.2 Assess the Core Competencies
Phase 3
3.1 Identify Resources to Address Competency Gaps
3.2 Plan Approach to Improve Stakeholder Relationships
Phase 4
4.1 Decide Next Actions and Support Your CISO Moving Forward
4.2 Regularly Reassess to Measure Development and Progress
This phase will walk you through the following activities:
Hire or Develop a World-Class CISO
Mark Lester
InfoSec Manager, SC Ports Authority
An organization hires a new Information Security Manager into a static and well-established IT department.
Situation: The organization acknowledges the need for improved information security, but there is no framework for the Security Manager to make successful changes.
| Challenges | Next Steps |
|---|---|
|
|
Follow this case study throughout the deck to see this organization’s results
Activities
Review core competencies the security leader must develop to become a strategic business partner
This step involves the following participants:
or
Outcomes of this step
Analysis and understanding of the eight strategic CISO competencies required to become a business partner
Launch
Info-Tech has identified eight core competencies affecting the CISO’s progression to becoming a strategic business partner.
- Business Acumen
- Leadership
- Communication
- Technical Knowledge
- Innovative Problem Solving
- Vendor Management
- Change Management
- Collaboration
< 1 hour
Over the next few slides, review each world-class CISO core competency. In Step 1.2, you will determine which competencies are a priority for your organization.
| CISO Competencies | Description |
|---|---|
| Business Acumen | A CISO must focus primarily on the needs of the business and how the business works, then determine how to align IT security initiatives to support business initiatives. This includes: |
| Leadership | A CISO must be a security leader, and not simply a practitioner. This requires: |
| Communication | Many CISOs believe that using technical jargon impresses their business stakeholders – in fact, it only makes business stakeholders become confused and disinterested. A CISO must have executive communication skills. This involves: |
| Technical Knowledge | A CISO must have a broad technical understanding of IT security to oversee a successful security program. This includes: |
| Innovative Problem Solving | A good CISO doesn’t just say “no,” but rather finds creative ways to say “yes.” This can include: |
| Vendor Management | With the growing use of “anything as a service,” negotiation, vendor, and financial management skills are critical to becoming a strategic CISO. |
| Change Management | A world-class CISO improves security processes by being an agent of change for the organization. This involves: |
| Collaboration | A CISO must be able to use alliances and partnerships strategically to benefit both the business and themselves. This includes: |
Activities
This step involves the following participants:
or
Outcomes of this step
Determine current gaps in satisfaction and alignment between information security and your organization.
If seeking to hire/develop a CISO: Your diagnostic results will help develop a profile of the ideal CISO candidate to use as a hiring and interview guide.
If developing a current CISO, use your diagnostic results to identify existing competency gaps and target them for improvement.
For the CISO seeking to upgrade capabilities: Use the core competencies guide to self-assess and identify competencies that require improvement.
Launch
| Suggested Time: | One week for distribution, completion, and collection of surveys; one-hour follow-up with an Info-Tech analyst |
The primary goal of IT security is to protect the organization from threats. This does not mean simply bolting everything down; it means enabling business processes securely. Doing this effectively requires alignment between IT security and the overall business.
Call an analyst to review your results and provide you with recommendations.
Info-Tech Insight
Focus on the high-priority competencies for your organization. You may find a candidate with perfect 10s across the board, but a more pragmatic strategy is to find someone with strengths that align with your needs. If there are other areas of weakness, then target those areas for development.
After completing the Info-Tech diagnostic, use the CISO Core Competency Evaluation Tool to determine which CISO competencies are a priority for your organization.
Download the CISO Core Competency Evaluation Tool
Hire or Develop a World-Class CISO
Mark Lester
InfoSec Manager, SC Ports Authority
The new Security Manager engages with employees to learn the culture.
Outcome: Understand what is important to individuals in order to create effective collaboration. People will engage with a project if they can relate it to something they value.
| Actions | Next Steps |
|---|---|
|
|
Follow this case study throughout the deck to see this organization’s results
Activities
Evaluate the power, impact, and support of key stakeholders
This step involves the following participants:
or
Outcomes of this step
Assess
Info-Tech Insight
Most organizations don’t exist for the sole purpose of doing information security. For example, if your organization is in the business of selling pencils, then information security is in business to enable the selling of pencils. All the security in the world is meaningless if it doesn’t enable your primary business processes. The CISO must always remember the fundamental goals of the business.
The above insight has two implications:
When people are not receptive to the CISO, it’s usually because the CISO has not been part of the discussion when plans were being made. This is the heart of proactivity.
You need to be involved from the start … from the earliest part of planning.
The job is not to come in late and say “No” ... the job is to be involved early and find creative and intelligent ways to say “Yes.”
The CISO needs to be the enabling security asset that drives business.
– Elliot Lewis, CEO at Keyavi Data
The CISO Stakeholder Power Map Template is meant to provide a visualization of the CISO’s relationships within the organization. This should be a living document that can be updated throughout the year as relationships develop and the structure of an organization changes.
At a glance, this tool should show:
Once this tool has been created, it provides a good reference as the CISO works to develop lagging relationships. It shows the landscape of influence and impact within the organization, which may help to guide the CISO’s strategy in the future.
Download the CISO Stakeholder Power Map Template
Info-Tech Insight
Some stakeholders must work closely with your incoming CISO. Consider including these individuals in the interview process to ensure you will have partners that can work well together. This small piece of involvement early on can save a lot of headache in the future.
Once you know which competencies are a priority in your new CISO, the next step is to decide where to start looking. This person may already exist in your company.
Internal: Take some time to review your current top information security employees or managers. It may be immediately clear that certain people will or will not be suitable for the CISO role. For those that have potential, proceed to Step 2.2 to map their competencies.
Recruitment: If you do not have any current employees that will fit your new CISO profile, or you have other reasons for wanting to bring in an outside individual, you can begin the recruitment process. This could start by posting the position for applications or by identifying and targeting specific candidates.
Ready to start looking for your ideal candidate? You can use Info-Tech’s Chief Information Security Officer job description template.
Technical Counselor Seat: In addition to having access to our research and consulting services, you can acquire a Technical Counselor Seat from our Security & Risk practice, where one of our senior analysts would serve with you on a retainer. You may find that this option saves you the expense of having to hire a new CISO altogether.
Virtual CISO: A virtual CISO, or vCISO, is essentially a “CISO as a service.” A vCISO provides an organization with an experienced individual that can, on a part-time basis, lead the organization’s security program through policy and strategy development.
Why would an organization consider a vCISO?
Source: InfoSec Insights by Sectigo Store
Why would an organization not consider a vCISO?
Source: Georgia State University
Activities
Assess CISO candidates in terms of desired core competencies
or
Self-assess your personal core competencies
This step involves the following participants:
or
and
Outcomes of this step
Assess
Download the CISO Core Competency Evaluation Tool
Info-Tech Insight
The most important competencies should be your focus. Unless you are lucky enough to find a candidate that is perfect across the board, you will see some areas that are not ideal. Don’t forget the importance you assigned to each competency. If a candidate is ideal in the most critical areas, you may not mind that some development is needed in a less important area.
After deciding the importance of and requirements for each competency in Phase 1, assess your CISO candidates.
Your first pass on this tool will be to look at internal candidates. This is the “develop a CISO” option.
Download the CISO Core Competency Evaluation Tool
Hire or Develop a World-Class CISO
Mark Lester
InfoSec Manager, SC Ports Authority
The new Security Manager changes the security culture by understanding what is meaningful to employees.
Outcome: Engage with people on their terms. The CISO must speak the audience’s language and express security terms in a way that is meaningful to the audience.
| Actions | Next Steps |
|---|---|
|
|
Follow this case study throughout the deck to see this organization’s results
Activities
Create a plan to remediate competency gaps
This step involves the following participants:
or
Outcomes of this step
Plan
Info-Tech’s Cybersecurity Workforce Training develops critical cybersecurity skills missing within your team and organization. The leadership track provides the same deep coverage of technical knowledge as the analyst track but adds hands-on support and has a focus on strategic business alignment, program management, and governance.
The program builds critical skills through:
Info-Tech Insight
Investing in a current employee that has the potential to be a world-class CISO may take less time, effort, and money than finding a unicorn.
Learn more on the Cybersecurity Workforce Development webpage
< 2 hours
| CISO Competencies | Description |
|---|---|
| Business Acumen |
Info-Tech Workshops & Blueprints
Actions/Activities
|
< 2 hours
| CISO Competencies | Description |
|---|---|
| Leadership |
Info-Tech Training and Blueprints
Action/Activities
|
Info-Tech Insight
Surround yourself with great people. Insecure leaders surround themselves with mediocre employees that aren’t perceived as a threat. Great leaders are supported by great teams, but you must choose that great team first.
< 2 hours
| CISO Competencies | Description |
|---|---|
| Communication |
Info-Tech Workshops & Blueprints
Build and Deliver an Optimized IT Update Presentation: Show IT’s value and relevance by dropping the technical jargon and speaking to the business in their terms.
Master Your Security Incident Response Communications Program: Learn how to talk to your stakeholders about what’s going on when things go wrong.
Develop a Security Awareness and Training Program That Empowers End Users: Your weakest link is between the keyboard and the chair, so use engaging communication to create positive behavior change.
Actions/Activities
Learn to communicate in the language of your audience (whether business, finance, or social), and frame security solutions in terms that are meaningful to your listener.
|
| Technical Knowledge |
Actions/Activities
|
< 2 hours
| CISO Competencies | Description |
|---|---|
| Innovative Problem Solving |
Info-Tech Workshops & Blueprints
Actions/Activities
|
| Vendor Management |
Info-Tech Blueprints & Resources
Actions/Activities
|
< 2 hours
| CISO Competencies | Description |
|---|---|
| Change Management |
Info-Tech Blueprints
Actions/Activities
|
| Collaboration |
Info-Tech Blueprints
Actions/Activities
|
What you will need to complete this exercise
Activities
This step involves the following participants:
or
Outcomes of this step
Plan
A formalized security organizational structure assigns and defines the roles and responsibilities of different members around security. Use Info-Tech’s blueprint Implement a Security Governance and Management Program to determine the best structure for your organization.
Who the CISO reports to, by percentage of organizations3
Download the Implement a Security Governance and Management Program blueprint
1. Journal of Computer Science and Information
2. Proofpoint
3. Heidrick & Struggles International, Inc
Managing stakeholders requires engagement, communication, and relationship management. To effectively collaborate and gain support for your initiatives, you will need to build relationships with your stakeholders. Take some time to review the stakeholder engagement strategies for different stakeholder types.
| Influence | Mediators (Satisfy) | Key Players (Engage) |
|---|---|---|
| | Spectators (Monitor) | Noisemakers (Inform) |
| | Support for you | |
When building relationships, I find that what people care about most is getting their job done. We need to help them do this in the most secure way possible.
I don’t want to be the “No” guy, I want to enable the business. I want to find secure options and say, “Here is how we can do this.”
– James Miller, Information Security Director, Xavier University
Download the CISO Stakeholder Management Strategy Template
| Goal | Action |
|---|---|
| Get key players to help champion your initiative and turn your detractors into supporters. | Actively involve key players to take ownership. |
| Keep It Positive | Maintain a Close Relationship |
|
|
Info-Tech Insight
Listen to your key players. They understand what is important to other business stakeholders, and they can provide valuable insight to guide your future strategy.
| Goal | Action |
|---|---|
| Turn mediators into key players | Increase their support level. |
| Keep It Positive | Maintain a Close Relationship |
|
|
Info-Tech Insight
Don’t dictate to stakeholders. Make them feel like valued contributors by including them in development and decision making. You don’t have to incorporate all their input, but it is essential that they feel respected and heard.
| Goal | Action |
|---|---|
| Have noisemakers spread the word to increase their influence. | Encourage noisemakers to influence key stakeholders. |
| Keep It Positive | Maintain a Close Relationship |
|
|
| Goal | Action |
|---|---|
| Keep spectators content and avoid turning them into detractors. | Keep them well informed. |
| Keep It Positive | Maintain a Close Relationship |
|
|
Develop a strategy to manage key stakeholders in order to drive your personal development plan initiatives.
What you will need to complete this exercise
Download the CISO Stakeholder Management Strategy Template
Hire or Develop a World-Class CISO
Mark Lester
InfoSec Manager, SC Ports Authority
The new Security Manager leverages successful cultural change to gain support for new security investments.
Outcome: Integrating with the business on a small level and building on small successes will lead to bigger wins and bigger change.
| Actions | Next Steps |
|---|---|
|
|
Activities
This step involves the following participants:
or
Outcomes of this step
Next actions for each of your development initiatives
Execute
The CISO Development Plan Template provides a simple but powerful way to focus on what really matters to execute your plan.
| Item to Develop (competency/process/tech) |
|---|
| First Action Toward Development |
| Desired Outcome, Including a Measurable Indicator |
Download the CISO Development Plan Template
Use Info-Tech’s CISO Development Plan Template to create a quick and simple yet powerful tool that you can refer to and update throughout your personal and professional development initiatives. As instructed in the template, you will document the following:
| Your Item to Develop | The Next Action Required | The Target Outcome |
|---|---|---|
| This could be a CISO competency, a security process item, a security technology item, or an important relationship (or something else that is a priority). | This could be as simple as “schedule lunch with a stakeholder” or “email Info-Tech to schedule a Guided Implementation call.” This part of the tool is meant to be continually updated as you progress through your projects. The strength of this approach is that it focuses your project into simple actionable steps that are easily achieved, rather than looking too far down the road and seeing an overwhelming task ahead. | This will be something measurable like “reduce spending by 10%” or “have informal meeting with leaders from each department.” |
Info-Tech Insight
A good plan doesn’t require anything that is outside of your control. Good measurable outcomes are behavior based rather than state based.
“Increase the budget by 10%” is a bad goal because it is ultimately reliant on someone else and can be derailed by an unsupportive executive. A better goal is “reduce spending by 10%.” This is something more within the CISO’s control and is thus a better performance indicator and a more achievable goal.
Below you will find sample content to populate your CISO Development Plan Template. Using this template will guide your CISO in achieving the goals identified here.
The template itself is a metric for assessing the development of the CISO. The number of targets achieved by the due date will help to quantify the CISO’s progress.
You may also want to include improvements to the organization’s security program as part of the CISO development plan.
| Area for Development | Item for Development | Next Action Required | Key Stakeholders/Owners | Target Outcome | Due Date | Completed |
|---|---|---|---|---|---|---|
| Core Competencies: Communication | Executive communication | Take economics course to learn business language | | Course completed | [Insert date] | [Y/N] |
| Core Competencies: Communication | Improve stakeholder relationships | Email Bryce from finance to arrange lunch | | Improved relationship with finance department | [Insert date] | [Y/N] |
| Technology Maturity: Security Prevention | Identity and access management (IAM) system | Call Info-Tech to arrange call on IAM solutions | | 90% of employees entered into IAM system | [Insert date] | [Y/N] |
| Process Maturity: Response & Recovery | Disaster recovery | Read Info-Tech blueprint on disaster recovery | | Disaster recovery and backup policies in place | [Insert date] | [Y/N] |
Check out the First 100 Days as CISO blueprint for guidance on bringing improvements to the security program
Activities
Create a calendar event for you and your CISO, including which items you will reassess and when
This step involves the following participants:
or
Outcomes of this step
Scheduled reassessment of the CISO’s competencies
Execute
< 1 day
As previously mentioned, your CISO development plan is meant to be a living document. Your CISO will use this as a companion tool throughout project implementation, but periodically it will be necessary to re-evaluate the entire program to assess your progress and ensure that your actions are still in alignment with personal and organizational goals.
Info-Tech recommends performing the following assessments quarterly or twice yearly with the help of our executive advisors (either over the phone or onsite).
| Materials |
|---|
|
| Participants |
|
| Output |
|
If you would like additional support, have our analysts guide you through an Info-Tech workshop or Guided Implementation
Contact your account representative for more information
workshop@infotech.com
1-888-670-8889
Build an Information Security Strategy
Your security strategy should not be based on trying to blindly follow best practices but on a holistic risk-based assessment that is risk aware and aligns with your business context.
The First 100 Days as CISO
Every CISO needs to follow Info-Tech’s five-step approach to truly succeed in their new position. The meaning and expectations of a CISO role will differ from organization to organization and person to person, but the approach to the new position will be relatively the same.
Implement a Security Governance and Management Program
Business and security goals should be the same. Businesses cannot operate without security, and security's goal is to enable safe business operations.
Dicker, William. "An Examination of the Role of vCISO in SMBs: An Information Security Governance Exploration." Dissertation, Georgia State University, May 2, 2021. Accessed 30 Sep. 2022.
Heidrick & Struggles. "2022 Global Chief Information Security Officer (CISO) Survey." Heidrick & Struggles International, Inc., September 6, 2022. Accessed 30 Sep. 2022.
IBM Security. "Cost of a Data Breach Report 2022." IBM, August 1, 2022. Accessed 9 Nov. 2022.
Mehta, Medha. "What Is a vCISO? Are vCISO Services Worth It?" Infosec Insights by Sectigo, June 23, 2021. Accessed 22 Nov. 2022.
Milica, Lucia. "Proofpoint 2022 Voice of the CISO Report." Proofpoint, May 2022. Accessed 6 Oct. 2022.
Navisite. "The State of Cybersecurity Leadership and Readiness." Navisite, November 9, 2021. Accessed 9 Nov. 2022.
Shayo, Conrad, and Frank Lin. "An Exploration of the Evolving Reporting Organizational Structure for the Chief Information Security Officer (CISO) Function." Journal of Computer Science and Information Technology, vol. 7, no. 1, June 2019. Accessed 28 Sep. 2022.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Begin the project by creating a vulnerability management team and determine how vulnerabilities will be identified through scanners, penetration tests, third-party sources, and incidents.
Determine how vulnerabilities will be triaged and evaluated based on intrinsic qualities and how they may compromise business functions and data sensitivity.
Address the vulnerabilities based on their level of risk. Patching isn't the only risk mitigation action; some systems simply cannot be patched, but other options are available. Reduce the risk down to medium/low levels and engage your regular operational processes to deal with the latter.
Evolve the program continually by developing metrics and formalizing a policy.

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Establish a common understanding of vulnerability management, and define the roles, scope, and information sources of vulnerability detection.
Attain visibility on all of the vulnerability information sources, and a common understanding of vulnerability management and its scope.
1.1 Define the scope & boundary of your organization’s security program.
1.2 Assign responsibility for vulnerability identification and remediation.
1.3 Develop a monitoring and review process of third-party vulnerability sources.
1.4 Review incident management and vulnerability management.
Defined scope and boundaries of the IT security program
Roles and responsibilities defined for member groups
Process for review of third-party vulnerability sources
Alignment of vulnerability management program with existing incident management processes
We will examine the elements that you will use to triage and analyze vulnerabilities, prioritize them using a risk-based approach, and prepare for remediation options.
A consistent, documented process for the evaluation of vulnerabilities in your environment.
2.1 Evaluate your identified vulnerabilities.
2.2 Determine high-level business criticality.
2.3 Determine your high-level data classifications.
2.4 Document your defense-in-depth controls.
2.5 Build a classification scheme to consistently assess impact.
2.6 Build a classification scheme to consistently assess likelihood.
Adjusted workflow to reflect your current processes
List of business operations and their criticality and impact to the business
Adjusted workflow to reflect your current processes
List of defense-in-depth controls
Vulnerability Management Risk Assessment tool formatted to your organization
Vulnerability Management Risk Assessment tool formatted to your organization
Identifying potential remediation options.
Developing criteria for each option in regard to when to use and when to avoid.
Establishing exception procedure for testing and remediation.
Documenting the implementation of remediation and verification.
Identifying and selecting the remediation option to be used
Determining what to do when a patch or update is not available
Scheduling and executing the remediation activity
Planning continuous improvement
3.1 Develop risk and remediation action.
List of remediation options sorted into “when to use” and “when to avoid” lists
You will determine what ought to be measured to track the success of your vulnerability management program.
If you lack a scanning tool, this phase will help you determine tool selection.
Lastly, penetration testing is a good next step to consider once you have your vulnerability management program well underway.
Outline of metrics that you can then configure your vulnerability scanning tool to report on.
Development of an inaugural policy covering vulnerability management.
The provisions needed for you to create and deploy an RFP for a vulnerability management tool.
An understanding of penetration testing, and guidance on how to get started if there is interest to do so.
4.1 Measure your program with metrics, KPIs, and CSFs.
4.2 Update the vulnerability management policy.
4.3 Create an RFP for vulnerability scanning tools.
4.4 Create an RFP for penetration tests.
List of relevant metrics to track, and the KPIs, CSFs, and business goals for.
Completed Vulnerability Management Policy
Completed Request for Proposal (RFP) document that can be distributed to vendor proponents
Completed Request for Proposal (RFP) document that can be distributed to vendor proponents
Analyst Perspective
Executive Summary
Common Obstacles
Risk-based approach to vulnerability management
Step 1.1: Vulnerability management defined
Step 1.2: Defining scope and roles
Step 1.3: Cloud considerations for vulnerability management
Step 1.4: Vulnerability detection
Step 2.1: Triage vulnerabilities
Step 2.2: Determine high-level business criticality
Step 2.3: Consider current security posture
Step 2.4: Risk assessment of vulnerabilities
Step 3.1: Assessing remediation options
Step 3.2: Scheduling and executing remediation
Step 3.3: Continuous improvement
Step 4.1: Metrics, KPIs, and CSFs
Step 4.2: Vulnerability management policy
Step 4.3: Select & implement a scanning tool
Step 4.4: Penetration testing
Summary of accomplishment
Additional Support
Bibliography
In this age of discovery, technology changes at such a rapid pace. New things are discovered, both in new technology and in old. The pace of change can often be very confusing as to where to start and what to do.
The ever-changing nature of technology means that vulnerabilities will always be present. Taking measures to address these completely will consume all your department’s time and resources. That, and your efforts will quickly become stale as new vulnerabilities are uncovered. Besides, what about the systems that simply can’t be patched? The key is to understand the vulnerabilities and the levels of risk they pose to your organization, to prioritize effectively and to look beyond patching.
A risk-based approach to vulnerability management will ensure you are prioritizing appropriately and protecting the business. Reduce the risk surface!
Vulnerability management is more than just systems and application patching. It is a full process that includes patching, compensating controls, segmentation, segregation, and heightened diligence in security monitoring.
Jimmy Tom, Research Advisor – Security, Privacy, Risk, and Compliance, Info-Tech Research Group
Your Challenge
Vulnerability scanners, industry alerts, and penetration tests are revealing more and more vulnerabilities, and it is unclear how to manage them. Organizations are struggling to prioritize the vulnerabilities for remediation, as there are many factors to consider, including the threat of the vulnerability and the potential remediation option.
Common Obstacles
Patches are often seen as the answer to vulnerabilities, but these are not always the most suitable solution. Some systems deemed vulnerable simply cannot be patched or easily replaced. Companies are unaware of the risk implications that come from leaving the vulnerability open and from the remediation option itself.
Info-Tech’s Approach
Design and implement a vulnerability management program that identifies, prioritizes, and remediates vulnerabilities. Understand what needs to be considered when implementing remediation options, including patches, configuration changes, and defense-in-depth controls. Build a process that is easy to understand and allows vulnerabilities to be remediated proactively, instead of in an ad hoc fashion.
Vulnerability management does not always equal patch management. There is more than one way to tackle the problem, particularly if a system cannot be easily patched or replaced. If a vulnerability cannot be completely remediated, steps to reduce the risk to a tolerable level must be taken.
These barriers make vulnerability management difficult to address for many organizations:
Figure: CVSS Score Distribution From the National Vulnerability Database (Source: NIST National Vulnerability Database Dashboard)
Reduce the critical and high vulnerabilities below the risk threshold and operationalize the remediation of medium/low vulnerabilities by following your effective vulnerability management program cycles.
An inventory of your scanning tool and vulnerability threat intelligence data sources will help you determine a viable strategy for addressing vulnerabilities. Defining roles and responsibilities ahead of time will ensure you are not left scrambling when dealing with vulnerabilities.
Bring the vulnerabilities into context by assessing vulnerabilities based on your security posture and mechanisms and not just what your data sources report. This will allow you to gauge the true urgency of the vulnerabilities based on risk and determine an effective mitigation plan.
Address the vulnerabilities based on their level of risk. Patching isn't the only risk mitigation action; some systems simply cannot be patched, but other options are available.
Reduce the risk down to medium/low levels and engage your regular operational processes to deal with the latter.
Upon implementation of the program, measure with metrics to ensure that the program is successful. Improve the program with each iteration of vulnerability mitigation to ensure continuous improvement.
All actions to address vulnerabilities should be based on risk and the organization’s established risk tolerance.
Reduce the risk surface down below the risk threshold.
“For those of us in the vulnerability management space, ensuring that money, resources, and time are strategically spent is both imperative and difficult. Resources are dwindling fast, but the vulnerability problem sure isn’t.” (Kenna Security)
“Using vulnerability scanners to identify unpatched software is no longer enough. Keeping devices, networks, and digital assets safe takes a much broader, risk-based vulnerability management strategy – one that includes vulnerability assessment and mitigation actions that touch the entire ecosystem.” (Balbix)
“Unlike legacy vulnerability management, risk-based vulnerability management goes beyond just discovering vulnerabilities. It helps you understand vulnerability risks with threat context and insight into potential business impact.” (Tenable)
“A common mistake when prioritizing patching is equating a vulnerability’s Common Vulnerability Scoring System (CVSS) score with risk. Although CVSS scores can provide useful insight into the anatomy of a vulnerability and how it might behave if weaponized, they are standardized and thus don’t reflect either of the highly situational variables — namely, weaponization likelihood and potential impact — that factor into the risk the vulnerability poses to an organization.” (SecurityWeek)
60% — In 2019, 60% of breaches were due to unpatched vulnerabilities.
74% — In the same survey, 74% of survey responses said they cannot take down critical applications and systems to patch them quickly. (Source: SecurityBoulevard, 2019)
Taking a risk-based approach will allow you to focus on mitigating risk, rather than “just patching” your environment.
The average cost of a breach in 2020 is $3.86 million, and “…the price tag was much less for mature companies and industries and far higher for firms that had lackluster security automation and incident response processes.” (Dark Reading)
Vulnerability Management: A risk-based approach
Reduce the risk surface to avoid cost to your business; everything else is table stakes.
1 Identify
Identify vulnerability management scanning tools & external threat intel sources (Mitre CVE, US-CERT, vendor alerts, etc.)
Vulnerability information feeds:
2 Analyze
Assign actual risk (impact x urgency) to the organization based on current security posture
Triage based on risk › Your organization's risk tolerance threshold
3 Assess
Plan risk mitigation strategy ›
Consider:
Focus on developing the most efficient processes.
The vulnerability management market is relatively mature; however, vulnerability management remains a very relevant and challenging topic.
Security practitioners are inundated with the advice they need to prioritize their vulnerabilities. Every vulnerability scanning vendor will proclaim their ability to prioritize the identified vulnerabilities.
Third-party prioritization methodology can’t be effectively applied across all organizations. Each organization is too unique with different constraints. No tool or service can account for these variables.

When patching is not possible, other options exist: configuration changes (hardening), defense-in-depth, compensating controls, and even elevated security monitoring are possible options.
Vulnerability management is not only patch management. Patching is only one aspect.
Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:
Key deliverable: Vulnerability Management SOP
The standard operating procedure (SOP) will comprise the end-to-end description of the program: roles & responsibilities, data flow, and expected outcomes of the program.
Vulnerability Management Policy
Template for your vulnerability management policy.
Vulnerability Tracking Tool
This tool offers a template to track vulnerabilities and how they are remedied.
Vulnerability Scanning RFP Template
Request for proposal template for the selection of a vulnerability scanning tool.
Vulnerability Risk Assessment Tool
Methodology to assess vulnerability risk by determining impact and likelihood.
IT Benefits
Business Benefits
| Phase | Measured Value |
| Phase 1: Identify vulnerability sources | |
| Phase 2: Triage vulnerabilities and assign urgencies | |
| Phase 3: Remediate vulnerabilities | |
| Phase 4: Continually improve the vulnerability management process | |
| Potential financial savings from using Info-Tech resources | Phase 1 ($1,600) + Phase 2 ($6,400) + Phase 3 ($10,400) + Phase 4 ($10,400) = $28,800 |
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is between 8 and 12 calls over the course of 4 to 6 months.
What does a typical GI on this topic look like?
Phase 1
Call #1: Scope requirements, objectives, and your specific challenges.
Call #2: Discuss current state and vulnerability sources.
Phase 2
Call #3: Identify triage methods and business criticality.
Call #4: Review current defense-in-depth and discuss risk assessment.
Phase 3
Call #5: Discuss remediation options and scheduling.
Call #6: Review release and change management and continuous improvement.
Phase 4
Call #7: Identify metrics, KPIs, and CSFs.
Call #8: Review vulnerability management policy.
Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889
Activities
Day 1: Identify vulnerability sources
1.1 What is vulnerability management?
1.2 Define scope and roles
1.3 Cloud considerations for vulnerability management
1.4 Vulnerability detection
Day 2: Triage and prioritize
2.1 Triage vulnerabilities
2.2 Determine high-level business criticality
2.3 Consider current security posture
2.4 Risk assessment of vulnerabilities
Day 3: Remediate vulnerabilities
3.1 Assess remediation options
3.2 Schedule and execute remediation
3.3 Drive continuous improvement
Day 4: Measure and formalize
4.1 Metrics, KPIs & CSFs
4.2 Vulnerability Management Policy
4.3 Select & implement a scanning tool
4.4 Penetration testing
Day 5: Next Steps and Wrap-Up (offsite)
5.1 Complete in-progress deliverables from previous four days
5.2 Set up review time for workshop deliverables and to discuss next steps
Phase 1: 1.1 What is vulnerability management?
Phase 2: 2.1 Triage vulnerabilities
Phase 3: 3.1 Assessing remediation options
Phase 4: 4.1 Metrics, KPIs & CSFs
Establish a common understanding of vulnerability management, and define the roles, scope, and information sources of vulnerability detection.
None for this section
Establish a common understanding of vulnerability management and its place in the IT organization.
Foundational knowledge of vulnerability management in your organization.
“Most organizations do not have a formal process for vulnerability management.” (Morey Haber, VP of Technology, BeyondTrust, 2016)
It’s not easy, but it’s much harder without a process in place.
You’re not just doing this for yourself. It’s also for your auditors. Many compliance and regulatory obligations require organizations to have thorough documentation of their vulnerability management practices.
Vulnerabilities can be found primarily within your assets but also connect to your information risk management. These must be effectively managed as part of a holistic security program.
Without management, vulnerabilities left unattended can be easy for attackers to exploit. It becomes difficult to identify the correct remediation option to mitigate against the vulnerabilities.
Vulnerability Management Process Inputs/Outputs:
Arrows denote direction of information feed
Vulnerability management serves as the input into a number of processes for remediation, including:
A two-way data flow exists between vulnerability management and:
Vulnerability management is a component of the Infrastructure Security section of Security Management
For more information, review our Build an Information Security Strategy blueprint, or speak to one of our analysts.
Info-Tech Insight: Vulnerability management is but one piece of the information security puzzle. Ensure that you have all the pieces!
Case Study
INDUSTRY: Manufacturing
One organization is seeing immediate benefits by formalizing its vulnerability management program.
Challenge
Cimpress was dealing with many challenges with regard to vulnerability management. Vulnerability scanning tools were used, but the reports that were generated often gave multiple vulnerabilities that were seen as critical or high and required many resources to help address them. Scanning was done primarily in an attempt to adhere to PCI compliance rather than to effectively enable security. After re-running some scans, Cimpress saw that some vulnerabilities had existed for an extended time period but were deemed acceptable.
Solution
The Director of Information Security realized that there was a need to greatly improve this current process. Guidelines and policies were formalized that communicated when scans should occur and what the expectations for remediations should be. Cimpress also built a tiered approach to prioritize vulnerabilities for remediation that is specific to Cimpress instead of relying on scanning tool reports.
Results
Cimpress found better management of the vulnerabilities within its system. There was no pushback to the adoption of the policies, and across the worldwide offices, business units have been proactively trying to understand if there are vulnerabilities. Vulnerability management has been expanded to vendors and is taken into consideration when doing any mergers and acquisitions. Cimpress continues to expand its program for vulnerability management to include application development and vulnerabilities within any existing legacy systems.
Define and understand the scope and boundary of the security program. For example, does it include OT? Define roles and responsibilities for vulnerability identification and remediation.
Understand how far vulnerability management extends and what role each person in IT plays in the remediation of vulnerabilities.
This will help you adjust the depth and breadth of your vulnerability management program.
Input: List of Data Scope, Physical Scope, Organization Scope, and IT Scope
Output: Defined scope and boundaries of the IT security program
Materials: Whiteboard/Flip Charts, Sticky Notes, Markers, Vulnerability Management SOP Template
Participants: Business stakeholders, IT leaders, Security team members
The goal is to identify what your vulnerability management program is responsible for and document it.
Consider the following:
How is data being categorized and classified?
How are business units engaged with security initiatives?
How are IT systems connected to each other?
How are physical locations functioning in terms of information security management?
Download the Vulnerability Management SOP Template
If you need assistance building your asset inventory, review Info-Tech’s Implement Hardware Asset Management and Implement Software Asset Management blueprints.
Info-Tech Insight: Create a formal IT asset inventory before continuing with the rest of this project. Otherwise, you risk being at the mercy of a weak vulnerability management program.
Determine who is critical to effectively detecting and managing vulnerabilities.
Input: Sample list of vulnerabilities and requisite actions from each group, High-level organizational chart with area functions
Output: Defined set of roles and responsibilities for member groups
Materials: Vulnerability Management SOP Template
Participants: CIO, CISO, IT Management representatives for each area of IT
If your organization does not have a dedicated IT security team, you can perform this exercise by mapping the relevant IT staff to the different positions shown on the right.
Download the Vulnerability Management SOP Template
None for this section.
Review cloud considerations for vulnerability management
Understand the various types of cloud offerings and the implications (and limitations) of vulnerability management in a cloud environment.
Cloud will change your approach to vulnerability management.
For more information, see Info-Tech Research Group’s Document Your Cloud Strategy blueprint.
Cloud scanning is becoming a more common necessity but still requires special consideration.
Private Cloud
If your organization owns a private cloud, these environments can be tested normally.
Public Cloud
Performing vulnerability testing against public, third-party cloud environments is an area experiencing rapid growth and general acceptance, although customer visibility will still be limited.
In many cases, a customer must rely on the vendor’s assurance that vulnerabilities are being addressed in a sufficient manner. Security standards’ compliance requirements are driving the need for cloud suppliers to validate and assure that they are appropriately scanning for and remediating vulnerabilities.
Infrastructure- or Platform-as-a-Service (IaaS or PaaS) Environments
Certain testing (e.g. DoS or load testing) will be very limited by your cloud vendor. Cloud vendors won’t open themselves to testing that would possibly impact their operations.
Create an inventory of your vulnerability monitoring capability and third-party vulnerability information sources.
Determine how incident management and vulnerability management interoperate.
Catalog of vulnerability information data sources. Understanding of the intersection of incident management and vulnerability management.
Vulnerabilities can be identified through numerous mediums.
Vulnerability Assessment and Scanning Tools
Penetration Tests
Open Source Monitoring
Security Incidents
Vulnerabilities are too numerous for manual scanning and detection.
Automation requires oversight.
For guidance on tool selection: Refer to section 4.3 Select & Implement a Scanning Tool in this blueprint.
Select a vulnerability scanning tool with the features you need to be effective.
For guidance on tool vendors: Visit SoftwareReviews for information on vulnerability management tools and vendors.
One-off scans provide snapshots in time. Repeated scans over time provide tracking for how systems are changing and how well patches are being applied and software is being updated.
The results of a scan (asset inventory, configuration data, and vulnerability data) are basic information needed to understand your security posture. This data needs to be as up to date as possible.
Continuous scanning is the concept of providing continual scanning of your systems so any asset, configuration, or vulnerability information is up to date. Most vendors will advertise continuous scanning but you need to be skeptical of how this feature is met.
Continuous agent scanning
Real-time scanning that is completed through agent-based scanning. Provides real-time understanding of system changes.
On-demand scanning
Cyclical scanning is the method where once you’re done scanning an area, you start it again. This is usually done because some scans on some areas of your network take time. How long the scan takes depends on the scan itself. How often you perform a scan depends on how long a scan takes. For example, if a scan takes a day, you perform a daily scan.
Cloud-based scanning
Cloud-scanning-as-a-Service can provide hands-free continuous monitoring of your systems. This is usually priced as a subscription model.
What should be scanned
The general idea is that you want to scan pretty much everything. Here are considerations for three environments:
Mobile Devices
You need to scan mobile devices for vulnerabilities, but the problem is these can be hard to scan and often come and go on your network. There are always going to be some devices that aren’t on the network when scanning occurs. Several ways to scan mobile devices:
Virtualization
Cloud Environments
How to point a scanner
IT security forums and mailing lists are another source of vulnerability information.
By monitoring for vulnerabilities as they are announced through industry alerts and open-source mechanisms, it is possible to identify vulnerabilities beyond your scanning tool’s penetration tests.
Common sources:
Input: Third-party resources list
Output: Process for review of third-party vulnerability sources
Materials: Whiteboard, Whiteboard markers, Vulnerability Management SOP Template
Participants: IT Security Manager, SecOps team members, ITOps team members, CISO
Download the Vulnerability Management SOP Template
Incidents can also be a source of vulnerabilities.
When any incident occurs, for example:
There can be underlying vulnerabilities that need to be processed.
Three Types of IT Incidents exist:
Note: You need to have developed your various incident response plans to develop information feeds to the vulnerability mitigation process.
Info-Tech Related Resources:
If you do not have a formalized information security incident management program, take a look at Info-Tech’s blueprint Develop and Implement a Security Incident Management Program.
If you do not have a formalized problem management process, take a look at Info-Tech’s blueprint Incident and Problem Management.
If you do not have a formalized IT incident management process, take a look at Info-Tech’s blueprint Develop and Implement a Security Incident Management Program.
If you do not have formalized crisis management, take a look at Info-Tech’s blueprint Implement Crisis Management Best Practices.
Input: Existing incident response processes, Existing crisis communications plans
Output: Alignment of vulnerability management program with existing incident management processes
Materials: Whiteboard, Whiteboard markers, Vulnerability Management SOP Template
Participants: IT Security Manager, SecOps team members, ITOps team members, including tiers 1, 2, and 3, CISO, CIO
Note: Most incident processes will cover some sort of root cause analysis and investigation of the incident. If a vulnerability of any kind is detected within this analysis it needs to be reported on and treated as a detected vulnerability, thus warranting the full vulnerability mitigation process.
Download the Vulnerability Management SOP Template
Examine the elements that you will use to triage and analyze vulnerabilities, prioritizing using a risk-based approach, and prepare for remediation options.
Review your vulnerability information sources and determine a methodology that will be used to consistently evaluate vulnerabilities as your scanning tool alerts you to them.
A consistent, documented process for the evaluation of vulnerabilities in your environment.
When evaluating numerous vulnerabilities, use the following three factors to help determine the urgency of vulnerabilities:
Intrinsic qualities of the vulnerability — Vulnerabilities need to be examined for the inherent risk they pose specifically to the organization, which includes if an exploit has been identified or if the industry views this as a serious and likely threat.
Business criticality of the affected asset — Assets with vulnerabilities need to be assessed for their criticality to the business. Vulnerabilities on systems that are critical to business operations or customer interactions are usually top of mind.
Sensitivity of the data of the affected asset — Beyond just the criticality of the business, there must be consideration of the sensitivity of the data that may be compromised or modified as a result of any vulnerabilities.
This methodology allows you to determine urgency of vulnerabilities, but your remediation approach needs to be risk-based, within the context of your organization.
Triaging enables your vulnerability management program to focus on what it should focus on.
Use the Info-Tech Vulnerability Mitigation Process Template to define how to triage vulnerabilities as they first appear. Triaging is an important step in vulnerability management, whether you are facing ten or tens of thousands of vulnerability notifications.
The Info-Tech methodology for initial triaging of vulnerabilities:
Even if neither of these use cases applies to your organization, triaging still addresses the issue of false positives. Triaging provides a quick way to determine if vulnerabilities are relevant.
Input: Visio workflow of Info-Tech’s vulnerability management process
Output: Adjusted workflow to reflect your current processes, Vulnerability Tracking Tool
Materials: Whiteboard, Whiteboard markers, Vulnerability Management SOP Template
Participants: IT Security Manager, SecOps team members, ITOps team members, including tiers 1, 2, and 3, CISO, CIO
Using the criteria from the previous slide, Info-Tech has created a methodology to evaluate your vulnerabilities by examining their intrinsic qualities.
The methodology sorts the vulnerabilities into high, medium, and low risk importance categories before final urgency scores are assigned in the later steps.
Download the Vulnerability Management SOP Template
Determining high-level business criticality and data classifications will help ensure that IT security is aligned with what is critical to the business. This will be very important when decisions are made around vulnerability risk and the urgency of remediation action.
Understanding and consistency in how business criticality and business data are assessed by IT in the vulnerability management process.
Use the questions below to help assess which operations are critical for the business to continue functioning.
For example, email is often thought of as a business-critical operation when this is not always the case. It is important to the business, but as regular operations can continue for some time without it, it would not be considered extremely business critical.
Don’t start from scratch – your disaster recovery plan (DRP) may have a business impact analysis (BIA) that can provide insight into which applications and operations are considered business critical.
Analyst Perspective: When assessing the criticality of business operations, most core business applications may be deemed business critical over the long term. Consider instead what the impact is over the first 24 or 48 hours of downtime.
Input: List of business operations, Insight into business operations impacts to the business
Output: List of business operations and their criticality and impact to the business
Materials: Vulnerability Management SOP Template
Participants: Participants from the business, IT Security Manager, CISO, CIO
Example prioritization of business operations for a manufacturing company:
Questions to ask:
Download the Vulnerability Management SOP Template
To properly classify your data, consider how the confidentiality, integrity, and availability of that data would be affected if a vulnerability were exploited. Review the table below for an explanation for each objective.
If you wish to build a whole data classification methodology, refer to our Discover and Classify Your Data blueprint.
How to determine data classification when CIA differs:
The overall ranking of the data is determined by the highest-ranked objective. For example, if confidentiality and availability are low, but integrity is high, the overall impact is high. This process was developed in part from Federal Information Processing Standards Publication 199.
Input: Knowledge of data use and sensitivity
Output: Adjusted workflow to reflect your current processes, Vulnerability Tracking Tool
Materials: Whiteboard, Whiteboard markers, Vulnerability Management SOP Template
Participants: IT Security Manager, CISO, CIO
If your organization has formal data classification in place, it should be leveraged to determine the high, medium, and low rankings necessary for the process flows. However, if there is no formal data classification in place, the process below can be followed:
Download the Vulnerability Management SOP Template
This process should be part of your larger data classification program. If you need assistance in building this out, review the Info-Tech research, Discover and Classify Your Data.
Your defense-in-depth controls are the existing layers of security technology that protect your environment. These are relevant when considering the urgency and risk of vulnerabilities in your environment, as they will mitigate some of the risk.
Understanding and documentation of your current defense-in-depth controls.
What you have today matters.
What does your network look like?
What’s the relevance to vulnerability management?
For a vulnerability to be exploited, a malicious actor must find a way to access the vulnerable system to make use of the vulnerability in question. Any enterprise architecture characteristics that you have in place may lessen the probability of a successful vulnerability exploit. This may potentially “buy time” for SecOps to address and remediate the vulnerability.
Note: Defense-in-depth controls do not entirely mitigate vulnerability risk. They provide a way to keep the vulnerability from being exploited, but it continues to exist in the application. Keep this in mind as the controls or applications themselves change, because a change can re-open the vulnerability and cause potential problems.
Examples of defense-in-depth controls include any of the following:
Input: List of technologies within your environment, List of IT security controls that are in place
Output: List of defense-in-depth controls
Materials: Whiteboard/flip charts, Vulnerability Management SOP Template
Participants: IT Security Manager, Infrastructure Manager, IT Director, CISO
Download the Vulnerability Management SOP Template
Assessing risk will be the cornerstone of how you evaluate vulnerabilities and what priority you place on remediation. This is actual risk to the organization and not simply what the tool reports without the context of your defense-in-depth controls.
A risk matrix tailored to your organization, based on impact and likelihood. This will provide a consistent, unambiguous way to assess risk across the vulnerability types that are reported by your scanning tool.
Vulnerabilities must be addressed to mitigate risk to the business.
Info-Tech Insight: Risk to the organization is business language that everyone can understand. This is particularly true when the risk is to productivity or to the company’s bottom line.
CVSS scores are just the starting point!
Vulnerabilities are constant.
Info-Tech Insight: Vulnerability scanning is a valuable function, but it does not tell the full picture. You must determine how urgent a vulnerability truly is, based on your specific environment.
Mitigate the risk surface by reducing the time across the phases.
Risk = Impact x Likelihood
Info-Tech Insight: Risk determination should be done within the context of your current environment and not simply based on what your vulnerability tool is reporting.
A risk matrix is useful in calculating a risk rating for vulnerabilities.
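The high-water-mark rule from the data ranking step and the Risk = Impact x Likelihood matrix can be combined into one triage pass, shown here as an added example (not Info-Tech's Vulnerability Management Risk Assessment Tool). The three-level scale, the score bands, the rule that each defense-in-depth control lowers likelihood by one step, and the sample vulnerability types are all assumptions made for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed three-level scale; the page's own matrix image is not available.
LEVELS = {"low": 1, "medium": 2, "high": 3}
NAMES = {value: name for name, value in LEVELS.items()}


def overall_impact(confidentiality: str, integrity: str, availability: str) -> str:
    """High-water mark (FIPS 199): the highest objective sets the overall impact."""
    return NAMES[max(LEVELS[confidentiality], LEVELS[integrity], LEVELS[availability])]


def effective_likelihood(likelihood: str, mitigating_controls: int) -> str:
    """Assumption: every control blocking the access path lowers likelihood
    by one step, never below 'low'. The vulnerability itself still exists."""
    return NAMES[max(1, LEVELS[likelihood] - mitigating_controls)]


def risk_rating(impact: str, likelihood: str) -> tuple[int, str]:
    """Risk = Impact x Likelihood on a 3x3 matrix.
    Assumed bands: 1-2 low, 3-4 medium, 6-9 high."""
    score = LEVELS[impact] * LEVELS[likelihood]
    band = "high" if score >= 6 else "medium" if score >= 3 else "low"
    return score, band


@dataclass
class VulnType:
    name: str
    cia: tuple[str, str, str]          # confidentiality, integrity, availability
    likelihood: str                    # likelihood with no controls considered
    controls: list[str] = field(default_factory=list)


def triage(vuln_types: list[VulnType]) -> list[dict]:
    """Rate each vulnerability type twice: as the tool would see it (raw) and
    in the context of current controls. Keeping the raw rating shows what the
    risk becomes again if a control is changed or removed."""
    rows = []
    for v in vuln_types:
        impact = overall_impact(*v.cia)
        raw_score, raw_band = risk_rating(impact, v.likelihood)
        likelihood = effective_likelihood(v.likelihood, len(v.controls))
        score, band = risk_rating(impact, likelihood)
        rows.append({"name": v.name, "impact": impact, "likelihood": likelihood,
                     "score": score, "band": band,
                     "raw_score": raw_score, "raw_band": raw_band})
    # Highest contextual risk first; raw score breaks ties.
    return sorted(rows, key=lambda r: (r["score"], r["raw_score"]), reverse=True)


# Constructed sample data, not taken from any real scan.
SAMPLE = [
    VulnType("Outdated TLS on internal print server", ("low", "low", "low"),
             "medium", ["network segmentation"]),
    VulnType("Default credentials on lab switch", ("medium", "medium", "medium"),
             "high", ["network segmentation", "access control"]),
    VulnType("Injection flaw in HR application", ("low", "high", "low"),
             "high", ["web application firewall"]),
    VulnType("Remote code execution on public web server", ("high", "high", "medium"),
             "high"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(f'{row["band"]:<6} ({row["score"]}) raw {row["raw_band"]:<6} '
              f'({row["raw_score"]})  {row["name"]}')
```

The lab switch drops from a raw rating of high to a contextual rating of low only because two controls are in place, which is why the raw rating is kept alongside it.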
Input: Knowledge of IT environment, Knowledge of business impact for each IT component or service
Output: Vulnerability Management Risk Assessment Tool formatted to your organization
Materials: Vulnerability Management Risk Assessment Tool
Participants: Functional Area Managers, IT Security Manager, CISO
Risk always has a negative impact, but the size of the impact can vary considerably in terms of cost, number of people or sites affected, and the severity of the impact. Impact questions tend to be more objective and quantifiable than likelihood questions.
Note that you are looking to baseline vulnerability types, rather than categorizing every single vulnerability your scanning tool reports. The volume of vulnerabilities will be high, but vulnerabilities can be categorized into types on a regular basis.
Download the Vulnerability Management Risk Assessment Tool
Select the best remediation option to minimize risk.
Through the combination of the identified risk and remediation steps in this phase, the prioritization for vulnerabilities will become clear. Vulnerabilities will be assigned a priority once their intrinsic qualities and threat potential to business function and data have been identified.
Prioritization
Remediation plays an incredibly important role in the entire program. It plays a large part in wider risk management when you must consider the risk of the vulnerability, the risk of the remediation option, and the risk associated with the overall process.
Phase 1: 1.1 What is vulnerability management?
Phase 2: 2.1 Triage vulnerabilities
Phase 3: 3.1 Assessing remediation options
Phase 4: 4.1 Metrics, KPIs & CSFs
This phase will allow organizations to build out the specific processes for remediating vulnerabilities. The overall process will be the same but what will be critical is the identification of the correct material. This includes building the processes around:
Each remediation option carries a different level of risk that the organization needs to consider and accept by building out this program.
It is necessary to be prepared to do this in real time. Careful documentation is needed when dealing with vulnerabilities. Use the Vulnerability Tracking Tool to assist with documentation in real time. This is separate from using the process template but can assist in the documentation of vulnerabilities.
With the risk assessment from the previous activity, we can now examine remediation options and make a decision. This activity will guide us through that.
List of remediation options and criteria on when to consider each.
Remediate vulnerabilities | Step 3.1 | Step 3.2 | Step 3.3
There are four options when it comes to vulnerability remediation.
Patches and Updates
Patches are software or pieces of code that are meant to close vulnerabilities or provide fixes to any bugs within existing software. These are typically provided by the vendor to ensure that any deployed software is properly protected after vulnerabilities have been detected.
Configuration Changes
Configuration changes involve administrators making significant changes to the system or network to remediate the vulnerability. This can include disabling the vulnerable application or specific element and can even extend to removing the application altogether.
Compensating Controls
By leveraging security controls, such as your IDS/IPS, firewalls, or access control, organizations can have an added layer of protection against vulnerabilities beyond the typical patches and configuration changes. This can be used as a measure while waiting to implement another option (if one exists) to reduce the risk of the vulnerability in the short or long term.
Risk Acceptance
Whenever a vulnerability is not remediated, either indefinitely or for a short period of time, the organization is accepting the associated risk. Segregation of the vulnerable system can occur in this instance. This can occur in cases where a system or application cannot be updated without detrimental effect to the business.
When to use
When to avoid
When to consider other remediation options
Examples of compensating controls
When to use
When to avoid
When to consider other remediation options
Info-Tech Insight: Remember your existing processes: configuration changes may need to be approved and orchestrated through your organization’s configuration and change management processes.
Case Study: Remediation options do not have to be used separately. Use the Shellshock 2014 case as an example.
INDUSTRY: All
Challenge
Bashdoor, more commonly known as Shellshock, was announced on September 24, 2014. This bug involved the Bash shell, which normally executes user commands, but this vulnerability meant that malicious attackers could exploit it. This was rated a 10/10 by CVSS – the highest possible score. Within hours of the announcement, hackers began to exploit this vulnerability across many organizations.
Solution
Organizations had to react quickly and multiple remediation options were identified:
Results
Companies began to protect themselves against these vulnerabilities. While many organizations installed patches as quickly as possible, some also wished to test the patch and leveraged defense-in-depth controls in the interim. However, even today, many still have the Shellshock vulnerability and exploits continue to occur.
Every time that a vulnerability is not remediated, it continues to pose a risk to the organization. While it may seem that every vulnerability needs to be remediated, this is simply not possible due to limited resources. Further, remediating low-priority vulnerabilities that are extremely unlikely to be exploited can take resources away from other security initiatives.
Common criteria for vulnerabilities that are not remediated:
Risk acceptance is not uncommon…
Enterprise risk management
While these are common criteria, they must be aligned to the enterprise risk management framework and approved by management.
Don’t forget the variables that were assessed in Phase 2. This includes the risk from potential lateral movement or if there is an existing exploit.
When determining if risk acceptance is appropriate, consider the cost of not mitigating vulnerabilities.
With risk acceptance, it is important to review the financial impact of a security incident resulting from that vulnerability. There is always the possibility of exploitation for vulnerabilities. A simple metric taken from NIST SP800-40 to use for this is:
Cost not to mitigate = W * T * R
Where (W) is the number of workstations, (T) is the time spent fixing systems or lost in productivity, and (R) is the hourly rate of the time spent.
As an example provided by NIST SP800-40 Version 2.0, Creating a Patch and Vulnerability Management Program:
“For an organization where there are 1,000 computers to be fixed, each taking an average of 8 hours of down time (4 hours for one worker to rebuild a system, plus 4 hours the computer owner is without a computer to do work) at a rate of $70/hour for wages and benefits: 1,000 computers * 8 hours * $70/hour = $560,000”
Info-Tech Insight: Always consider the financial impact that can occur from an exploited vulnerability that was not remediated.
Input: List of remediation options
Output: List of remediation options sorted into “when to use” and “when to avoid” lists
Materials: Whiteboard/flip charts, Vulnerability Management SOP Template
Participants: IT Security Manager, IT Infrastructure Manager, IT Operations Manager, Corporate Risk Officer, CISO
It is important to define and document your organization-specific criteria for when a remediation option is appropriate and inappropriate.
When to use:
When to avoid:
Download the Vulnerability Management SOP Template
None for this section.
Although there are no specific activities for this section, it will walk you through your existing configuration and change management processes to ensure that you are leveraging those activities in your vulnerability remediation actions.
Gained understanding of how the IT operations processes of configuration and change management can be leveraged for the vulnerability remediation process. Don’t reinvent the wheel!
Vulnerability management converges with your IT operations functions.
For guidance on implementing or improving your release management process, refer to Info-Tech’s Stabilize Release and Deployment Management blueprint or speak to one of our experts.
Info-Tech Insight: Many organizations don’t have a separate release team. Rather, whoever is doing the deployment will submit a change request and the testing details are vetted through the organization’s change management process. For guidance on the change management process, review our Optimize Change Management blueprint.
Leverage change control, interruption management, approval, and scheduling.
For further guidance on implementing or improving your change management process, refer to Info-Tech’s Optimize Change Management blueprint or speak to one of our experts.
“With no controls in place, IT gets the blame for embarrassing outages. Too much control, and IT is seen as a roadblock to innovation.” (VP IT, Federal Credit Union)
Vulnerability remediation isn’t a “set it and forget it” activity.
A scan with your vulnerability management software after remediation can be a way to verify that the overall risk has been reduced, if remediation was done by way of patching/updates.
Info-Tech Insight: After every change completion, whether due to vulnerability remediation or not, it is a good idea to ensure that your infrastructure team increases its monitoring diligence and that your service desk is ready for any sudden influx of end-user calls.
None for this section.
Although this section has no activities, it will review the process by which you may continually improve vulnerability management.
An understanding of the importance of ongoing improvements to the vulnerability management program.
“The success rate for continual improvement efforts is less than 60 percent. A major – if not the biggest – factor affecting the deployment of long-term continual improvement initiatives today is the fundamental change taking place in the way companies manage and execute work.” (Industry analyst at a consulting firm, 2014)
Continuously re-evaluate the vulnerability management process.
As your systems and assets change, your vulnerability management program may need updates in two ways.
When new assets and systems are introduced:
Effective systems and asset management are needed to track this. Review Info-Tech’s Implement Systems Management to Improve Availability and Visibility blueprint for more help. Document any changes to the vulnerability management program in the Vulnerability Management SOP Template.
When defense-in-depth capabilities are modified:
To assist in building a defense-in-depth model, review Build an Information Security Strategy.
After a review of the differences between raw metrics, key performance indicators (KPI), and critical success factors (CSF), compile a list of what metrics you will be tracking, why, and the business goals for each.
Outline of metrics you can configure your vulnerability scanning tool to report on.
Measure and formalize | Step 4.1 | Step 4.2 | Step 4.3 | Step 4.4
Tracking the right information and making the information relevant.
The activity tracker on your wrist is a wealth of metrics, KPIs, and CSFs.
If you wear an activity tracker, you are likely already familiar with the differences between metrics, key performance indicators, and critical success factors:
Your security systems can be similarly measured and tracked – transfer this skill!
| Business Goal | Critical Success Factor | Key Performance Indicator | Metric to track |
|---|---|---|---|
| Minimize overall risk exposure | Reduction of overall risk due to vulnerabilities | Decrease in vulnerabilities | Track the number of vulnerabilities year after year. |
| Appropriate allocation of time and resources | Proper prioritization of vulnerability mitigation activities | Decrease of critical and high vulnerabilities | Track the number of high-urgency vulnerabilities. |
| Consistent timely remediation of threats to the business | Minimize risk when vulnerabilities are detected | Remediate vulnerabilities more quickly | Mean time to detect: track the average time from identification to remediation. |
| Track effectiveness of scanning tool | Minimize the ratio, indicating that the tool sees everything | Ratio between known assets and what the scanner tracks | Scanner coverage compared to known assets in the organization. |
| Having effective tools to track and address | Accuracy of the scanning tool | Difference or ratio between reported vulnerabilities and verified ones | Number of critical or high vulnerabilities verified, between the scanning tool’s criticality rating and actual criticality. |
| Reduction of exceptions to ensure minimal exposure | Visibility into persistent vulnerabilities and risk mitigation measures | Number of exceptions granted | Number of vulnerabilities in which little or no remediation action was taken. |
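Several of the metrics in the table can be computed directly from a findings export and an asset inventory. The following is an added example, not part of the Info-Tech templates; the record layout, field names, asset names, and all sample values are constructed for illustration.

```python
from datetime import date

HIGH_URGENCY = {"critical", "high"}

# Constructed sample findings: "scanner" is the tool's rating, "verified" is
# the rating after triage in the context of the environment.
FINDINGS = [
    {"id": "V-1", "scanner": "critical", "verified": "critical",
     "identified": date(2024, 1, 2), "remediated": date(2024, 1, 5), "exception": False},
    {"id": "V-2", "scanner": "high", "verified": "medium",
     "identified": date(2024, 1, 2), "remediated": date(2024, 1, 16), "exception": False},
    {"id": "V-3", "scanner": "high", "verified": "high",
     "identified": date(2024, 1, 10), "remediated": None, "exception": False},
    {"id": "V-4", "scanner": "medium", "verified": "medium",
     "identified": date(2024, 1, 10), "remediated": date(2024, 2, 1), "exception": False},
    {"id": "V-5", "scanner": "critical", "verified": "high",
     "identified": date(2024, 1, 15), "remediated": None, "exception": True},
    {"id": "V-6", "scanner": "low", "verified": "low",
     "identified": date(2024, 1, 20), "remediated": None, "exception": True},
]
KNOWN_ASSETS = {"web01", "web02", "db01", "hr-app", "print01"}   # constructed inventory
SCANNED_ASSETS = {"web01", "web02", "db01", "lab-sw9"}           # constructed scan scope


def open_high_urgency(findings):
    """Number of verified critical/high vulnerabilities still open."""
    return sum(1 for f in findings
               if f["verified"] in HIGH_URGENCY and f["remediated"] is None)


def mean_days_to_remediate(findings):
    """Average days from identification to remediation, closed findings only."""
    days = [(f["remediated"] - f["identified"]).days
            for f in findings if f["remediated"] is not None]
    return sum(days) / len(days) if days else None


def scanner_coverage(known, scanned):
    """Share of known assets the scanner tracks, plus the gaps on both sides."""
    if not known:
        raise ValueError("asset inventory is empty")
    return {"ratio": len(known & scanned) / len(known),
            "unscanned": sorted(known - scanned),
            "not_in_inventory": sorted(scanned - known)}


def scanner_accuracy(findings):
    """Of the findings the tool rated critical/high, the share verified as such."""
    flagged = [f for f in findings if f["scanner"] in HIGH_URGENCY]
    if not flagged:
        return None
    return sum(1 for f in flagged if f["verified"] in HIGH_URGENCY) / len(flagged)


def exceptions_granted(findings):
    """Vulnerabilities where little or no remediation action was taken."""
    return sum(1 for f in findings if f["exception"])


def kpi_report(findings, known, scanned):
    return {"total_vulnerabilities": len(findings),
            "open_high_urgency": open_high_urgency(findings),
            "mean_days_to_remediate": mean_days_to_remediate(findings),
            "scanner_coverage": scanner_coverage(known, scanned),
            "scanner_accuracy": scanner_accuracy(findings),
            "exceptions_granted": exceptions_granted(findings)}


if __name__ == "__main__":
    for metric, value in kpi_report(FINDINGS, KNOWN_ASSETS, SCANNED_ASSETS).items():
        print(f"{metric}: {value}")
```

Assets the scanner reports that are missing from the inventory are listed separately because they point to an asset management gap, not a scanner gap.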
Input: List of metrics currently being measured by the vulnerability management tool
Output: List of relevant metrics to track, and the KPIs, CSFs, and business goals related to the metric
Materials: Whiteboard/flip charts, Vulnerability Management SOP Template
Participants: IT Security Manager, IT operations management, CISO
Metrics can offer a way to view how the organization is dealing with vulnerabilities and if there is improvement.
Download the Vulnerability Management SOP Template
If you have a vulnerability management policy, this activity may help augment it. Otherwise, if you don’t have one, this would be a great starting point.
An inaugural policy covering vulnerability management
Policies provide governance and enforcement of processes.
Input: Vulnerability Management SOP, HR guidance on policy creation and approval
Output: Completed Vulnerability Management Policy
Materials: Vulnerability Management SOP, Vulnerability Management Policy Template
Participants: IT Security Manager, IT operations management, CISO, Human resources representative
After having built your entire process in this project, formalize it into a vulnerability management policy. The policy sets the standards and expectations for vulnerability management in the organization, while the process covers the specific actions that need to be taken.
This is separate and distinct from the Vulnerability Management SOP Template, which is a process and procedure document.
Download the Vulnerability Management Policy Template
If you need to select a new vulnerability scanning tool, or replace your existing one, this activity will help set up a request for proposal (RFP).
The provisions needed for you to create and deploy an RFP for a vulnerability management tool.
Similar in nature, yet provide different security functions.
Vulnerability Scanning Tools
Scanning tools focus on the network and operating systems. These tools look for items such as missing patches or open ports. They won’t detect specific application vulnerabilities.
Exploitation Tools
These tools will look to exploit a detected vulnerability to validate it.
Penetration Tests
A penetration test simulates the actions of an external or internal cyber attacker that aims to breach the information security of the organization. (Formal definition of penetration test)
What’s the difference again?
Vulnerability scanning tools are just one type of tool.
When you add an exploitation tool to the mix, you move down the spectrum.
Penetration tests will use scanning tools, exploitation tools, and people.
What is the value of each?
What’s the implication for me?
Info-Tech Recommends:
Scanning tools will benefit areas beyond just vulnerability management
Vulnerability Detection Use Case: Most organizations use scanners to identify and assess system vulnerabilities and prioritize efforts.
Compliance Use Case: Others will use scanners just for compliance, auditing, or larger GRC reasons.
Asset Discovery Use Case: Many organizations will use scanners to perform active host and application identification.
Scanning Tool Market Trends
Vulnerability scanning tools have expanded value from conventional checking for vulnerabilities to supporting configuration checking, asset discovery, inventory management, patch management, SSL certificate validation, and malware detection. Expect to see network and system vulnerability scanners develop larger vulnerability management functions and develop exploitation tool functionality. This will become a table stakes option enabling organizations to provide higher levels of validation of detected vulnerabilities. Some tools already possess these capabilities:
Device proliferation (BYOD, IoT, etc.) is increasing the need for stronger vulnerability management and scanners. This is driving the need for numerous device types and platform support and the development of baseline and configuration norms to support system management. Increased regulatory or compliance controls are also stipulating the need for vulnerability scanning, especially by a trusted third party. Organizations are outsourcing security functions or moving to cloud-based deployment options for any security technology they can. Expect to see massive growth of vulnerability scanning as a service.
Vulnerability Exploitation Tools
Scanning Tool Market Trends
Web Application Scanning Tools
These tools perform dynamic application security testing (DAST) and static application security testing (SAST).
Application Scanning and Testing Tools
Common areas people mistake as tool differentiators:
For more information on vulnerability scanning tools and how they rate, review the Vulnerability Management category on SoftwareReviews.
| Option | Description | Pros | Cons | Use Cases |
|---|---|---|---|---|
| On-Premises | Either an on-premises appliance or an on-premises virtualized machine that performs external and internal scanning. | | | |
| Cloud | Either hosted on a public cloud infrastructure or hosted by a third party and offered “as a service.” | | | |
| Managed | A third party is contracted to manage and maintain your vulnerability scanner so you can dedicate resources elsewhere. | | | |
| Method | Description | Pros | Cons | Use Cases |
|---|---|---|---|---|
| Agent-Based Scanning | Locally installed software gives the information needed to evaluate the security posture of a device. | | | |
| Authenticated Active Scanning | Tool uses authenticated credentials to log in to a device or application to perform scanning. | | | |
| Unauthenticated Active Scanning | Scanning of devices without any authentication. | | | |
| Passive Scanning | Scanning of network traffic. | | | |
Scanning on IPv4
Scanning tools create databases of systems and devices with IP addresses.
Current Problem With IP Addresses
IP addresses are becoming no longer manageable or even owned by organizations. They are often provided by ISPs or other third parties. Even if it is your range, chances are you don't do static IP ranges today.
Info-Tech Recommends:
Scanning on IPv6
First, you need to know if your organization is moving to IPv6. IPv6 is not strategically routed yet for most organizations. If you are moving to IPv6, Info-Tech recommends the following:
If you are already on IPv6, Info-Tech recommends the following:
Input: List of key feature requirements for the new tool, List of intersect points with current software, Network topology and layout of servers and applications
Output: Completed RFP document that can be distributed to vendor proponents
Materials: Whiteboard/flip charts, Vulnerability Scanning Tool RFP Template
Participants: IT Security Manager, IT operations managers, CISO, Procurement department representative
Use a request for proposal (RFP) template to convey your desired scanning tool requirements to vendors and outline the proposal and procurement steps set by your organization.
Download the Vulnerability Scanning Tool RFP Template
Things to Consider:
Info-Tech RFP Table of Contents:
We will review penetration testing, its distinction from vulnerability management, and why you may want to engage a penetration testing service.
We provide a request for proposal (RFP) template that we can review if this is an area of interest.
An understanding of penetration testing, and guidance on how to get started if there is interest to do so.
Penetration tests are critical parts of any strong security program.
Penetration testing will emulate the methods an attacker would use in the real world to circumvent your security controls and gain access to systems and data.
Penetration testing is much more than just running a scanner or other automated tools and then generating a report. Penetration testing performs critical exploit validation to create certainty around your vulnerability. The primary objective of a penetration test is to identify and validate security weaknesses in an organization’s security systems.
Reasons to Test:
Regulatory Considerations:
How and where is the value being generated?
Penetration testing is a service provided by trained and tested professionals with years of experience. The person behind the test is the most important part of the test. The person is able to emulate a real-life attacker better than any computer. It is just a vulnerability scan if you use tools or executables alone.
“A penetration test is an audit with validation.” (Joel Shapiro, Vice President Sales, Digital Boundary Group)
Network Penetration Tests
Conventional testing of network defences. Testing vectors include:
Application Penetration Tests
Core business functions are now being provided through web applications, either to external customers or to internal end users.
Types: Web apps, non-web apps, mobile apps
Application penetration and security testing encompasses:
Human-Centric Testing
Your pen test should use multiple methods. Demonstrating weakness in one area is good but easy to identify. When you blend techniques, you get better success at breaching and it becomes more life-like. Think about prevention, detection, and response testing to provide full insight into your security defenses.
Network, Application, or Human
Evaluate your need to perform different types of penetration testing. Some level of network and application testing is most likely appropriate. The more common decision point is to consider to what degree your organization requires human-centric penetration testing.
External or Internal
External: Attacking an organization’s perimeter and internet-facing systems. For these, you generally provide some level of information to the tester. The test will begin with publicly available information gathering followed by some kind of network scanning or probing against externally visible servers or devices (DNS server, email server, web server, firewall, etc.).
Internal: Carried out within the organization’s network. This emulates an attack originating from an internal point (disgruntled employee, authorized user, etc.). The idea is to see what could happen if the perimeter is breached.
Transparent, Semi-Transparent, or Opaque Box
Opaque Box: The penetration tester is not provided any information. This emulates a real-life attack. Test team uses publicly available information (corporate website, DNS, USENET, etc.) to start the test. These tests are more time consuming and expensive. They often result in exploitation of the easiest vulnerability. Use cases: full assessment of security controls; testing of attacker traversal capabilities.
Aggressiveness of the Test
Not Aggressive: Very slow and careful penetration testing. Usually spread out in terms of packets being sent and number of calls to individuals. It attempts to not set off any alarm bells.
Aggressive: A full DoS attack or something similar. These would be DoS attacks that take down systems or full SQL injection attacks all at once versus small injections over time. Testing options cover anything including physical tests, network tests, social engineering, and data extraction and exfiltration. This is more costly and time consuming.
Assessing Aggressiveness: How aggressive the test should be is based on the threats you are concerned with. Assess who you are concerned with: random individuals on the internet, state-sponsored attacks, criminals, hacktivists, etc. Who you are concerned with will determine the appropriate aggressiveness of the test.
Determining the scope of what is being tested is the most important part of a penetration test. Organizations need to be as specific as possible so the vendor can actually respond or ask questions.
Organizations need to define boundaries, objectives, and key success factors.
For scope:
Boundaries to scope before a test:
Objectives and key success factors to scope:
Usual instances to conduct a penetration test:
Specific timing considerations: Testing should be completed during non-production times of day. Testing should be completed after a backup has been performed.
Assess your threats to determine your appropriate test type:
Penetration testing is about what threats you are concerned about. Understand your risk profile, risk tolerance level, and specific threats to see how relevant penetration tests are.
ANALYST PERSPECTIVE: Do a test only after you take a first pass.
Input: List of criteria and scope for the penetration test, Systems and application information if white box
Output: Completed RFP document that can be distributed to vendor proponents
Materials: Whiteboard/flip charts, Penetration Test RFP Template
Participants: IT Security Manager, IT operations managers, CISO, Procurement department representative
Use an RFP template to convey your desired penetration test requirements to vendors and outline the proposal and procurement steps set by your organization.
Download the Penetration Test RFP Template
Steps of a penetration test:
Info-Tech RFP Table of Contents:
Professional Services Firms. These firms will often provide a myriad of professional services across auditing, financial, and consulting services. If they offer security-related consulting services, they will most likely offer some level of penetration testing.
Security Service Firms. These are dedicated security consulting or advisory firms that will offer a wide spectrum of security-related services. Penetration testing may be one aspect of larger security assessments and strategy development services.
Dedicated Penetration Testing Firms. These are service providers that will often offer the full gamut of penetration testing services.
Managed Security Service Providers. These providers will offer penetration testing. For example, Dell SecureWorks offers numerous services including penetration testing. For organizations like this, you need to be skeptical of ulterior motives. For example, expect recommendations around outsourcing from Dell SecureWorks.
Regional or Small Integrators. These are service providers that provide security services of some kind. For example, they would help in the implementation of a firewall and offer penetration testing services as well.
Communication With Service Provider
Communication With Internal Staff
Do you tell your internal staff that this is happening? This is sometimes called a “double blind test” when you don’t let your IT team know of the test occurring.
Pros to notifying:
A final results report will state all findings including what was done by the testers, what vulnerabilities or exploitations were detected, how they were compromised, the related risk, and related remediation recommendations.
Expect four major sections:
Prioritization
Remediation
At the conclusion of this blueprint, you will have created a full vulnerability management program that will allow you to take a risk-based approach to vulnerability remediation.
Assessing a vulnerability’s risk will enable you to properly determine the true urgency of a vulnerability within the context of your organization; this ensures you are not just blindly following what the tool is reporting.
The risk-based approach will allow you to prioritize your discovered vulnerabilities and take immediate action on critical and high vulnerabilities while allowing your standard remediation cycle to address the medium to low vulnerabilities.
With your program defined and developed, you now need to configure your vulnerability scanning tool or acquire one if you don’t already have a tool in place.
Lastly, while vulnerability management will help address your systems and applications, how do you know if you are secure from external malicious actors? Penetration testing will offer visibility, allowing you to plug those holes and attain an environment with a smaller risk surface.
Contact your account representative for more information.
If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.
workshops@infotech.com 1-888-670-8889
To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
Review of the Implement Vulnerability Management storyboard
Build your vulnerability management SOP
Contributors from 2016 version of this project:
Contributors from current version of this project:
Arya. “COVID-19 Impact: Vulnerability Management Solution Market | Strategic Industry Evolutionary Analysis Focus on Leading Key Players and Revenue Growth Analysis by Forecast To 2028 – FireMon, Digital Shadows, AlienVault.” Bulletin Line, 6 Aug. 2020. Accessed 6 Aug. 2020.
Campagna, Rich. “The Lean, Mean Vulnerability Management Machine.” Security Boulevard, 31 Mar. 2020. Accessed 15 Aug. 2020.
Constantin, Lucian. “What are vulnerability scanners and how do they work?” CSO Online, 10 Apr. 2020. Accessed 1 Sept. 2020.
“CVE security vulnerabilities published in 2019.” CVE Details. Accessed 22 Sept. 2020.
Garden, Paul, et al. “2019 Year End Report – Vulnerability QuickView.” Risk Based Security, 2020. Accessed 22 Sept. 2020.
Keary, Eoin. “2019 Vulnerability Statistics Report.” Edgescan, Feb. 2019. Accessed 22 Sept. 2020.
Lefkowitz, Josh. “Risk-Based Vulnerability Management is a Must for Security & Compliance.” SecurityWeek, 1 July 2019. Accessed 1 Nov. 2020.
Mell, Peter, Tiffany Bergeron, and David Henning. “Creating a Patch and Vulnerability Management Program.” Creating a Patch and Vulnerability Management Program. NIST, Nov. 2005. Web.
“National Vulnerability Database.” NIST. Accessed 18 Oct. 2020.
“OpenVAS – Open Vulnerability Assessment Scanner.” OpenVAS. Accessed 14 Sept. 2020.
“OVAL.” OVAL. Accessed 21 Oct. 2020.
Paganini, Pierluigi. “Exploiting and Verifying Shellshock: CVE-2014-6271.” INFOSEC, 27 Sept. 2014. Web.
Pritha. “Top 10 Metrics for your Vulnerability Management Program.” CISO Platform, 28 Nov. 2019. Accessed 25 Oct. 2020.
“Risk-Based Vulnerability Management: Understanding Vulnerability Risk With Threat Context And Business Impact.” Tenable. Accessed 21 Oct. 2020.
Stone, Mark. “Shellshock In-Depth: Why This Old Vulnerability Won’t Go Away.” SecurityIntelligence, 6 Aug. 2020. Web.
“The Role of Threat Intelligence in Vulnerability Management.” NOPSEC, 18 Sept. 2014. Accessed 18 Aug. 2020.
“Top 15 Paid and Free Vulnerability Scanner Tools in 2020.” DNSstuff, 6 Jan. 2020. Accessed 15 Sept. 2020.
Truta, Filip. “60% of Breaches in 2019 Involved Unpatched Vulnerabilities.” Security Boulevard, 31 Oct. 2019. Accessed 2 Nov. 2020.
“Vulnerability Management Program.” Core Security. Accessed 15 Sept. 2020.
“What is Risk-Based Vulnerability Management?” Balbix. Accessed 15 Sept. 2020.
White, Monica. “The Cost Savings of Effective Vulnerability Management (Part 1).” Kenna Security, 23 April 2020. Accessed 20 Sept. 2020.
Wilczek, Marc. “Average Cost of a Data Breach in 2020: $3.86M.” Dark Reading, 24 Aug. 2020. Accessed 5 Nov. 2020.
Product, service, and process design should always start with an intimate understanding of what the business is trying to accomplish and why it is important.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Identify goals and objectives for experience design, establish targeted stakeholders, and conduct discovery interviews.
Create the journey map, design a research study to validate your hypotheses, and iterate and ideate around a refined, data-driven understanding of stakeholder problems.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Understand the method and purpose of journey mapping.
Initial understanding of the journey mapping process and the concept of end-user empathy.
1.1 Introduce team and discuss workshop motivations and goals.
1.2 Discuss overview of journey mapping process.
1.3 Perform journey mapping case study activity.
Case Study Deliverables – Journey Map and Empathy Maps
Begin to understand the goals and motivations of your stakeholders using customer segmentation and an empathy mapping exercise.
Understand the demographic and psychographic factors driving stakeholder behavior.
2.1 Discuss psychographic stakeholder segmentation.
2.2 Create empathy maps for four segments.
2.3 Generate problem statements.
2.4 Identify target market.
Stakeholder personas
Target market of IT
Get first-hand knowledge of stakeholder needs and start to capture their perspective with a first-iteration journey map.
Capture the process stakeholders use to solve problems and empathize with their perspectives, pains, and gains.
3.1 Review discovery interviewing techniques.
3.2 Review and modify the discovery questionnaire.
3.3 Demonstrate stakeholder interview.
3.4 Synthesize learnings and begin creating a journey map.
Customized discovery interview template
Results of discovery interviewing
Hypothesize the stakeholder journey, identify assumptions, plan a research study to validate your understanding, and ideate around critical junctures in the journey.
Understand the stakeholder journey and ideate solutions with the intention of improving their experience with IT.
4.1 Finish the journey map.
4.2 Identify assumptions and create hypotheses.
4.3 Discuss field research and hypothesis testing.
4.4 Design the research study.
4.5 Discuss concluding remarks and next steps.
Completed journey map for one IT process, product, or service
Research study design and action plan
There are many challenges for I&O when it comes to digital transformation, including:
These and many more will hinder your progress, which demonstrates the need to invest in modernizing your infrastructure, investing in training and hiring talent, and cultivating a culture that supports digital transformation.
By using the framework of culture, competencies, collaboration, and capabilities, organizations can create dimensions in their I&O structure in order to shift from traditional infrastructure management to becoming a strategic enabler, driving agility, innovation, and operational excellence through the effective integration of people, process, and technology.
By driving a customer-centric approach, delivering a successful transformation can be tailored to the business goals and drive adoption and engagement. Refining your roadmap through data and analytics will drive this change. Use third-party expertise to guide your transformation and help build that vision of the future.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Unlock the full potential of your infrastructure with a digital transformation strategy and clear the barriers to success.
Many businesses fail in their endeavors to complete a digital transformation, but the reasons are complex, and there are many ways to fail, whether it is people, process, or technology. In fact, according to many surveys, 70% of digital transformations fail, and it’s mainly down to strategy – or the lack thereof.
A lot of organizations think of digital transformation as just an investment in technology, with no vision of what they are trying to achieve or transform. So, out of the gate, many organizations fail to undergo a meaningful transformation, change their business model, or bring about a culture of digital transformation needed to be seriously competitive in their given market.
When it comes to I&O leaders who have been given a mandate to drive digital transformation projects, they still must align to the vision and mission of the organization; they must still train and hire staff that will be experts in their field; they must still drive process improvements and align the right technology to meet the needs of a digital transformation.
Principal Research Director, I&O
Info-Tech Research Group
Digital transformation requires I&O teams to shift from traditional infrastructure management to becoming a strategic enabler, driving agility, innovation, and operational excellence through effective integration of people, process, and technology.
Collaboration is a key component of I&O – Promote strong collaboration between I&O and other business functions. When doing a digital transformation, it is clear that this is a cross-functional effort. Business leaders and IT teams need to align their objectives, prioritize initiatives, and ensure that you are seamlessly integrating technologies with the new business functions.
Embrace agility and adaptability as core principles – As the digital landscape continues to evolve, it is paramount that I&O leaders are agile and adaptable to changing business needs, adopting new technology and implementing new innovative solutions. The culture of continuous improvement and openness to experimentation and learning will assist the I&O leaders in their journey.
Future-proof your infrastructure and operations – By anticipating emerging technologies and trends, you can proactively plan and organize your team for future needs. By investing in scalable, flexible infrastructure such as cloud services, automation, AI technologies, and continuously upskilling the IT staff, you can stay relevant and forward-looking in the digital space.
An IT infrastructure maturity assessment is a foundational step in the journey of digital transformation. The demand will be on performance, resilience, and scalability. IT infrastructure must be able to support innovation and rapid deployment of services.
Having a clear strategy, with leadership commitment along with hiring and training the right people, monitoring and measuring your progress, and ensuring it is a business-led journey will increase your chances of success.
Your Challenge
There are a lot of challenges for I&O when it comes to digital transformation, including:
These and many more will hinder your progress, which demonstrates the need to invest in modernizing your infrastructure, investing in training and hiring talent, and cultivating a culture that supports digital transformation.
Common Obstacles
Many obstacles to digital transformation begin with non-I&O activities, including:
By addressing these obstacles, I&O will have a better chance of a successful transformation and delivering the full potential of digital technologies.
Info-Tech's Approach
Building a culture of innovation by developing clear goals and creating a vision will be key.
By completing the Info-Tech digital readiness questionnaire, you will see where you are in terms of maturity and areas you need to concentrate on.
The challenges that stand in the way of your success, and what is needed to reverse the risk
26% of those CIOs surveyed cite resistance to change, with entrenched viewpoints demonstrating a real need for a cultural shift to enhance the digital transformation journey.
Source: Prophet, 2019.
70% of digital transformation projects fall short of their objectives – even when their leadership is aligned, often with serious consequences.
Source: BCG, 2020.
Having a clear strategy and commitment from leadership, hiring and training the right people, monitoring and measuring your progress, and ensuring it is a business-led journey will increase your chances of success.
Info-Tech Insight
Cultural change, business alignment, skills training, and setting a clear strategy with KPIs to demonstrate success are all key to being successful in your digital journey.
57% of small business owners feel they must improve their IT infrastructure to optimize their operations.
Source: SMB Story, 2023.
64% of CEOs believe driving digital transformation at a rapid pace is critical to attracting and retaining talent and customers.
Source: KPMG, 2022.
An IT infrastructure maturity assessment is a foundational step in the journey of digital transformation. The demand will be on performance, resilience, and scalability. IT infrastructure must be able to support innovation and rapid deployments.
Without control over the areas in which employees are working, businesses are opening themselves up to a greater degree of risk during the pandemic. How does a business raise awareness for employees who are going to be working remotely?
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Use Info-Tech’s training materials to get you started on remote training and awareness.
Realize the benefits of a diverse workforce by embedding inclusion into work practices, behaviors, and values, ensuring accountability throughout the department.
Understand what it means to be inclusive: reassess work practices and learn how to apply leadership behaviors to create an inclusive environment.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Learn, evaluate, and understand what it means to be inclusive, examine biases, and apply inclusive leadership behaviors.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Use Info-Tech’s methodology to establish an effective service management program with proper oversight.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Evaluate the business, user, and infrastructure requirements to ensure that all needs are clearly defined and the best fit-for-purpose migration plan can be decided on.
Expose key cloud risks across five major areas and build mitigation strategies to counter risk and gain foresight for migration.
Outline major milestones of migration and build the communication plan to transition users smoothly. Complete the Office 365 migration plan report to present to business stakeholders.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Review corporate and project goals.
Review and prioritize relevant services and applications to shape the migration path.
Review Office 365 license models.
Profile end users to rightsize licensing.
Estimate dollar impact of new licensing model.
Corporate goals for Office 365.
Prioritized migration path of applications.
Decision on user licensing structure.
Projected cost of licensing.
1.1 Outline corporate and project goals to paint the starting line.
1.2 Review and prioritize services.
1.3 Rightsize licensing.
Clear goals and metrics for migration
Prioritized list of applications
Effective licensing structure
Conduct value and readiness assessment of current on-premises services.
Identify and evaluate risks and challenges.
Assess IT’s readiness to own and manage Office 365.
Completed value and readiness assessment.
Current targets for service and deployment models.
List of perceived risks according to five major risk areas.
Assessed IT’s readiness to own and manage Office 365.
Established go/caution/stop for elected Office 365 services.
2.1 Assess value and readiness.
2.2 Identify key risks.
2.3 Identify changes in IT skills and roles.
Cloud service appropriateness assessment
Completed risk register
Reorganization of IT roles
Review Office 365 risks and discuss mitigation strategies.
Completed risks and mitigation strategies report.
3.1 Build mitigation strategies.
3.2 Identify key service requests.
3.3 Build workflows.
Defined roles and responsibilities
Assigned decision rights
List of staffing gaps
Build a timeline of major milestones.
Plan and prioritize projects to bridge gaps.
Build a communication plan.
Review Office 365 strategy and roadmap.
Milestone roadmap.
Critical path of milestone actions.
Communication plan.
Executive report.
4.1 Outline major milestones.
4.2 Finalize roadmap.
4.3 Build and refine the communication plan.
Roadmap plotted projects, decisions, mitigations, and user engagements
Finalized roadmap across timeline
Communication and training plan
Understand what your department’s purpose is through articulating its strategy in three steps:
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Consider and record your department’s values, principles, orientation, and capabilities.
Define your department’s strategy through your understanding of your department combined with everything that you do and are working to do.
Communicate your department’s strategy to your key stakeholders.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Understand what makes up your application department beyond the applications and services provided.
Articulating your guiding principles, values, capabilities, and orientation provides a foundation for expressing your department strategy.
1.1 Identify your team’s values and guiding principles.
1.2 Define your department’s orientation.
A summary of your department’s values and guiding principles
A clear view of your department’s orientation and supporting capabilities
Lay out all the details that make up your application department strategy.
A completed application department strategy canvas containing everything you need to communicate your strategy.
2.1 Write your application department vision statement.
2.2 Define your application department goals and metrics.
2.3 Specify your department capabilities and orientation.
2.4 Prioritize what is most important to your department.
Your department vision
Your department’s goals and metrics that contribute to achieving your department’s vision
Your department’s capabilities and orientation
A prioritized roadmap for your department
Lay out your strategy’s communication plan.
Your application department strategy presentation ready to be presented to your stakeholders.
3.1 Identify your stakeholders.
3.2 Develop a communication plan.
3.3 Wrap-up and next steps.
List of prioritized stakeholders you want to communicate with
A plan for what to communicate to each stakeholder
Communication is only the first step – what comes next?
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Consistent, high-quality disclosure of ESG practices is the means by which organizations can demonstrate they are acting responsibly and in the best interest of their customers and society. Organizations may struggle with these challenges when implementing an ESG reporting program:
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
This storyboard provides a three-phased approach to establishing a comprehensive ESG reporting framework to drive sustainable corporate performance. It will help you identify what to report, understand how to implement your reporting program, and review in-house and external software and tooling options.
The workbook allows IT and business leaders to document decisions as they work through the steps to establish a comprehensive ESG reporting framework.
This planning tool guides IT and business leaders in planning, prioritizing, and addressing gaps to build an ESG reporting program.
Use this template to create a presentation that explains the drivers behind the strategy, communicates metrics, demonstrates gaps and costs, and lays out the timeline for the implementation plan.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Determine material ESG factors.
Learn how to identify your key stakeholders and material ESG risks.
1.1 Create a list of stakeholders and applicable ESG factors.
1.2 Create a materiality map.
List of stakeholders and applicable ESG factors
Materiality map
Define performance and reporting metrics.
Align your ESG strategy with key performance metrics.
2.1 Create a list of SMART metrics.
2.2 Create a list of reporting obligations.
SMART metrics
List of reporting obligations
Assess data and implementation gaps.
Surface data and technology gaps.
3.1 Create a list of high-priority data gaps.
3.2 Summarize high-level implementation considerations.
List of high-priority data gaps
Summary of high-level implementation considerations
Select software and tooling options and develop implementation plan.
Complete your roadmap and internal communication document.
4.1 Review tooling and technology options.
4.2 Prepare ESG reporting implementation plan.
4.3 Prepare the ESG reporting program presentation.
Selected tooling and technology
ESG reporting implementation plan
ESG reporting strategy presentation
The shift toward stakeholder capitalism cannot be pinned on one thing; rather, it is a convergence of forces that has reshaped attitudes toward the corporation. Investor attention on responsible investing has pushed corporations to give greater weight to the achievement of corporate goals beyond financial performance.
Reacting to the new investor paradigm and to the wider systemic risk to the financial system of climate change, global regulators have rapidly mobilized toward mandatory climate-related disclosure.
IT will be instrumental in meeting the immediate regulatory mandate, but their role is much more far-reaching. IT has a role to play at the leadership table shaping strategy and assisting the organization to deliver on purpose-driven goals.
Delivering high-quality, relevant, and consistent disclosure is the key to unlocking and driving sustainable corporate performance. IT leaders should not underestimate the influence they have in selecting the right technology and data model to support ESG reporting and ultimately support top-line growth.
Yaz Palanichamy
Senior Research Analyst
Info-Tech Research Group
Donna Bales
Principal Research Director
Info-Tech Research Group
Your Challenge
Your organization needs to define an ESG reporting strategy that is driven by corporate purpose. Climate-related disclosure mandates are imminent; you need to prepare for them by building a sustainable reporting program now. There are many technologies available to support your ESG program plans. How do you choose the one that is right for your organization?
Common Obstacles
Knowing how to narrow down ESG efforts to material ESG issues for your organization. Understanding the key steps to build a sustainable ESG reporting program. Assessing and solving for data gaps and data quality issues. Being aware of the tools and best practices available to support regulatory and performance reporting.
Info-Tech’s Approach
Learn best-practice approaches to develop and adopt an ESG reporting program approach to suit your organization’s unique needs. Understand the key features, tooling options, and vendors in the ESG software market. Learn through analyst insights, case studies, and software reviews on best-practice approaches and tool options.
Implementing a robust reporting program takes time. Start early, remain focused, and plan to continually improve data quality and collection and performance metrics.
Environmental, social, and governance are the components of a sustainability framework that is used to understand and measure how an organization impacts or is affected by society as a whole.
Human activities, particularly fossil fuel burning since the middle of the twentieth century, have increased greenhouse gas concentration, resulting in observable changes to the atmosphere, ocean, cryosphere, and biosphere. The “E” in ESG relates to the positive and negative impacts an organization may have on the environment, such as the energy it takes in and the waste it discharges.
The “S” in ESG is the most ambiguous component in the framework, as social impact relates not only to risks but also to prosocial behavior. It’s the most difficult to measure but can have significant financial and reputational impact on corporations if material and poorly managed.
The “G” in ESG is foundational to the realization of “S” and “E.” It encompasses how well an organization integrates these considerations into the business and how well the organization engages with key stakeholders, receives feedback, and is transparent with its intentions.
Organizational Reputation: Seventy-four percent of those surveyed were concerned that failing to improve their corporate ESG performance would negatively impact their organization’s branding and overall reputation in the market (Intelex, 2022).
Ethical Business Compliance: Adherence to well-defined codes of business conduct and implementation of anti-corruption and anti-bribery practices is a great way to distinguish between organizations with good/poor governance intentions.
Shifting Consumer Preferences: ESG metrics can also largely influence consumer preferences in buying behavior intentions. Research from McKinsey shows that “upward of 70 percent” of consumers surveyed on purchases in multiple industries said they would pay an additional 5 percent for a green product if it met the same performance standards as a nongreen alternative (McKinsey, 2019).
Responsible Supply Chain Management: The successful alignment of ESG criteria with supply chain operations can lead to several benefits (e.g. producing more sustainable product offerings, maintaining constructive relationships with more sustainability-focused suppliers).
Environmental Stewardship: The growing climate crisis has forced companies of all sizes to rethink how they plan their corporate environmental sustainability practices.
Compliance With Regulatory Guidelines: An increasing emphasis on regulations surrounding ESG disclosure rates may result in some institutional investors taking a more proactive stance toward ESG-related initiatives.
Sustaining Competitive Advantage: Given today’s globalized economy, many businesses are constantly confronted with environmental issues (e.g. water scarcity, air pollution) as well as social problems (e.g. workplace wellness issues). Thus, investment in ESG factors is simply a part of maintaining competitive advantage.
The perceived importance of ESG has dramatically increased from 2020 to 2023
In a survey commissioned by Schneider Electric, researchers categorized the relative importance of ESG planning initiatives for global IT business leaders. ESG was largely identified as a critical factor in sustaining competitive advantage against competitors and maintaining positive investor/public relations.
Source: S&P Market Intelligence, 2020; N=825 IT decision makers
“74% of finance leaders say investors increasingly use nonfinancial information in their decision-making.”
Source: EY, 2020
The Evolving Regulatory Landscape
Canada
United States
Europe
New Zealand
ESG reporting is the disclosure of environmental, social, and governance (ESG) data via qualitative and quantitative reports.
It is how organizations make their sustainability commitments and strategies transparent to stakeholders.
For investors it provides visibility into a company's ESG activities, enabling them to align investments to their values and avoid companies that cause damage to the environment or are offside on social and governance issues.
Despite the growing practice of ESG reporting, reporting standards and frameworks are still evolving and the regulatory approach for climate-related disclosure is inconsistent across jurisdictions, making it challenging for organizations to develop a robust reporting program.
“Environmental, social and governance (ESG) commitments are at the core a data problem.”
Source: EY, 2022
Despite the commitment to support an ESG initiative, less than a quarter of IT professionals say their organization can accurately report on the impact of its ESG initiatives, and 44% say their reporting on impacts is not accurate.
Reporting accuracy was even worse for carbon footprint, with 46% saying their organization could not report on its carbon footprint accurately. This is despite most IT professionals saying they are working to support environmental mandates.
Country Sustainability Scores (CSR) as of October 2021
Scores range from 1 (poor) to 10 (best)
Source: Robeco, 2021
Finland has ranked consistently as a leading sustainability performer in recent years. Finland's strongest ESG pillar is the environment, and its environmental ranking of 9.63/10 is the highest out of all 150 countries.
Brazil, France, and India are among the countries whose ESG score rankings have deteriorated significantly in the past three years.
Increasing political tensions and risks as well as aftershock effects of the COVID-19 pandemic (e.g. high inequality and insufficient access to healthcare and education) have severely impacted Brazil’s performance across the governance and social pillars of the ESG framework, ultimately causing its overall ESG score to drop to a CSR value of 5.31.
Canada has received worse scores for corruption, political risk, income inequality, and poverty over the past three years.
Taiwan has seen its rankings improve in terms of overall ESG scores. Government effectiveness, innovation, a strong semiconductor manufacturing market presence, and stronger governance initiatives have been sufficient to compensate for a setback in income and economic inequality.
Source: Robeco, 2021
Business Benefits
IT Benefits
Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:
Key deliverable: Executive Presentation
Leverage this presentation deck to improve corporate performance by implementing a holistic and proactive ESG reporting program.
Workbook
As you work through the activities, use this workbook to document decisions and rationale and to sketch your materiality map.
Implementation Plan
Use this implementation plan to address organizational, technology, and tooling gaps.
RFP Template
Leverage Info-Tech’s RFP Template to source vendors to fill technology gaps.
DIY Toolkit
"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."
Guided Implementation
"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."
Workshop
"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."
Consulting
"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is 8 to 12 calls over the course of 4 to 6 months.
| | Day 1 | Day 2 | Day 3 | Day 4 | Day 5 |
|---|---|---|---|---|---|
| Activities | Determine Material ESG Factors: 1.1 Review ESG drivers. | Define Performance and Reporting Metrics: 2.1 Understand common program metrics for each ESG component. | Assess Data and Implementation Gaps: 3.1 Assess magnitude and prioritize data gaps. | Software and Tooling Options: 4.1 Review technology options. | Next Steps and Wrap-Up (offsite): 5.1 Complete in-progress deliverables from previous four days. |
| Deliverables | 1. Customized list of key stakeholders and material ESG risks | 1. SMART metrics | 1. High-priority data gaps | 1. Technology and tooling opportunities | 1. ESG Reporting Workbook |
Contact your account representative for more information.
workshops@infotech.com
1-888-670-8889
This phase will walk you through the following:
This phase involves the following participants: CIO, CCO, CSO, business leaders, legal, marketing and communications, head of ESG reporting, and any dedicated ESG team members
Measuring and tracking incremental change among dimensions such as carbon emissions reporting, governance, and diversity, equity, and inclusion (DEI) requires organizations to acquire, analyze, and synthesize data from beyond their internal organizational ecosystems.
This section will walk you through some key considerations for establishing your ESG reporting strategy. The first step in this process is to identify the scope of your reporting program.
Evaluate your stakeholder landscape
Consider each of these areas of the ESG Stakeholder Wheel and identify your stakeholders. Once stakeholders are identified, consider how the ESG factors might be perceived by delving into the ESG factors that matter to each stakeholder and what drives their behavior.
Determine ESG impact on stakeholders
Review materiality assessment frameworks for your industry to surface ESG factors for your segment and stakeholder group(s).
Perform research and analysis of the competition and stakeholder trends, patterns, and behavior.
Support your findings with stakeholder interviews.
27%: Support for social and environmental proposals at shareholder meetings of US companies rose to 27% in 2020 (up from 21% in 2017).
Source: Sustainable Investments Institute, 2020.
79%: of investors consider ESG risks and opportunities an important factor in investment decision making.
Source: “Global Investor Survey,” PwC, 2021.
33%: of survey respondents cited that a lack of attention or support from senior leadership was one of the major barriers preventing their companies from making any progress on ESG issues.
Source: “Consumer Intelligence Survey,” PwC, 2021.
To succeed with ESG reporting it is essential to understand who we hold ourselves accountable to and to focus ESG efforts in areas with the optimal balance between people, the planet, and profits.
Input: Internal documentation (e.g. strategy, annual reports), ESG Stakeholder Wheel
Output: List of key stakeholders and applicable ESG factors
Materials: Whiteboard/flip charts, ESG Reporting Workbook
Participants: Chief Sustainability Officer, Chief Compliance Officer, Head of ESG Reporting, Business leaders
Download the ESG Reporting Workbook
The concept of materiality as it relates to ESG is the process of gaining different perspectives on ESG issues and risks that may have significant impact (both positive and negative) on or relevance to company performance.
The objective of a materiality assessment is to identify material ESG issues most critical to your organization by looking at a broad range of social and environmental factors. Its purpose is to narrow strategic focus and enable an organization to assess the impact of financial and non-financial risks aggregately.
It helps to make the case for ESG action and strategy, assess financial impact, get ahead of long-term risks, and inform communication strategies.
Organizations can use assessment tools from Sustainalytics or GRI, SASB Standards, or guidance and benchmarking information from industry associations to help assess ESG risks.
The materiality assessment informs your risk management approach. Material ESG risks identified should be integrated into your organization’s risk reporting framework.
How you communicate the results of your ESG assessment may vary depending on whether you’re communicating to internal or external stakeholders and their communication delivery preferences.
Using the results from your materiality assessment, narrow down your key stakeholders list. Enhance your strategy for disclosure and performance measurement through direct and indirect stakeholder engagement. Decide on the most suitable format to reach out to these stakeholders. Smaller groups lend themselves to interviews and forums, while surveys and questionnaires work well for larger groups. Develop relevant questions tailored to your company and the industry and geography you are in. Once you receive the results, decide how and when you will communicate them. Determine how they will be used to inform your strategy.
Step 1: Select framework
Review reporting frameworks and any industry guidance and select a baseline reporting framework to begin your materiality assessment.
Step 2: Begin to narrow down
Work with stakeholders to narrow down your list to a shortlist of high-priority material ESG issues.
Step 3: Consolidate and group
Group ESG issues under ESG components, your company’s strategic goals, or the UN’s Sustainable Development Goals.
Step 4: Rate the risks of ESG factors
Assign an impact and likelihood scale for each risk and assign your risk threshold.
Step 5: Map
Use a material map framework such as GRI or SASB or Info-Tech’s materiality map to visualize your material ESG risks.
The materiality assessment is a strategic tool used to help identify, refine, and assess the numerous ESG issues in the context of your organization.
There is no universally accepted approach to materiality assessments. Although the concept of materiality is often embedded within a reporting standard, your approach to conducting the materiality assessment does not need to link to a specific reporting standard. Rather, it can be used as a baseline to develop your own.
To arrive at the appropriate outcome for your organization, careful consideration is needed to tailor the materiality assessment to meet your organization’s objectives.
When defining the scope of your materiality assessment consider:
Consider your stakeholders and your industry when selecting your materiality assessment tool – this will ensure you provide relevant disclosure information to the stakeholders that need it.
Double materiality is an extension of the financial concept of materiality and considers the broader impact of an organization on the world at large – particularly to people and climate.
Using internal information (e.g. strategy, surveys) and external information (e.g. competitors, industry best practices), create a longlist of ESG issues.
Discuss and narrow down the list. Be sure to consider opportunities – not just material risks!
Group the issues under ESG components or defined strategic goals for your organization. Another option is to use the UN’s Sustainable Development Goals to categorize.
Differentiate ESG factors that you already measure and report.
The benefit of clustering is that it shows related topics and how they may positively or negatively influence one another.
ESG risks are good predictors of future risks and are therefore key inputs to ensure long-term corporate success.
Regardless of the size of your organization, it’s important to build resilience against ESG risks.
To protect an organization against an ESG incident and potential liability risk, ESG risks should be treated like any other risk type and incorporated into risk management and internal reporting practices, including climate scenario analysis.
Some regulated entities will be required to meet climate-related financial disclosure expectations, and sound risk management practices will be prescribed through regulatory guidance. However, all organizations should instill sound risk practices.
ESG risk management done right will help protect against ESG mishaps that can be expensive and damaging while demonstrating commitment to stakeholders that have influence over all corporate performance.
Source: GreenBiz, 2022.
IT has a role to play to provide the underlying data and technology to support good risk decisions.
GRI’s Materiality Matrix
SASB’s Materiality Map
Info-Tech’s Materiality Map
Input: ESG corporate purpose or any current ESG metrics; Customer satisfaction or employee engagement surveys; Materiality assessment tools from SASB, Sustainalytics, GRI, or industry frameworks; Outputs from stakeholder outreach/surveys
Output: Materiality map, a list of material ESG issues
Materials: Whiteboard/flip charts, ESG Reporting Workbook
Participants: Chief Sustainability Officer, Chief Compliance Officer, Head of ESG Reporting, Business leaders, Participants from marketing and communications
Novartis, a leading global healthcare company based in Switzerland, stands out as a leader in providing medical consultancy services to address the evolving needs of patients worldwide. As such, its purpose is to use science and technologically innovative solutions to address some of society’s most debilitating, challenging, and ethically significant healthcare issues.
The application of Novartis’ materiality assessment process in understanding critical ESG topics important to their shareholders, stakeholder groups, and society at large enables the company to better quantify references to its ESG sustainability metrics.
Novartis applies its materiality assessment process to better understand relevant issues affecting its underlying business operations across its entire value chain. Overall, employing Novartis’s materiality assessment process helps the company to better manage its societal, environmental, and economic impacts, thus engaging in more socially responsible governance practices.
In 2021, Novartis completed its most recent materiality assessment. In this engagement, both internal and external stakeholders ranked as important eight clusters that Novartis impacts from an economic, societal, and environmental standpoint. The top four clusters were patient health and safety, access to healthcare, innovation, and ethical business practices.
Another benefit of the materiality assessment is that it helps to make the case for ESG action and provides key information for developing a purpose-led strategy.
An internal ESG strategy should drive toward company-specific goals such as greenhouse gas emission targets, use of carbon-neutral technologies, focus on reusable products, or investment in DEI programs.
Most organizations focus on incremental goals of reducing negative impacts to existing operations or improving the value to existing stakeholders rather than transformative goals.
Yet, a strategy that is authentic and aligned with key stakeholders and long-term goals will bring sustainable value.
The strategy must be supported by an accountability and performance measurement framework such as SMART metrics.
Input: ESG corporate purpose or any current ESG metrics, Outputs from activities 1 and 2, Internally defined metrics (i.e. risk metrics or internal reporting requirements)
Output: SMART metrics
Materials: Whiteboard/flip charts, ESG Reporting Workbook
Participants: Chief Sustainability Officer, Chief Compliance Officer, Chief Risk Officer/risk leaders, Head of ESG Reporting, Business leaders, Participants from marketing and communications
Environmental
Social
Governance
Attach metrics to your goals to gauge the success of the ESG program.
Sample Metrics
High-level overview of reporting requirements:
Refer to your legal and compliance team for the most up-to-date and comprehensive requirements.
The focus of regulators is to move to mandatory reporting of material climate-related financial information.
There is some alignment to the TCFD* framework, but there is a lack of standardization in terms of scope across jurisdictions.
*TCFD is the Task Force on Climate-Related Financial Disclosures.
Input: Corporate strategy documents; Compliance registry or internal governance, risk, and compliance (GRC) tool
Output: A list of regulatory obligations
Materials: Whiteboard/flip charts, ESG Reporting Workbook
Participants: Chief Sustainability Officer, Chief Compliance Officer, Chief Legal Officer, Head of ESG Reporting, Business leaders
Once the scope of your ESG reporting framework has been identified, further assessment is needed to determine program direction and to understand and respond to organizational impact.
Reporting standards are available to enable relevant, high-quality, and comparable information. It’s the job of the reporting entity to decide on the most suitable framework for their organization.
The most established standard for sustainability reporting is the Global Reporting Initiative (GRI), which has supported sustainability reporting for over 20 years.
The Task Force on Climate-Related Financial Disclosures (TCFD) was created by the Financial Stability Board to align ESG disclosure with financial reporting. Many global regulators support this framework.
The International Sustainability Standards Board (ISSB) is developing high-quality, understandable, and enforceable global standards using the Sustainability Accounting Standards Board (SASB) as a baseline. It is good practice to use SASB Standards until the ISSB standards are available.
ESG ratings are provided by third-party agencies and are increasingly being used for financing and transparency to investors. ESG ratings provide both qualitative and quantitative information.
However, there are multiple providers, so organizations need to consider which ones are the most important and how many they want to use.
Some of the most popular rating agencies include Sustainalytics, MSCI, Bloomberg, Moody's, S&P Global, and CDP.
Reference Appendix Below
To meet ESG objectives, corporations are challenged with collecting non-financial data from across functional business and geographical locations and from their supplier base and supply chains.
One of the biggest impediments to ESG implementation is the lack of high-quality data and of mature processes and tools to support data collection.
An important step for delivering reporting requirements is to perform a gap analysis early on to surface gaps in the primary data needed to deliver your reporting strategy.
The output of this exercise will also inform and help prioritize implementation, as it may show that new data sets need to be sourced or tools purchased to collect and aggregate data.
Conduct a gap analysis to determine gaps in primary data
Input: Business (ESG) strategy, Data inventory (if exists), Output from Activity 1: Key stakeholders, Output from Activity 2: Materiality map, Output of Activity 3: SMART metrics, Output of Activity 4: Regulatory obligations
Output: List of high-priority data gaps
Materials: Whiteboard/flip charts, ESG Reporting Workbook
Participants: Chief Sustainability Officer, Chief Compliance Officer, Chief Legal Officer, Head of ESG Reporting, Business leaders, Data analysts
Source: “2023 Canadian ESG Reporting Insights,” PwC.
When implementing an ESG reporting framework, it is important not to implement in silos but to take a strategic approach that considers the evolving nature of ESG and the link to value creation and sound decision making.
“The future of sustainability reporting is digital – and tagged.”
Source: “XBRL Is Coming,” Novisto, 2022.
In the last few years, global regulators have proposed or effected legislation requiring public companies to disclose climate-related information.
Yet according to Info-Tech’s 2023 Trends and Priorities survey, most IT professionals expect to support environmental mandates but are not prepared to accurately report on their organization’s carbon footprint.
IT groups have a critical role to play in helping organizations develop strategic plans to meet ESG goals, measure performance, monitor risks, and deliver on disclosure requirements.
To future-proof your reporting structure, your data should be readable by humans and machines.
eXtensible Business Reporting Language (XBRL) tagging is mandated in several jurisdictions for financial reporting, and several reporting frameworks are adopting XBRL for sustainability reporting so that non-financial and financial disclosure frameworks are aligned.
Example environmental metrics
“59% of businesses only talk about their positive performance, missing opportunities to build trust with stakeholders through balanced and verifiable ESG reporting.”
Source: “2023 Canadian ESG Reporting Insights,” PwC.
To date, regulatory focus has been on climate-related disclosure, although we are beginning to see signals in Europe and the UK that they are turning their attention to social issues.
Social reporting focuses on the socioeconomic impacts of an organization’s initiatives or activities on society (indirect or direct).
The “social” component of ESG can be the most difficult to quantify, but if left unmonitored it can leave your organization open to litigation from consumers, employees, and activists.
Although organizations have been disclosing mandated metrics such as occupational health and safety and non-mandated activities such as community involvement for years, the scope of reporting is typically narrow and hard to measure in financial terms.
This is now changing with the recognition by companies of the value of social reporting to brand image, traceability, and overall corporate performance.
Example social metrics
McDonald’s Corporation is the leading global food service retailer. Its purpose is not only providing burgers to dinner tables around the world but also serving its communities, customers, crew, farmers, franchisees, and suppliers alike. As such, not only is the company committed to having a positive impact on communities and in maintaining the growth and success of the McDonald's system, but it is also committed to conducting its business operations in a way that is mindful of its ESG commitments.
McDonald’s Better Together: Gender Balance & Diversity strategy and Women in Tech initiative
In 2019, MCD launched its Better Together: Gender Balance & Diversity strategy as part of a commitment to improving the representation and visibility of women at all levels of the corporate structure by 2023.
In conjunction with the Better Together strategy, MCD piloted a “Women in Tech” initiative through its education and tuition assistance program, Archways to Opportunity. The initiative enabled women from company-owned restaurants and participating franchisee restaurants to learn skills in areas such as data science, cybersecurity, and artificial intelligence. MCD partnered with Microsoft and Colorado Technical University to carry out the initiative (McDonald’s, 2019).
Both initiatives directly correlate to the “S” of the ESG framework, as the benefits of gender-diverse leadership continue to be paramount in assessing the core strengths of a company’s overarching ESG portfolio. Hence, public companies will continue to face pressure from investors to act in accordance with these social initiatives.
MCD’s Better Together and Women in Tech programs ultimately helped improve recruitment and retention rates among its female employee base. After the initialization of the gender balance and diversification strategy, McDonald’s signed on to the UN Women’s Empowerment Principles to help accelerate global efforts in addressing the gender disparity problem.
Strong governance is a foundational element of an ESG program, yet governance reporting is nascent and is often embedded in umbrella legislation pertaining to a particular risk factor.
A good example of this is the recent proposal by the Securities and Exchange Commission in the US (CFR Parts 229, 232, 239, 240, and 249, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure), which will require public companies to:
The “G” component includes more than traditional governance factors and acts as a catch-all for other important ESG factors such as fraud, cybersecurity, and data hygiene. Make sure you understand how risk may manifest in your organization and put safeguards in place.
Example governance metrics
The "G" in ESG may not be capturing the limelight under ESG legislation yet, but there are key governance factors that are on the regulatory radar, including data, cybersecurity, fraud, and DEI. Be sure you stay on top of these issues and include performance metrics in your internal and external reporting frameworks.
48% of investment decision makers, including 58% of institutional investors, say companies’ self-reported ESG performance data is “much more important” than companies’ conventional financial data when informing their investment decisions (Benchmark ESG, 2021).
Due to the nascent nature of climate-related reporting, data challenges such as the availability, usability, comparability, and workflow integration surface early in the ESG program journey when sourcing and organizing data:
In addition to good, reliable inputs, organizations need to have the infrastructure to access new data sets and convert raw data into actionable insights.
The establishment of a data model and workflow processes to track data lineage is essential to support an ESG program. To be successful, it is critical that flexibility, scalability, and transparency exist in the architectural design. Data architecture must scale to capture rapidly growing volumes of unstructured raw data with the associated file formats.
Download Info-Tech’s Create and Manage Enterprise Data Models blueprint
Building and operating an ESG program requires the execution of a large number of complex tasks.
IT leaders have an important role to play in selecting the right technology approach to support a long-term strategy that will sustain and grow corporate performance.
The decision to buy a vendor solution or build capabilities in-house will largely depend on your organization’s ESG ambitions and the maturity of in-house business and IT capabilities.
For large, heavily regulated entities an integrated platform for ESG reporting can provide organizations with improved risk management and internal controls.
Example considerations when deciding to meet ESG reporting obligations in-house
Executive leadership should take a more holistic and proactive stance, not only accurately reporting on baseline corporate financial metrics but also capturing and disclosing relevant ESG performance metrics to drive alternative streams of valuation across their respective organizational environments.
Input: Business (ESG) strategy, Data inventory (if exists), Asset inventory (if exists), Output from Activity 5
Output: Summary of high-level implementation considerations
Materials: Whiteboard/flip charts, ESG Reporting Workbook
Participants: Chief Sustainability Officer, Head of ESG Reporting, Business leaders, Data analysts, Data and IT architect/leaders
Communication: Teams must have some type of communication strategy. This can be broken into:
Proximity: Distributed teams create complexity as communication can break down. This can be mitigated by:
Trust: Members should trust that other members are contributing to the project and completing their required tasks on time. Trust can be developed and maintained by:
Your communication of ESG performance is intricately linked to corporate value creation. When designing your communications strategy, consider:
A recent BDC survey of 121 large companies and public-sector buyers found that 82% require some disclosure from their suppliers on ESG, and that's expected to grow to 92% by 2024.
Source: BDC, 2023
ESG's link to corporate performance means that organizations must stay on top of ESG issues that may impact the long-term sustainability of their business.
ESG components will continue to evolve, and as they do so will stakeholder views. It is important to continually survey your stakeholders to ensure you are optimally managing ESG risks and opportunities.
To keep ESG on the strategy agenda, we recommend that organizations:
Download The ESG Imperative and Its Impact on Organizations
This phase will walk you through the following activities:
This phase involves the following participants: CIO, CCO, CSO, EA, IT application and data leaders, procurement, business leaders, marketing and communications, head of ESG reporting, and any dedicated ESG team members
Before sourcing any technology, it’s important to have a good understanding of your requirements.
Key elements to consider:
The importance of ESG is something that will need to be considered for most, if not every decision in the future, and having reliable and available information is essential. While the industry will continue to see investment and innovation that drives operational efficiency and productivity, we will also see strong ESG themes in these emerging technologies to ensure they support both sustainable and socially responsible operations.
With the breadth of technology Datamine already has addressing the ESG needs for the mining industry combined with our new technology, our customers can make effective and timely decisions through incorporating ESG data into their planning and scheduling activities to meet customer demands, while staying within the confines of their chosen ESG targets.
Chris Parry
VP of ESG, Datamine
| Technological Solutions Feature Bucket | Basic Feature Description | Advanced Feature Description |
|---|---|---|
| Natural language processing (NLP) tools | Ability to use NLP tools to track and monitor sentiment data from news and social media outlets. | Leveraging NLP toolsets can provide organizations granular insights into workplace sentiment levels, which is a core component of any ESG strategy. A recent study by MarketPsych, a company that uses NLP technologies to analyze sentiment data from news and social media feeds, linked stock price performance to workplace sentiment levels. |
| Distributed ledger technologies (DLTs) | DLTs can help ensure greater reporting transparency, in line with stringent regulatory reporting requirements. | DLT as an ESG enabler, with advanced capabilities such as an option to provide demand response services linked to electricity usage and supply forecasting. |
| Cloud-based data management and reporting systems | Cloud-based data management and reporting can support ESG initiatives by providing increased reporting transparency and a better understanding of diverse social and environmental risks. | Leverage newfound toolsets such as Microsoft Cloud for Sustainability – a SaaS offering that enables organizations to seamlessly record, report, and reduce their emissions on a path toward net zero. |
| IoT technologies | Integration of IoT devices can help enhance the integrity of ESG reporting through the collection of descriptive and accurate ESG metrics (e.g. energy efficiency, indoor air quality, water quality and usage). | Advanced management of real-time occupancy monitoring: for example, the ability to reduce energy consumption rates by ensuring energy is only used when spaces and individual cubicles are occupied. |
In a recent survey of over 1,000 global public- and private-sector leaders, 87% said they see AI as a helpful tool to fight climate change.
Source: Boston Consulting Group
Technology providers are part of the solution and can be leveraged to collect, analyze, disclose, track, and report on the vast amount of data.
Increasingly organizations are using artificial intelligence to build climate resiliency:
And protect organizations from vulnerabilities:
Our definition: ESG reporting software helps organizations improve the transparency and accountability of their ESG program and track, measure, and report their sustainability efforts.
Key considerations for reporting software selection:
Adoption of ESG reporting software has historically been low, but these tools will become critical as organizations strive to meet increasing ESG reporting requirements.
In a recent ESG planning and performance survey conducted by ESG SaaS company Diligent Corporation, it was found that over half of all organizations surveyed do not publish ESG metrics of any kind, and only 9% of participants are actively using software that supports ESG data collection, analysis, and reporting.
Source: Diligent, 2021.
Understanding business needs through requirements gathering is the key to defining everything about what is being purchased. However, it is an area where people often make critical mistakes.
Poorly scoped requirements: Fail to be comprehensive and miss certain areas of scope. Focus on how the solution should work instead of what it must accomplish. Have multiple levels of detail within the requirements that are inconsistent and confusing. Drill all the way down into system-level detail. Add unnecessary constraints based on what is done today rather than focusing on what is needed for tomorrow. Omit constraints or preferences that buyers think are obvious.
Best practices: Get a clear understanding of what the system needs to do and what it is expected to produce. Test against the principle of MECE – requirements should be “mutually exclusive and collectively exhaustive.” Explicitly state the obvious and assume nothing. Investigate what is sold on the market and how it is sold. Use language that is consistent with that of the market and focus on key differentiators – not table stakes. Contain the appropriate level of detail – the level should be suitable for procurement and sufficient for differentiating vendors.
Download Info-Tech's Improve Requirements Gathering blueprint
Central Data Repository: Collection of stored data from existing databases merged into one location that can then be shared, analyzed, or updated.
Automatic Data Collection: Ability to automate data flows, collect responses from multiple sources at specified intervals, and check them against acceptance criteria.
Automatic KPI Calculations, Conversions, and Updates: Company-specific metrics can be automatically calculated, converted, and tracked.
Built-In Indicator Catalogs and Benchmarking: Provides common recognized frameworks or can integrate a catalog of ESG indicators.
Custom Reporting: Ability to create reports on company emissions, energy, and asset data in company-branded templates.
User-Based Access and Permissions: Ability to control access to specific content or data sets based on the end user’s roles.
Real-Time Capabilities: Ability to analyze and visualize data as soon as it becomes available in underlying systems.
Version Control: Tracking of document versions with each iteration of document changes.
Intelligent Alerts and Notifications: Ability to create, manage, send, and receive notifications, enhancing efficiency and productivity.
Audit Trail: View all previous activity including any recent edits and user access.
Encrypted File Storage and Transfer: Ability to encrypt a file before transmitting it over the network to prevent its content from being viewed or extracted.
Input: Business (ESG) strategy, Data inventory (if exists), Asset inventory (if exists), Output from Activity 5, Output from Activity 6
Output: List of tooling options
Materials: Whiteboard/flip charts, ESG Reporting Workbook
Participants: Chief Sustainability Officer, Head of ESG Reporting, Business leaders, Data analysts, Data and IT architect/leaders
Download the ESG Reporting Workbook
Input: Business (ESG) strategy, Output from Activity 5, Output from Activity 6, Output from Activity 7
Output: ESG Reporting Implementation Plan
Materials: Whiteboard/flip charts, ESG Reporting Implementation Plan Template
Participants: Chief Sustainability Officer, Head of ESG Reporting, Business leaders, Data analysts, PMO, Data and IT architect/leaders
Download the ESG Reporting Implementation Plan Template
Input: Business (ESG) strategy, ESG Reporting Workbook, ESG reporting implementation plan
Output: ESG Reporting Presentation Template
Materials: Whiteboard/flip charts, ESG Reporting Presentation Template, Internal communication templates
Participants: Chief Sustainability Officer, Head of Marketing/Communications, Business leaders, PMO
Since a purpose-driven ESG program presents a significant change in how organizations operate, the goals and intentions need to be understood throughout the organization. Once you have developed your ESG reporting strategy, it is important that it is communicated, understood, and accepted. Use the ESG Reporting Presentation Template as a guide to deliver your story.
Download the ESG Reporting Presentation Template
This phase will provide additional material on Info-Tech’s expertise in the following areas:
Review Info-Tech’s process and understand how you can prevent your organization from leaking negotiation leverage while preventing vendors from taking control of your RFP.
Expert Analyst Guidance over 5 weeks on average to select and negotiate software.
Save Money, Align Stakeholders, Speed Up the Process & Make Better Decisions.
Use a Repeatable, Formal Methodology to improve your application selection process.
Better, Faster Results, guaranteed, included in membership.
You may be faced with multiple products, services, master service agreements, licensing models, service agreements, and more.
Use the Contract Review Service to gain insights on your agreements.
Consider the aspects of a contract review:
Validate that a contract meets IT’s and the business’ needs by looking beyond the legal terminology. Use a practical set of questions, rules, and guidance to improve your value for dollar spent.
Download blueprint Master Contract Review and Negotiation for Software Agreements
The purpose of this section is to showcase various vendors and companies that provide software solutions to help users manage and prioritize their ESG reporting initiatives.
This section showcases the core capabilities of each software platform to provide Info-Tech members with industry insights regarding some of the key service providers that operate within the ESG vendor market landscape.
Info-Tech members who are concerned with risks stemming from the inability to sort and disseminate unstructured ESG data reporting metrics or interested in learning more about software offerings that can help automate the data collection, processing, and management of ESG metrics will find high-level insights into the ESG vendor market space.
The establishment of the Datamine ESG unit comes at the same time the mining sector is showing an increased interest in managing ESG and its component systems as part of a single scope.
With miners collecting and dealing with ever-increasing quantities of data and looking for ways to leverage it to make data-driven decisions that enhance risk management and increase profitability, integrated software solutions are – now more than ever – essential in supporting continuous improvement and maintaining data fidelity and data integrity across the entire mining value chain.
Key Features:
Benchmark ESG provides industry-leading ESG data management and reporting software that can assist organizations in managing operational risk and compliance, sustainability, product stewardship, and ensuring responsible sourcing across complex global operations.
Key Features:
PwC’s ESG Management Solution provides quick insights into ways to improve reporting transparency surrounding your organization’s ESG commitments.
According to PwC’s most recent CEO survey, the number one motivator for CEOs in mitigating climate change risks is their own desire to help solve this global problem and drive transparency with stakeholders.
Source: “Annual Global CEO Survey,” PwC, 2022.
Key Features:
ServiceNow ESG Management (ESGM) and reporting platform helps organizations transform the way they manage, visualize, and report on issues across the ESG spectrum.
The platform automates the data collection process and the organization and storage of information in an easy-to-use system. ServiceNow’s ESGM solution also develops dashboards and reports for internal user groups and ensures that external disclosure reports are aligned with mainstream ESG standards and frameworks.
We know that doing well as a business is about more than profits. One workflow at a time, we believe we can change the world – to be more sustainable, equitable, and ethical.
Source: ServiceNow, 2021.
Key Features:
The ESG Imperative and Its Impact on Organizations: Use this blueprint to educate yourself on ESG factors and the broader concept of sustainability. Identify changes that may be needed in your organizational operating model, strategy, governance, and risk management approach. Learn about Info-Tech’s ESG program approach and use it as a framework to begin your ESG program journey.
Private Equity and Venture Capital Growing Impact of ESG Report: Increasingly, new capital has a social mandate attached to it due to the rise of ESG investment principles. Learn about how the growing impact of ESG affects both your organization and IT specifically, including challenges and opportunities, with expert assistance.
Terms | Definition
Corporate Social Responsibility | Management concept whereby organizations integrate social and environmental concerns in their operations and interactions with their stakeholders.
Chief Sustainability Officer | Steers sustainability commitments, helps with compliance, and helps ensure internal commitments are met. Responsibilities may extend to acting as a liaison with government and public affairs, fostering an internal culture, acting as a change agent, and leading delivery.
ESG | An acronym that stands for environment, social, and governance. These are the three components of a sustainability program.
ESG Standard | Contains detailed disclosure criteria including performance measures or metrics. Standards provide clear, consistent criteria and specifications for reporting. Typically created through a consultation process.
ESG Framework | A broad contextual model for information that provides guidance and shapes the understanding of a certain topic. It sets direction but does not typically delve into the methodology. Frameworks are often used in conjunction with standards.
ESG Factors | The factors or issues that fall under the three ESG components. Measures the sustainability performance of an organization.
ESG Rating | An aggregated score based on the magnitude of an organization’s unmanaged ESG risk. Ratings are provided by third-party rating agencies and are increasingly being used for financing, transparency to investors, etc.
ESG Questionnaire | ESG surveys or questionnaires are administered by third parties and used to assess an organization’s sustainability performance. Participation is voluntary.
Key Risk Indicator (KRI) | A measure to indicate the potential presence, level, or trend of a risk.
Key Performance Indicator (KPI) | A measure of deviation from expected outcomes to help a firm see how it is performing.
Materiality | Material topics are topics that have a direct or indirect impact on an organization’s ability to create, preserve, or erode economic, environmental, and social impact for itself and its stakeholders and society as a whole.
Materiality Assessment | A tool to identify and prioritize the ESG issues most critical to the organization.
Risk Sensing | The range of activities carried out to identify and understand evolving sources of risk that could have a significant impact on the organization (e.g. social listening).
Sustainability | The ability of an organization and broader society to endure and survive over the long term by managing adverse impacts well and promoting positive opportunities.
Sustainalytics | Now part of Morningstar. Sustainalytics provides ESG research, ratings, and data to institutional investors and companies.
UN Guiding Principles on Business and Human Rights (UNGPs) | An essential methodological foundation for how impacts across all dimensions should be assessed.
Standard | Definition and focus
CDP | CDP has created standards and metrics for comparing sustainability impact. Focuses on environmental data (e.g. carbon, water, and forests) and on data disclosure and benchmarking. Audience: All stakeholders
Dow Jones Sustainability Indices (DJSI) | Heavy on corporate governance and company performance. Equal balance of economic, environmental, and social. Audience: All stakeholders
Global Reporting Initiative (GRI) | International standards organization that has a set of standards to help organizations understand and communicate their impacts on climate change and social responsibility. The standard has a strong emphasis on transparency and materiality, especially on social issues. Audience: All stakeholders
International Sustainability Standards Board (ISSB) | Standard-setting board that sits within the International Financial Reporting Standards (IFRS) Foundation. The IFRS Foundation is a not-for-profit, public-interest organization established to develop high-quality, understandable, enforceable, and globally accepted accounting and sustainability disclosure standards. Audience: Investor-focused
United Nations Sustainable Development Goals (SDGs) | Global partnership across sectors and industries that sets out 17 goals to achieve sustainable development for all. Audience: All stakeholders
Sustainability Accounting Standards Board (SASB) | Industry-specific standards to help corporations select topics that may impact their financial performance. Focus on material impacts on financial condition or operating performance. Audience: Investor-focused
Task Force on Climate-Related Financial Disclosures (TCFD; created by the Financial Stability Board) | Standards framework focused on the impact of climate risk on financial and operating performance. More broadly the disclosures inform investors of positive and negative measures taken to build climate resilience and make transparent the exposure to climate-related risk. Audience: Investors, financial stakeholders
"2021 Global Investor Survey: The Economic Realities of ESG." PwC, Dec. 2021. Accessed May 2022.
"2023 Canadian ESG Reporting Insights." PwC, Nov. 2022. Accessed Dec. 2022.
Althoff, Judson. "Microsoft Cloud for Sustainability: Empowering Organizations On Their Path To Net Zero." Microsoft Blog, 14 July 2021. Accessed May 2022.
"Balancing Sustainability and Profitability." IBM, Feb. 2022. Accessed June 2022.
"Beyond Compliance: Consumers and Employees Want Business to Do More on ESG." PwC, Nov. 2021. Accessed July 2022.
Bizo, Daniel. "Multi-Tenant Datacenters and Sustainability: Ambitions and Reality." S&P Market Intelligence, Sept. 2020. Web.
Bolden, Kyle. "Aligning nonfinancial reporting with your ESG strategy to communicate long-term value." EY, 18 Dec. 2020. Web.
Carril, Christopher, et al. "Looking at Restaurants Through an ESG Lens: ESG Stratify – Equity Research Report." RBC Capital Markets, 5 Jan. 2021. Accessed June 2022.
"Celebrating and Advancing Women." McDonald’s, 8 March 2019. Web.
Clark, Anna. "Get your ESG story straight: A sustainability communication starter kit." GreenBiz, 20 Dec. 2022. Accessed Dec. 2022.
Courtnell, Jane. “ESG Reporting Framework, Standards, and Requirements.” Corporate Compliance Insights, Sept. 2022. Accessed Dec. 2022.
“Country Sustainability Ranking. Country Sustainability: Visibly Harmed by Covid-19.” Robeco, Oct. 2021. Accessed June 2022.
“Defining the ‘G’ in ESG Governance Factors at the Heart of Sustainable Business.” World Economic Forum, June 2022. Web.
“Digital Assets: Laying ESG Foundations.” Global Digital Finance, Nov. 2021. Accessed April 2022.
“Dow Jones Sustainability Indices (DJSI) Index Family.” S&P Global Intelligence, n.d. Accessed June 2022.
"ESG in Your Business: The Edge You Need to Land Large Contracts." BDC, March 2023. Accessed April 2023.
“ESG Performance and Its Impact on Corporate Reputation.” Intelex Technologies, May 2022. Accessed July 2022.
“ESG Use Cases. IoT – Real-Time Occupancy Monitoring.” Metrikus, March 2021. Accessed April 2022.
Fanter, Tom, et al. “The History & Evolution of ESG.” RMB Capital, Dec. 2021. Accessed May 2022.
Flynn, Hillary, et al. “A guide to ESG materiality assessments.” Wellington Management, June 2022. Accessed Sept. 2022.
“From ‘Disclose’ to ‘Disclose What Matters.’” Global Reporting Initiative, Dec. 2018. Accessed July 2022.
“Getting Started with ESG.” Sustainalytics, 2022. Web.
“Global Impact ESG Fact Sheet.” ServiceNow, Dec. 2021. Accessed June 2022.
Gorley, Adam. “What is ESG and Why It’s Important for Risk Management.” Sustainalytics, March 2022. Accessed May 2022.
Hall, Lindsey. “You Need Near-Term Accountability to Meet Long-Term Climate Goals.” S&P Global Sustainable1, Oct. 2021. Accessed April 2022.
Henisz, Witold, et al. “Five Ways That ESG Creates Value.” McKinsey, Nov. 2019. Accessed July 2022.
“Integrating ESG Factors in the Investment Decision-Making Process of Institutional Investors.” OECD iLibrary, n.d. Accessed July 2022.
“Investor Survey.” Benchmark ESG, Nov. 2021. Accessed July 2022.
Jackson, Brian. “Tech Trends 2023.” Info-Tech Research Group, Dec. 2022. Accessed Dec. 2022.
Keet, Lior. “What Is the CIO’s Role in the ESG Equation?” EY, 2 Feb. 2022. Accessed May 2022.
Lev, Helee. “Understanding ESG risks and why they matter.” GreenBiz, June 2022. Accessed Dec. 2022.
Marsh, Chris, and Simon Robinson. “ESG and Technology: Impacts and Implications.” S&P Global Market Intelligence, March 2021. Accessed April 2022.
Martini, A. “Socially Responsible Investing: From the Ethical Origins to the Sustainable Development Framework of the European Union.” Environment, Development and Sustainability, vol. 23, Nov. 2021. Web.
Maher, Hamid, et al. “AI Is Essential for Solving the Climate Crisis.” Boston Consulting Group, 7 July 2022. Web.
“Materiality Assessment. Identifying and Taking Action on What Matters Most.” Novartis, n.d. Accessed June 2022.
Morrow, Doug, et al. “Understanding ESG Incidents: Key Lessons for Investors.” Sustainalytics, July 2017. Accessed May 2022.
“Navigating Climate Data Disclosure.” Novisto, July 2022. Accessed Nov. 2022.
Nuttall, Robin, et al. “Why ESG Scores Are Here to Stay.” McKinsey & Company, May 2020. Accessed July 2022.
“Opportunities in Sustainability – 451 Research’s Analysis of Sustainability Perspectives in the Data Center Industry.” Schneider Electric, Sept. 2020. Accessed May 2022.
Peterson, Richard. “How Can NLP Be Used to Quantify ESG Analytics?” Refinitiv, Feb. 2021. Accessed June 2022.
“PwC’s 25th Annual Global CEO Survey: Reimagining the Outcomes That Matter.” PwC, Jan. 2022. Accessed June 2022.
“SEC Proposes Rules on Cybersecurity, Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies.” Securities and Exchange Commission, 9 May 2022. Press release.
Serafeim, George. “Social-Impact Efforts That Create Real Value.” Harvard Business Review, Sept. 2020. Accessed May 2022.
Sherrie, Gonzalez. “ESG Planning and Performance Survey.” Diligent, 24 Sept. 2021. Accessed July 2022.
“Special Reports Showcase, Special Report: Mid-Year Report on Proposed SEC Rule 14-8 Change.” Sustainable Investments Institute, July 2020. Accessed April 2022.
“State of European Tech. Executive Summary Report.” Atomico, Nov. 2021. Accessed June 2022.
“Top Challenges in ESG Reporting, and How ESG Management Solution Can Help.” Novisto, Sept. 2022. Accessed Nov. 2022.
Vaughan-Smith, Gary. “Navigating ESG data sets and ‘scores’.” Silverstreet Capital, 23 March 2022. Accessed Dec. 2022.
Waters, Lorraine. “ESG is not an environmental issue, it’s a data one.” The Stack, 20 May 2021. Web.
Wells, Todd. “Why ESG, and Why Now? New Data Reveals How Companies Can Meet ESG Demands – And Innovate Supply Chain Management.” Diginomica, April 2022. Accessed July 2022.
“XBRL is coming to corporate sustainability Reporting.” Novisto, Aug. 2022. Accessed Dec. 2022.
Chris Parry
VP of ESG, Datamine
Chris Parry has recently been appointed as the VP of ESG at Datamine Software. Datamine’s dedicated ESG division provides specialized ESG technology for sustainability management by supporting key business processes necessary to drive sustainable outcomes.
Chris has 15 years of experience building and developing business for enterprise applications and solutions in both domestic and international markets.
Chris has a true passion for business-led sustainable development and is focused on helping organizations achieve their sustainable business outcomes through business transformation and digital software solutions.
Datamine’s comprehensive ESG capability supports ESG issues such as the environment, occupational health and safety, and medical health and wellbeing. The tool assists with risk management, stakeholder management and business intelligence.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Standardize your product quality definition and your QA roles, processes, and guidelines according to your business and IT priorities.
Build a solid set of good practices to define your defect tolerances, recognize the appropriate test coverage, and communicate your test results.
Discuss your quality definition and how quality is interpreted from both business and IT perspectives.
Review your case for strengthening your QA practice.
Review the standardization of QA roles, processes, and guidelines in your organization.
Grounded understanding of quality that is accepted across IT and between the business and IT.
Clear QA roles and responsibilities.
A repeatable QA process that is applicable across the delivery pipeline.
1.1 List your QA objectives and metrics.
1.2 Adopt your foundational QA process.
Quality definition and QA objectives and metrics.
QA guiding principles, process, and roles and responsibilities.
Discuss the practices to reveal the sufficient degree of test coverage to meet your acceptance criteria, defect tolerance, and quality definition.
Review the technologies and tools to support the execution and reporting of your tests.
QA practices aligned to industry good practices supporting your quality definition.
Defect tolerance and acceptance criteria defined against stakeholder priorities.
Identification of test scenarios to meet test coverage expectations.
2.1 Define your defect tolerance.
2.2 Model and prioritize your tests.
2.3 Develop and execute your QA activities.
2.4 Communicate your QA activities.
Defect tolerance levels and courses of action.
List of test cases and scenarios that meet test coverage expectations.
Defined test types, environment and data requirements, and testing toolchain.
Test dashboard and communication flow.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Create the foundation that enables management, monitoring, and control of all AI activities within the organization. The AI governance framework will allow you to define an AI risk management approach and a methodology for managing and monitoring the AI/ML models in production.
In recent years, following technological breakthroughs and advances in development of machine learning (ML) models and management of large volumes of data, organizations are scaling their use of artificial intelligence (AI) technologies.
The use of AI and ML has gained momentum as organizations evaluate the potential applications of AI to enhance the customer experience, improve operational efficiencies, and automate business processes. Growing applications of AI have reinforced concerns about ethical, fair, and responsible use of the technology that assists or replaces human decision-making. Implementing AI systems requires careful management of the AI lifecycle, governing data, and machine learning models to prevent unintentional outcomes not only to an organization’s brand reputation but also, more importantly, to workers, individuals, and society. When adopting AI, it is important to have strong ethical and risk management frameworks surrounding its use.
“Responsible AI is the practice of designing, building and deploying AI in a manner that empowers people and businesses, and fairly impacts customers and society – allowing companies to engender trust and scale AI with confidence.” (World Economic Forum)
Source of data: OECD.AI (2021), powered by EC/OECD (2021), database of national AI policies, accessed on 7/09/2022, https://oecd.ai.
To ensure responsible, transparent, and ethical AI systems, organizations will need to review existing risk control frameworks and update them to include AI risk management and impact assessment frameworks and processes.
As ML and AI technologies are constantly evolving, the AI governance and AI risk management frameworks will need to evolve to ensure the appropriate safeguards and controls are in place. This applies not only to the machine learning models and AI systems custom-built by the organization’s data science and AI team but also to AI-powered vendor tools and technologies. The vendors should be able to explain how AI is used in their products, how the model was trained, and what data was used to train the model. AI governance enables management, monitoring, and control of all AI activities within an organization.
Machine learning systems learn from experience and without explicit instructions. They learn patterns from data, then analyze and make predictions based on past behavior and the patterns learned.
Artificial intelligence is a combination of technologies and can include machine learning. AI systems perform tasks that mimic human intelligence, such as learning from experience and problem solving. Most importantly, AI makes its own decisions without human intervention.
We use the definition of data ethics by Open Data Institute: “Data ethics is a branch of ethics that considers the impact of data practices on people, society and the environment. The purpose of data ethics is to guide the values and conduct of data practitioners in data collection, sharing and use.”
Algorithmic or machine bias refers to systematic and repeatable errors in a computer system that create unfair outcomes, such as privileging one arbitrary group of users over others. Algorithmic bias is not a technical problem. It’s a social and political problem, and in the context of implementing AI for business benefits, it’s a business problem.
Download the Mitigate Machine Bias blueprint for a detailed discussion of bias, fairness, and transparency in AI systems.
“Responsible AI is the practice of designing, building and deploying AI in a manner that empowers people and businesses and fairly impacts customers and society – allowing companies to engender trust and scale AI with confidence” (CIFAR).
The AI system is considered trustworthy when people understand how the technology works and when we can assess that it’s safe and reliable. We must be able to trust the output of the system and understand how the system was designed, what data was used to train it, and how it was implemented. Explainable AI, sometimes abbreviated as XAI, refers to the ability to explain how an AI model makes predictions, its anticipated impact, and its potential biases. Transparency means communicating with and empowering users by sharing information internally and with external stakeholders, including beneficiaries and people impacted by the AI-powered product or service.
68% [of Canadians] are concerned they don’t understand the technology well enough to know the risks. 77% say they are concerned about the risks AI poses to society (TD, 2019).
Monitoring
Tools & Technologies
Model Governance
Organization
Structure, roles, and responsibilities of the AI governance organization
Operating Model
Risk and Compliance
Policies and procedures to support implementation of AI governance