Modernize Data Architecture for Measurable Business Results

  • Buy Link or Shortcode: {j2store}387|cart{/j2store}
  • member rating overall impact: 9.5/10 Overall Impact
  • member rating average dollars saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
  • member rating average days saved: Read what our members are saying
  • Parent Category Name: Data Management
  • Parent Category Link: /data-management
  • Data architecture projects have often failed in the past, causing businesses today to view the launch of a new project as a costly initiative with unclear business value.
  • New technologies in big data and analytics are requiring organizations to modernize their data architecture, but most organizations have failed to spend the time and effort refining the appropriate data models and blueprints that enable them to do so.
  • As the benefits for data architecture are often diffused across an organization’s information management practice, it can be difficult for the business to understand the value and necessity of data architecture.

Our Advice

Critical Insight

  • At the heart of tomorrow’s insights-driven enterprises is a modern data environment anchored in fit-for-purpose data architectures.
  • The role of traditional data architecture is transcending beyond organizational boundaries and its focus is shifting from “keeping the lights on” (i.e. operational data and BI) to providing game-changing insights gleaned from untapped big data.

Impact and Result

  • Perform a diagnostic assessment of your present day architecture and identify the capabilities of your future “to be” environment to position your organization to capitalize on new opportunities in the data space.
  • Use Info-Tech’s program diagnostic assessment and guidance for developing a strategic roadmap to support your team in building a fit-for purpose data architecture practice.
  • Create a data delivery architecture that harmonizes traditional and modern architectural opportunities.

Modernize Data Architecture for Measurable Business Results Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should modernize your data architecture, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Develop a data architecture vision

Plan your data architecture project and align it with the business and its strategic vision.

  • Modernize Data Architecture for Measurable Business Results – Phase 1: Develop a Data Architecture Vision
  • Modernize Data Architecture Project Charter
  • Data Architecture Strategic Planning Workbook

2. Assess data architecture capabilities

Evaluate the current and target capabilities of your data architecture, using the accompanying diagnostic assessment to identify performance gaps and build a fit-for-purpose practice.

  • Modernize Data Architecture for Measurable Business Results – Phase 2: Assess Data Architecture Capabilities
  • Data Architecture Assessment and Roadmap Tool
  • Initiative Definition Tool

3. Develop a data architecture roadmap

Translate your planned initiatives into a sequenced roadmap.

  • Modernize Data Architecture for Measurable Business Results – Phase 3: Develop a Data Architecture Roadmap
  • Modernize Data Architecture Roadmap Presentation Template
[infographic]

Workshop: Modernize Data Architecture for Measurable Business Results

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

1 Develop a Data Architecture (DA) Vision

The Purpose

Discuss key business drivers and strategies.

Identify data strategies.

Develop a data architecture vision.

Assess data architecture practice capabilities. 

Key Benefits Achieved

A data architecture vision aligned with the business.

A completed assessment of the organization’s current data architecture practice capabilities.

Identification of "to be" data architecture practice capabilities.

Identification of key gaps. 

Activities

1.1 Explain approach and value proposition

1.2 Discuss business vision and key drivers

1.3 Discover business pain points and needs

1.4 Determine data strategies

1.5 Assess DA practice capabilities

Outputs

Data strategies

Data architecture vision

Current and target capabilities for the modernized DA practice

2 Assess DA Core Capabilities (Part 1)

The Purpose

Assess the enterprise data model (EDM).

Assess current and target data warehouse, BI/analytics, and big data architectures.

Key Benefits Achieved

A completed assessment of the organization’s current EDM, data warehouse, BI and analytics, and big data architectures.

Identification of "to be" capabilities for the organization’s EDM, data warehouse, BI and analytics, and big data architectures.

Identification of key gaps.

Activities

2.1 Present an overarching DA capability model

2.2 Assess current and target EDM capabilities

2.3 Assess current/target data warehouse, BI/analytics, and big data architectures

2.4 Identify gaps and high level strategies

Outputs

Target capabilities for EDM

Target capabilities for data warehouse architecture, BI architecture, and big data architecture

3 Assess DA Core Capabilities (Part 2)

The Purpose

Assess EDM.

Assess current/target MDM, metadata, data integration, and content architectures.

Assess dynamic data models.

Key Benefits Achieved

A completed assessment of the organization’s current MDM, metadata, data integration, and content architectures.

Identification of “to be” capabilities for the organization’s MDM, metadata, data integration, and content architectures.

Identification of key gaps.

Activities

3.1 Present an overarching DA capability model

3.2 Assess current and target MDM, metadata, data integration, and content architectures

3.3 Assess data lineage and data delivery model

3.4 Identify gaps and high level strategies

Outputs

Target capabilities for MDM architecture, metadata architecture, data integration architecture, and document & content architecture

Target capabilities for data lineage/delivery

4 Analyze Gaps and Formulate Strategies

The Purpose

Map performance gaps and document key initiatives from the diagnostic assessment.

Identify additional gaps and action items.

Formulate strategies and initiatives to address priority gaps. 

Key Benefits Achieved

Prioritized gap analysis.

Improvement initiatives and related strategies.

Activities

4.1 Map performance gaps to business vision, pain points, and needs

4.2 Identify additional gaps

4.3 Consolidate/rationalize/prioritize gaps

4.4 Formulate strategies and actions to address gaps

Outputs

Prioritized gaps

Data architecture modernization strategies

5 Develop a Data Architecture Roadmap

The Purpose

Plot initiatives and strategies on a strategic roadmap.

Key Benefits Achieved

A roadmap with prioritized and sequenced initiatives.

Milestone plan.

Executive report. 

Activities

5.1 Transform strategies into a plan of action

5.2 Plot actions on a prioritized roadmap

5.3 Identify and discuss next milestone plan

5.4 Compile an executive report

Outputs

Data architecture modernization roadmap

Data architecture assessment and roadmap report (from analyst team)

Become a Strategic CIO

  • Buy Link or Shortcode: {j2store}80|cart{/j2store}
  • member rating overall impact: 9.5/10 Overall Impact
  • member rating average dollars saved: $10,000 Average $ Saved
  • member rating average days saved: 15 Average Days Saved
  • Parent Category Name: IT Strategy
  • Parent Category Link: /it-strategy
  • As a CIO, you are currently operating in a stable and trusted IT environment, but you would like to advance your role to strategic business partner.
  • CIOs are often overlooked as a strategic partner by their peers, and therefore face the challenge of proving they deserve a seat at the table.

Our Advice

Critical Insight

  • To become a strategic business partner, you must think and act as a business person that works in IT, rather than an IT person that works for the business.
  • Career advancement is not a solo effort. Building relationships with your executive business stakeholders will be critical to becoming a respected business partner.

Impact and Result

  • Create a personal development plan and stakeholder management strategy to accelerate your career and become a strategic business partner. For a CIO to be considered a strategic business partner, he or she must be able to:
    • Act as a business person that works in IT, rather than an IT person that works for the business. This involves meeting executive stakeholder expectations, facilitating innovation, and managing stakeholder relationships.
    • Align IT with the customer. This involves providing business stakeholders with information to support stronger decision making, keeping up with disruptive technologies, and constantly adapting to the ever-changing end-customer needs.
    • Manage talent and change. This involves performing strategic workforce planning, and being actively engaged in identifying opportunities to introduce change in your organization, suggesting ways to improve, and then acting on them.

Become a Strategic CIO Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should become a strategic CIO, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Launch

Analyze strategic CIO competencies and assess business stakeholder satisfaction with IT using Info-Tech's CIO Business Vision Diagnostic and CXO-CIO Alignment Program.

  • Become a Strategic CIO – Phase 1: Launch

2. Assess

Evaluate strategic CIO competencies and business stakeholder relationships.

  • Become a Strategic CIO – Phase 2: Assess
  • CIO Strategic Competency Evaluation Tool
  • CIO Stakeholder Power Map Template

3. Plan

Create a personal development plan and stakeholder management strategy.

  • Become a Strategic CIO – Phase 3: Plan
  • CIO Personal Development Plan
  • CIO Stakeholder Management Strategy Template

4. Execute

Develop a scorecard to track personal development initiatives.

  • Become a Strategic CIO – Phase 4: Execute
  • CIO Strategic Competency Scorecard
[infographic]

Workshop: Become a Strategic CIO

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

1 Assess Competencies & Stakeholder Relationships

The Purpose

Gather and review information from business stakeholders.

Assess strategic CIO competencies and business stakeholder relationships.

Key Benefits Achieved

Gathered information to create a personal development plan and stakeholder management strategy.

Analyzed the information from diagnostics and determined the appropriate next steps.

Identified and prioritized strategic CIO competency gaps.

Evaluated the power, impact, and support of key business stakeholders.

Activities

1.1 Conduct CIO Business Vision diagnostic

1.2 Conduct CXO-CIO Alignment program

1.3 Assess CIO competencies

1.4 Assess business stakeholder relationships

Outputs

CIO Business Vision results

CXO-CIO Alignment Program results

CIO competency gaps

Executive Stakeholder Power Map

2 Take Control of Your Personal Development

The Purpose

Create a personal development plan and stakeholder management strategy.

Track your personal development and establish checkpoints to revise initiatives.

Key Benefits Achieved

Identified personal development and stakeholder engagement initiatives to bridge high priority competency gaps.

Identified key performance indicators and benchmarks/targets to track competency development.

Activities

2.1 Create a personal development plan

2.2 Create a stakeholder management strategy

2.3 Establish key performance indicators and benchmarks/targets

Outputs

Personal Development Plan

Stakeholder Management Strategy

Strategic CIO Competency Scorecard

IBM i Migration Considerations

  • Buy Link or Shortcode: {j2store}109|cart{/j2store}
  • member rating overall impact: N/A
  • member rating average dollars saved: N/A
  • member rating average days saved: N/A
  • Parent Category Name: Strategy and Organizational Design
  • Parent Category Link: /strategy-and-organizational-design

IBM i remains a vital platform and now many CIOs, CTOs, and IT leaders are faced with the same IBM i challenges regardless of industry focus: how do you evaluate the future viability of this platform, assess the future fit and purpose, develop strategies, and determine the future of this platform for your organization?

Our Advice

Critical Insight

For organizations that are struggling with the iSeries/IBM i platform, resourcing challenges are typically the culprit. An aging population of RPG programmers and system administrators means organizations need to be more pro-active in maintaining in-house expertise. Migrating off the iSeries/IBM i platform is a difficult option for most organizations due to complexity, switching costs in the short term, and a higher long-term TCO.

Impact and Result

The most common tactic is for the organization to better understand their IBM i options and adopt some level of outsourcing for the non-commodity platform retaining the application support/development in-house. To make the evident, obvious; the options here for the non-commodity are not as broad as with commodity server platforms. Options include co-location, onsite outsourcing, managed and public cloud services.

IBM i Migration Considerations Research & Tools

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. IBM i Migration Considerations – A brief deck that outlines key migration options for the IBM i platforms.

This project will help you evaluate the future viability of this platform; assess the fit, purpose, and price; develop strategies for overcoming potential challenges; and determine the future of this platform for your organization.

  • IBM i Migration Considerations Storyboard

2. Infrastructure Outsourcing IBM i Scoring Tool – A tool to collect vendor responses and score each vendor.

Use this scoring sheet to help you define and evaluate IBM i vendor responses.

  • Infrastructure Outsourcing IBM i Scoring Tool
[infographic]

Further reading

IBM i Migration Considerations

Don’t be overwhelmed by IBM i migration options.

Executive Summary

Your Challenge

IBM i remains a vital platform and now many CIO, CTO, and IT leaders are faced with the same IBM i challenges regardless of industry focus; how do you evaluate the future viability of this platform, assess the future fit and purpose, develop strategies, and determine the future of this platform for your organization?

Common Obstacles

For organizations that are struggling with the iSeries/IBM i platform, resourcing challenges are typically the culprit. An aging population of RPG programmers and system administrators means organizations need to be more proactive in maintaining in-house expertise. Migrating off the iSeries/IBM i platform is a difficult option for most organizations due to complexity, switching costs in the short term, and a higher long-term TCO.

Info-Tech Approach

The most common tactic is for the organization to better understand its IBM i options and adopt some level of outsourcing for the non-commodity platform, retaining the application support/development in-house. To make the evident, obvious: the options here for the non-commodity are not as broad as with commodity server platforms. Options include co-location, onsite outsourcing, managed hosting, and public cloud services.

Info-Tech Insight

“For over twenty years, IBM was ‘king,’ dominating the large computer market. By the 1980s, the world had woken up to the fact that the IBM mainframe was expensive and difficult, taking a long time and a lot of work to get anything done. Eager for a new solution, tech professionals turned to the brave new concept of distributed systems for a more efficient alternative. On June 21, 1988, IBM announced the launch of the AS/400, their answer to distributed computing.” (Dale Perkins)

Review

We help IT leaders make the most of their IBM i environment.

Problem Statement:

The IBM i remains a vital platform for many businesses and continues to deliver exceptional reliability and performance and play a key role in the enterprise. With the limited resources at hand, CIOs and the like must continually review and understand their migration path with the same regard as any other distributed system roadmap.

This research is designed for:

  • IT strategic direction decision makers
  • IT managers responsible for an existing iSeries or IBM i platform
  • Organizations evaluating platforms for mission-critical applications

This research will help you:

  1. Evaluate the future viability of this platform.
  2. Assess the fit, purpose, and price.
  3. Develop strategies for overcoming potential challenges.
  4. Determine the future of this platform for your organization.

The “fit for purpose” plot

Thought Model

We will investigate the aspect of different IBM i scenarios as they impact business, what that means, and how that can guide the questions that you are asking as you move to an aligned IBM i IT strategy. Our model considers:

  • Importance to Business Outcomes
    • Important to strategic objectives
    • Provides competitive advantage
    • Non-commodity IT service or process
    • Specialized in-house knowledge required
  • Vendor’s Performance Advantage
    • Talent or access to skills
    • Economies of scale or lower cost at scale
    • Access to technology

Info-Tech Insights

With multiple control points to be addressed, care must be taken in simplifying your options while addressing all concerns to ease operational load.

Map different 'IBM i' scenarios with axes 'Importance to Business Outcomes - Low to High' and 'Vendor’s Performance Advantage - Low to High'. Quadrant labels are '[LI/LA] Potentially Outsource: Service management, Help desk, desk-side support, Asset management', '[LI/HA] Outsource: Application & Infra Support, Web Hosting, SAP Support, Email Services, Infrastructure', '[HI/LA] Insource (For Now): Application development tech support', and '[HI/HA] Potentially Outsource: Onshore or offshore application maintenance'.

IBM i environments are challenging

“The IBM i Reality” – Darin Stahl

Most members relying on business applications/workloads running on non-commodity platforms (zSeries, IBM i, Solaris, AIX, etc.) are first motivated to get out from under the perceived higher costs for the hardware platform.

An additional challenge for non-commodity platforms is that from an IT Operations Management perspective they become an island with a diminishing number of integrated operations skills and solutions such as backup/restore and monitoring tools.

The most common tactic is for the organization to adopt some level of outsourcing for the non-commodity platform, retaining the application support and development in-house.

Key challenges with current IBM i environments:
  1. DR Requirements
    Understand what the business needs are and where users and resources are located.
  2. Market Lack of Expertise
    Skilled team members are hard to find.
  3. Cost Management
    There is a perceived cost disadvantage to managing on-prem solutions.
  4. Aging Support Teams
    Current support teams are aging with little backfill in skill and experience.

Understand your options

Co-Location

A customer transitions their hardware environment to a provider’s data center. The provider can then manage the hardware and “system.”

Onsite Outsourcing

A provider will support the hardware/system environment at the client’s site.

Managed Hosting

A customer transitions their legacy application environment to an off-prem hosted, multi-tenanted environment.

Public Cloud

A customer can “re-platform” the non-commodity workload into public cloud offerings or in a few offerings “re-host.”

Co-Location

Provider manages the data center hardware environment.

Abstract

Here a provider manages the system data center environment and hardware; however, the client’s in-house IBM i team manages the IBM i hardware environment and the system applications. The client manages all of the licenses associated with the platform as well as the hardware asset management considerations. This is typically part of a larger services or application transformation. This effectively outsources the data center management while maintaining all IBM i technical operations in-house.

Advantages

  • On-demand bandwidth
  • Cost effective
  • Secure and compliant environment
  • On-demand remote “hands and feet” services
  • Improved IT DR services
  • Data center compliance

Considerations

  • Application transformation
  • CapEx cost
  • Fluctuating network bandwidth costs
  • Secure connectivity
  • Disaster recovery and availability of vendor
  • Company IT DR and BC planning
  • Remote system maintenance (HW)

Info-Tech Insights

This model is extremely attractive for organizations looking to reduce their data center management footprint. Idea for the SMB.

Onsite Sourcing

A provider will support the hardware/system environment at the client’s site.

Abstract

Here a provider will support and manage the hardware/system environment at the client’s site. The provider may acquire the customer’s hardware and provide software licenses. This could also include hiring or “rebadging” staff supporting the platform. This type of arrangement is typically part of a larger services or application transformation. While low risk, it is not as cost-effective as other deployment models.

Advantages

  • Managed environment within company premises
  • Cost effective (OpEx expense)
  • Economies of scale
  • On-demand “as-a-service” model
  • Improved IT DR staffing services
  • 24x7 monitoring and support

Considerations

  • Outsourced IT talent
  • Terms and contract conditions
  • IT staff attrition
  • Increased liability
  • Modified technical support and engagement
  • Secure connectivity and communication
  • Internal problem and change management

Info-Tech Insights

Depending on the application lifecycle and viability, in-house skill and technical depth is a key consideration when developing your IBM i strategy.

Managed Hosting

Transition legacy application environment to an off-prem hosted multi-tenanted environment.

Abstract

This type of arrangement is typically part of an application migration or transformation. In this model, a client can “re-platform” the application into an off-premises-hosted provider platform. This would yield many of the cloud benefits however in a different scaling capacity as experienced with commodity workloads (e.g. Windows, Linux) and the associated application.

Advantages

  • Turns CapEx into OpEx
  • Reduces in-house need for diminishing or scarce human resources
  • Allows the enterprise to focus on the value of the IBM i platform through the reduction of system administrative toil
  • Improved IT DR services
  • Data center compliance

Considerations

  • Application transformation
  • Network bandwidth
  • Contract terms and conditions
  • Modified technical support and engagement
  • Secure connectivity and communication
  • Technical security and compliance
  • Limited providers; reduced options

Info-Tech Insights

There is a difference between a “re-host” and “re-platform” migration strategy. Determine which solution aligns to the application requirements.

Public Cloud

Leverage “public cloud” alternatives with AWS, Google, or Microsoft AZURE.

Abstract

This type of arrangement is typically part of a larger migration or application transformation. While low risk, it is not as cost-effective as other deployment models. In this model, client can “re-platform” the non-commodity workload into public cloud offerings or in a few offerings “re-host.” This would yield many of the cloud benefits however in a different scaling capacity as experienced with commodity workloads (e.g. Windows, Linux).

Advantages

  • Remote workforce accessibility
  • OpEx expense model
  • Improved IT DR services
  • Reduced infrastructure and system administration
  • Vendor management
  • 24x7 monitoring and support

Considerations

  • Contract terms and conditions
  • Modified technical support and engagement
  • Secure connectivity and communication
  • Technical security and compliance
  • Limited providers; reduced options
  • Vendor/cloud lock-in
  • Application migration/”re-platform”
  • Application and system performance

Info-Tech Insights

This model is extremely attractive for organizations that consume primarily cloud services and have a large remote workforce.

Understand your vendors

  • To best understand your options, you need to understand what IBM i services are provided by the industry vendors.
  • Within the following slides, you will find a defined activity with a working template that will create “vendor profiles” for each vendor.
  • As a working example, you can review the following partners:
  • Connectria (United States)
  • Rowton IT Solutions Ltd (United Kingdom)
  • Mid-Range (Canada)

Info-Tech Insights

Creating vendor profiles will help quickly filter the solution providers that directly meet your IBM i needs.

Vendor Profile #1

Rowton IT

Summary of Vendor

“Rowton IT thrive on creating robust and simple solutions to today's complex IT problems. We have a highly skilled and motivated workforce that will guarantee the right solution.

Working with select business partners, we can offer competitive and cost effective packages tailored to suit your budget and/or business requirements.

Our knowledge and experience cover vast areas of IT including technical design, provision and installation of hardware (Wintel and IBM Midrange), technical engineering services, support services, IT project management, application testing, documentation and training.”

IBM i Services

  • ✔ IBM Power Hardware Sales
  • ✔ Co-Managed Services
  • ✔ DR/High Available Config
  • ✔ Full Managed Services
  • ✖ Co-Location Services
  • ✔ Public Cloud Services (AWS)

URL
rowtonit.com

Regional Coverage:
United Kingdom

Logo for RowtonIT.com.

Vendor Profile #2

Connectria

Summary of Vendor

“Every journey starts with a single step and for Connectria, that step happened to be with the world’s largest bank, Deutsche Bank. Followed quickly by our second client, IBM. Since then, we have added over 1,000 clients worldwide. For 25 years, each customer, large or small, has relied on Connectria to deliver on promises made to make it easy to do business with us through flexible terms, scalable solutions, and straightforward pricing. Join us on our journey.”

IBM i Services

  • ✔ IBM Power Hardware Sales
  • ✔ Co-Managed Services
  • ✔ DR/High Available Config
  • ✔ Full Managed Services
  • ✔ Co-Location Services
  • ✔ Public Cloud Services (AWS)

URL
connectria.com

Regional Coverage:
United States

Logo for Connectria.

Vendor Profile #3

Mid-Range

Summary of Vendor

“Founded in 1988 and profitable throughout all of those 31 years, we have a solid track record of success. At Mid-Range, we use our expertise to assess your unique needs, in order to proactively develop the most effective IT solution for your requirements. Our full-service approach to technology and our diverse and in-depth industry expertise keep our clients coming back year after year.

Serving clients across North America in a variety of industries, from small and emerging organizations to large, established enterprises – we’ve seen it all. Whether you need hardware or software solutions, disaster recovery and high availability, managed services or hosting or full ERP services with our JD Edwards offerings – we have the methods and expertise to help.”

IBM i Services

  • ✔ IBM Power Hardware Sales
  • ✔ Co-Managed Services
  • ✔ DR/High Available Config
  • ✔ Full Managed Services
  • ✔ Co-Location Services
  • ✔ Public Cloud Services (AWS)

URL
midrange.ca

Regional Coverage:
Canada

Logo for Mid-Range.

Activity

Understand your vendor options

Activities:
  1. Create your vendor profiles
  2. Score vendor responses
  3. Develop and manage your vendor agenda

This activity involves the following participants:

  • IT strategic direction decision makers
  • IT managers responsible for an existing iSeries or IBM i platform

Outcomes of this step:

  • Vendor Profile Template
  • Completed IT Infrastructure Outsourcing Scoring Tool

Info-Tech Insights

This check-point process creates transparency around agreement costs with the business and gives the business an opportunity to re-evaluate its requirements for a potentially leaner agreement.

1. Create your vendor profiles

Define what you are looking for:

  • Create a vendor profile for every vendor of interest.
  • Leverage our starting list and template to track and record the advantages of each vendor.

Mindshift

First National Technology Solutions

Key Information Systems

MainLine

Direct Systems Support

T-Systems

Horizon Computer Solutions Inc.

Vendor Profile Template

[Vendor Name]

Summary of Vendor

[Vendor Summary]
*Detail the Vendor Services as a Summary*

IBM i Services

  • ✔ IBM Power Hardware Sales
  • ✔ Co-Managed Services
  • ✔ DR/High Available Config
  • ✔ Full Managed Services
  • ✔ Co-Location Services
  • ✔ Public Cloud Services (AWS)
*Itemize the Vendor Services specific to your requirements*

URL
https://www.url.com/
*Insert the Vendor URL*

Regional Coverage:
[Country\Region]
*Insert the Vendor Coverage & Locations*

*Insert the Vendor Logo*

2. Score your vendor responses

Use the IT Infrastructure Outsourcing Scoring Tool to manage vendor responses.
Use Info-Tech’s IT Infrastructure Outsourcing Scoring Tool to systematically score your vendor responses.

The overall quality of the IBM i questions can help you understand what it might be like to work with the vendor.

Consider the following questions:

  • Is the vendor clear about what it’s able to offer? Is its response transparent?
  • How much effort did the vendor put into answering the questions?
  • Does the vendor seem like someone you would want to work with?

Once you have the vendor responses, you will select two or three vendors to continue assessing in more depth leading to an eventual final selection.

Screenshot of the IT Infrastructure Outsourcing Scoring Tool's Scoring Sheet. There are three tables: 'Scoring Scale', 'Results', and one with 'RFP Questions'. Note on Results table says 'Top Scoring Vendors', and note on questions table says 'List your IBM i questions (requirements)'.

Info-Tech Insights

Watch out for misleading scores that result from poorly designed criteria weightings.

3. Develop your vendor agenda

Vendor Conference Call

Develop an agenda for the conference call. Here is a sample agenda:
  • Review the vendor questions.
  • Go over answers to written vendor questions previously submitted.
  • Address new vendor questions.

Commonly Debated Question:
Should vendors be asked to remain anonymous on the call or should each vendor mention their organization when they join the call?

Many organizations worry that if vendors can identify each other, they will price fix. However, price fixing is extremely rare due to its consequences and most vendors likely have a good idea which other vendors are participating in the bid. Another thought is that revealing vendors could either result in a higher level of competition or cause some vendors to give up:

  • A vendor that hears its rival is also bidding may increase the competitiveness of its bid and response.
  • A vendor that feels it doesn’t have a chance may put less effort into the process.
  • A vendor that feels it doesn’t have real competition may submit a less competitive or detailed response than it otherwise would have.

Vendor Workshop

A vendor workshop day is an interactive way to provide context to your vendors and to better understand the vendors’ offerings. The virtual or in-person interaction also offers a great way to understand what it’s like to work with each vendor and decide whether you could build a partnership with them in the long run.

The main focus of the workshop is the vendors’ service solution presentation. Here is a sample agenda for a two-day workshop:

Day 1
  • Meet and greet
  • Welcome presentation with objectives, acquisition strategy, and company overview
  • Overview of the current IT environment, technologies, and company expectations
  • Question and answer session
  • Site walk
Day 2
  • Review Day 1 activities
  • Vendor presentations and solution framing
Use the IT Infrastructure Outsourcing Scoring Tool to manage vendor responses.

Related Info-Tech Research

Effectively Acquire Infrastructure Services
Acquiring a service is like buying an experience. Don’t confuse the simplicity of buying hardware with buying an experience.

Outsource IT Infrastructure to Improve System Availability, Reliability, and Recovery
There are very few IT infrastructure components you should be housing internally – outsource everything else.

Build Your Infrastructure Roadmap
Move beyond alignment: Put yourself in the driver’s seat for true business value.

Define Your Cloud Vision
Make the most of cloud for your organization.

Document Your Cloud Strategy
Drive consensus by outlining how your organization will use the cloud.

Create a Right-Sized Disaster Recovery Plan
Close the gap between your DR capabilities and service continuity requirements.

Create a Better RFP Process
Improve your RFPs to gain leverage and get better results.

Research Authors

Photo of Darin Stahl, Principal Research Advisor, Info-Tech Research Group.Darin Stahl, Principal Research Advisor, Info-Tech Research Group

Principal Research Advisor within the Infrastructure Practice and leveraging 38+ years of experience, his areas of focus include: IT Operations Management, Service Desk, Infrastructure Outsourcing, Managed Services, Cloud Infrastructure, DRP/BCP, Printer Management, Managed Print Services, Application Performance Monitoring (APM), Managed FTP, and non-commodity servers (zSeries, mainframe, IBM i, AIX, Power PC).

Photo of Troy Cheeseman, Practice Lead, Info-Tech Research Group.Troy Cheeseman, Practice Lead, Info-Tech Research Group

Troy has over 24 years of experience and has championed large, enterprise-wide technology transformation programs, remote/home office collaboration and remote work strategies, BCP, IT DRP, IT Operations and expense management programs, international right placement initiatives, and large technology transformation initiatives (M&A). Additionally, he has deep experience working with IT solution providers and technology (cloud) start-ups.

Research Contributors

Photo of Dan Duffy, President & Owner, Mid-Range.Dan Duffy, President & Owner, Mid-Range

Dan Duffy is the President and Founder of Mid-Range Computer Group Inc., an IBM Platinum Business Partner. Dan and his team have been providing the Canadian and American IBM Power market with IBM infrastructure solutions including private cloud, hosting and disaster recovery, high availability and data center services since 1988. He has served on numerous boards and associations including the Toronto Users Group for Mid-Range Systems (TUG), the IBM Business Partners of the Americas Advisory Council, the Cornell Club of Toronto, and the Notre Dame Club of Toronto. Dan holds a Bachelor of Science from Cornell University.

Photo of George Goodall, Executive Advisor, Info-Tech Research Group.George Goodall, Executive Advisor, Info-Tech Research Group

George Goodall is an Executive Advisor in the Research Executive Services practice at Info-Tech Research Group. George has over 20 years of experience in IT consulting, enterprise software sales, project management, and workshop delivery. His primary focus is the unique challenges and opportunities in organizations with small and constrained IT operations. In his long tenure at Info-Tech, George has covered diverse topics including voice communications, storage, and strategy and governance.

Bibliography

“Companies using IBM i (formerly known as i5/OS).” Enlyft, 21 July 2021. Web.

Connor, Clare. “IBM i and Meeting the Challenges of Modernization.” Ensono, 22 Mar. 2022. Web.

Huntington, Tom. “60+ IBM i User Groups and Communities to Join?” HelpSystems, 16 Dec. 2021. Web.

Perkins, Dale. “The Road to Power Cloud: June 21st 1988 to now. The Journey Continues.” Mid-Range, 1 Nov. 2021. Web.

Prickett Morgan, Timothy. “How IBM STACKS UP POWER8 AGAINST XEON SERVERS.” The Next Platform, 13 Oct. 2015. Web.

“Why is AS/400 still used? Four reasons to stick with a classic.” NTT, 21 July 2016. Web.

Appendix

Public Cloud Provider Notes

Appendix –
Cloud
Providers


“IBM Power (IBM i and AIX) workloads are also available in the so-called ‘cloud.’” (Darin Stahl)

AWS

Appendix –
Cloud
Providers



“IBM Power (IBM i and AIX) workloads are also available in the so-called ‘cloud.’” (Darin Stahl)

Google

  • Google Cloud console supports IBM Power Systems.
  • This offering provides cloud instances running on IBM Power Systems servers with PowerVM.
  • The service uses a per-day prorated monthly subscription model for cloud instance plans with different capacities of compute, memory, storage, and network. Standard plans are listed below and custom plans are possible.
  • There is no IBM i offering yet that we are aware of.
  • For AIX on Power, this would appear to be a better option than AWS (Converge Enterprise Cloud with IBM Power for Google Cloud).

Appendix –
Cloud
Providers



“IBM Power (IBM i and AIX) workloads are also available in the so-called ‘cloud.’” (Darin Stahl)

Azure

  • Azure has partners using the Azure Dedicated Host offerings to deliver “native support for IBM POWER Systems to Azure data centres” (PowerWire).
  • Microsoft has installed Power servers in an couple Azure data centers and Skytap manages the IBM i, AIX, and Linux environments for clients.
  • As far as I am aware there is no ability to install IBM i or AIX within an Azure Dedicated Host via the retail interfaces – these must be worked through a partner like Skytap.
  • The cloud route for IBM i or AIX might be the easiest working with Skytap and Azure. This would appear to be a better option than AWS in my opinion.

Appendix –
Cloud
Providers



“IBM Power (IBM i and AIX) workloads are also available in the so-called ‘cloud.’” (Darin Stahl)

IBM

Develop a Plan to Pilot Enterprise Service Management

  • Buy Link or Shortcode: {j2store}279|cart{/j2store}
  • member rating overall impact: N/A
  • member rating average dollars saved: N/A
  • member rating average days saved: N/A
  • Parent Category Name: Service Management
  • Parent Category Link: /service-management
  • Many business groups in the organization are siloed and have disjointed services that lead to a less than ideal customer experience.
  • Service management is too often process-driven and is implemented without a holistic view of customer value.
  • Businesses get caught up in the legacy of their old systems and find it difficult to move with the evolving market.

Our Advice

Critical Insight

  • Customer experience is the new battleground. Parity between products is creating the need to differentiate via customer experience.
  • Don’t forget your employees! Enterprise service management (ESM) is also about delivering exceptional experiences to your employees so they can deliver exceptional services to your customers.
  • ESM is not driven by tools and processes. Rather, ESM is about pushing exceptional services to customers by pulling from organizational capabilities.

Impact and Result

  • Understand ESM concepts and how they can improve customer service.
  • Use Info-Tech’s advice and tools to perform an assessment of your organization’s state for ESM, identify the gaps, and create an action plan to move towards an ESM pilot.
  • Increase business and customer satisfaction by delivering services more efficiently.

Develop a Plan to Pilot Enterprise Service Management Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should move towards ESM, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Understand ESM and get buy-in

Understand the concepts of ESM, determine the scope of the ESM program, and get buy-in.

  • Develop a Plan to Pilot Enterprise Service Management – Phase 1: Understand ESM and Get Buy-in
  • Enterprise Service Management Executive Buy-in Presentation Template
  • Enterprise Service Management General Communications Presentation Template

2. Assess the current state for ESM

Determine the current state for ESM and identify the gaps.

  • Develop a Plan to Pilot Enterprise Service Management – Phase 2: Assess the Current State for ESM
  • Enterprise Service Management Assessment Tool
  • Enterprise Service Management Assessment Tool Action Plan Guide
  • Enterprise Service Management Action Plan Tool

3. Identify ESM pilot and finalize action plan

Create customer journey maps, identify an ESM pilot, and finalize the action plan for the pilot.

  • Develop a Plan to Pilot Enterprise Service Management – Phase 3: Identify ESM Pilot and Finalize Action Plan
  • Enterprise Service Management Customer Journey Map Template
[infographic]

Workshop: Develop a Plan to Pilot Enterprise Service Management

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

1 Understand ESM and Get Buy-In

The Purpose

Understand what ESM is and how it can improve customer service.

Determine the scope of your ESM initiative and identify who the stakeholders are for this program.

Key Benefits Achieved

Understanding of ESM concepts.

Understanding of the scope and stakeholders for your ESM initiative.

Plan for getting buy-in for the ESM program.

Activities

1.1 Understand the concepts and benefits of ESM.

1.2 Determine the scope of your ESM program.

1.3 Identify your stakeholders.

1.4 Develop an executive buy-in presentation.

1.5 Develop a general communications presentation.

Outputs

Executive buy-in presentation

General communications presentation

2 Assess the Current State for ESM

The Purpose

Assess your current state with respect to culture, governance, skills, and tools.

Identify your strengths and weaknesses from the ESM assessment scores.

Key Benefits Achieved

Understanding of your organization’s current enablers and constraints for ESM.

Determination and analysis of data needed to identify strengths or weaknesses in culture, governance, skills, and tools.

Activities

2.1 Understand your organization’s mission and vision.

2.2 Assess your organization’s culture, governance, skills, and tools.

2.3 Identify the gaps and determine the necessary foundational action items.

Outputs

ESM assessment score

Foundational action items

3 Define Services and Create Custom Journey Maps

The Purpose

Define and choose the top services at the organization.

Create customer journey maps for the chosen services.

Key Benefits Achieved

List of prioritized services.

Customer journey maps for the prioritized services.

Activities

3.1 Make a list of your services.

3.2 Prioritize your services.

3.3 Build customer journey maps.

Outputs

List of services

Customer journey maps

Automate Work Faster and More Easily With Robotic Process Automation

  • Buy Link or Shortcode: {j2store}237|cart{/j2store}
  • member rating overall impact: N/A
  • member rating average dollars saved: N/A
  • member rating average days saved: N/A
  • Parent Category Name: Optimization
  • Parent Category Link: /optimization
  • Your organization has many business processes that rely on repetitive, routine manual data collection and processing work, and there is high stakeholder interest in automating them.
  • You’re investigating whether robotic process automation (RPA) is a suitable technological enabler for automating such processes.
  • Being a trending technology, especially with its association with artificial intelligence (AI), there is much marketing fluff, hype, and misunderstanding about RPA.
  • Estimating the potential impact of RPA on business is difficult, as the relevant industry statistics often conflict each other and you aren’t sure how applicable it is to your business.

Our Advice

Critical Insight

  • There are no physical robots in RPA. RPA is about software “bots” that interact with applications as if they were human users to perform routine, repetitive work in your place. It’s for any business in any industry, not just for manufacturing.
  • RPA is lightweight IT; it reduces the cost of entry, maintenance, and teardown of automation as well as the technological requirement of resources that maintain it, as it complements existing automation solutions in your toolkit.
  • RPA is rules-based. While AI promises to relax the rigidity of rules, it adds business risks that are poorly understood by both businesses and subject-matter experts. Rules-based “RPA 1.0” is mature and may pose a stronger business case than AI-enabled RPA.
  • RPA’s sweet spot is “swivel chair automation”: processes that require human workers to act as a conduit between several systems, moving between applications, manually keying, re-keying, copying, and pasting information. A bot can take their place.

Impact and Result

  • Discover RPA and how it differentiates from other automation solutions.
  • Understand the benefits and risks of complementing RPA with AI.
  • Identify existing business processes best suited for automation with RPA.
  • Communicate RPA’s potential business benefits to stakeholders.

Automate Work Faster and More Easily With Robotic Process Automation Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should use RPA to automate routine, repetitive data collection and processing work, review Info-Tech’s methodology, and understand the ways we can support you.

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Discover robotic process automation

Learn about RPA, including how it compares to IT-led automation rooted in business process management practices and the role of AI.

  • Automate Work Faster and More Easily With Robotic Process Automation – Phase 1: Discover Robotic Process Automation
  • Robotic Process Automation Communication Template

2. Identify processes best suited for robotic process automation

Identify and prioritize candidate processes for RPA.

  • Automate Work Faster and More Easily With Robotic Process Automation – Phase 2: Identify Processes Best Suited for Robotic Process Automation
  • Process Evaluation Tool for Robotic Process Automation
  • Minimum Viable Business Case Document
[infographic]

Create a Work-From-Anywhere Strategy

  • Buy Link or Shortcode: {j2store}323|cart{/j2store}
  • member rating overall impact: 9.0/10 Overall Impact
  • member rating average dollars saved: 33 Average Days Saved
  • member rating average days saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
  • Parent Category Name: IT Strategy
  • Parent Category Link: /it-strategy

Work-from-anywhere isn’t going anywhere. During the initial rush to remote work, tech debt was highlighted and the business lost faith in IT. IT now needs to:

  • Rebuild trust with the CXO.
  • Identify gaps created from the COVID-19 rush to remote work.
  • Identify how IT can better support remote workers.

IT went through an initial crunch to enable remote work. It’s time to be proactive and learn from our mistakes.

Our Advice

Critical Insight

  • It’s not about embracing the new normal; it’s about resiliency and long-term success. Your strategy needs to not only provide short-term operational value but also make the organization more resilient for the unknown risks of tomorrow.
  • The nature of work has fundamentally changed. IT departments must ensure service continuity, not for how the company worked in 2019, but for how the company is working now and will be working tomorrow.
  • Ensure short-term survival. Don’t focus on becoming an innovator until you are no longer stuck in firefighting.
  • Aim for near-term innovation. Once you’re a trusted operator, become a business partner by helping the business better adapt business processes and operations to work-from-anywhere.

Impact and Result

Follow these steps to build a work-from-anywhere strategy that resonates with the business:

  • Identify a vision that aligns with business goals.
  • Design the work-from-anywhere value proposition for critical business roles.
  • Benchmark your current maturity.
  • Build a roadmap for bridging the gap.

Benefit employees’ remote working experience while ensuring that IT heads in a strategic direction.

Create a Work-From-Anywhere Strategy Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should create a work-from-anywhere strategy, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Define a target state

Identify a vision that aligns with business goals, not for how the company worked in 2019, but for how the company is working now and will be working tomorrow.

  • Work-From-Anywhere Strategy Template
  • Work-From-Anywhere Value Proposition Template

2. Analyze current fitness

Don’t focus on becoming an innovator until you are no longer stuck in firefighting mode.

3. Build a roadmap for improving enterprise apps

Use these blueprints to improve your enterprise app capabilities for work-from-anywhere.

  • Microsoft Teams Cookbook – Sections 1-2
  • Rationalize Your Collaboration Tools – Phases 1-3
  • Adapt Your Customer Experience Strategy to Successfully Weather COVID-19 Storyboard
  • The Rapid Application Selection Framework Deck

4. Build a roadmap for improving strategy, people & leadership

Use these blueprints to improve IT’s strategy, people & leadership capabilities for work-from-anywhere.

  • Define Your Digital Business Strategy – Phases 1-4
  • Training Deck: Equip Managers to Effectively Manage Virtual Teams
  • Sustain Work-From-Home in the New Normal Storyboard
  • Develop a Targeted Flexible Work Program for IT – Phases 1-3
  • Maintain Employee Engagement During the COVID-19 Pandemic Storyboard
  • Adapt Your Onboarding Process to a Virtual Environment Storyboard
  • Manage Poor Performance While Working From Home Storyboard
  • The Essential COVID-19 Childcare Policy for Every Organization, Yesterday Storyboard

5. Build a roadmap for improving infrastructure & operations

Use these blueprints to improve infrastructure & operations capabilities for work-from-anywhere.

  • Stabilize Infrastructure & Operations During Work-From-Anywhere – Phases 1-3
  • Responsibly Resume IT Operations in the Office – Phases 1-5
  • Execute an Emergency Remote Work Plan Storyboard
  • Build a Digital Workspace Strategy – Phases 1-3

6. Build a roadmap for improving IT security & compliance capabilities

Use these blueprints to improve IT security & compliance capabilities for work-from-anywhere.

  • Cybersecurity Priorities in Times of Pandemic Storyboard
  • Reinforce End-User Security Awareness During Your COVID-19 Response Storyboard

Infographic

Workshop: Create a Work-From-Anywhere Strategy

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

1 Define a Target State

The Purpose

Define the direction of your work-from-anywhere strategy and roadmap.

Key Benefits Achieved

Base your decisions on senior leadership and user needs.

Activities

1.1 Identify drivers, benefits, and challenges.

1.2 Perform a goals cascade to align benefits to business needs.

1.3 Define a vision and success metrics.

1.4 Define the value IT brings to work-from-anywhere.

Outputs

Desired benefits for work-from-anywhere

Vision statement

Mission statement

Success metrics

Value propositions for in-scope user groups

2 Review In-Scope Capabilities

The Purpose

Focus on value. Ensure that major applications and IT capabilities will relieve employees’ pains and provide them with gains.

Key Benefits Achieved

Learn from past mistakes and successes.

Increase adoption of resulting initiatives.

Activities

2.1 Review work-from-anywhere framework and identify capability gaps.

2.2 Review diagnostic results to identify satisfaction gaps.

2.3 Record improvement opportunities for each capability.

2.4 Identify deliverables and opportunities to provide value for each.

2.5 Identify constraints faced by each capability.

Outputs

SWOT assessment of work-from-anywhere capabilities

Projects and initiatives to improve capabilities

Deliverables and opportunities to provide value for each capability

Constraints with each capability

3 Build the Roadmap

The Purpose

Build a short-term plan that allows you to iterate on your existing strengths and provide early value to your users.

Key Benefits Achieved

Provide early value to address operational pain points.

Build a plan to provide near-term innovation and business value.

Activities

3.1 Organize initiatives into phases.

3.2 Identify tasks for short-term initiatives.

3.3 Estimate effort with Scrum Poker.

3.4 Build a timeline and tie phases to desired business benefits.

Outputs

Prioritized list of initiatives and phases

Profiles for short-term initiatives

The latest burning platform: Exit Plans in a shifting world

  • Large vertical image:
  • member rating overall impact: N/A
  • member rating average dollars saved: N/A
  • member rating average days saved: N/A
  • Byline body: The new geopolitical reality brings the possibility that we will have to execute our exit plans closer to home. In this research, we delve deeper into exit plans and their implementation and execution.

The current global situation, marked by significant trade tensions and retaliatory measures between major economic powers, has elevated the importance of more detailed, robust, and executable exit plans for businesses in nearly all industries. The current geopolitical headwinds create an unpredictable environment that can severely impact supply chains, technology partnerships, and overall business operations. What was once a prudent measure is now a critical necessity – a “burning platform” – for ensuring business continuity and resilience.

Here I will delve deeper into the essential components of an effective exit plan, outline the practical steps for its implementation, and explain the crucial role of testing in validating its readiness.

exit plan

Continue reading

Streamline Your Workforce During a Pandemic

  • Buy Link or Shortcode: {j2store}515|cart{/j2store}
  • member rating overall impact: N/A
  • member rating average dollars saved: N/A
  • member rating average days saved: N/A
  • Parent Category Name: Lead
  • Parent Category Link: /lead

Reduced infection rates in compromised areas are providing hope that these difficult times will pass. However, organizations are facing harsh realities in real time. With significant reductions in revenue, employers are facing pressure to quickly implement cost-cutting strategies, resulting in mass layoffs of valuable employees.

Our Advice

Critical Insight

Employees are an organization’s greatest asset. When faced with cost-cutting pressures, look for redeployment opportunities that use talent as a resource to get through hard times before resorting to difficult layoff decisions.

Impact and Result

Make the most of your workforce in this unprecedented situation by following McLean & Company’s process to initiate redeployment efforts and reduce costs. If all else fails, follow our guidance on planning for layoffs and considerations when doing so.

Streamline Your Workforce During a Pandemic Research & Tools

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Meet with leadership

Set a strategy with senior leadership, brainstorm underused and understaffed employee segments and departments, then determine an approach to redeployments and layoffs.

  • Streamline Your Workforce During a Pandemic Storyboard
  • Redeployment and Layoff Strategy Workbook

2. Plan individual and department redeployment

Collect key information, prepare and redeploy, and roll up information across the organization.

  • Short-Term Survival Segment Evaluation Tool
  • Skills Inventory for Redeployment Tool
  • Redeployment Action and Communication Plan
  • Crisis Communication Guide for HR
  • Crisis Communication Guide for Leaders
  • Leadership Crisis Communication Guide Template
  • 3i's of Engaging Management – Manager Guide
  • Feedback and Coaching Guide for Managers
  • Redeployment Communication Roll-up Template

3. Plan individual and department layoffs

Plan for layoffs, execute on the layoff plan, and communicate to employees.

  • Employee Departure Checklist Tool
  • 10 Communication Best Practices in the Face of Crisis
  • Termination Logistics Tool
  • Termination Costing Tool
  • COVID-19: Employee-Facing Frequently Asked Questions Template
  • COVID-19: Employee-Facing Frequently Asked Questions
  • Standard Internal Communications Plan

4. Monitor and manage departmental effectiveness

Monitor departmental performance, review organizational performance, and determine next steps.

  • HR Metrics Library
  • Standard HR Scorecard
[infographic]

Beyond Survival

  • Buy Link or Shortcode: {j2store}204|cart{/j2store}
  • member rating overall impact: N/A
  • member rating average dollars saved: N/A
  • member rating average days saved: N/A
  • Parent Category Name: Big Data
  • Parent Category Link: /big-data
  • Consumer, customer, employee, and partner behavior has changed; new needs have arisen as a result of COVID-19. Entire business models had to be rethought and revised – in real time with no warning.
  • And worse, no one knows when (or even if) the pandemic will end. The world and the economy will continue to be highly uncertain, unpredictable, and vulnerable for some time.
  • Business leaders need to continue experimenting to stay in business, protect employees and supply chains, manage financial obligations, allay consumer and employee fears, rebuild confidence, and protect trust.
  • How do organizations know whether their new business tactics are working?

Our Advice

Critical Insight

  • We can learn many lessons from those who have survived and are succeeding.
  • They have one thing in common though – they rely on data and analytics to help people think and know how to respond, evaluate effectiveness of new business tactics, uncover emerging trends to feed innovation, and minimize uncertainty and risk.
  • This mini-blueprint highlights organizations and use cases where data, analytics, and AI deliver tangible business and human value now and in the future.

Impact and Result

  • Learn from the pandemic survivors and super-achievers so that you too can hit the ground running in the new normal. Even better – go beyond survival, like many of them have done. Create your future by leveraging and scaling up your data and analytics investments. It is not (yet) too late, and Info-Tech can help.

Beyond Survival Research & Tools

Beyond Survival

Use data, analytics, and AI to reimagine the future and thrive in the new normal.

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

  • Beyond Survival Storyboard
[infographic]

Knowledge Management

  • Buy Link or Shortcode: {j2store}33|cart{/j2store}
  • Related Products: {j2store}33|crosssells{/j2store}
  • member rating overall impact: 9.0/10
  • member rating average dollars saved: $10,000
  • member rating average days saved: 2
  • Parent Category Name: People and Resources
  • Parent Category Link: /people-and-resources
  • byline: Transfer IT knowledge before it's gone.
Mitigate Key IT Employee Knowledge Loss

Data Architecture

  • Buy Link or Shortcode: {j2store}17|cart{/j2store}
  • Related Products: {j2store}17|crosssells{/j2store}
  • member rating overall impact: 9.5/10
  • member rating average dollars saved: $30,159
  • member rating average days saved: 5
  • Parent Category Name: Data and Business Intelligence
  • Parent Category Link: /data-and-business-intelligence
  • byline: Modernize your data architecture for measurable business value.
Enable the business to achieve operational excellence, client intimacy, and product leadership with an innovative, agile, and fit-for-purpose data architecture practice

Don’t Allow Software Licensing to Derail Your M&A

  • Buy Link or Shortcode: {j2store}135|cart{/j2store}
  • member rating overall impact: N/A
  • member rating average dollars saved: N/A
  • member rating average days saved: N/A
  • Parent Category Name: Vendor Management
  • Parent Category Link: /vendor-management
  • Assuming that all parties are compliant in their licensing is a risky proposition. Most organizations are deficient in some manner of licensing. Know where those gaps are before finalizing M&A activity and have a plan in place to mitigate them right away.
  • Vendors will target companies that have undergone recent M&A activity with an audit. Vendors know that the many moving parts of M&A activity often result in license shortfall, and they may look to capitalize during the transition with audit revenue.
  • New organizational structure can offer new licensing opportunities. Take advantage of the increased volume discounting, negotiation leverage, and consolidation opportunities afforded by a merger or acquisition.

Our Advice

Critical Insight

  • To mitigate risks and create accurate cost estimates, create a contingency fund to compensate for unavailability of information.
  • Gathering and analyzing information is an iterative process that is ongoing throughout due diligence. Update your assumptions, risks, and budget as you obtain new information.
  • Communication with the M&A team and business process owners should be constant throughout due diligence. IT integration does not exist in isolation.

Impact and Result

  • CIOs must be part of the conversation during the exploration/due diligence phase before the deal is closed to examine licensing compliance and software costs that could have a direct result on the valuation of the new organization.
  • Both organizations must conduct thorough due diligence (such as internal SAM audits), analyze the information, and define critical assumptions to create a strategy for the resultant IT enterprise.
  • The IT team is involved in integration, synergy realization, and cost considerations that the business often does not consider or take into account with respect to IT. License transfer, assignability, use, and geographic rights all come into play and can be overlooked.

Don’t Allow Software Licensing to Derail Your M&A Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you shouldn’t allow software licensing to derail your M&A deal, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Understand the M&A process with respect to software licensing

Grasp the key pain points of software licensing and the effects it has on an M&A. Review the benefits of early IT involvement and identify IT’s capabilities.

  • Don’t Allow Software Licensing to Derail Your M&A – Phase 1: M&A Overview
  • M&A Software Asset Maturity Assessment

2. Perform due diligence

Understand the various steps and process when conducting due diligence. Request information and assess risks, make assumptions, and budget costs.

  • Don’t Allow Software Licensing to Derail Your M&A – Phase 2: Due Diligence
  • License Inventory
  • IT Due Diligence Report
  • M&A Software Asset RACI Template

3. Prepare for integration

Take a deeper dive into the application portfolios and vendor contracts of both organizations. Review integration strategies and design the end-state of the resultant organization.

  • Don’t Allow Software Licensing to Derail Your M&A – Phase 3: Pre-Integration Planning
  • Effective Licensing Position Tool
  • IT Integration Roadmap Tool

4. Execute on the integration plan

Review initiatives being undertaken to ensure successful integration execution. Discuss long-term goals and how to communicate with vendors to avoid licensing audits.

  • Don’t Allow Software Licensing to Derail Your M&A – Phase 4: Integration Execution
[infographic]

Workshop: Don’t Allow Software Licensing to Derail Your M&A

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

1 M&A Overview

The Purpose

Identify the goals and objectives the business has for the M&A.

Understand cultural and organizational structure challenges and red flags.

Identify SAM/licensing challenges and red flags.

Conduct maturity assessment.

Clarify stakeholder responsibilities.

Build and structure the M&A team.

Key Benefits Achieved

The capabilities required to successfully examine software assets and licensing during the M&A transaction.

M&A business goals and objectives identified.

IT M&A team selected.

Severity of SAM challenges and red flags examined.

Activities

1.1 Document pain points from previous experience.

1.2 Identify IT opportunities during M&A.

Outputs

M&A Software Asset Maturity Assessment

2 Due Diligence

The Purpose

Take a structured due diligence approach that properly evaluates the current state of the organization.

Review M&A license inventory and use top five vendors as example sets.

Identify data capture and reporting methods/tools.

Scheduling challenges.

Scope level of effort and priority list.

Common M&A pressures (internal/external).

Key Benefits Achieved

A clear understanding of the steps that are involved in the due diligence process.

Recognition of the various areas from which information will need to be collected.

Licensing pitfalls and compliance risks to be examined.

Knowledge of terms and conditions that will limit ability in pre-integration planning.

Activities

2.1 Identify IT capabilities for an M&A.

2.2 Create your due diligence team and assign accountability.

2.3 Use Info-Tech’s IT Due Diligence Report Template to track key elements.

2.4 Document assumptions to back up cost estimates and risk.

Outputs

M&A Software Asset RACI Template

IT Due Diligence Report

3 Pre-Integration Planning

The Purpose

Review and map legal operating entity structure for the resultant organization.

Examine impact on licensing scenarios for top five vendors.

Identify alternative paths and solutions.

Complete license impact for top five vendors.

Brainstorm action plan to mitigate negative impacts.

Discuss and explore the scalable process for second level agreements.

Key Benefits Achieved

Identification of the ideal post-M&A application portfolio and licensing structures.

Recognition of the key considerations when determining the appropriate combination of IT integration strategies.

Design of vendor contracts for the resultant enterprise.

Recognition of how to create an IT integration budget.

Activities

3.1 Work with the senior management team to review how the new organization will operate.

3.2 Document the strategic goals and objectives of IT’s integration program.

3.3 Interview business leaders to understand how they envision their business units.

3.4 Perform internal SAM audit.

3.5 Create a library of all IT processes in the target organization as well as your own.

3.6 Examine staff using two dimensions: competency and capacity.

3.7 Design the end-state.

3.8 Communicate your detailed pre-integration roadmap with senior leadership and obtain sign-off.

Outputs

IT Integration Roadmap Tool

Effective License Position

4 Manage Post-M&A Activities

The Purpose

Finalize path forward for top five vendors based on M&A license impact.

Disclose findings and financial impact estimate to management.

Determine methods for second level agreements to be managed.

Provide listing of specific recommendations for top five list.

Key Benefits Achieved

Initiatives generated and executed upon to achieve the technology end-state of each IT domain.

Vendor audits avoided.

Contracts amended and vendors spoken to.

Communication with management on achievable synergies and quick wins.

Activities

4.1 Identify initiatives necessary to realize the application end-state.

4.2 Identify initiatives necessary to realize the end-state of IT processes.

4.3 Identify initiatives necessary to realize the end-state of IT staffing.

4.4 Prioritize initiatives based on ease of implementation and overall business impact.

4.5 Manage vendor relations.

Outputs

IT Integration Roadmap Tool

Maximize Value From Your Value-Added Reseller (VAR)

  • Buy Link or Shortcode: {j2store}215|cart{/j2store}
  • member rating overall impact: 10.0/10 Overall Impact
  • member rating average dollars saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
  • member rating average days saved: Read what our members are saying
  • Parent Category Name: Vendor Management
  • Parent Category Link: /vendor-management

Organizations need to understand their value-added reseller (VAR) portfolio and the greater VAR landscape to better:

  • Manage the VAR portfolio.
  • Understand additional value each VAR can provide.
  • Maximize existing VAR commitments.
  • Evaluate the VARs’ performance.

Our Advice

Critical Insight

VARs typically charge more for products because they are in some way adding value. If you’re not leveraging any of the provided value, you’re likely wasting money and should use a basic commodity-type reseller for procurement.

Impact and Result

This project will provide several benefits to Vendor Management and Procurement:

  • Defined VAR value and performance tracking.
  • Manageable portfolio of VARs that fully benefit the organization.
  • Added training, licensing advice, faster quoting, and invoicing resolution.
  • Reduced deployment and logistics costs.

Maximize Value From Your Value-Added Reseller (VAR) Research & Tools

Start here – read the Executive Brief

Read our informative Executive Brief to find out why you should maximize value from your value-added reseller, review Info-Tech’s methodology, and understand the three ways to better manage your VARs improve performance and reduce costs.

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Organize and prioritize

Organize all your VARs and create a manageable portfolio detailing their value, specific, product, services, and certifications.

  • Maximize Value From Your Value-Added Reseller – Phase 1: Organize and Prioritize
  • VAR Listing and Prioritization Tool

2. “EvaluRate” your VARs

Create an in-depth evaluation of the VARs’ capabilities.

  • Maximize Value From Your Value-Added Reseller – Phase 2: EvaluRate Your VARs
  • VAR Features Checklist Tool
  • VAR Profile and EvaluRation Tool

3. Consolidate and reduce

Assess each VAR for low performance and opportunity to increase value or consolidate to another VAR and reduce redundancy.

  • Maximize Value From Your Value-Added Reseller – Phase 3: Consolidate and Reduce

4. Maximize their value

Micro-manage your primary VARs to ensure performance to commitments and maximize their value.

  • Maximize Value From Your Value-Added Reseller – Phase 4: Maximize Their Value
  • VAR Information and Scorecard Workbook
[infographic]

Enable Product Delivery – Executive Leadership Workshop

  • Buy Link or Shortcode: {j2store}353|cart{/j2store}
  • member rating overall impact: N/A
  • member rating average dollars saved: N/A
  • member rating average days saved: N/A
  • Parent Category Name: Development
  • Parent Category Link: /development
  • You need to clearly convey the direction and strategy of your product portfolio to gain alignment, support, and funding from your organization.
  • IT organizations are traditionally organized to deliver initiatives in specific periods of time. This conflicts with product delivery, which continuously delivers value over the lifetime of a product.
  • Delivering multiple products together creates additional challenges because each product has its own pedigree, history, and goals.

Our Advice

Critical Insight

  • Empowered product managers and product owners are the key to ensuring your delivery teams are delivering the right value at the right time to the right stakeholders.
  • Establishing operationally aligned product families helps bridge the gap between enterprise priorities and product enhancements.
  • Leadership must be aligned to empower and support Agile values and product teams to unlock the full value realization within your organization.

Impact and Result

  • Common understanding of product management and Agile delivery.
  • Commitment to support and empower product teams.

Enable Product Delivery – Executive Leadership Workshop Research & Tools

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Enabling Product Delivery – Executive workshop to align senior leadership with their transition to product management and delivery.

  • Enabling Product Delivery – Executive Workshop Storyboard

2. Enabling Product Delivery –Executive Workshop Outcomes.

  • Enabling Product Delivery – Executive Workshop Outcomes
[infographic]

Workshop: Enable Product Delivery – Executive Leadership Workshop

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

1 Understanding Your Top Challenges

The Purpose

Understand the drivers for your product transformation.

Key Benefits Achieved

Define the drivers for your transition to product-centric delivery.

Activities

1.1 What is driving your organization to become product focused?

Outputs

List of challenges and drivers

2 Transitioning From Projects to Product-Centric Delivery

The Purpose

Understand the product transformation journey and differences.

Key Benefits Achieved

Identify the cultural, behavioral, and leadership changes needed for a successful transformation.

Activities

2.1 Define the differences between projects and product delivery

Outputs

List of differences

3 Enterprise Agility and the Value of Change

The Purpose

Understand why smaller iterations increase value realization and decrease accumulated risk.

Key Benefits Achieved

Leverage smaller iterations to reduce time to value and accumulated risk to core operations.

Activities

3.1 What is business agility?

Outputs

Common understanding about the value of smaller iterations

4 Defining Products and Product Management in Your Context

The Purpose

Establish an organizational starting definition of products.

Key Benefits Achieved

Tailor product management to meet the needs and vision of your organization.

Activities

4.1 What is a product? Who are your consumers?

4.2 Identify enablers and blockers of product ownership

4.3 Define a set of guiding principles for product management

Outputs

Product definition

List of enablers and blockers of product ownership

Set of guiding principles for product management

5 Connecting Product Management to Agile Practices

The Purpose

Understand the relationship between product management and product delivery.

Key Benefits Achieved

Optimize product management to prioritize the right changes for the right people at the right time.

Activities

5.1 Discussions

Outputs

Common understanding

6 Commit to Empowering Agile Product Teams

The Purpose

Personalize and commit to supporting product teams.

Key Benefits Achieved

Embrace leadership and cultural changes needed to empower and support teams.

Activities

6.1 Your management culture

6.2 Personal Cultural Stop, Start, and Continue

6.3 Now, Next, Later to support product owners

Outputs

Your management culture map

Personal Cultural Stop, Start, and Continue list

Now, Next, Later roadmap

Further reading

Enable Product Delivery – Executive Leadership Workshop

Strengthen product management in your organization through effective executive leadership by focusing on product teams, core capabilities, and proper alignment.

Objective of this workshop

To develop a common understanding and foundation for product management so we, as leaders, better understand how to lead product owners, product managers, and their teams.

Enable Product Delivery - Executive Leadership Workshop

Learn how enterprise agility can provide lasting value to the organization

Clarify your role in supporting your teams to deliver lasting value to stakeholders and customers

  1. Understanding Your Top Challenges
    • Define your challenges, goals, and opportunities Agile and product management will impact.
  2. Transitioning from Projects to Product-centric Delivery
    • Understand the shift from fixed delivery to continuous improvement and delivery of value.
  3. Enterprise Agility and the Value of Change
    • Organizations need to embrace change and leverage smaller delivery cycles.
  4. Defining Your "Products" and Product Management
    • Define products in your culture and how to empower product delivery teams.
  5. Connecting Product Management to Agile Practices
    • Use product ownership to drive increased ROI into your product delivery teams and lifecycles.
  6. Commit to Empowering Agile Product Teams
    • Define the actions and changes you must make for this transformation to be successful.

Your Product Transformation Journey

  1. Make the Case for Product Delivery
    • Align your organization with the practices to deliver what matters most
  2. Enable Product Delivery – Executive Workshop
    • One-day executive workshop – align and prepare your leadership
    • Audience: Senior executives and IT leadership.
      Size: 8-16 people
      Time: 6 hours
  3. Deliver on Your Digital Product Vision
    • Enhance product backlogs, roadmapping, and strategic alignment
    • Audience: Product Owners/Mangers
      Size: 10-20 people
      Time: 3-4 days
  4. Deliver Your Digital Products at Scale
    • Scale Product Families to Align Enterprise Goals
    • Audience: Product Owners/Mangers
      Size: 10-20 people
      Time: 3-4 days
  5. Mature and Scale Product Ownership
    • Align and mature your product owners
    • Audience: Product Owners/Mangers
      Size: 8-16 people
      Time: 2-4 days

Repeat workshops with different companies, operating units, departments, or teams as needed.

What is a workshop?

We WILL ENGAGE in discussions and activities:

  • Flexible, to accommodate the needs of the group.
  • Open forum for discussion and questions.
  • Share your knowledge, expertise, and experiences (roadblocks and success stories).
  • Everyone is part of the process.
  • Builds upon itself.

This workshop will NOT be:

  • A lecture or class.
  • A monologue that never ends.
  • Technical training.
  • A presentation.
  • Us making all the decisions.

Roles within the workshop

We each have a role to play to make our workshop successful!

Facilitators

  • Introduce the best practice framework used by Info-Tech.
  • Ask questions about processes, procedures, and assumptions.
  • Guide for the methodology.
  • Liaison for any other relevant Info-Tech research or services.

Participants

  • Contribute and speak out as much as needed.
  • Provide expertise on the current processes and technology.
  • Ask questions.
  • Provide feedback.
  • Collaborate and work together to produce solutions.

Understanding Your Top Challenges

  • Understanding Your Top Challenges
  • Transitioning From Projects to Product-Centric Delivery
  • Enterprise Agility and the Value of Change
  • Defining Your Products and Product Management
  • Connecting Product Management to Agile Practices
  • Commit to Empowering Agile Product Teams
  • Wrap-Up and Retrospective

Executive Summary

Your Challenge

  • Products are the lifeblood of an organization. They deliver the capabilities needed to deliver value to customers, internal users, and stakeholders.
  • The shift to becoming a product organization is intended to continually increase the value you provide to the broader organization as you grow and evolve.
  • You need to clearly convey the direction and strategy of your product portfolio to gain alignment, support, and funding from your organization.

Common Obstacles

  • IT organizations are traditionally organized to deliver initiatives in specific periods of time. This conflicts with product delivery, which continuously delivers value over the lifetime of a product.
  • Delivering multiple products together creates additional challenges because each product has its own pedigree, history, and goals.
  • Product owners struggle to prioritize changes to deliver product value. This creates a gap and conflict between product and enterprise goals.

Info-Tech's Approach

Info-Tech's approach will guide you through:

  • Understanding the top challenges driving your product initiative.
  • Improving your transitioning from projects to product-centric delivery.
  • Enhancing enterprise agility and the value of change.
  • Defining products and product management in your context.
  • Connecting product management to Agile practices.
  • Committing to empowering Agile Product teams.
This is an image of an Info-Tech Thought Map for Accelerate Your Transition to Product Delivery
This is an image of an Info-Tech Thought Map for Delier on your Digital Product Vision
This is an image of an Info-Tech Thought Map for Deliver Digital Products at Scale via Enterprise Product Families.
This is an image of an Info-Tech Thought Map for What We Mean by an Applcation Department Strategy.

What is driving your organization to become product focused?

30 minutes

  • Team introductions:
    • Share your name and role
    • What are the key challenges you are looking to solve around product management?
    • What blockers or challenges will we need to overcome?

Capture in the Enable Product Delivery – Executive Leadership Workshop Outcomes and Next Steps.

Input

  • Organizational knowledge
  • Goals and challenges

Output

  • List of key challenges
  • List of workshop expectations
  • Parking lot items

Transitioning From Projects to Product-Centric Delivery

  • Understanding Your Top Challenges
  • Transitioning From Projects to Product-Centric Delivery
  • Enterprise Agility and the Value of Change
  • Defining Your Products and Product Management
  • Connecting Product Management to Agile Practices
  • Commit to Empowering Agile Product Teams
  • Wrap-Up and Retrospective

Define the differences between projects and product delivery

30 minutes

  • Consider project delivery and product delivery.
  • Discussion:
    • What are some differences between the two?

Capture in the Enable Product Delivery – Executive Leadership Workshop Outcomes and Next Steps.

Input

  • Organizational knowledge
  • Internal terms and definitions

Output

  • List of differences between projects and product delivery

Define the differences between projects and product delivery

15 minutes

Project Delivery

vs

Product Delivery

Point in time

What is changed

Method of funding changes

Needs an owner

Input

  • Organizational knowledge
  • Internal terms and definitions

Output

  • List of differences between projects and product delivery

Capture in the Enable Product Delivery – Executive Leadership Workshop Outcomes and Next Steps.

Identify the differences between a project-centric and a product-centric organization

Project

Product

Fund Projects

Funding

Fund Products or Teams

Line of Business Sponsor

Prioritization

Product Owner

Makes Specific Changes
to a Product

Product Management

Improve Product Maturity
and Support

Assign People to Work

Work Allocation

Assign Work
to Product Teams

Project Manager Manages

Capacity Management

Team Manages Capacity

Info-Tech Insight

Product delivery requires significant shifts in the way you complete development work and deliver value to your users. Make the changes that support improving end user value and enterprise alignment.

Projects can be a mechanism for funding product changes and improvements

This is an image showing the relationship between the project lifecycle, a hybrid lifecycle, and a product lifecycle.

Projects within products

Regardless of whether you recognize yourself as a "product-based" or "project-based" shop, the same basic principles should apply.

You go through a period or periods of project-like development to build a version of an application or product.

You also have parallel services along with your project development, which encompass the more product-based view. These may range from basic support and maintenance to full-fledged strategy teams or services like sales and marketing.

While Agile and product are intertwined, they are not the same!

Delivering products does not necessarily require an Agile mindset. However, Agile methods help facilitate the journey because product thinking is baked into them.

This image shows the product delivery maturity process from waterfall to continuous integration and delivery.

Product roadmaps guide delivery and communicate your strategy

In Deliver on Your Digital Product Vision, we demonstrate how the product roadmap is core to value realization. The product roadmap is your communicated path, and as a product owner, you use it to align teams and changes to your defined goals while aligning your product to enterprise goals and strategy.

This is an image adapted from Pichler, What is Product Management.

Adapted from: Pichler, "What Is Product Management?"

Info-Tech Insight

The quality of your product backlog – and your ability to realize business value from your delivery pipeline – is directly related to the input, content, and prioritization of items in your product roadmap.

Build a Zero Trust Roadmap

  • Buy Link or Shortcode: {j2store}253|cart{/j2store}
  • member rating overall impact: 9.3/10 Overall Impact
  • member rating average dollars saved: $48,932 Average $ Saved
  • member rating average days saved: 42 Average Days Saved
  • Parent Category Name: Security Strategy & Budgeting
  • Parent Category Link: /security-strategy-and-budgeting
  • Many IT and security leaders struggle to understand zero trust and how best to deploy it with their existing IT resources.
  • The need to move from a perimeter-based approach to security toward an “Always Verify” approach is clear. The path to getting there is complex and expensive.
  • Zero trust as a principle is a moving target due to competing definitions and standards. A strategy that adapts evolving best practices must be supported by business stakeholders.
  • Full zero trust includes many components. Performing an accurate assessment of readiness and benefits to adopt zero trust can be extremely difficult when you don’t know where to start.

Our Advice

Critical Insight

Apply zero trust to key protect surfaces. A successful zero trust strategy should evolve through an iterative and repeatable process by assessing the full spectrum of available technologies to apply zero trust principles to the most relevant protect surfaces.

Impact and Result

Every organization should have a zero trust strategy and the roadmap to deploy it must always be tested and refined. Our unique approach:

  • Assess resources and determine zero trust readiness.
  • Prioritize initiatives and build out roadmap.
  • Deploy zero trust and monitor with zero trust progress metrics.

Build a Zero Trust Roadmap Research & Tools

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Build a Zero Trust Roadmap Deck – The purpose of the storyboard is to provide a detailed description of the steps involving in building a roadmap for implementing zero trust.

The storyboard contains five easy-to-follow steps on building a roadmap for implementing zero trust, from aligning initiatives to business goals to establishing metrics for measuring the progress and effectiveness of a zero trust implementation.

  • Build a Zero Trust Roadmap – Phases 1-5

2. Zero Trust Protect Surface Mapping Tool – A tool to identify key protect surfaces and map them to business goals.

Use this tool to develop your zero trust strategy by having it focus on key protect surfaces that are aligned to the goals of the business.

  • Zero Trust Protect Surface Mapping Tool

3. Zero Trust Program Gap Analysis Tool – A tool to perform a gap analysis between the organization's current implementation of zero trust controls and its desired target state and to build a roadmap to achieve the target state.

Use this tool to develop your zero trust strategy by creating a roadmap that is aligned with the current state of the organization when it comes to zero trust and its desired target state.

  • Zero Trust Program Gap Analysis Tool

4. Zero Trust Candidate Solutions Selection Tool – A tool to identify and evaluate solutions for identified zero trust initiatives.

Use this tool to develop your zero trust strategy by identifying the best solutions for zero trust initiatives.

  • Zero Trust Candidate Solutions Selection Tool

5. Zero Trust Progress Monitoring Tool – A tool to identify metrics to measure the progress and efficiency of the zero trust implementation.

Use this tool to develop your zero trust strategy by identifying metrics that will allow the organization to monitor how the zero trust implementation is progressing, and whether it is proving to be effective.

  • Zero Trust Progress Monitoring Tool

6. Zero Trust Communication Deck – A template to present the zero trust template to key stakeholders.

Use this template to present the zero trust strategy and roadmap to ensure all key elements are captured.

  • Zero Trust Communication Deck

Infographic

Workshop: Build a Zero Trust Roadmap

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

1 Define Business Goals and Protect Surfaces

The Purpose

Align business goals to protect surfaces.

Key Benefits Achieved

A better understanding of how business goals can map to key protect surfaces and their associated DAAS elements.

Activities

1.1 Understand business and IT strategy and plans.

1.2 Define business goals.

1.3 Identify five critical protect surfaces and their associated DAAS elements.

1.4 Map business goals and protect surfaces.

Outputs

Mapping of business goals to key protect surfaces and their associated DAAS elements.

2 Begin Gap Analysis

The Purpose

Identify and define zero trust initiatives.

Key Benefits Achieved

A list of zero trust initiatives to be prioritized and set into a roadmap.

Activities

2.1 Assess current security capabilities and define the zero trust target state for a set of controls.

2.2 Identify tasks to close maturity gaps.

2.3 Assign tasks to zero trust initiatives.

Outputs

Security capabilities current state assessment

Zero trust target state

Tasks to address maturity gaps

3 Complete Gap Analysis

The Purpose

Complete the zero trust gap analysis and prioritize zero trust initiatives.

Key Benefits Achieved

A prioritized list of zero trust initiatives aligned to business goals and key protect surfaces.

Activities

3.1 Align initiatives to business goals and key protect surfaces.

3.2 Conduct cost/benefit analysis on zero trust initiatives.

3.3 Prioritize initiatives.

Outputs

Zero trust initiative list mapped to business goals and key protect surfaces

Prioritization of zero trust initiatives

4 Finalize Roadmap and Formulate Policies

The Purpose

Finalize the zero trust roadmap and begin to formulate zero trust policies for roadmap initiatives.

Key Benefits Achieved

A zero trust roadmap of prioritized initiatives.

Activities

4.1 Define solution criteria.

4.2 Identify candidate solutions.

4.3 Evaluate candidate solutions.

4.4 Finalize roadmap.

4.5 Formulate policies for critical DAAS elements.

4.6 Establish metrics for high-priority initiatives.

Outputs

Zero trust roadmap

Zero trust policies for critical protect surfaces

Method for defining zero trust policies for candidate solutions

Metrics for high-priority initiatives

Further reading

Build a Zero Trust Roadmap

Leverage an iterative and repeatable process to apply zero trust to your organization.

EXECUTIVE BRIEF

Analyst Perspective

Internet is the new corporate network.

For the longest time we have focused on reducing the attack surface to deter malicious actors from attacking organizations, but I dare say that has made these actors scream “challenge accepted.” With sophisticated tools, time, and money in their hands, they have embarrassed even the finest of organizations. A popular hybrid workforce and rapid cloud adoption have introduced more challenges for organizations, as the security and network perimeter have shifted and the internet is now the corporate network. Suffice it to say that a new mindset needs to be adopted to stay on top of the game.

The success of most attacks is tied to denial of service, data exfiltration, and ransom. A shift from focusing on the attack surface to the protect surface will help organizations implement an inside-out architecture that protects critical infrastructure, prevents the success of any attack, makes it difficult to gain access, and links directly to business goals.

Zero trust principles aid that shift across several pillars (Identity, Device, Application, Network, and Data) that make up a typical infrastructure; hence, the need for a zero trust roadmap to accomplish that which we desire for our organization.

Victor Okorie
Senior Research Analyst, Security and Privacy
Info-Tech Research Group

Executive Summary

Your Challenge

  • Many IT and security leaders struggle to understand zero trust and how best to deploy it with their existing IT resources.
  • The need to move from a perimeter-based approach to security toward an “Always Verify” approach is clear. The path to getting there is complex and expensive.

Common Obstacles

  • Zero trust as a principle is a moving target due to competing definitions and standards. A strategy that adapts evolving best practices must be supported by business stakeholders.
  • Full zero trust includes many components. Performing an accurate assessment of readiness and benefits to adopt zero trust can be extremely difficult when you don’t know where to start.

Info-Tech’s Approach

  • Every organization should have a zero trust strategy and the roadmap to deploy it must always be tested and refined.
  • Our unique approach:
    • Assess resources and determine zero trust readiness.
    • Address barriers and identify enablers.
    • Prioritize initiatives and build out roadmap.
    • Identify most appropriate vendors via vendor selection framework.
    • Deploy zero trust and monitor with zero trust progress metrics.

Info-Tech Insight

A successful zero trust strategy should evolve through an iterative and repeatable process by assessing the full spectrum of available technologies to apply zero trust principles to the most relevant protect surfaces.

Your challenge

This research is designed to help organizations:

  • Understand what zero trust is and decide how best to deploy it with their existing IT resources. Zero trust is a set of principles that defaults to the highest level of security; a failed implementation can easily disrupt the business. A pragmatic zero trust implementation must be flexible and adaptable yet maintain a consistent level of protection.
  • Move from a perimeter-based approach to security toward an “Always Verify” approach. The path to getting there is complex without a clear understanding of desired outcomes. Focusing efforts on key protection gaps and leveraging capable controls in existing architecture allows for a repeatable process that carries IT, security, and the business along on the journey.

On this zero trust journey, identify your valuable assets and zero trust controls to protect them.

Top three reasons for building a zero trust strategy

44%

Reduce attacker’s ability to move laterally

44%

Enforce least privilege access to critical resources

41%

Reduce enterprise attack surface

Common obstacles

These barriers make this challenge difficult to address for many organizations:

  • Due to zero trust’s many components, performing an accurate assessment of readiness and benefits to adopt zero trust can be extremely difficult when you don’t know where to start.
    • To feel ready to implement and to understand the benefits of zero trust, IT must first understand what zero trust means to the organization.
  • Zero trust as a set of principles is a moving target, with many developing standards and competing technology definitions. A strategy built around evolving best practices must be supported by related business stakeholders.
    • To ensure support, IT must be able to “sell” zero trust to business stakeholders by illustrating the value zero trust can bring to business objectives.

43%

Organizations with a full implementation of zero trust saved 43% on the costs of data breaches.
(Source: Teramind, 2021)

96%

Zero trust is considered key to the success of 96% of organizations in a survey conducted by Microsoft.
(Source: Microsoft, 2021)

What is zero trust?

It depends on who you ask…

  • Vendors use zero trust as a marketing buzzword.
  • Organizations try to comprehend zero trust in their own limited views.
  • Zero trust regulations/standards are still developing.

“A cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated.”

Source: NIST, SP 800-207: Zero Trust Architecture, 2020

“An evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.”

Source: DOD, Zero Trust Reference Architecture, 2021

“A security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries.”

Source: NSA, Embracing a Zero Trust Security Model, 2021

“Zero trust provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.”

Source: CISA, Zero Trust Maturity Model, 2021

“The foundational tenet of the zero trust model is that no actor, system, network, or service operating outside or within the security perimeter is trusted.”

Source: OMB, Moving the U.S. Government Toward Zero Trust Cybersecurity Principles, 2022

What is zero trust?

From Theoretical to Practical

Zero trust is an ideal in the literal sense of the word, because it is a standard defined by its perfection. Just as nothing in life is perfect, there is no measure that determines an organization is absolutely zero trust. The best organizations can do is improve their security iteratively and get as close to ideal as possible.

In the most current application of zero trust in the enterprise, a zero trust strategy applies a set of principles, including least-privilege access and per-request access enforcement, to minimize compromise to critical assets. A zero trust roadmap is a plan that leverages zero trust concepts, considers relationships between technical elements as well as security solutions, and applies consistent access policies to minimize areas of exposure.

Zero Trust; Identity; Workloads & Applications; Network; Devices; Data

Info-Tech Insight

Solutions offering zero trust often align with one of five pillars. A successful zero trust implementation may involve a combination of solutions, each protecting the various data, application, assets, and/or services elements in the protect surface.

Zero trust business benefits

Reduce business and organizational risk

Reduced business risks as continuous verification of identity, devices, network, applications, and data is embedded in the organizations practice.

36% of data breaches involved internal actors.
Source: Verizon, 2021

Reduce CapEx and OpEx

Reduced CapEx and OpEx due to the scalability, low staffing requirement, and improved time-to-respond to threats.
Source: SecurityBrief - Australia, 2020.

Reduce scope and cost of compliance

Helps achieve compliance with several privacy standards and regulations, improves maturity for cyber insurance premium, and fewer gaps during audits.

Scope of compliance reduced due to segmentation.

Reduce risk of data breach

Reduced risk of data breach in any instance of a malicious attack as there’s no lateral movement, secure segment, and improved visibility.

10% Increase in data breach costs; costs went from $3.86 million to $4.24 million.
Source: IBM, 2021

This is an image of a thought map detailing Info-Tech's Build A Zero Trust Roadmap. The main headings are: Define; Design; Develop; Monitor

Info-Tech’s methodology for Building a Zero Trust Roadmap

1. Define Business Goals and Protect Surfaces

2. Assess Key Capabilities and Identify Zero Trust Initiatives

3. Evaluate Candidate Solutions and Finalize Roadmap

4. Formulate Policies for Roadmap Initiatives

5. Monitor the Zero Trust Roadmap Deployment

Phase Steps

Define business goals

Identify critical DAAS elements

Map business goals to critical DAAS elements
  1. Review the Info-Tech framework
  2. Assess current capabilities and define the zero trust target state
  3. Identify tasks to close gaps
  4. Define tasks and initiatives
  5. Align initiatives to business goals and protect surfaces
  1. Define solution criteria
  2. Identify candidate solutions
  3. Evaluate candidate solutions
  4. Perform cost/benefit analysis
  5. Prioritize initiatives
  6. Finalize roadmap
  1. Formulate policies for critical DAAS elements
  2. Formulate policies to secure a path to access critical DAAS elements
  1. Establish metrics for roadmap tasks
  2. Track and report metrics
  3. Build a communication deck

Phase Outcomes

Mapping of business goals to protect surfaces

Gap analysis of security capabilities

Evaluation of candidate solutions and a roadmap to close gaps

Method for defining zero trust policies for candidate solutions

Metrics for measuring the progress and efficiency of the zero trust implementation

Protect what is relevant

Apply zero trust to key protect surfaces

A successful zero trust strategy should evolve through an iterative and repeatable process by assessing the full spectrum of available technologies to apply zero trust principles to the most relevant protect surfaces.

Align protect surfaces to business objectives

Developing a zero trust roadmap collaboratively with business stakeholders enables alignment with upcoming business priorities and industry trends.

Identify zero trust capabilities

Deriving protect surface elements from business goals reframes how security controls are applied. Assess control effectiveness in this context and identify zero trust capabilities to close any gaps.

Roadmap first, not solution first

Don’t let your solution dictate your roadmap. Define your zero trust solution criteria before engaging in vendor selection.

Create enforceable policies

The success of a zero trust implementation relies on consistent enforcement. Applying the Kipling methodology to each protect surface is the best way to design zero trust policies.

Success should benefit the organization

To measure the efficacy of a zero trust implementation, ensure you know what a successful zero trust implementation means for your organization, and define metrics that demonstrate whether that success is being realized.

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

Key deliverable:

Zero Trust Communication Deck

Present your zero trust strategy in a prepopulated document that summarizes the work you have completed as a part of this blueprint.

Zero Trust Protect Surface Mapping Tool

Identify critical and vulnerable DAAS elements to protect and align them to business goals.

Zero Trust Program Gap Analysis Tool

Perform a gap analysis between current and target states to build a zero trust roadmap.

Zero Trust Candidate Solutions Selection Tool

Determine and evaluate candidate solutions based on defined criteria.

Zero Trust Progress Monitoring Tool

Develop metrics to track the progress and efficiency of the organization’s zero trust implementation.

Blueprint benefits

IT Benefits

  • A mapped transaction flow of critical and vulnerable assets and visibility of where to implement security controls that aligns with the principle of zero trust.
  • Improved security posture across the digital attack surface while focusing on the protect surface.
  • An inside-out architecture that leverages current existing architecture to tighten security controls, is automated, and gives granular visibility.

Business Benefits

  • Reduced business risks as continuous verification of identity, devices, network, applications, and data is embedded in the organization’s practice.
  • Reduced CapEx and OpEx due to the scalability, low staffing requirement, and improved time-to-respond to threats.
  • Helps achieve compliance with several privacy standards and regulations, improves maturity for cyber insurance premium, and fewer gaps during audits.
  • Reduced risk of data breach in any instance of a malicious attack.

Measure the value of this blueprint

Save an average of $1.76 million dollars in the event of a data breach

  • This research set seeks to help organizations develop a mature zero trust implementation which, according to IBM’s “Cost of a Data Breach 2021 Report,” saves organizations an average of $1.76 million in the event of a data breach.
  • Leverage phase 5 of this research to develop metrics to track the implementation progress and efficacy of zero trust tasks.

43%

Organizations with a mature implementation of zero trust saved 43%, or $1.76 million, on the costs of data breaches.
Source: IBM, 2021

In phase 2 of this blueprint, we will help you establish zero trust implementation tasks for your organization.

In phase 3, we will help you develop a game plan and a roadmap for implementing those tasks.

This image contains a screenshot info-tech's methodology for building a zero-trust roadmap, discussed earlier in this blueprint

Executive Brief Case Study

National Aeronautics and Space Administration (NASA)

INDUSTRY: Government

SOURCE: Zero Trust Architecture Technical Exchange Meeting

NASA recognized the potential benefits of both adopting a zero trust architecture (including aligning with OMB FISMA and DHS CDM DEFEND) and improving NASA systems, especially those related to user experience with dynamic access, application security with sole access from proxy, and risk-based asset management with trust score. The trust score is continually evaluated from a combination of static factors, such as credential and biometrics, and dynamic factors, such as location and behavior analytics, to determine the level of access. The enhanced access mechanism is projected on use-case flows of users and external partners to analyze the required initiatives.

The lessons learned in adapting zero trust were:

  • Focus on access to data, assets, applications, and services; and don’t select solutions or vendors too early.
  • Provide support for mobile and external partners.
  • Complete zero trust infrastructure and services design with holistic risk-based management, including network access control with software-defined networking and an identity management program.
  • Develop a zero trust strategy that aligns with mission objectives.

Results

NASA implemented zero trust architecture by leveraging the agency existing components on a roadmap with phases related to maturity. The initial development includes privileged access management, security user behavior analytics, and a proof-of-concept lab for evaluating the technologies.
Case Study Source: NASA, “Planning for a Zero Trust Architecture Target State,” 2019

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Guided Implementation

“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Workshop

“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting

“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostics and consistent frameworks used throughout all four options

Guided Implementation

What does a typical GI on this topic look like?

Phase 1 Phase 2 Phase 3 Phase 4 Phase 5
Call #1:
Scope requirements, objectives, and your specific challenges.

Call #3:
Define current security capabilities and zero trust target state.

Call #5:

Identify and evaluate solution criteria.

Call #7:
Create a process for formulating zero trust policies.

Call #8:
Establish metrics for assessing the implementation and effectiveness of zero trust.

Call #2:
Identify business goals and protect surfaces.

Call #4:
Identify gap-closing tasks and assign to zero trust initiatives.

Call #6:
Prioritize zero trust initiatives.

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is between 8 to 12 calls over the course of 2 to 4 months.

Workshop Overview

Contact your account representative for more information.workshops@infotech.com 1-888-670-8889

Day 1 Day 2 Day 3 Day 4 Day 5

Define Business Goals and Protect Surfaces

Begin Gap Analysis

Complete Gap Analysis

Finalize Roadmap and Formulate Policies

Next Steps and
Wrap-Up (offsite)
Activities

1.1 Understand business and IT strategy and plans.

1.2 Define business goals.

1.3 Identify five critical protect surfaces and their associated DAAS elements.

1.4 Map business goals and protect surfaces.

2.1 Assess current security capabilities and define the zero Trust target state for a set of controls.

2.2 Identify tasks to close maturity gaps.

2.3 Assign tasks to zero trust initiatives.

3.1 Align initiatives to business goals and key protect surfaces.

3.2 Conduct cost/benefit analysis on zero trust initiatives.

3.3 Prioritize initiatives.

4.1 Define solution criteria.

4.2 Identify candidate solutions.

4.3 Evaluate candidate solutions.

4.4 Finalize roadmap.

4.5 Formulate policies for critical DAAS elements.

4.6 Establish metrics for high-priority initiatives.

5.1 Complete in-progress deliverables from previous four days.

5.2 Set up review time for workshop deliverables and to discuss next steps.
Deliverables
  1. 1.Mapping of business goals to key protect surfaces and their associated DAAS elements
  1. Security capabilities current state assessment
  2. Zero trust target state
  3. Tasks to address maturity gaps
  1. Zero trust initiative list mapped to business goals and key protect surfaces
  2. Prioritization of zero trust initiatives
  1. Zero trust roadmap
  2. Zero trust policies for critical protect surfaces
  3. Method for defining zero trust policies for candidate solutions
  4. Metrics for high-priority initiatives
  1. Zero trust roadmap documentation
  2. Mapping of Info-Tech resources against individual initiatives

Phase 1

Define Business Objectives and Protect Surfaces

Build a Zero Trust Roadmap

This phase will walk you through the following activities:

  • Identify and define the business goals.
  • Identify the critical DAAS elements and protect surface.
  • Align the business goals to the protect surface and critical DAAS elements.

This phase involves the following participants:

  • Security Team
  • Business Executives
  • Subject Matter Experts From IT, Finance, HR, Legal, Facilities, Compliance, Audit, Risk Management

Analyze your business goals

Identifying business goals is the first step in aligning your zero trust roadmap with your business’ vision.

  • Security leaders need to understand the direction the business is headed in.
  • Wise security investments depend on aligning your security initiatives to business objectives.
  • Zero trust, and information security at large, should contribute to your organization’s business objectives by supporting operational performance, ensuring brand protection and shareholder value.
    • For example, if the organization is working on a new business initiative that requires the handling of credit card payments, the security organization needs to know as soon as possible to ensure the zero trust architecture will be extended to protect the PCI data and enable the organization to be PCI compliant.

    Info-Tech Insight

    Security and the business need to be in alignment when implementing zero trust. Defining the business goal helps rationalize the need for a zero trust implementation.

1.1 Define your organization’s business goals

Estimated time 1-3 hours

  1. As a group, brainstorm the business goals of the organization.
  2. Review relevant business and IT strategies.
  3. Review the business goal definitions in tab “2. Business Objectives” of the Zero Trust Protect Surface Mapping Tool, including the key goal indicator metrics.
  4. Record the most important business goals in the Business Goal column on tab “3. Protect Surfaces” of the Zero Trust Protect Surface Mapping Tool. Try to limit the number of business goals to no more than five primary goals. This limitation will be critical to help map the protect surface and the zero trust roadmap later.

Input

  • Business and IT strategies

Output

  • Prioritized list of business objectives

Materials

  • Whiteboard/Flip Charts
  • Zero Trust Protect Surface Mapping Tool

Participants

  • Security Team
  • IT Leadership
  • Business Stakeholders
  • Risk Management
  • Compliance
  • Legal

Download the Zero Trust Protect Surface Mapping Tool

Info-Tech Insight

Developing a zero trust roadmap collaboratively with business stakeholders enables alignment with upcoming business priorities and industry trends.

What does zero trust mean for you?

For a successful implementation, focus on your zero trust outcome.

This image describes the Who, What, When, Where, Why, and How for Zero Trust.

Regardless of whether the user is accessing resources internally or externally, zero trust is posed to authenticate, authorize, and continuously verify the security policies and posture before access is granted or denied. Many network architecture can be local, cloud based, or hybrid and with users working from any location, there is no network perimeter as we knew it and the internet is now the corporate network.

Zero trust framework seeks to extend the perimeter-less security to the present digital transformation.

Understand protect surface

Data, Application, Asset, and Services

A protect surface can be described as what’s critical, most vulnerable, or most valuable to your organization. This protect surface could include at least one of the following – data, assets, applications, and services (DAAS) – that requires protection. This is also the area that zero trust policy is aimed to protect. Understanding what your protect surface is can help channel the required energy into protecting that which is crucial to the business, and this aligns with the shift from focusing on the attack surface to narrowing it down to a smaller and achievable area of protection.

Anything and everything that connects to the internet is a potential attack surface and pursuing every loophole will leave us one step behind due to lack of resources. Since a protect surface contains one or more DAAS element, the micro-perimeter is created around it and the appropriate protection is applied around it. As a team, we can ask ourselves this question when thinking of our protect surface: to what degree does my organization want me to secure things? The knowledge of the answer to this question can be tied to the risk tolerance level of the organization and it is only fair for us to engage the business in identifying what the protect surface should be.

Components of a protect surface

  • Data
  • Application
  • Asset
  • Services

Info-Tech Insight

The protect surface is a shift from focusing on the attack surface. DAAS elements show where the initiatives and controls associated with the zero trust pillars (Identity, Devices, Network, Application, and Data) need to be applied.

Sample Scenario

INDUSTRY: Healthcare

SOURCE: Info-Tech Research Group

Illustration

A healthcare provider would consider personal health information a critical resource worthy of being protected against data exfiltration due to a host of reasons including but not limited to privacy regulations, loss of revenue, legal, and reputational loss; hence, this would be considered a protect surface.

  • What is the data that can’t be risked exfiltrated?
  • What application(s) is used to access this data?
  • What assets are used to generate and store the data?
  • What are the services we rely on to be able to access the data?

DAAS Element

  • The data here is the patient information.
  • The application used to access the personal health information would be EPIC, OR list, and any other application used in that organization.
  • The assets used to store the data and generate the PHI would include physical workstations, medical scanners, etc.
  • The services that can be exploited to disrupt the operation or used to access the data would include active directory, single sign-on, etc.

DAAS and Zero Trust Pillar

This granular identification provides an opportunity to not only see what the protect surface and DAAS elements are but also understand where to apply security controls that align with the principle of zero trust as well as how the transaction flows. The application pillar initiatives will provide protection to the EPIC application and the device pillar initiatives will provide protection to the workstations and physical scanners. The identity pillar initiatives will apply protection to the active directory, and single sign-on services. The zero trust pillar initiatives align with the protection of the DAAS elements.

Shift from attack surface to protect surface

This image contains a screenshot of the thought map: Shift from attack surface to protect surface. Go from complex to a micro perimeter approach.

Info-Tech Insight

The protect surface is a shift from focusing on the attack surface as it creates a micro-perimeter for the application of zero trust policies on the system. This drastically reduces the success of an attack whether internally or externally, reduces the attack surface, and is also repeatable.

1.2 Identify critical DAAS elements

Estimated time 1-3 hours

  1. As a group, brainstorm and identify critical, valuable, sensitive assets or resources requiring high availability in the organization. Each DAAS element is part of a protect surface, or sometimes, the DAAS element itself is a protect surface.
  • Data – The sensitive data that poses the greatest risk if exfiltrated or misused. What data needs to be protected?
  • Applications – The applications that use sensitive data or control critical assets. Which applications are critical for your business functions?
  • Assets – Physical or virtual assets, including an organization’s information technology (IT), operational technology (OT), or Internet of Things devices.
  • Services – The services an organization most depends on. Services that can be exploited to disrupt normal IT or business operations.
  • Record the critical DAAS elements and protect surface in their respective columns of the Zero Trust Protect Surface Mapping Tool. Try to limit the number of business goals to no more than five primary protect surfaces to match with the business goals.

    • Download the Zero Trust Protect Surface Mapping Tool

    Input

    • Critical resources to protect
    • Understanding of how they interoperate or connect

    Output

    • Protect surfaces

    Materials

    • Whiteboard/Flip Charts
    • Zero Trust Protect Surface Mapping Tool

    Participants

    • Security Team
    • IT Leadership
    • Business Stakeholders

    1.3 Map business goals to critical DAAS elements

    Estimated time 1-2 hours

    1. The protect surface will be generated from the critical DAAS elements as a standalone protect surface or a group of interconnected DAAS elements merged into one.
    • Each protect surface can be tied back to a business objective.
  • Select from the drop-down list of business objectives the option that fits the identified protect surface as it relates to the organization.
    • Type in your business objectives if the drop-down list does not apply.

    Download the Zero Trust Protect Surface Mapping Tool

    This image contains a screenshot from the Zero Trust Protect Surface Mapping Tool, with the following columns highlighted: Business Goal Name; Protect Surface Name

    Phase 2

    Assess Key Capabilities and Identify Zero Trust Initiatives

    Build a Zero Trust Roadmap

    This phase will walk you through the following activities:

    • Assess the organization’s current capabilities.
    • Define the zero trust target state.
    • Identify tasks to close gaps
    • Define zero trust initiatives and align zero trust initiatives to business goals and protect surfaces.

    This phase involves the following participants:

    • Security Team
    • Subject Matter Experts From IT, Finance, HR, Legal, Facilities, Compliance, Audit, Risk Management
    • Project Management Office

    The Info-Tech Zero Trust Framework

    Info-Tech’s Zero Trust Framework aligns with zero trust references, including:

    • ACT Zero Trust Cybersecurity Current Trends. 2019
    • NIST SP 800-207: Zero Trust Architecture. 2020
    • DOD Zero Trust Reference Architecture. 2021
    • NSA Embracing a Zero Trust Security Model. 2021
    • CISA Zero Trust Maturity Model. 2021
    • Executive Order (EO) 14028: Improving the Nation’s Cybersecurity, The White House. 2021
    • OMB Moving the U.S. Government Toward Zero Trust Cybersecurity Principles. 2022
    • NSTAC Zero Trust and Trusted Identity Management. 2022
    • NIST SP 800-53 r5: Security and Privacy Controls for Information Systems and Organizations

    Identity

    • Authentication
    • Authorization
    • Privileged Access Management

    Applications

    • Software Defined Compute
    • DevSecOps
    • Software Supply Chain

    Devices

    • Authentication
    • Authorization
    • Compliance

    Networks

    • Software Defined Networking
    • Macro Segmentations
    • Micro Segmentation

    Data

    • Software Defined Storage
    • Data Loss Prevention
    • Data Rights Management

    Info-Tech Insight

    A best-of-breed approach ensures holistic coverage of your zero trust program while refraining from locking you into a specific reference.

    2.1 Review the Info-Tech framework

    Estimated time 30-60 minutes

    1. As a group, have the team review the framework within the Zero Trust Program Gap Analysis Tool.
    2. Customize the tool as required using the instructions in tab “2. Setup”:
    • Define costing criteria
    • Define benefits criteria
    • Configure full-time equivalent hours and start year
    • Input business goals as mapped to protect surfaces (see next slide)

    Download the Zero Trust Program Gap Analysis Tool

    Input

    • Protect surfaces mapped to business objectives

    Output

    • Customized framework

    Materials

    • Zero Trust Program Gap Analysis Tool

    Participants

    • Security Team
    • Subject Matter Experts From IT

    2.1.1 Input business goals as mapped to protect surfaces

    Refer to the Protect Surface Mapping Tool, copy the following elements from the Protect Surface tab.

    1. Enter Business Goals.
    2. Enter Protect Surfaces.
    3. Enter Data.
    4. Enter Application.
    5. Enter Assets.
    6. Enter Services.

    This image contains a screenshot from Info-Tech's Zero Trust Program Gap Analysis Tool. The Column headings are labeled as follows: 1: Business Goal Name; 2: Protect Surface; 3: DATA; 4: APPLICATION; 5: ASSETS; 6: SERVICES

    Info-Tech Insight

    Deriving protect surface elements from business goals reframes how security controls are applied. Assess control effectiveness in this context and identify zero trust capabilities to close any gaps.

    2.2 Assess current capabilities and define zero trust target state

    Estimated time 6-12 hours

    1. Using the Zero Trust Program Gap Analysis Tool, review each of the controls in the Gap Analysis tab.
    2. Follow the instructions on the next slides to complete your current-state and target-state assessment.
    3. For most organizations, multiple internal subject matter experts will need to be consulted to complete the assessment.

    Download the Zero Trust Program Gap Analysis Tool

    Input

    • Protect surfaces mapped to business objectives
    • Information on current state of controls, including sources such as audit findings, vulnerability and penetration test results, and risk registers

    Output

    • Current-state and target-state assessment for gap analysis

    Materials

    • Zero Trust Program Gap Analysis Tool

    Participants

    • Security Team
    • Subject Matter Experts From IT, Facilities, Audit, Risk Management

    Understanding security target states

    Maturity models are very effective for determining target states. This table provides general descriptions for each maturity level. As a group, consider which description most accurately reflects the ideal target state in your organization.

    AD HOC 01

    Initial/ad hoc security programs are reactive. Lacking strategic vision, these programs are less effective and less responsive to the needs of the business.

    DEVELOPING 02

    Developing security programs can be effective at what they do but are not holistic. Governance is largely absent. These programs tend to rely on the talents of individuals rather than a cohesive plan.

    DEFINED 03

    A defined security program is holistic, documented, and proactive. At least some governance is in place; however, metrics are often rudimentary and operational in nature. These programs still often rely on best practices rather than strong risk management.

    MANAGED 04

    Managed security programs have robust governance and metrics processes. Management and board-level metrics for the overall program are produced. These are reviewed by business leaders and drive security decisions. More mature risk management practices take the place of best practices.

    OPTIMIZED 05

    An optimized security program is based on strong risk management practices, including the production of key risk indicators (KRIs). Individual security services are optimized using key performance indicators (KPIs) that continually measure service effectiveness and efficiency.

    2.2.1 Conduct current-state assessment

    1. Carefully review each of the controls in the Gap Analysis tab that are needed for the protect surfaces. For each control, indicate the current maturity level of the organization. The tool uses the maturity levels of the CMMI model to score maturity.
    • Only use “N/A” if you are confident that the control is not required in your protect surfaces. For example, if the protect surfaces do not require or use software-defined computing, select “N/A” for any controls related to software-defined computing.
  • Provide comments to describe your current state. This step is optional but recommended as it may be important to record this information for future reference.
  • Select the target maturity for the control.
    • This image contains a screenshot from Info-Tech's Zero Trust Program Gap Analysis Tool, with the following column headings highlighted and numbered: 1: Current Maturity; 2: Current State Comments (optional); Target Maturity

    Make sure that the gap between target state and current state is achievable for the current zero trust roadmap. For instance, if you set your current maturity to 1 – Ad Hoc, then having a target maturity of 4 – Managed or 5 – Optimized is not recommended due to the big jump.

    2.2.2 Review the Gap Analysis Dashboard

    1. Use the Dashboard to map your progress on assessing current- and future-state maturities. As you fill out the Zero Trust Program Gap Analysis Tool, check with the Dashboard to see the difference between your current and target state.
    2. Use the color-coded legend to see the size of the gap between your current and target state.
    3. Zero trust processes that appear white have not yet been assessed or are rated as “N/A.”
    this image contains a screenshot of Info-tech's Zero-Trust framework discussed earlier in this blueprint, with the addition of a legend demonstrating how to use the gap analysis tool to identify the size of the gap between current and target states

    2.3 Identify tasks to close gaps

    Estimated time 5 hours

    1. Using the Zero Trust Program Gap Analysis Tool, review each of the controls in the Gap Analysis tab.
    2. Follow the instructions on the next slides to identify gap closure tasks for each control that requires improvement.
    3. For most organizations, multiple internal subject matter experts will need to be consulted to complete the assessment.

    Download the Zero Trust Program Gap Analysis Tool

    Input

    • Zero trust controls gap information

    Output

    • Gap closure task list

    Materials

    • Zero Trust Program Gap Analysis Tool

    Participants

    • Security Team
    • Subject Matter Experts From IT, Facilities, Audit, Risk Management

    2.3 Identify tasks to close gaps (cont.)

    1. For each of the controls where there is a gap between the current and target state, a gap closure task should be identified:
    • Review the example tasks and copy one or more of them if appropriate. Otherwise, enter your own gap closure task.
  • Considerations for identifying gap closure tasks:
    • In small groups, have participants ask, “what would we have to do to achieve the target state?” Document these in the Gap Closure Tasks column.
    • The example gap closure tasks may be appropriate for your organization, but do not simply copy them without considering whether they are right for you.
    • Not all gaps require their own task. You can enter one task that may address multiple gaps.
    • Be aware that tasks that are along the lines of “investigate and make recommendations” may not fully close maturity gaps.
    this image contains a screenshot from Info-Tech's Zero Trust Program Gap Analysis Tool, with the following column heading highlighted and numbered: 1: Gap Closure Tasks

    Make sure that the Gap Closure Tasks are SMART (Specific, Measurable, Achievable, Realistic, Timebound).

    2.4 Define tasks and initiatives

    Estimated time 2-4 hours

    1. As a group, review the gap tasks identified in the Gap Analysis tab.
    2. Using the instructions on the following slides, finalize your tab “5. Task List.”
    3. Using the instructions on the following slides, review and consolidate your tab “6. Initiative List.”

    Download the Zero Trust Program Gap Analysis Tool

    Input

    • Gap analysis

    Output

    • Refined list of tasks
    • List of zero trust initiatives

    Materials

    • Zero Trust Program Gap Analysis Tool

    Participants

    • Security Team
    • Subject Matter Experts From IT, Facilities, Audit, Risk Management
    • Project Management Office

    2.4.1 Finalize your task list

    1. Define the gap closure task list in tab “5. Task List”:
      1. Obtain a list of all your tasks from Gap Closure Tasks column in tab “3. Gap Analysis.”
      2. Paste the list into the table in tab “5. Task List,” Task column.
    • Use Paste Values to retain the table formatting.
  • Consolidate tasks into initiatives when:
      • They have costs associated with them.
      • They require initial effort to implement and ongoing effort to maintain.
      • They must be accomplished dependently of other tasks.
    1. For each new initiative, create the initiative name on Initiative Name column in the tab “6. Initiative List.”
  • For tasks which are not incorporated into initiatives, enter a task owner and due date for each task.
    • this image contains a screenshot from Info-Tech's Zero Trust Gap analysis Tool with the following column headings highlighted and numbered: 1: Task; 2: Initiative Name; 3: (Task Owner; Due Date)

    Example: Initiative consolidation

    In the example below, we see three gap closure tasks within the Authentication process for the Identity pillar being consolidated into a single initiative “IAM modernization.”

    We can also see three gap closure tasks within the Micro Segmentation process for the Network pillar being grouped into another initiative “Network segmentation.”

    This image contains an example of Initiative Consolidation

    Info-Tech Insight

    As you go through this exercise, you may find that some tasks that you previously defined could be consolidated into an initiative.

    2.4.2 Finalize your initiative list

    1. As you go through this exercise, you may find that some tasks that you previously defined could be consolidated into an initiative.
    2. Review your final list of initiatives in tab “6. Initiative List” and make any required updates.
      1. Optionally, add a description or paste in a list of the individual gap closure actions that are associated with the initiative. This will make it easier to perform the cost and benefit analysis.
    3. Obtain a list of all gap closure tasks associated with an initiative by filtering the Initiative Name column in the Task List tab.
    4. Indicate the most appropriate pillar alignment for each initiative using the drop-down list.
      1. Refer to tab “5. Task List” for the pillar associated with an initiative under the Initiative Name column.

    This image contains a screenshot from Info-Tech's Zero Trust Program Gap Analysis Tool, the following column headings are numbered and highlighted: 1: Initiative Name; 2: Description; 3: Pillar

    If the list of tasks is too long for the Description column, then you can also shorten the name of the tasks or group several tasks to a more general task.

    2.5 Align initiatives to business goals and protect surfaces

    Estimated time 30-60 minutes

    1. Using the instructions on the following slides, align initiatives to business goals in tab “6. Initiative List.”
    2. Using the instructions on the following slides, align initiatives to protect surfaces in tab “6. Initiative List.”

    Download the Zero Trust Program Gap Analysis Tool

    Input

    • List of zero trust initiatives
    • Protect surfaces mapped to business objectives

    Output

    • List of zero trust initiatives aligned to business goals and protect surfaces

    Materials

    • Zero Trust Program Gap Analysis Tool

    Participants

    • Security Team
    • Subject Matter Experts From IT, Facilities, Audit, Risk Management
    • Project Management Office

    2.5.1 Align initiatives to business goals

    1. Indicate the most appropriate business goal(s) alignment for each initiative using the drop-down list in “Selection for Business Goal(s)” column.
      1. Use the legend to determine the most appropriate business goal(s).
    2. After that copy the selected business goal(s) to Business Goal(s) Alignment column.
    3. Then reset the selection using the blank cell in Selection for Business Goal(s) column.
    This image contains a screenshot from the Zero Trust Program Gap Analysis Tool, with the following column headings numbered: 1: Selection for Business Goal(s); Business Goals Alignment; 3: Selection for Business Goals

    2.5.2 Align initiatives to protect surfaces

    1. Indicate the most appropriate protect surface(s) for each initiative using the drop-down list in Selection for Protect Surface(s) column.
      1. Use the legend to determine the most appropriate protect surface(s).
    2. After that copy the selected protect surface(s) to Protect Surface(s) Coverage column.
    3. Reset the selection using the blank cell in Selection for Protect Surface(s) column.
    This image contains a screenshot from the Zero Trust Program Gap Analysis Tool, with the following column headings numbered: 1: Description; 2: Protect Surfaces Covered; 3: Selection for Protect Surfaces

    Phase 3

    Evaluate Candidate Solutions and Finalize Roadmap

    Build a Zero Trust Roadmap

    This phase will walk you through the following activities:

    • Define solution criteria.
    • Identify candidate solutions.
    • Evaluate candidate solutions.
    • Perform cost/benefit analysis.
    • Prioritize initiatives and build roadmap.

    This phase involves the following participants:

    • Security Team
    • Subject Matter Experts From IT, Finance, HR, Legal, Facilities, Compliance, Audit, Risk Management
    • Project Management Office

    3.1 Define solution criteria

    Estimated time 30-60 minutes

    1. As a group, review the scoring system within the Zero Trust Candidate Solutions Selection Tool.
    2. Customize the tool as required using the instructions on the following slides.

    Info-Tech Insight

    Don’t let your solution dictate your roadmap. Define your zero trust solution criteria before engaging in vendor selection.

    Download the Zero Trust Candidate Solutions Selection Tool

    Input

    • Zero trust initiative list

    Output

    • Zero trust candidate solutions

    Materials

    • Zero Trust Program Gap Analysis Tool
    • Zero Trust Candidate Solutions Selection Tool

    Participants

    • Security Team
    • Subject Matter Experts From IT

    3.1.1 Define compliance and solution evaluation criteria

    On the Setup tab, provide a weight for each evaluation criterion to evaluate the candidate solutions. You can use “0%” weight if that criterion is not required in your solution selection.

    1. Verify that the Description for each criterion is accurate.
    2. Provide weights for the compliance score and the solution score, which are the overall evaluation:
    • Compliance score consists of tenets score, pillar score, threat protection score, and trust algorithm score.
    • Solution score consists of features score, usability score, affordability score, and architecture score.
    This image contains a screenshot from the Zero Trust Candidate Solutions Selection Tool, which demonstrates how to define compliance and solution evaluation criteria.

    3.1.2 Define remaining evaluation criteria

    On the Setup tab, provide a weight for each evaluation criterion to evaluate the candidate solutions. You can use “0%” weight if that criterion is not required in your solution selection.

    1. Verify that the Description for each criterion is accurate.
    2. Provide weights for the remaining evaluation criteria:
    • Tenets: Considers how well each initiative aligns with zero trust principles.
    • Pillars: Considers how well each initiative aligns with zero trust pillars.
    • Threats: Considers what zero trust threats are relevant with the candidate solution.
    • Trust Algorithm: Considers trust evaluation factors, trust evaluation process score, and input coverage.
    • Cost Estimation: Considers initial costs, which are one-time, upfront capital investments (e.g. hardware and software costs), and ongoing cost, which is any annually recurring operating expenses that are new budgetary costs (e.g. licensing, maintenance, subscription fees).
    • Deployment Architecture: Considers the solutions deployment architecture capabilities.

    This image contains a screenshot from the Zero Trust Candidate Solutions Selection Tool, and demonstrates where to define additional evaluation data

    Review available candidate solutions

    this image contains a list of available candidate Solutions. This list includes: Zero Trust Identity; Zero-Trust Application & Workloads; Zero-Trust Networks; Zero-Trust Devices; and Zero-Trust Data

    The Rapid Application Selection Framework is a comprehensive yet fast-moving approach to help you select the right software for your organization

    Five key phases sequentially add rigor to your selection efforts while giving you a clear, swift-flowing methodology to follow.

    Awareness Education & Discovery Evaluation Selection Negotiation & Configuration
    1.1 Proactively Lead Technology Optimization & Prioritization 2.1 Understand Marketplace Capabilities & Trends 3.1 Gather & Prioritize Requirements & Establish Key Success Metrics 4.1 Create a Weighted Vendor Selection Decision Model 5.1 Initiate Price Negotiation With Top
    1.2 Scope & Define the Selection Process for Each Selection Request Action 2.2 Discover Alternative Solutions & Conduct Market Education 3.2 Conduct a Data-Driven Comparison of Vendor Features & Capabilities 4.2 Conduct Investigative Interviews Focused on Mission Critical Priorities With Top 2-4 Vendors 5.2 Negotiate Contract Terms & Product Configuration Two Vendors Selected
    1.3 Conduct an Accelerated Business Needs Assessment 2.3 Evaluate Enterprise Architecture & Application Portfolio 3.3 Narrow the Field to Four Top Contenders 4.3 Validate Key Issues With Deep Technical Assessments, Trial Configuration & Reference Checks 5.3 Finalize Budget Approval & Project Implementation Timeline
    1.4 Align Stakeholder Calendars to Reduce Elapsed Time & Asynchronous Evaluation 2.4 Validate the Business Case 5.4 Invest in Training & Onboarding Assistance

    Download the Rapid Application Selection Framework research

    Evaluate software category leaders through vendor rankings and awards

    SoftwareReviews

    The Data Quadrant is a thorough evaluation and ranking of all software in an individual category to compare platforms across multiple dimensions.

    The Data Quadrant Report

    Vendors are ranked by their Composite Score, based on individual feature evaluations, user satisfaction rankings, vendor capability comparisons, and likeliness to recommend the platform.

    Vendors ranked by their Composite Score

    The Emotional Footprint is a powerful indicator of overall user sentiment toward the relationship with the vendor, capturing data across five dimensions.

    Emotional Footprint

    Vendors are ranked by their Customer Experience (CX) Score, which combines the overall Emotional Footprint rating with a measure of the value delivered by the solution.

    Vendors ranked by their Customer Experience (CX) Score

    Sample whiteboard activity

    • Place sticky notes on the zero trust tenet that matches with the identified candidate solution to produce “solution requirements” that can be used to develop an RFP.
    • A sample sticky note is provided below for privileged access management.

    This image contains a screenshot of a sample whiteboard activity which can be done using sticky notes.

    • The PAM solution should support MFA
    • Live session monitoring, audit, and reporting
    • Should have password vaulting to prevent privileged users from knowing the passwords to critical systems and resources

    3.2 Identify candidate solutions

    Estimated time 2 hours

    1. As a group, have the team review the candidate solutions within the Zero Trust Program Gap Analysis Tool.
    2. On tab 3 in the Zero Trust Candidate Solutions Selection Tool:
    • Review the candidate solutions within the Zero Trust Program Gap Analysis Tool. For example, the candidate solutions with multifactor authentication (MFA) options are authenticators with SMS, mobile application, smartcard, or token.

    Input

    • Candidate solutions for zero trust tasks and initiatives

    Output

    • Suitability evaluation of candidate solutions

    Materials

    • Zero Trust Program Gap Analysis Tool
    • Zero Trust Candidate Solutions Selection Tool

    Participants

    • Security Team
    • Subject Matter Experts From IT

    Info-Tech Insight

    Add a description associated with the candidate solution, e.g. reference link to vendors or manufacturers. This will make it easier to perform the evaluation.

    Download the Zero Trust Candidate Solutions Selection Tool

    3.2.1 Review candidate solutions

    1. Review the candidate solutions within the Zero Trust Program Gap Analysis Tool. For example, the candidate solutions with multifactor authentication (MFA) options are authenticators with SMS, mobile application, smartcard, or token.
    2. Enter candidate solutions to the Compliance Data Entry tab on the Solution column within the Zero Trust Candidate Solutions Selection Tool.
    3. Optionally, add a description associated with the candidate solution, e.g. reference link to vendors or manufacturers. This will make it easier to perform the evaluation.
    this image contains a screenshot of a sample candidate solution, which can be done using Info-Tech's Zero Trust Program Gap Analysis Tool

    3.3 Evaluate candidate solutions

    Estimated time 3 hours

    On the Scoring tab, evaluate solution features, usability, affordability, and architecture using the instructions on the following slides. This activity will produce a solution score that can be used to identify the suitability of a solution.

    Input

    • Candidate solutions

    Output

    • Candidate solutions scored

    Materials

    • Zero Trust Program Gap Analysis Tool
    • Zero Trust Candidate Solutions Selection Tool

    Participants

    • Security Team
    • Subject Matter Experts From IT

    Download the Zero Trust Candidate Solutions Selection Tool

    3.3.3 Evaluate solution scores

    After all candidate solutions are evaluated, the Solution Score column can be sorted to rank the candidate solutions. After sorting, the top solutions can be used on prioritization of initiatives on Zero Trust Program Gap Analysis Tool.

    1. On Features
      1. Enter Coverage.
      2. Enter Quality.
    2. Enter Usability.
    3. On Affordability
      1. Enter Initial Cost.
      2. Enter Ongoing Cost (annual).
    4. Enter Architecture.
    this image contains a screenshot of how you can sort the solution score column in Info-Tech's Zero Trust Program Gap Analysis Tool

    3.4 Perform cost/benefit analysis

    Estimated time 1-2 hours

    1. Assign costing and benefits information for each initiative, following the instructions on the next slide.
    2. Define dependencies or business impacts if they will help with prioritization.

    Input

    • Ranked candidate solutions
    • Gap analysis
    • Initiative list

    Output

    • Completed cost/benefit analysis for initiative list

    Materials

    • Zero Trust Program Gap Analysis Tool
    • Zero Trust Candidate Solutions Selection Tool

    Participants

    • Security Team
    • Subject Matter Experts From IT, Facilities, Audit, Risk Management
    • Project Management Office

    Download the Zero Trust Program Gap Analysis Tool

    3.4.1 Complete the cost/benefit analysis

    Use Zero Trust Program Gap Analysis Tool.

    1. On the Prioritization tab, use the drop-down lists to enter the estimated costs and efforts for each initiative, using the criteria defined earlier.
    • Use the result from candidate selection to define the estimated costs.
    • If you have actual costs available, you can optionally enter them under the Detailed Cost Estimates columns.
  • Enter the estimated benefits, also using the criteria defined earlier.

    • This image contains a screenshot of a cost/benefit analysis table which can be found in the Zero Trust Program Gap Analysis Tool

    The Cost / Effort Rating is calculated based on the weight defined on step 2.1.1. The Benefit Rating is calculated based on the weight defined on step 2.1.2.

    3.4.2 Optionally enter detailed cost estimates

    Use Zero Trust Program Gap Analysis Tool.

    1. For each initiative, the tool will automatically populate the Detailed Cost Estimates and Detailed Staffing Estimates columns using the averages that you provided in step 2.1.1. However, if you have more detailed data about the costs and effort requirements for an initiative, you can override the calculated data by manually entering it into these columns. For example:
    • You are planning to subscribe to a security awareness vendor, and you have a quote from them specifying that the initial cost will be $75,000.
    • You have defined your “Medium” cost range as being “$10-100K,” so you select medium as your initial cost for this initiative in step 3.4.1. As you defined the average for medium costs as being $50,000, this is what the tool will put into the detailed cost estimate.
    • You can override this average by entering $75,000 as the initial cost in the detailed cost estimate column.

    This image contains a screenshot of a sample cost/benefit table found in the Zero Trust Program Gap Analysis Tool.

    The Benefits-Cost column will give results after comparing the cost and the benefit. Negative value means that the cost outweighs the benefit. Positive value means that the benefit outweighs the cost. Zero value means that the cost equals the benefit.

    3.5 Prioritize initiatives

    Estimated time 2-3 hours

    1. As a group, review the results of the cost/benefit analysis. Optionally, complete the Other Considerations columns in the Prioritization tab:
    • Dependencies can refer to other initiatives on the list or any other dependency that relates to activities or projects within the organization.
    • Business impacts can be helpful to document as they may require additional planning and communication that could impact initiative timelines.
  • Follow step 3.5.1 to create a visual effort map for your organization.
  • Follow step 3.5.2 and 3.5.3 to refine the effort map’s visual output.

    • Input

    • Gap analysis
    • Initiative list
    • Cost/benefit analysis

    Output

    • Prioritized list of initiatives

    Materials

    • Zero Trust Program Gap Analysis Tool

    Participants

    • Security Team
    • IT Leadership
    • Project Management Office

    Download the Zero Trust Program Gap Analysis Tool

    3.5.1 Create a visual effort map for your organization

    1 hour

    An effort map is a tool used for the visualization of a cost and benefit analysis. It is a quadrant output that visually shows how your gap initiatives were prioritized based on tab 7 in the Zero Trust Program Gap Analysis Tool.

    1. Establish the axes and colors for your effort map:
      1. X-axis represents the Benefit value from column J
      2. Y-axis represents the Cost/Effort value from column H
      3. Sticky note color is determined using the Alignment to Business value from column I
    2. Create sticky notes for each initiative and place them on the effort map or whiteboard based on the axes you have created with the help of your team.
    3. As you place initiatives on the visual effort map, discuss and modify rankings based on team member input.

    this image contains a sample visual effort map which can be found in the Zero Trust Program Gap Analysis Tool.

    Input

    • Outputs from activities 3.4.1 and 3.4.2

    Output

    • High-level prioritization for each of the gap-closing initiatives
    • Visual representation of quantitative values

    Materials

    • Zero Trust Program Gap Analysis Tool (tab 7)
    • Sticky notes
    • Markers
    • Whiteboard

    Participants

    • Security Team
    • IT Leadership
    • Project Management Office

    3.5.2 Refine the effort map’s visual output

    1 hour

    Once the effort map is complete, work to further simplify the visual output by categorizing initiatives based on the quadrant in which they have been placed.

    1. Before moving forward with the initiative wave prioritization (activity 3.7), identify any initiatives listed across all quadrants that are required as a part of compliance and mark with a sticky dot.
    2. Document these initiatives as Execution Wave 1.

    this image contains a screenshot of a refined visual effort map, which can be done by following the instructions in this section.

    Input

    • Outputs from activity 3.5.1

    Output

    • Prioritization for each of the gap-closing initiatives
    • First execution wave of gap-closing initiatives

    Materials

    • Zero Trust Program Gap Analysis Tool (tab 7)
    • Sticky notes
    • Sticky dots
    • Markers
    • Whiteboard

    Participants

    • Security Team
    • IT Leadership
    • Project Management Office

    3.5.3 Refine the effort map’s visual output

    30 minutes

    1. Use a separate area of the whiteboard to draw out four to five Execution Wave columns.
    2. Group initiatives into each Execution Wave column based on their placement within the quadrant from activities 3.5.1 and 3.5.2.
      1. Ensure that all identified mandatory activities as per governing privacy law fall within the first wave.
      2. Leverage the following 0-4 Execution Wave scale:
        1. Underway –Initiatives that are already underway
        2. Must Do – Initiatives that must happen right away
        3. Should Do – Initiatives that should happen but need more time/support
        4. Could Do – Initiatives that are not a priority
        5. Won’t Do – Initiatives that likely won’t be carried out
    3. Indicate the granular level for each execution wave using the a-z scale.
    • Use the lettering to track dependencies between initiatives.
      • If one must take place before another, ensure that its letter comes first alphabetically.
      • If multiple initiatives must take place at the same time, use the same letter to show they will take place in tandem.

    This image depicts the sample output for a refined visual effort map

    Input

    • Outputs from activity 3.5.2

    Output

    • Prioritization for each of the gap-closing initiatives
    • First execution wave of gap-closing initiatives

    Materials

    • Zero Trust Program Gap Analysis Tool (tab 7)
    • Sticky notes
    • Sticky dots
    • Markers
    • Whiteboard

    Participants

    • Security Team
    • IT Leadership
    • Project Management Office

    Wave assignment example

    In the example below, we see “IAM modernization” was assessed as 9 on cost/effort rating and 5 on benefit rating and its Benefits-Cost has a positive value of 1. We can label this as SHOULD DO (wave 2).

    We can also see “Network segmentation” was assessed as 6 on cost/effort rating and 4 on benefit rating and its Benefits-Cost has a positive value of 2. We can label this as MUST DO (wave 1).

    We can also see “Unified Endpoints Management” was assessed as 8 on cost/effort rating and 2 on benefit rating and its Benefits-Cost has a negative value of -4. We can label this as WON’T DO (no wave).

    We can also see “Data Protection” was assessed as 4 on cost/effort rating and 2 on benefit rating and its Benefits-Cost has a zero value. We can label this as COULD DO (wave 3).

    This image depicts a sample wave assignment output, discussed in this section.

    It is recommended to define the threshold of each wave based on the value of Benefits-Cost before assigning waves.

    3.6 Build roadmap

    Estimated time 2-3 hours

    1. As a group, follow step 3.6.1 to create your roadmap by scheduling initiatives into the Gantt chart within the Zero Trust Program Gap Analysis Tool.
    2. Review the roadmap for resourcing conflicts and adjust as required.
    3. Review the final cost and effort estimates for the roadmap.

    Input

    • Gap analysis
    • Cost/benefit analysis
    • Prioritized initiative list

    Output

    • Zero trust roadmap

    Materials

    • Zero Trust Program Gap Analysis Tool

    Participants

    • Security Team
    • IT Leadership
    • Project Management Office

    Download the Zero Trust Program Gap Analysis Tool

    3.6.1 Schedule initiatives using the Gantt chart

    1. On the Gantt Chart tab for each initiative, enter an owner (the role who will be primarily responsible for execution).
    2. Additionally, enter a start month and year for the initiative and the expected duration in months.
    • You can filter the Wave column to only see specific waves at any one time to assist with the scheduling.
    • You do not need to schedule Wave 4 initiatives as the expectation is that these initiatives will not be done.
    • This Image contains a screenshot of the Gantt Chart, with the following column headings highlighted and numbered: 1: Owner; 2: Expected Duration

    3.6.2 Review your roadmap

    1. When you have completed the Gantt chart, as a group review the overall roadmap to ensure that it is reasonable for your organization. Consider the following:
    • Do you have other IT or business projects planned during this time frame that may impact your resourcing or scheduling?
    • Does your organization have regular change freezes throughout the year that will impact the schedule?
    • Do you have over-subscribed resources? You can filter the list on the Owner column to identify potential over-subscription of resources.
    • Have you considered any long vacations, sabbaticals, parental leaves, or other planned longer-term absences?
    • Are your initiatives adequately aligned to your budget cycle? For instance, if you have an initiative that is expected to make recommendations for capital expenditure, it must be completed prior to budget planning.

    This image depicts an example roadmap which can be created following the use of the Gantt Chart

    3.6.3 Review your cost/effort estimates table

    1. Once you have completed your roadmap, review the total cost/effort estimates. This can be found in a table on the Results tab. This table will provide initial and ongoing costs and staffing requirements for each wave. This also includes the total three-year investment. In your review consider:
    • Is this investment realistic? Will completion of your roadmap require adding more staff or funding than you otherwise expected?
    • If the investment seems unrealistic, you may need to revisit some of your assumptions, potentially reducing target levels or increasing the amount of time to complete the strategy.

    This table provides you with the information to have important conversations with management and stakeholders.

    This image contains an example of the Zero Trust Roadmap Cost/Effort Estimates. The column headings are as follows: Wave; Number of Initiatives; Initial Implementation - Cost; Initial Implementation - Effort; Ongoing Maintenance - Cost; Ongoing Maintenance - Effort. A separate table is shown with the column heading: Estimated Total Three Year Investment

    Phase 4

    Formulate Policies for Roadmap Initiatives

    Build a Zero Trust Roadmap

    This phase will walk you through the following activities:

    • Formulate zero trust policies for critical DAAS elements.
    • Formulate zero trust policies to secure a path to access critical DAAS elements.

    This phase involves the following participants:

    • CIO
    • CISO
    • Business Executives
    • IT Manager
    • Security Team

    Understand the zero trust policy

    Use the Kipling methodology as a vendor agnostic approach to identify appropriate allow list elements when deploying multiple zero trust solutions.
    The policies help to prevent lateral movement.

    Who Who should access a resource? Here, the user ID that identifies the users through the principle of least privilege is allowed access to a particular resource. The authentication policy will be used to verify identity of a user when access request to a resource is made. Who requires MFA?
    What What application is used to access the resource? Application ID to identify applications that are only allowed on the network. Port control policies can be used for the application service.
    When When do users access the resource? Policy that identifies and enforces time schedule when an application accessed by users is used.
    Where Where is the resource located? The location of the destination resource should be added to the policy and, where possible, restrict the source of the traffic either by zone and/or IP address.
    Why Why is the data accessed? Data classification should be done to know why the data needs protection and the type of protection (data filtering).
    How How should you allow access to the resource? This covers the protection of the application traffic. Principle of least privilege access, log all traffic, configure security profiles, NGFW, decryption and encryption, consistent application of policy and threat prevention across all locations for all local and remote users on managed and unmanaged endpoints are ways to apply content-ID.

    Info-Tech Insight

    The success of a zero trust implementation relies on enforcing policies consistently. Applying the Kipling methodology to the protect surface is the best way to design zero trust policies.

    4.1.1 Formulate policy

    Estimated time 1-2 hours

    1. As a group, review the protect surface(s) identified in phase one, and using the Kipling methodology from the previous slide, formulate a policy. Each policy can be reviewed repeatedly until we are sure it satisfies the goal.
    2. The policy created should be consistent for both cloud and on-prem environments.
    3. As an example, let's use the healthcare scenario found in tab 3 of the Zero Trust Protect Surface Mapping Tool. The protect surface used is "Automated Medication Dispensing." Another example will be "Salesforce" accessed via the cloud.
    Who What When Where Why How
    Method User-ID App-ID Time limit System Object Classification Content-ID
    On-Prem Pyxis_Users Pyxis Any Pyxis_server Severe (high value data) Decrypt, Inspect, log traffic
    Cloud Sales Salesforce Working hours Canada Severe (high value data) Decrypt, Inspect, log traffic

    Input

    • Kipling methodology
    • Protect surface

    Output

    • Zero trust policy

    Materials

    • Whiteboard/Flip Charts
    • Zero Trust Protect Surface Mapping Tool

    Participants

    • CIO
    • CISO
    • Business Executives
    • IT Manager
    • Security Team

    4.1.2 Apply policy

    1-2 hours

    1. Place each protect surface in its own microperimeter. Each microperimeter should be segmented by a next-generation firewall or authentication broker that will serve as a segmentation gateway.
    2. Name the microperimeter and place it on a firewall.

    Input

    • Kipling methodology
    • Protect surface

    Output

    • Zero trust policy

    Materials

    • Whiteboard/Flip Charts
    • Sticky Notes
    • Zero Trust Protect Surface Mapping Tool

    Participants

    • CIO
    • CISO
    • Business Executives
    • IT Manager
    • Security Team

    Microperimeter A
    Protect Surface:
    DAAS Elements:

    Who What When Where Why How
    Method User-ID App-ID Time limit System Object Classification Content-ID

    Microperimeter B
    Protect Surface:
    DAAS Elements:

    Who What When Where Why How
    Method User-ID App-ID Time limit System Object Classification Content-ID

    Microperimeter C
    Protect Surface:
    DAAS Elements:

    Who What When Where Why How
    Method User-ID App-ID Time limit System Object Classification Content-ID

    4.2 Secure a path to access critical DAAS elements

    How should you allow access to the resource?

    This component makes up the final piece of formulating the policies as it applies the protection of the application traffic.

    The principle of least privilege is applied to the security policy to only allow access requests and restrict the access to the purpose it serves. This access request is then logged as well as the traffic (both internal and external). Most firewalls (NGFW) have policy rules that, by default, enable logging.

    Segmentation gateways (NGFW, VM-series firewalls, agent-based and clientless VPN solutions), are used to apply zero trust policy (Kipling methodology) in the network, cloud, and endpoint (managed and unmanaged) for all local and remote users.

    These policies need to be applied to security profiles on all allowed traffic. Some of these profiles include but are not limited to the following: URL filtering profile for web access and protect against phishing attacks, vulnerability protection profile intrusion prevention systems, anti spyware profiles to protect against command-and-control threats, malware and antivirus profile to protect against malware, and a file blocking profile to block and/or alert suspicious file types.

    Good visibility on your network can also be tied to decryption as you can inspect traffic and data to the lowest level possible that is generally accepted by your organization and in compliance with regulation.

    Conceptualized flow

    With users working from anywhere on managed and unmanaged devices, access to the internet, SAAS, public cloud, and the data center will have consistent policies applied regardless of their location.

    The policy is validating that the user is who they say they are based on the role profile, what they are trying to access to make sure their role or attribute profile has the appropriate permission to the application, and within the stipulated time limit. Where the data or application is located is also verified and the why needs to be satisfied before the requested access is granted. Based on the mentioned policies, the how element is then applied throughout the lifecycle of the access.

    Who

    (Internet)

    What

    (SAAS)

    		 When

    Where

    (Public Cloud)

    		 Why

    How

    (Data Center)
    Method User-ID App-ID Time limit System Object Classification Content-ID
    On-Prem Pyxis_Users Pyxis Any Pyxis_server Severe (high value data) Decrypt, Inspect, log traffic
    Cloud Sales Salesforce Working hours Canada Severe (high value data) Decrypt, Inspect, log traffic

    Phase 5

    Monitor Zero Trust Roadmap Deployment

    Build a Zero Trust Roadmap

    This phase will walk you through the following activities:

    • Establish metrics for roadmap tasks.
    • Track metrics for roadmap tasks.

    This phase involves the following participants:

    • Security Team
    • Subject Matter Experts From IT, HR, Legal, Facilities, Compliance, Audit, Risk Management
    • Project Management Office

    5.1 Establish metrics for roadmap tasks

    Estimated time 2 hours

    1. On tab “2. Task & Metric Register” of the Zero Trust Progress Monitoring Tool, identify metrics to measure implementation and efficacy of tasks
    2. On tab “2. Task & Metric Register” of the Zero Trust Progress Monitoring Tool, document metric metadata.
    3. On the Prioritization tab, use the drop-down lists to enter the estimated costs and efforts for each initiative, using the criteria defined earlier.
    • If you have actual costs available, you can optionally enter them under the Detailed Cost Estimates columns.
  • Enter the estimated benefits, also using the criteria defined earlier.

    • Input

    • Zero trust roadmap task list

    Output

    • Metrics for measuring zero trust task implementation and efficacy

    Materials

    • Zero Trust Progress Monitoring Tool

    Participants

    • Security Team
    • Subject Matter Experts From IT, HR, Legal, Facilities, Compliance, Audit, Risk Management
    • Project Management Office

    Download the Zero Trust Progress Monitoring Tool

    5.1.1 Identify metrics to measure implementation and efficacy of tasks

    Estimated time 3-4 hours

    1. On tab “2. Task & Metric Register” of the Zero Trust Progress Monitoring Tool, for each section defined in columns C and D, enter zero trust implementation tasks into column E. If you completed the Zero Trust Program Gap Analysis Tool, use the tasks identified there to populate column E.
    2. For each task, identify in column F any metrics that will communicate implementation progress and/or implementation efficacy.
    • If multiple metrics are needed for a single task, we recommend expanding the size of the row and adding additional metrics onto a new line in the same row. A sample is provided in the tool.

    this image contains a screenshot of tab 2 in the Zero Trust Progress Monitoring Tool

    Info-Tech Insight

    To measure the efficacy of a zero trust implementation, ensure you know what a successful zero trust implementation means for your organization, and define metrics that demonstrate whether that success is being realized.

    5.1.2 Document metric metadata

    Estimated time 1-2 hours

    For each metric defined in step 4.1.1:

    1. Identify in column G whether the metric can be measured now (Phase 1), measured in a few months’ time (Phase 2), or measured in a few years’ time (Phase 3).
    2. Identify in columns H through M who is responsible for collecting the metric (Person Source), who/what is consulted to collect the metric (Technology Source), who compiles the collected metric into dashboards and presentations (Compiler), and who is informed of the measurement of the metric (Audience).
    • Add more columns under the Audience category if needed.
    • Use “X” to identify if an audience group will be informed of the measurement of the metric.
  • Identify in columns N through P the target for the metric (Metric Target), the effort it takes to collect the metric (Effort to Collect), the frequency with which the organizations plans to collect the metric (Frequency of Collection), and any comments that people should know when collecting, compiling, or presenting metrics.
    • This image contains a screenshot from the Zero Trust Progress Monitoring Tool, with the following column headings numbered: 1: Priority; 2: Roles and Responsibilities; 3: effort to collect; frequency of collection; Metric Target; Comments

    5.2 Track and report metrics

    Estimated time 2 hours

    1. In the Zero Trust Progress Monitoring Tool, copy and paste metrics you plan to track in the tool from column F on tab 2 to column B on tab 3.
    2. Use tab 3 to identify collection frequency, metric target, and measurements collected for each metric. Add notes or comments to each metric or measurement to track contextual elements that could affect metric measurements.
    3. Leverage the graphs on tab 4 to communicate metrics to the appropriated audience groups, as defined in tab 2.

    Input

    • Metrics for measuring zero trust task implementation and efficacy

    Output

    • Metric data and graphs for presenting zero trust implementation metrics to audience groups

    Materials

    • Zero Trust Progress Monitoring Tool

    Participants

    • Security Team
    • Subject Matter Experts From IT, HR, Legal, Facilities, Compliance, Audit, Risk Management
    • Project Management Office

    Download the Zero Trust Progress Monitoring Tool

    5.2.1 Record baseline measurements for metrics

    Estimated time 1-2 hours

    On tab “3. Track Metrics” of the Zero Trust Progress Monitoring Tool:

    1. Copy and paste the metrics from Column F on tab “2. Task & Metric Register” that you want to track into Column B of this tab.
    2. For each metric, record the frequency of collection (Collection Frequency) and the metric target (Target) by referencing columns O and P on tab “2. Task & Metric Register.”
    3. Begin to record baseline/initial values for each metric in column E. Rename columns to match your highest frequency of collection.
      (e.g. if any metric is being measured monthly, there should be one column per month)
    4. Over time, conduct measurements of your metrics and store them in the table below.
    5. Add notes, as necessary.

    this image contains a screenshot of tab 3 of the Zero Trust Progress Monitoring Tool, with the following column headings numbered: 1: Your Metrics; 2: Collection Frequency; Target; 3: Jan; 4: Metric Measurements; 5: Notes

    5.2.2 Report metric health to audience groups

    Estimated time 1-2 hours

    On tab “4. Graphs” of the Zero Trust Progress Monitoring Tool:

    1. The Overall Metric Health gauge at the top of this tab presents the average percentage away from meeting metric targets for all metrics being tracked. To calculate this value, the differences between the most recent measurements and target values for each metric are averaged.
    2. Below the Overall Metric Health gauge, use the drop-down list in cell D9 to select one of the metrics from tab “3. Track Metrics.”
    3. Six different graphic representations of the tracked data for the selected metric will populate.

    Copy and paste desired graphs into presentations for audience members identified in step 5.1.2.

    This image contains a screenshot from tab “4. Graphs” of the Zero Trust Progress Monitoring Tool:

    5.3 Build a communication deck

    Estimated time 2 hours

    Leverage the Zero Trust Communication Deck to showcase the work that you have done in the tools and activities associated with this research.

    In this communication deck template, you will find the following sections:

    • Introduction
    • Protect Surfaces
    • Zero Trust Gap Analysis
    • Zero Trust Initiatives & Tasks

    Input

    • Protect surfaces mapped to business goals
    • Zero trust program gap analysis
    • Zero trust roadmap initiatives and tasks
    • Zero trust metrics

    Output

    • Communication deck for zero trust strategy

    Materials

    • Zero Trust Communication Deck

    Participants

    • Security Team
    • Subject Matter Experts From IT, HR, Legal, Facilities, Compliance, Audit, Risk Management
    • Project Management Office

    Download the Zero Trust Communication Deck

    Summary of Accomplishment

    Knowledge Gained

    • Knowledge of protect surfaces and the business goals protecting them supports
    • Comprehensive knowledge of zero trust current state and summary initiatives required to achieve zero trust objectives
    • Assessment of which solutions for zero trust tasks and initiatives are the most appropriate for the organization
    • A defined set of security metrics assessing zero trust implementation progress and efficacy

    Deliverables Completed

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop

    Contact your account representative for more information

    workshops@infotech.com

    1-888-670-8889

    Additional Support

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech Workshop

    To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.

    Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.

    Contact your account representative for more information.

    This is a picture of an Info-Tech Account Representative
    workshops@infotech.com 1-888-670-8889

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    Zero Trust Program Gap Analysis Tool

    This is a screenshot from the Zero Trust Program Gap Analysis Tool

    Assess current security capabilities and build a roadmap of tasks and initiatives that close maturity gaps.

    Zero Trust Progress Monitoring Tool

    This is a screenshot from the Zero Trust Progress Monitoring Tool

    Identify and track metrics for zero trust tasks and initiatives.

    Research Contributors

    • Aaron Benson, CME Group, Director of IAM Governance
    • Brad Mateski, Zones, Solutions Architect for CyberSecurity
    • Bob Smock, Info-Tech Research Group, Vice President of Consulting
    • Dr. Chase Cunningham, Ericom Software, Chief Strategy Officer
    • John Kindervag, ON2IT Cybersecurity, Senior Vice President, Cybersecurity Strategy and ON2IT Group Fellow
    • John Zhao, Fonterra, Enterprise Security Architect
    • Rongxing Lu, University of New Brunswick, Associate Professor
    • Sumanta Sarkar, University of Warwick, Assistant Professor
    • Tim Malone, J.B. Hunt Transport, Senior Director Information Security
    • Vana Matte, J.B. Hunt Transport, Senior Vice President of Technology Services

    Related Info-Tech Research

    This is a screenshot from Info-Tech's Build an Information Security Strategy

    Build an Information Security Strategy

    Info-Tech has developed a highly effective approach to building an information security strategy – an approach that has been successfully tested and refined for over seven years with hundreds of organizations. This unique approach includes tools for ensuring alignment with business objectives, assessing organizational risk and stakeholder expectations, enabling a comprehensive current-state assessment, prioritizing initiatives, and building out a security roadmap.

    This is a screenshot from Info-Tech's Determine Your Zero Trust Readiness.

    Determine Your Zero Trust Readiness

    IT security was typified by perimeter security. However, the way the world does business has mandated a change to IT security. In response, zero trust is a set of principles that can add flexibility to planning your IT security strategy.

    Use this blueprint to determine your zero trust readiness and understand how zero trust can benefit both security and the business.

    This is a screenshot from Info-Tech's Mature Your Identity and Access Management Program

    Mature Your Identity and Access Management Program

    Many organizations are looking to improve their identity and access management (IAM) practices but struggle with where to start and whether all areas of IAM have been considered. This blueprint will help you improve the organization's identity and access management practices by following our three-phase methodology:

    • Assess identity and access requirements
    • Identify initiatives using the identity lifecycle
    • Prioritize initiatives and build a roadmap

    Bibliography

    • “2021 Data Breach Investigations Report.” Verizon, 2021. Web.
    • “A Zero-Trust Strategy Has 3 Needs - Identify, Authenticate, and Monitor Users and Devices On and Off The Network.” Fortinet, 15 July 2021. Web.
    • “Applying Zero Trust Principles to Enterprise Mobility.” CISA, March 2022. Web.
    • Biden Jr., Joseph R. “Executive Order on Improving the Nation’s Cybersecurity.” The White House, 12 May 2021. Web.
    • “CISA Zero Trust Maturity Model.” CISA - Cybersecurity Division, June 2021. Web.
    • “Continuous Diagnostics and Mitigation Program Overview.” CISA, Jan. 2022. Web.
    • Contributor. “The Five Business Benefits of a Zero Trust Approach to Security.” Security Brief - Australia, 19 Aug. 2020. Web.
    • “Cost of a Data Breach Report 2021.” IBM, July 2021. Web.
    • English, Melanie. “5 Stats That Show The Cost Saving Effect of Zero Trust.” Teramind, 29 Sept. 2021. Web.
    • “Improve Application Access and Security With Fortinet Zero Trust Network Access.” Fortinet, 2 March 2021. Web.
    • “Incorporating Zero-trust Strategies for Secure Network and Application Access.” Fortinet, 21 July 2021. Web.
    • Jakkal, Vasu. “Zero Trust Adoption Report: How Does Your Organization Compare?” Microsoft, 28 July 2021. Web.
    • “Jericho Forum™ Commandments.” The Open Group, Jericho Forum, May 2007. Web.
    • Johnson, Derrick. “Zero Trust vs. SASE - Here's What You Need to Know.” Security Magazine, 23 July 2021. Web.
    • Joint Defense Information Systems Agency (DISA) and National Security Agency (NSA) Zero Trust Engineering Team. “Department of Defense (DOD) Zero Trust Reference Architecture.” DoD CIO, Feb. 2021. Web.
    • Kay, Dennis. “Planning for a Zero Trust Architecture Target State.” NASA, NIST, 13 Nov. 2019. Web.
    • National Security Agency. “Embracing a Zero Trust Security Model.” U.S. Department of Defense, Feb. 2021. Web.
    • NSTAC. “Draft Report to the President - Zero Trust and Trusted Identity Management.” CISA, NSTAC, n.d. Web.
    • Rose, Scott W., et al. “Zero Trust Architecture.” NIST, 10 Aug. 2020. Web.
    • “Securing Digital Innovation Demands Zero-Trust Access.” Fortinet, 15 July 2021. Web.
    • Shackleford, Dave. “How to Create a Comprehensive Zero Trust Strategy.” SANS, Cisco, 2 Sept. 2020. Web.
    • “The CISO’s Guide to Effective Zero-Trust Access.” Fortinet, 28 April 2021. Web.
    • “The State of Zero Trust Security 2021.” Okta, June 2021. Web.
    • Kerman, Alper, et al. “Implementing a Zero Trust Architecture.” NIST - National Cybersecurity Center of Excellence, March 2020. Web.
    • Kindervag, John. “Keynote - John KINDERVAG - 021622.” Vimeo, VIRTUAL Eastern | CyberSecurity Conference, 16 Feb. 2022. Web.
    • Lodewijkx, Koos. “IBM CISO Perspective: Zero Trust Changes Security From Something You Do to Something You Have.” SecurityIntelligence, IBM, 19 Nov. 2020. Web.
    • VB Staff. “Report: Only 21% of Enterprises Use Zero Trust Architecture.” VentureBeat, 15 Feb. 2022. Web.
    • Young, Shalanda D. “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles.” The White House, EXECUTIVE OFFICE OF THE PRESIDENT - OFFICE OF MANAGEMENT AND BUDGET, 26 Jan. 2022. Web.
    • “Zero Trust Access.” Fortinet, n.d. Web.
    • “Zero Trust Architecture Technical Exchange Meeting.” NIST - National Cybersecurity Center of Excellence, 12 Nov. 2019. Web.
    • “Zero Trust Cybersecurity Current Trends.” ACT-IAC, 18 April 2019. Web.
    • “Zero-Trust Access for Comprehensive Visibility and Control.” Fortinet, 24 Sep. 2020. Web.

    Build an IT Succession Plan

    • Buy Link or Shortcode: {j2store}476|cart{/j2store}
    • member rating overall impact: 9.0/10 Overall Impact
    • member rating average dollars saved: $338,474 Average $ Saved
    • member rating average days saved: 17 Average Days Saved
    • Parent Category Name: Lead
    • Parent Category Link: /lead
    • Pending retirements in key roles create workforce risks and potentially impact business continuity.
    • Fifty-six percent of organizations have not engaged in succession planning, so they haven’t identified at-risk key roles or successors for those roles.

    Our Advice

    Critical Insight

    • Just under 60% of organizations haven't tackled succession planning.
    • This means that three out of five organizations don’t know what skills they need for the future or what their key roles truly are. They also haven’t identified at-risk key roles or successors for those roles.
    • In addition, 74% of organizations have no formal process for facilitating knowledge transfer between individuals, so knowledge will be lost.

    Impact and Result

    • Info-Tech's Key Roles Succession Planning Tool will help you assess key role incumbent risk factors as well as identify potential successors and their readiness. Pay particular attention to those employees in key roles that are nearing retirement, and flag them as high risk.
    • Plan for the transfer of critical knowledge held by key role incumbents. Managers and HR leaders see significant tacit knowledge gaps in younger workers; prioritize tacit knowledge in your transfer plan and leverage multiple transfer methods.
    • Explore alternative work arrangements to ensure sufficient time to prepare successors. A key role incumbent must be available to complete knowledge transfer.
    • Define formal transition plans for all employees in at-risk key roles and their successors by leveraging your workforce and succession planning outputs, knowledge transfer strategy, and selected alternative work arrangements.

    Build an IT Succession Plan Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build an IT Succession Plan Deck – A step-by-step document that walks you through how to future-proof your IT team.

    Protect your team and organization from losses associated with departure of people from key roles. This blueprint will help you build an IT succession plan to ensure critical knowledge doesn’t walk out the door and continuity of business when people in key roles leave.

    • Build an IT Succession Plan Storyboard

    2. Critical Role Identifier – A tool to help you determine which roles are most critical to the success of your team.

    The purpose of this tool is to help facilitate a conversation around critical roles.

    • Critical Role Identifier

    3. Key Role Succession Planning Template – A tool that walks you through reviewing your talent, succession planning, and determining successor readiness.

    This tool will help IT leaders work through key steps in succession development for each employee in the team, and present summaries of the findings for easy reference and defensibility.

    • Key Roles Succession Planning Tool

    4. Role Profile Template – A template that helps you outline the minimum requirements for each critical role addressed in succession planning.

    This template is a guide and the categories can be customized to your organization.

    • Role Profile Template

    5. Individual Talent Profile Template – A template to assess an employee against the role profiles of critical roles.

    This profile provides the basis for evidence-based comparison of talent in talent calibration sessions.

    • Individual Talent Profile Template

    6. Role Transition Plan Template – A template to help you plan to implement knowledge transfer and alternative work arrangements.

    As one person exits a role and a successor takes over, a clear checklist-based plan will help ensure a smooth transition.

    • Role Transition Plan Template
    [infographic]

    Further reading

    INFO~TECH RESEARCH GROUP

    Build an IT Succession Plan

    Future-proof your IT team.


    Build an IT Succession Plan

    Future-proof your IT team.

    EXECUTIVE BRIEF

    Executive Summary

    Your Challenge

    Most organizations are unprepared for the loss of employees who hold key roles.

    • The departure of employees in key roles results in the loss of valuable knowledge, core business relationships, and profits.
    • Pending retirements in key roles create workforce risks and potentially impact business continuity.

    Planning and executing on key role transition can take years. CIOs should prepare now to mitigate the risk of loss later.

    		Common Obstacles
    • The number of organizations which have not engaged in succession planning is 56%; they haven’t identified at-risk key roles, or successors for those roles.
    • Analyzing key roles at the incumbent and successor level introduces real-life, individual-focused factors that have a major impact on role-related risk.
    		Info-Tech’s Approach
    • Plan for the transfer of critical knowledge held by key role incumbents.
    • Explore alternative work arrangements to ensure sufficient time to prepare successors.
    • Define formal transition plans for all employees in at-risk key roles and their successors.

    Info-Tech Insight

    Losing employees in key roles without adequate preparation hinders productivity, knowledge retention, relationships, and opportunities. Implement scalable succession planning to mitigate the risks.

    Most organizations are unprepared for the loss of employees who hold key roles

    Due to the atmosphere of uncertainty.

    Not only do they not have the right processes in place, but they are also ill-equipped to deal with the sheer volume of retirees in the future.

    Over 58% of organizations are unprepared for Baby Boomer retirement. Only 8% said they were very prepared.

    Pie chart with percentages of organizations who are prepared for Baby Boomer retirement.
    (Source: McLean & Company, 2013; N=120)

    A survey done by SHRM and AARP found similar results: 41% of HR professionals said their organizations have done nothing and don’t plan to do anything to prepare for a possible worker shortage as Boomers retire.

    (Source: Poll: Organizations Can Do More to Prepare for Talent Shortage as Boomers Retire)     		This means that three out of five organizations don’t know what skills they need for the future, or what their key roles truly are. They also have not identified at-risk key roles or successors for those roles.
    (Source: McLean & Company, 2013, N=120)

    To make matters worse, 74% of organizations have no formal process for facilitating knowledge transfer between individuals, so knowledge will be lost.

    Pie chart with percentages of organizations with a formal process for facilitating knowledge transfer.
    (Source: McLean & Company, 2013; N=120)

    Most organizations underestimate the costs associated with ignoring succession planning

    “In many cases, executives have no idea what knowledge they are losing.” (TLNT: Lost Knowledge – What Are You and Your Organization Doing About It?”)
    Objections to succession planning now: The risks of this mindset…
    “The recession bought us time to plan for Baby Boomer retirement.” Forty-two percent of organizations believe this to be true and may feel a false sense of security. Assume it takes three years to identify an internal successor for a key role, develop them, and execute the transition. Add the idea that, like most organizations, you don’t have a repeatable process for doing this. Do you still have enough time?
    “The skills possessed by my organization’s Baby Boomers are easy to develop in others internally.” Forty percent of organizations agree with this statement, but given the low rate of workforce planning taking place, most may not actually know the skills and knowledge they need to meet future business goals. These organizations may realize their loss too late.
    “We don’t have the time to invest in succession planning.” Thirty-nine percent of organizations cite this as an obstacle, which is a very real concern. Adopting a simple, scalable process that focuses on the most mission critical key roles will be easier to digest, as well as eliminate time wasted trying to recoup losses in the long run. The costs of not planning are much higher than the costs of planning.
    “We don’t know when our boomers plan to retire, so we can’t really plan for it.” The fact that 42% of organizations do not know employees’ retirement plans is proof positive that they’re operating blind. You can’t plan for something if you don’t have any information about what to plan for or the time frame you’re working against.
    “My organization puts a premium on fresh ideas over experience.” While nearly 45% of organizations prioritize fresh ideas, 50% value experience more. Succession planning and knowledge transfer are important strategies for ensuring experience is retained long enough for it to be passed along in the organization.

    Use Info-Tech’s tools and templates

    Talent Review

    Succession Planning

    Knowledge Transfer
    Key tools and templates to help you complete your project deliverables
    Key Roles Succession Planning Tool
    Critical Role Identifier
    Role Profile Template
    Individual Talent Profile Template    		 Key Roles Succession Planning Tool
    Role Profile Template
    Individual Talent Profile Template    		 Role Transition Plan Template
    Key Roles Succession Planning Tool
    Role Profile Template
    Individual Talent Profile Template
    Your completed project deliverables

    Critical Role Identifier

    Key Roles Succession Plan

    Key Role Profiles

    Individual Talent Profiles

    Key Role Transition Plans

    Ignoring succession planning could cause significant costs

    Losing knowledge will undermine your strategy in four ways:

    Inefficiency

    Inefficiency due to “reinvention of the wheel.” When workers leave and don’t effectively transfer their knowledge, duplication of effort to solve problems and find solutions occurs.

    		 Innovation

    Reduced capacity to innovate. Older workers know what works and what doesn’t, what’s new and what’s not. They can identify the status quo faster to make way for novel thinking.

    		 Competitive Advantage

    Loss of competitive advantage. Losing knowledge and/or established client relationships hurts your asset base and stifles growth.

    		Vulnerability

    Increased vulnerability. Losing knowledge can impede your organizational ability to identify, understand, and mitigate risks. You’ll have to learn through experience all over again.

    Succession planning improves performance by reducing the impact of sudden departures

    Business Continuity

    Succession planning limits disruption to daily operations and minimizes recruitment costs:

    • The average time to fill a vacant role externally in the US is approximately 43 days (Workable). Succession planning can reduce this via a talent pool of ready-now successors.
    		 Engagement & Retention

    Effective succession planning is a tool for engaging, developing, and retaining employees:

    • Of departing employees, 45% cite lack of opportunities for career advancement as the moderate, major, or primary reason they left (McLean & Company Exit Survey, 2018, N=7,530).
    		 Innovation & Growth

    Knowledge is a strategic asset, and succession planning can help retain, grow, and capitalize on it:

    • Retaining the experience and expertise of individuals departing from critical roles supports and enhances the quality of innovation (Harvard Business Review, 2008).

    Info-Tech’s approach

    Talent Review

    Conduct a talent review to identify key roles

    Short bracket.    		 Succession Planning

    Succession planning helps you assess which key roles are most at risk

    Long bracket.    		 Knowledge Transfer

    Utilize methods that make it easy to apply the knowledge in day-to-day practice.

    Long bracket.
    Identify Critical Roles Assess Talent Identify Successors Develop Successors Select Successors Identify Critical Knowledge Select Transfer Methods Document Role Transition Plans

    Future-Proofed IT Team
    • Business continuity
    • The right people, in the right positions, at the right time
    • Retention due to employee development & growth
    • IT success
    • Decreased impact of sudden departures
    • Improved performance

    Info-Tech’s methodology for building an IT succession plan

    1. Talent Review 2. Succession Planning 3. Knowledge Transfer
    Phase Steps
    1. Identify critical roles
    2. Assess talent
    1. Identify successor pool
    2. Develop successors
    3. Select successors
    1. Identify critical knowledge
    2. Select knowledge transfer methods
    3. Document role transition plans
    Phase Outcomes
    • Documented business priorities
    • Identified critical roles including required skills and knowledge that support achievement of business strategy
    • Key at-risk roles identified.
    • Potential successors for key roles identified.
    • Gap assessment between key role incumbents and potential successors.
    • Critical knowledge risks identified.
    • Appropriate knowledge transfer methods selected.
    • Documented knowledge transfer initiatives for key role transition plans.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting
    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is six to ten calls over the course of four to eight months.

    What does a typical GI on this topic look like?

    Phase 1

    Phase 2

    Phase 3
    Call #1: Scope requirements, objectives, and your specific challenges. Call #2:Review business priorities and clarify criteria weighting.

    Call #3: Review key role criteria. Explain information collection process.

    		 Call #4: Review risk and readiness assessments.

    Call #5: Analyze gaps between key roles and successors for key considerations.

    		 Call #6: Feedback and recommendations on critical knowledge risks.

    Call #7: Review selected transfer methods.

    		 Call #8: Analyze role transition plans for flags.

    Build an IT Succession Plan

    Phase 1

    Talent Review

    Phase 1

    1.1 Identify Critical Roles

    1.2 Assess Talent

    		 Phase 2

    2.1 Identify Successors

    2.2 Develop Successors

    2.3 Select Successors

    		 Phase 3

    3.1 Identify Critical Knowledge

    3.2 Select Transfer Methods

    3.3 Document Role Transition Plan

    This phase will walk you through:

    • Identifying your business priorities
    • Identifying your critical roles including required skills and knowledge that support achievement of business strategy

    Tools and resources used:

    • Key Roles Succession Planning Tool
    • Key Role Profile
    • Individual Talent Profile
    • Critical Role Identifier

    This phase involves the following participants:

    • IT leadership/management team
    • HR

    Conduct a talent review to identify key roles

    Sixty percent of organizations have not engaged in formal workforce planning, so they don’t know what skills they need or what their key roles truly are. (Source: McLean & Company, 2013; N=139)
    1. A talent review ensures that each work unit has the right people, in the right place, at the right time to successfully execute the business strategy.
    2. Only 40% of organizations have engaged in some form of workforce planning.
    3. The first step is to identify your business focus; with this information you can start to note the key roles that drive your business strategy.

    Key roles

    Where an organization’s most valued skills and knowledge reside

    Organizations should prepare now to mitigate the risk of loss later.

    Key roles are:

    • Held by the most senior people in the organization, who carry the bulk of leadership and decision-making responsibility.
    • Highly technical or specialized, and therefore difficult to replace.
    • Tied closely to unique or proprietary processes or possess knowledge that cannot be procured externally.
    • Critical to the continuation of business and cannot be left vacant without risking business operations.

    Info-Tech Insight

    Losing employees in key roles without adequate preparation for their departure has a direct impact on the bottom line in terms of disrupted productivity, lost knowledge, severed relationships, and missed opportunities.

    		A tree of key roles, starting with CEO and branching down.

    Identifying key roles is the first step in a range of workforce management activities because it helps establish organizational needs and priorities, as well as focusing planning effort.

    A talent review allows you to identify the knowledge and skills you need today and for the long term.

    Knowing what you need is the first step in determining what you have and what you need to keep.

    • A talent review is an analytic planning process used to ensure a work unit has the right people, in the right place, at the right time, and for the right cost in order to successfully execute its business strategy. It allows organizations to:
    • Evaluate workforce demographics, review skills, and conduct position inventories.
    • Evaluate business continuity risk from a talent perspective by identifying potential workforce shortages.
    • Identify critical positions, critical skills for each position, and percentage of critical workers retiring to assess the potential impact of losing them.
    • Look at the effect of loss on new product development, revenues, costs, and business strategic objectives.

    Caution

    A talent review is a high-level planning process which does not take individual employees into consideration. Succession planning looks at individuals and will be discussed in Phase 2.

    A talent review gets you to think in terms of:

    • Where your organization wants to be in five years.
    • What skills the organization needs to meet business goals between now and then.
    • How it can be best positioned for the longer-term future.

    Note: Planning against a time frame longer than five years is difficult because uncertainty in the external business environment will have unforeseen effects. Revisit your plan annually and update it, considering changes.

    Step 1.1

    Identify critical roles

    Activities
    • 1.1.1 Document Business Priorities, Goals, and Challenges
    • 1.1.2 Clarify Key Role Criteria and Weighting
    • 1.1.3 Evaluate Role Importance
    • 1.1.4 Key Role Selection and Comparison
    • 1.1.5 Capture Key Elements of Critical Roles

    The primary goal of this step is to ensure we have effectively identified key roles based on business priorities, goals, and challenges, and to capture the key elements of critical roles.

    Outcomes of this step

    • Documented business priorities, goals, and challenges.
    • Key elements of critical roles captured.
    • Key role criteria and weighting.
    Talent Review
    Step 1.1 Step 1.2

    Business priorities will determine the knowledge and skills you value most

    Venn diagram of business priorities: 'Customer Focus', 'Operational Focus', and 'Product Focus'.
    Note: Most organizations will be a blend of all three, with one predominating    		 “I’ve been in the position where the business assumes everyone knows what is required. It’s not until you get people into a room that it becomes clear there is misalignment. It all seems very intuitive but in a lot of cases they haven’t made the critical distinctions regarding what exactly the competencies are. They haven’t spent the time figuring out what they know.” (Anne Roberts, Principal, Leadership Within Inc.)

    1.1.1 Document business priorities

    Input: Business strategic plan

    Output: Completed workforce planning worksheet (Tab 2) of the Key Roles Succession Planning Tool

    Materials: Key Roles Succession Planning Tool

    Participants: IT leadership

    Start by identifying your business priorities based on your strategic plan. The goal of this exercise is to blast away assumptions and make sure leadership has a common understanding of your target.

    With the questions on the previous slide in mind document your business priorities, business goals, and business challenges in Tab 2 of the Key Roles Succession Planning Tool worksheet.

    Get clear answers to these questions:

    • Are we customer focused, product focused, or operationally focused? In other words, is your organization known for:
      • Great customer service or a great customer experience?
      • The lowest price?
      • Having the latest technology, or the best quality product?
    • What are our organizational/departmental business goals? To improve operational effectiveness, are we really talking about reducing operational costs?
    • What are the key business challenges to address within the context of our focus?

    Key Roles Succession Planning Tool

    Clarify what defines a key role

    A key role is crucial to achieving organizational objectives, drives business performance, and includes specialized and rare competencies. Key roles are high in strategic value and rarity – for example, the developer role for a tech company.
    Chart with axes 'Rarity' and 'Strategic Value'. Lowest in both are 'Supporting Roles', Highest in both are 'Critical Roles', and the space in the middle are 'Core Roles'. Look at two dimensions when examining roles:
    • Strategic value refers to the importance of the role in keeping the organization functioning and executing on the strategic objectives.
    • Rarity refers to how difficult it is to find and develop the competencies in the role.

    Info-tech insight

    Traditionally, succession planning has only addressed top management roles. However, until you look at the evidence, you won’t know if these are indeed high-value roles, and you may be missing other critical roles further down the hierarchy.

    Use the Critical Role Identifier to facilitate the identification of critical roles with your leaders.

    1.1.2 Clarify key role criteria & weighting

    Input: Business strategic plan

    Output: Weighted criteria to help identify critical roles

    Materials: Critical Role Identifier

    Participants: IT leadership

    1. Using Tab 2 of the Critical Role Identifier tool, along with the information on the previous slide, determine the relative importance of four criteria as contributing to the importance of a role within the organization.
    2. Rate each of the four criteria: strategic value, rarity, revenue generation, business/operation continuity, and any custom criteria numerically. You might choose only one or two criteria – they all do not need to be included.
    3. Document your decisions in Tab 2 of the Critical Role Identifier.

    Critical Role Identifier

    1.1.3 Evaluate role importance

    Input: List of IT roles

    Output: Full list of roles and a populated Critical Role Selection sheet (Tab 4)

    Materials: Critical Role Identifier

    Participants: IT leadership

    1. Using Tab 3 of the Critical Role Identifier, collect information about IT roles.
    2. Start by listing each role under consideration, and its department or subcategory.
    3. For each criteria statement listed across the top of the sheet, select an option from the drop-down menu to reflect the appropriate answer scale rating. Replace the text in grey with information customized to your team. If criteria has a weighting of zero in Tab 2, the questions associated with that criteria will be greyed out and do not have to be answered.

    Critical Role Identifier

    Identify the key roles that support and drive your business priorities

    Focus on key IT roles instead of all roles to save time and concentrate effort on your highest risk areas.

    Key Roles include:

    • Strategic Roles: Roles that give the greatest competitive advantage. Often these are roles that involve decision-making responsibility.
    • Core Roles: Roles that must provide consistent results to achieve business goals.
    • Proprietary Roles: Roles that are tied closely to unique or proprietary internal processes or knowledge that cannot be procured externally. These are often highly technical or specialized.
    • Required Roles: Roles that support the department and are required to keep it moving forward day-to-day.
    • Influential Roles: Positions filled by employees who are the backbone of the organization, the go-to people who are the corporate culture.
    		 Ask these questions to identify key roles:
    1. What are the roles that have a significant impact on delivering the business strategy?
    2. What are the key differentiating roles for our organization?
    3. Which roles, if vacant, would leave the organization open to non-compliance with regulatory or legal requirements?
    4. Which roles have a direct impact on the customer?
    5. Which roles, if vacant, would create system, function, or process failure for the organization?

    1.1.4 Key role selection and comparison

    Input: Tab 3 of the Critical Role Identifier

    Output: List of roles from highest to lowest criticality score, List of key roles entered in Tab 2 of the Key Roles Succession Planning Tool

    Materials: Critical Role Identifier, Key Roles Succession Planning Tool

    Participants: IT leadership

    1. Using tab 4 of the Critical Role Identifier, which displays the results of the role importance evaluation, review the weighted criticality score. To add or remove roles or departments make changes on Tab 3.
    2. Use this table to see the scores and roles from highest to lowest based on your weightings and scoring.
    3. In column J, classify the roles as critical, core, or supporting based on the weighted overall score and the individual criteria scores.
      1. Critical – is crucial to achieving organizational objectives, drives business performance, and includes specialized and rare skills.
      2. Core – is related to operational excellence. Highly strategically valuable but easy to find or develop.
      3. Supporting – is important in keeping business functioning; however, the strategic value is low. Competencies are easy to develop.
    4. Once you’ve selected the key roles, transfer them into Tab 2 of the Key Roles Succession Planning Tool worksheet where you have documented your business priorities.

    Critical Role Identifier

    Key Roles Succession Planning Tool

    1.1.5 Capture key elements of critical roles

    Input: Job descriptions, Success profiles, Competency profiles

    Output: List of required skills and knowledge for key roles, Role profiles documented for key roles

    Materials: Key Roles Succession Planning Tool, Role Profile Template

    Participants: IT leadership

    1. Document the minimum requirements for critical roles in column E and F of Tab 2 of the Key Roles Succession Planning Tool. Include elements that drive talent decisions, are measurable, and are oriented to future organizational needs.
    2. Consider how leadership competencies and technical skills tie to business expansion plans, new service offerings, etc.
    3. Use the Role Profile Template to help in this process and to maintain up-to-date information.
    4. Role profiles may be informed by existing job descriptions, success profiles, or competency profiles.
    5. Conduct regular maintenance on your role profiles. Outdated and inaccurate role-related information can make succession planning efforts ineffective.

    Key Roles Succession Planning Tool

    Role Profile Template

    Case Study

    Conduct a “sanity check” by walking through a checklist of all roles to ensure you haven’t missed anything.
    INDUSTRY
    Large Provincial Hospital
    SOURCE
    Payroll Manager
    Challenge
    • Key roles may not be what you think they are.
    • The Payroll Manager of a large Provincial hospital, with 20-year tenure, announced her retirement.
    • Throughout her tenure, this employee took on many tasks outside the scope of her role, including pension calculations/filings and other finance-related tasks that required a high level of specialized knowledge of internal systems.
    		 Solution
    • Little time or effort was placed on fully understanding what she did day-to-day.
    • Furthermore, the search for a replacement was left far too late, which meant that she vacated the role without training a replacement.
    • Low level roles can become critical to business continuation if they’re occupied by only one person, creating a “single point of failure” if they become vacant.
    		 Results
    • It wasn’t until after she left that it became obvious how much extra work she was doing, which made it nearly impossible to find a replacement.
    • Her manager found a replacement to take the payroll duties but had to distribute the other duties to colleagues (who were very unhappy about the extra tasks).
    • This role may not seem like a “key role,” but the incumbent turned it into one. Keep tabs on what people are working on to avoid overly nuanced role requirements.

    Step 1.2

    Assess talent

    Activities
    • 1.2.1 Identify Current Incumbents’ Information
    • 1.2.2 Identify Potential Successors and Collect Information

    The primary goal of this step is to assess departmental talent and identify gaps between potential successors and key roles. This analysis is intended to support departmental access to suitable talent ensuring future business success.

    Outcomes of this step

    • Collection of current incumbents’ information.
    • Collection of potential successor information.
    • Gap assessment.

    Talent Review

    Step 1.1 Step 1.2

    Find out key role incumbents’ career plans

    Have career discussions with key role incumbents

    • Do not ask employees directly about their retirement plans as this can be misconstrued as age discrimination – let them take the initiative.
    • To take the spotlight away from older workers and potential feelings of discrimination, supervisors should be having these discussions with their employees at least annually.
    • Having this discussion creates an opportunity for employees to share their retirement plans, if they have any.
    • Warning: This is not the time to make promises about the future. For example, alternative work arrangements cannot be guaranteed without further analysis and planning.
    		 Do the following:
    1. Book a meeting with employees and ask them to prepare for a career development discussion.
    2. Ask direct questions about motivation, lifestyle preferences, and passions.
    3. Spend the time to understand your employees’ goals and their development needs.
    If an employee discloses that they plan to leave within the next few years:
    1. Gather information about approximate exit dates (non-binding).
    2. Find out their opinions about how they would like to transition out of their role, including any alternative work arrangements they would like to pursue.

    Potential questions to ask during career discussions with key role incumbents

    • Where do you see yourself in five years?
    • What role would you see yourself in after this one?
    • What gets you excited about coming to work?
    • Describe your greatest strengths. How would you like to use those strengths in the future?
    • What is standing in the way of your career goals?
    ** Do not ask employees directly about their retirement plans as this can be misconstrued as age discrimination – let them take the initiative.**    		 Stock photo of a smiling employee with grey hair.

    1.2.1 Identify current incumbents' information

    Input: Key roles list, Employee information

    Output: List of key roles with individual incumbent information

    Materials: Key Roles Succession Planning Tool – Succession Plan Worksheet (Tab 3)

    Participants: IT leadership/management team, HR, Current incumbents if necessary

    Identify current incumbents for all key roles and collect information about them.

    Using Tab 3 of the Key Roles Succession Planning Tool identify the incumbent (the person currently in the role) for all key roles.

    Distribute the worksheet to department managers and team leaders to complete the information below for each key role.

    For that incumbent, also document:

    1. Their time in that role.
    2. Their overall performance in current role (does not meet, meets, or exceeds expectations).
    3. Next step in career (target role or retirement).
    4. Time until exit from the current role (known or estimated).
    5. Development needs for next step in career.
    6. Any additional knowledge and skills they possess beyond the role description that is of value to the organization.

    Upon completion, managers and team leaders should review the results with the department leader.

    Key Roles Succession Planning Tool

    Identify potential successors for all key roles

    It’s imperative that multiple sources of information are used to ensure no potential successor is missed and to gain a complete candidate picture.

    Work collaboratively with the management team and HR business partners for names of potential successors.

    The management team includes:

    • The incumbent’s direct supervisor.
    • Managers from the department in which the key role exists.
    • Leaders of teams with which potential successors have worked.
    • The key role incumbent (assuming it’s appropriate to do so).

    Use management roundtable discussions to identify and analyze each potential successor.

    • Participants should come equipped with names of potential successors and be prepared to provide a rationale for their recommendation.
    • Provide all participants with the key role job description in advance of the meeting, including responsibilities and required knowledge and skills.

    Don’t confuse successors with high potentials!

    • Identifying high potential employees involves recognizing those employees who consistently outperform their peers, progress more quickly than their peers, and live the company culture. They are usually striving for leadership roles.
    • While you also want your successors to exemplify these qualities of excellence, succession planning is specifically about identifying the employees who currently possess (or soon will possess) the skills and knowledge required to take over a key role.
    • Remember: Key roles are not limited to leadership roles, so cast a wider net when identifying succession candidates.
    See the following slide for sources of information participants should consult to back up their recommendations and vet succession candidates.

    Determine how employees will be identified for talent assessment

    Description Advice
    Management-nominated employees
    • Managers or skip-level leaders nominate potential successors within or outside their team.
    • Limit bias by requiring management nominations to be based on specific evidence of performance and potential.
    High-potential employees (HiPos)
    • Consider employees who are in an existing high-potential program.
    • Determine whether the HiPo program sufficiently assesses for critical role requirements. Successors must possess the skills and knowledge required for specific critical roles. Expand assessment beyond just HiPo.
    Self-nominated employees
    • Employees are informed about succession planning and asked to indicate their interest in critical roles.
    • Train managers to support the program and to handle difficult conversations (e.g. employee submitted self-nomination and was unsuccessful).
    All employees
    • All employees across a division, geography, function, or leadership level are invited for assessment.
    • While less common, this approach is appropriate for highly inclusive cultures. Be prepared to invest significantly more time and resources.
    When identifying employees, keep the following advice in mind:

    Widen the net

    Don’t limit yourself to the next level down or the same functional group.

    Match transparency

    With less transparency, there are fewer options, and you risk missing out on potential successors.

    Select the appropriate talent assessment methods

    Identify all talent assessment types used in your organization and examine their ability to inform decision-making for critical role assignments. Select multiple sources to ensure a robust talent assessment approach:

    A sound talent assessment methodology will involve both quantitative and qualitative components. Multiple data inputs and perspectives will help ensure relevant information is prioritized and suitable candidates aren’t overlooked.

    However, beware that too many inputs may slow down the process and frustrate managers.

    Beware of biases in talent assessments. A common tendency is for people to recommend successors who are exactly like them or who they like personally, not necessarily the best person for the job. HR must (diplomatically) challenge leaders to use evidence-based assessments.

    Good Successor Information Sources

    • 360-Degree Feedback – (breadth and accuracy)
    • HR-led Interviews – (objectivity and confirmation)
    • Talent Review Meetings – (leadership input)
    • Stretch Assignments – (challenge comfort zones)
    • Competency-Based Aptitude Tests – (objective data)
    • Job Simulations – (real-life testing)
    • Recent Performance Evaluations – (predictor of future performance)

    Prepare to customize the Individual Talent Profile Template

    Ensure the role profile and individual talent profile are synchronized to enable comparing employee qualifications and readiness to critical role requirements. Sample of the Role Profile.

    Role Profile

    A role profile contains information on the skills, competencies, and other minimum requirements for the critical role. It details the type of incumbent that would fit a critical role.    		 Stock image of a chain link.

    Use both in conjunction during:

    • Talent assessment
    • Successor identification
    • Successor development
    • Successor selection
    		 Sample the Individual Talent Profile.

    Individual Talent Profile

    A talent profile provides information about a person. In addition to responding to role profile criteria, it provides information on an employee’s past experiences and performance, career aspirations, and future potential.

    1.2.2 Identify Potential Successors’ Information

    Input: Key roles list, Employee information, Completed role profiles and/or Tab 2 role information.

    Output: List of potential successors for key roles that are selected for talent assessment

    Materials: Key Roles Succession Planning Tool – Succession Plan Worksheet (Tab 3)

    Participants: IT leadership, IT team leads, Employees

    Identify potential successors for key roles and collect critical information.

    Have managers and team leads complete column I on Tab 3 of the Key Roles Succession Planning Tool and review with the department leader.

    There may be more than one potential successor for key roles; this is okay.

    Once the list is compiled, complete an individual talent profile for each potential successor. Record an employee’s:

    1. Employee information
    2. Career goals
    3. Experience and education
    4. Achievements
    5. Competencies
    6. Performance
    7. Any assessment results

    Once the profiles are completed, they can be compared to the role profile to identify development needs.

    Key Roles Succession Planning Tool

    Individual Talent Profile Template

    Build an IT Succession Plan

    Phase 2

    Succession Planning

    Phase 1

    1.1 Identify Critical Roles

    1.2 Assess Talent

    		Phase 2

    2.1 Identify Successors

    2.2 Develop Successors

    2.3 Select Successors

    		Phase 3

    3.1 Identify Critical Knowledge

    3.2 Select Transfer Methods

    3.3 Document Role Transition Plan

    This phase will walk you through how to:

    • Conduct an assessment to identify “at risk” key role incumbents.
    • Identify potential successors for key roles and collect critical information.
    • Assess gaps between key role incumbents and potential successors.

    Tools and resources used:

    • Key Roles Succession Planning Tool
    • Key Role Profile
    • Individual Talent Profile

    This phase involves the following participants:

    • IT leadership/management team
    • HR

    Succession planning helps you assess which key roles are most at risk

    Drilling down to the incumbent and successor level introduces “real life,” individual-focused factors that have a major impact on role-related risk.

    Succession planning is an organizational process for identifying and developing talent internally to fill key business roles. It allows organizations to:

    • Understand the career plans of employees to allow organizations to plan more accurately.
    • Identify suitable successors for key roles and assess their readiness.
    • Mitigate risks to long-term business continuity and growth.
    • Avoid external replacement costs including headhunting and recruitment, HR administration, and productivity loss.
    • Retain internal tacit knowledge.
    • Increase engagement and retention; keeping talented people reinforces career path opportunities and builds team culture.

    Caution:

    Where the talent review was about high-level strategic planning for talent requirements, succession planning looks at individual employees and plans for which employees will fulfill which key roles next.    		 “I ask the questions, What are the risks we have with these particular roles? Is there a way to disperse this knowledge to other members of the group? If yes, then how do we do that?” (Director of HR, Service Industry)

    Succession planning ultimately must drill down to individual people – namely, the incumbent and potential successors.

    This is because individual human beings possess a unique knowledge and skill set, along with their own personal aspirations and life circumstances.

    The risks associated with a key role are theoretical. When people are introduced into the equation, the “real life” risk of loss for that key role can change dramatically.

    Succession Planning

    Funnel titled 'Succession Planning' with 'Critical Roles' at the top of the funnel, 'Critical Knowledge and Skills' as the middle of the funnel, 'Individuals' as the bottom of the funnel, and it drains into 'Incumbent's Potential Successors'.

    Step 2.1

    Identify Successors

    Activities
    • 2.1.1 Conduct Individual Risk Assessment
    • 2.1.2 Successor Readiness Assessment

    This step highlights the relative positioning of all employees assessed for departure risk compared to the potential successors’ readiness, identifying gaps that create risk for the organization, and need mitigation strategies.

    Outcomes of this step

    • Individual risk assessment results – mitigate, manage, accept matrix.
    • Potential successor readiness ranking.
    • Determination on transparency level with successors.

    Succession Planning

    Step 2.1 Step 2.2 Step 2.3

    Decide how to obtain information on employee interest in critical roles

    Not all employees may want to be considered as part of the succession planning program. It might not fit their short- or long-term plans. Avoid misalignment and outline steps to ascertain employee interest.

    Transparency

    • Use your target transparency level to:
      • Determine the degree of employees’ participation in self-assessment.
      • Guide organization-wide and targeted messaging about succession planning (see Step 3).

    Timing

    • Ensure program-level communication has occurred before asking employees about their interests in critical roles, in order to garner more trust and engagement.
    • Decide at what point along the succession planning process (if at all) that employee’s career interests will be collected and incorporated.

    Manager accountability and resources

    • Identify resources needed for managers to conduct targeted career conversations with employees (e.g. training, communication guides, key messaging).
    • If program communication is to be implemented organization-wide, approach accordingly.

    Obtaining employee interest ensures process efficiency because:

    • Time isn’t wasted focusing on candidates who aren’t interested.
    • The assessment group is narrowed down through self-selection.

    Level-set expectations with employees:

    • Communicate that they will be considered for assessment and talent review discussions.
    • Ensure they understand that everyone assessed will not necessarily be identified or selected as a successor.

    Conduct a risk assessment

    Identify key role incumbents who may leave before you’re ready.

    Pay particular attention to those employees nearing retirement and flag them as high risk.

    Understand the impact that employee age has on key role risk. Keep the following in mind when filling out the Individual Risk Assessment of the Key Roles Succession Planning Tool. See the next slide for more details on this.
    High Risk Arrow pointing both ways vertically. Anyone 60 years of age or older, or anyone who has indicated they will be retiring within five years.
    Moderate Risk Employees in their early 50s are still many years away from retirement but have enough years remaining in their career to make a significant move to a new role outside of your organization. Furthermore, they have specialized skills making them more attractive to external organizations.
    Employees in their late 50s are likely more than five years away from retirement but are also less likely than younger employees to leave your organization for another role elsewhere. This is because of increasing personal risk in making such a move, and persistent employer unwillingness to hire older employees.
    Low Risk Technically, when it comes to succession planning for key roles held by employees over the age of 50, no one should be considered “low risk for departure.
    		Pull some hard demographic data.

    Compile a report that breaks down employees into age-based demographic groups.

    Flag those over the age of 50 – they’re in the “retirement zone” and could decide to leave at any time.

    Check to see which key role incumbents fall into the “over 50” age demographic. You’ll want to shortlist these people for an individual risk assessment.

    Update this report twice a year to keep it current.

    For those people on your shortlist, gather the information that supervisors gained from the career discussions that took place. Specifically, draw out information that indicates their retirement plans.

    2.1.1 Conduct Individual Risk Assessment

    Input: Completed Succession Plan worksheet

    Output: Risk assessment of key role incumbents, understanding of which key role departures to manage, mitigate, and accept

    Materials: Key Roles Succession Planning Tool – Individual Risk Assessment (Tab 4), Key Roles Succession Planning Tool – Risk Assessment Results (Tab 5)

    Participants: IT leadership/management team

    Assign values for probability of departure and impact of departure using the Key Roles Succession Planning Tool.

    For those in key roles and those over 50, complete the Individual Risk Assessment (Tab 4) of the Key Roles Succession Planning Tool:

    1. Assess each key role incumbent’s probability of departure based on your knowledge. If the person is going to another job, is a known flight risk, or faces dismissal, the probability is high.
      • 0-40: Unlikely to Leave. If the employee is new to the role, highly engaged, or a high potential.
      • 41-60: Unknown. If the employee is sending mixed messages about happiness at work, or sending no messages, it may be difficult to guess.
      • 61-100: Likely to Leave. If the employee is nearing retirement, actively job searching, disengaged, or faces dismissal, then the probability of departure is high.
    2. Assess the role and the individual’s impact of departure on a scale of 1 (no impact) to 100 (devasting impact).
    3. Review the risk assessment results on tab 5 of the planning tool. The employees that appear in the mitigate quadrant are your succession planning priorities.

    Key Roles Succession Planning Tool

    Define readiness criteria for successor identification

    1. Select the types of readiness and the number of levels:

      Readiness by time horizon:

      • Successors are identified as ready based on how long it is estimated they will take to acquire the minimum requirements of the critical role.
      • Levels example: Ready Now, Ready in 1-2 Years, Ready in 3-5 Years.

      Readiness by moves:

      • Successors are identified as ready based on how many position moves they have made or how many developmental experiences they have had.
      • Levels example: Ready Now, Ready after 1 Move, Ready after 2 Moves.
    2. Create definitions for each readiness level:
      Example:

      Performance

      Potential
      Ready Now Definition: Ability to deliver in current role Requirement: Meets or exceeds expectations Definition: Ability to take on greater responsibility Requirement: Demonstrates learning agility
      The 9-box is an effective way to map performance and potential requirements and can guide management decision making in talent review and calibration sessions. See McLean & Company’s 9-Box Job Aid for more information. Sample of the 9-Box Job Aid, a 9-field matrix with axes 'Potential: Low to High' and 'Performance: Low to High'.
      “Time means nothing. If you say someone will be ready in a year, and you’ve done nothing in that year to develop them, they won’t be ready. We look at it as moves or experiences: ready now, ready in one move, ready in two moves.” (Amanda Mathieson, Senior Manager, Talent Management, Tangerine)

    2.1.2 Successor Readiness Assessment

    Input: Individual talent profiles, List of potential successors (Tab 3)

    Output: Readiness ranking for each potential successor

    Materials: Key Roles Succession Planning Tool

    Participants: IT leadership/management team

    Assign values for probability of departure and impact of departure using the Key Roles Succession Planning Tool.

    Using Tab 6 of the Key Roles Succession Planning Tool, evaluate the readiness of each potential successor that you previously identified.

    1. Enter the name, current role, and target role of each potential successor into the spreadsheet.
    2. For each employee, fill in a response from “strongly agree” to “strongly disagree” for the assessment criteria statements listed in column B of Tab 6. This will give you a readiness ranking in row 68.

    Key Roles Succession Planning Tool

    Decide if and how successors will be told about their status in the succession plan

    1. Decide if employees will be told. Be as transparent as possible. This will provide several benefits to your organization (e.g. higher engagement, retention) while managing potential risks (e.g. perception that the process is unfair, reducing motivation to perform).
    2. Decide who will tell them. Decide based on the culture of your organization; are official communications usually conveyed through the direct manager, HR, senior leaders, or steering committee?
    1. Determine how you will tell them.

      Suggested messaging to non-successors:

      • Not being identified as a successor does not mean that an employee is not valued by the organization, nor does it indicate the employee will be let go. It simply means that the organization needs a backup plan to manage risk.
      • Employees can still develop toward a critical role they are interested in, and the organization will continue to evaluate whether they can be a potential successor.
      • It is the employee’s responsibility to own their development and communicate to their manager any interest they have in critical roles.

      Suggested messaging to successors:

      • Being identified as a successor is an investment in employee development – not a guaranteed promotion.
      • Successor status may change based on changes to the critical role itself, or if performance is not on par with expectations.
      • The organization strives to be as fair and objective as possible through evidence-based assessments of performance and potential.

    Case Study

    Failing to have a career aspiration discussion with a potential successor leaves a sales director in a bind.

    INDUSTRY
    Professional Services
    SOURCE
    Confidential
    Challenge
    • A senior sales director in a medium-sized private company knew there would be a key management opportunity opening up in six months. He had one candidate in mind: a key contributor from the sales floor.
    • The sales manager assumed that the sales representative would want the management position and began planning the candidate’s required training in order to get him ready.
    		 Solution
    • Three months before the position opened up, the manager finally approached the representative about the opportunity, telling the representative that he was an excellent candidate for the role.
    • However, the sales representative was not interested in managing people. He wanted to come in, do a really great day’s worth of work, and then go home and be done. He already loved what he did.
    		Results
    • The sales representative turned down the offer point blank, leaving the manager with less than three months to find and groom a new internal successor.
    • The manager failed on several fronts. First, he did not ask the employee about his career aspirations. Second, he did not groom a pool of potential successors for the role, affording no protection in the event that the primary candidate couldn’t or wouldn’t assume the role.

    Step 2.2

    Develop Successors

    Activities
    • 2.2.1 Outline Successor Development Process

    The primary goal of this step is to identify the steps that need to be taken to develop potential successors. Focus on training employees for their future role, not just their current one.

    Outcomes of this step

    • Identified gaps between key role exits and successor readiness.

    Succession Planning

    Step 2.1 Step 2.2 Step 2.3

    2.2.1 Outline Successor Development Process

    Input: Role profiles, Talent profiles, Talent assessments

    Output: Identified gaps between key role exits and successor readiness

    Materials: Key Roles Succession Planning Tool – Successor Identification (Tab 7)

    Participants: IT leadership/management team

    Prepare successors for their next role, not just their current one.

    Use role and talent profiles and any talent assessment results to identify gaps for development.

    1. Outline the steps involved in the individual development planning process for successors. Key steps include identifying development timeline, learning needs, learning resources and strategies, and accomplishment metrics/evidence.
    2. Identify learning elements successor development will involve based on critical role type. For example, coaching and/or mentoring, leadership training, functional skills training, or targeted experiences/projects.
    3. Select metrics with associated timelines to measure the progress of successor development plans. Establish guidelines for employee and manager accountability in developing prioritized competencies.
    4. Determine monitoring cadence of successor development plans (i.e. how often successor development plans will be tracked to ensure timely progress). Identify who will be involved in monitoring the process (e.g. steering committee).

    Info-Tech insight

    Succession planning without integrated efforts for successor development is simply replacement planning. Get successors ready for promotion by ensuring a continuously monitored and customized development plan is in place.

    Integrate knowledge transfer in the successor development process

    1

    		 Brainstorm ideas to encourage knowledge-sharing and transfer from incumbent to successor.

    2

    		 Integrate knowledge-transfer methods into the successor development process.
    Identify key knowledge areas to include:
    • Specialized technical knowledge
    • Specialized research and development processes
    • Unique design capabilities/methods/models
    • Special formulas/algorithms/techniques
    • Proprietary production processes
    • Decision-making criteria
    • Innovative sales methods
    • Knowledge about key customers
    • Relationships with key stakeholders
    • Company history and values
    		 Use multiple methods for effective knowledge transfer.

    Explicit knowledge is easily explained and codified, such as facts and procedures. Knowledge transfer methods tend to be more formal and one-way. For example:

    • Formal documentation of processes and best practices
    • Self-published knowledgebase
    • Formal training sessions

    Tacit knowledge accumulates over years of experience and is hard to articulate. Knowledge transfer methods are often informal and interactive. For example:

    • Mentoring and job shadowing
    • Multigenerational work teams
    • Networks and communities
    Knowledge transfer can occur via a wide range of methods that need to be selected and integrated into daily work to suit the needs of the knowledge to be transferred and of the people involved. See Phase 3 for more details on knowledge transfer.

    Step 2.3

    Select Successors

    The goal of this step is to determine how critical roles will be filled when vacancies arise.

    Outcomes of this step

    • Agreement with HR on the process to fill vacancies when key roles exit.

    Succession Planning

    Step 2.1 Step 2.2 Step 2.3

    Determine how critical roles will be filled when vacancies arise

    Choose one of two approaches to successor selection:
    • Talent review meeting:
      • Conduct a talent review meeting with functional leaders to discuss key open positions and select the right successors. Ascertain successor interest prior to the meeting, if not obtained already.
      • If multiple successors are ready now, use both role and talent profiles to arrive at a final decision.
      • If only one successor is ready now, outline steps for their promotion process. Which leaders should be involved for final approval? What is TA’s role?
    • Talent acquisition (TA) process:
      • Align with TA to implement a formal recruitment process to select the right successor (open application and interview process to talent pool).
      • Decide if a talent review meeting is required afterwards to agree on the final successor or if the interview panel will make the final decision.

    Work together with Talent Acquisition (TA) to outline special treatment of critical role vacancies. Ensure TA is aware of succession plan(s).

    Explicitly determine the level of preference for internal successors versus external hires to your TA team to ensure alignment. This will create an environment where promotion from within is customary.

    Build an IT Succession Plan

    Phase 3

    Knowledge Transfer

    Phase 1

    1.1 Identify Critical Roles

    1.2 Assess Talent

    		Phase 2

    2.1 Identify Successors

    2.2 Develop Successors

    2.3 Select Successors

    		Phase 3

    3.1 Identify Critical Knowledge

    3.2 Select Transfer Methods

    3.3 Document Role Transition Plan

    This phase will show you to:

    • Identify critical knowledge risks.
    • Select appropriate transfer methods.
    • Document knowledge transfer initiatives for key role transition plans.

    Tools and resources used:

    • Role Transition Plan Template

    This phase involves the following participants:

    • IT leadership/management team
    • HR
    • Incumbent & successor managers

    Mitigate risk – formalize knowledge transfer

    Use Info-Tech’s Mitigate Key IT Employee Knowledge Loss blueprint to build and implement your knowledge transfer plan.

    Effective knowledge transfer allows organizations to:
    • Maintain or improve speed and productivity by ensuring the right people have the right skills to do their jobs well.
    • Increase agility because knowledge is more evenly distributed amongst employees. Multiple people can perform a given task and no one person becomes a bottleneck.
    • Capture and sustain knowledge; creating a knowledge database provides all employees access to the information, now and in the future.
    		 Knowledge transfer between those in key roles and potential successors yields the highest dividends for:
    • Senior level successions.
    • External hires.
    • Senior expatriate transfers.
    • Developmental stretch assignments.
    • Internal cross-divisional transfers and promotions.
    • High organizational dependency on unique expert knowledge.
    • Critical function/project/team transitions.
    • Large scale reorganizations and mergers & acquisitions.
    (Source: Piktialis and Greenes, 2008)    		 Sample of the Mitigate Key IT Employee Knowledge Loss blueprint.

    Mitigate Key IT Employee Knowledge Loss

    Knowledge transfer is complex and must be both multi-faceted and well supported

    Knowledge transfer is the capture, organization, and distribution of knowledge held by individuals to ensure that it is accessible and usable by others.

    Knowledge transfer is not stopping, learning, and returning to work. Nor is it simply implementing a document management system. Arrow pointing right. Knowledge transfer is a wide range of methods that must be carefully selected and integrated into daily work in order to meet the needs of the knowledge to be transferred and the people involved.

    Knowledge transfer works best when the following techniques are applied

    • Use multiple methods and media to transfer the knowledge.
    • Ensure a two-way interaction between the knowledge source and recipient.
    • Support knowledge transfer with active mentoring.
    • Transfer knowledge at the point of need; that is, when it’s immediately useful.
    • Offer experience-oriented training to reinforce knowledge absorption.
    • Use a knowledge management system to permanently capture knowledge shared.
    		 Personalization is the key.

    Dwyer & Dwyer say that providing “insights to a particular person (or people) needing knowledge at the time of the requirement” is the difference between knowledge transfer that sticks and knowledge that is forgotten.
    “Designing a system in which the employee must interrupt his or her work to learn or obtain new knowledge is not productive. Focus on ‘teachable moments.” (Karl Kapp, “Tools and Techniques for Transferring Know-How from Boomers to Gamers”)

    Step 3.1

    Identify Critical Knowledge to Transfer

    The goal of this step is to understand what knowledge and skills much be transferred, keeping in mind the various types of knowledge.

    Outcomes of this step

    • Critical knowledge and skills for key roles documented in the Key Role Transition plans.

    Knowledge Transfer

    Step 3.1 Step 3.2 Step 3.3

    Understand what knowledge and skills must be transferred

    There are two basic types of knowledge:

    Explicit knowledge:
    Easily explained and codified, e.g. facts and procedures.    		 Image of a head with gears inside. Tacit knowledge:
    Accumulates over years of experience and is hard to verbalize.
    • You should already have a good idea of what knowledge and skills are valued from the worksheets completed earlier.
    • Focus on identifying the knowledge, skills, and relationships essential to the specific incumbent in a key role and what it is he or she does to perform that key role well.
    Document critical knowledge and skills for key roles in the:

    Role Transition Plan Template
    1. Identify key knowledge areas. These include:
      • Specialized technical knowledge and research and development process.
      • Unique design capabilities/methods/models.
      • Special formulas/algorithms/techniques.
      • Proprietary production processes.
      • Decision-making criteria.
      • Innovative sales methods.
      • Knowledge about key customers.
      • Relationships with key stakeholders.
      • Company history and values.
    2. Ask questions of both sources and receivers of knowledge to help determine the best knowledge transfer methods to use.
      • What is the nature of the knowledge? Explicit or tacit?
      • Why is it important to transfer?
      • How will the knowledge be used?
      • What knowledge is critical for success?
      • How will the users find and access it?
      • How will it be maintained and remain relevant and usable?
      • What are the existing knowledge pathways or networks connecting sources to recipients?

    Step 3.2

    Select Knowledge Transfer Methods

    Activities
    • 3.2.1 Select Knowledge Transfer Methods

    This step helps you identify the knowledge transfer methods that will be the most effective, considering the knowledge or skill that needs to be transferred and the individuals involved.

    Outcomes of this step

    • Knowledge transfer methods chosen documented in the Key Role Transition Plans.

    Knowledge Transfer

    Step 3.1 Step 3.2 Step 3.3

    Knowledge transfer methods available

    Be prepared to use various methods to transfer knowledge and use them all liberally.

    The most common knowledge transfer method is simply to have a collaborative culture

    Horizontal bar chart ranking knowledge transfer methods by commonality.
    (Source: McLean & Company, 2013; N=121)

    A basic willingness for a role incumbent to share with a successor is the most powerful item in your tacit knowledge transfer toolkit.

    Formal documentation is critical for explicit knowledge sharing, yet only 40% of organizations use it.

    Rewarding and recognizing employees for doing knowledge transfer well is underutilized yet has emerged as an important reinforcing component of any effective knowledge transfer program.
    Don’t forget it!

    3.2.1 Select Knowledge Transfer Methods

    Input: Role profiles, Talent profiles

    Output: Methods for integrating knowledge transfer into day-to-day practice

    Materials: Role Transition Plan Template

    Participants: IT leadership/management team, HR, Knowledge source, Knowledge recipient

    Utilize methods that make it easy to apply the knowledge in day-to-day practice.

    Select your method according to the following criteria:

    1. The type of knowledge. A soft skill, like professionalism, is best taught via mentoring, while a technical process is best documented and applied on-the-job.
    2. What the knowledge recipient is comfortable with. The recipient may get bored during formal training sessions and retain more during job shadowing.
    3. What the knowledge source is comfortable with. The source may be uncomfortable with blogs and wikis, but comfortable with SharePoint.
    4. The cost. Some methods require an investment in time (e.g. mentoring), while others require an investment in technology (e.g. knowledge bases).
      • The good news is that many supporting technologies may already exist in your organization or can be acquired for free.
      • Methods that cost time may be difficult to get underway since employees may feel they don’t have the time or must change the way they work.

    The more integrated knowledge transfer is in day-to-day activities, the more likely it is to be successful and the lower the time cost. This is because real learning is happening at the same time real work is being accomplished.

    Document the knowledge transfer methods in the Role Transition Plan Template.

    Role Transition Plan Template

    Explore alternative work arrangements

    Ensure sufficient time to prepare successors

    If a key role incumbent isn’t around to complete knowledge transfer, it’s all for naught.

    Alternative work arrangements are critical tools that employers can use to achieve a mutually beneficial solution that mitigates the risk of loss associated with key roles.

    Alternative work arrangements not only support employees who want to keep working, but they allow the business to retain employees that are needed in key roles.

    In a survey from The Conference Board, one out of four older workers indicated that they continue to work because their company provided them with needed flexibility.

    And, nearly half said that more flexibility would make them less likely to retire. (Source: Ivey Business Journal)

    Flexible work options are the most used form of alternative work arrangement

    Horizontal bar chart ranking alternative work arrangements by usage.
    (Source: McLean & Company, N=44)

    Choose the alternative work arrangement that works best for you and the employee

    Alternative Work Arrangement

    Description

    Ideal Use

    Caveats
    Flexible work options Employees work the same number of hours but have flexibility in when and where they work (e.g. from home, evenings). Employees who work fairly independently, with no or few direct reports. Employee may become isolated or disconnected, impeding knowledge transfer methods that require interaction or one-on-one time.
    Contract-based work Working for a defined period of time on a specific project on a non-salaried or non-wage basis. Project-oriented work that requires specialized knowledge or skills. Available work may be sporadic or specific projects more intensive than the employee wants. Knowledge transfer must be built into the contractual arrangement.
    Part-time roles Half-days or a certain number of days per week; indefinite with no end date in mind. Employees whose roles can be readily narrowed and upon whom people and critical processes are not dependent. It may be difficult to break a traditionally full-time job down into a part-time role given the size and nature of associated tasks.
    Graduated retirement Retiring employee has a set retirement date, gradually reducing hours worked per week over time. Roles where a successor has been identified and is available to work alongside the incumbent in an overlapping capacity while he or she learns. The role may only require a single FTE, and the organization may not be able to afford the amount of redundancy inherent in this arrangement.

    The arrangement chosen may be a combination of multiple options

    Alternative Work Arrangement

    Description

    Ideal Use

    Caveats

    Part-year jobs or job sharingWorking part of the year and having the rest of the year off, unpaid.Project-oriented work where ongoing external relationships do not need to be maintained. The employee is unavailable for knowledge transfer activities for a large portion of the year. Another risk is that the employee may opt not to return at the end of the extended time off, with little notice.
    Increased paid time offAdditional vacation days upon reaching a certain age.Best used as recognition or reward for long-term service. This may be a particularly useful retention incentive in organizations that do not offer pension plans. The company may not be able to financially afford to pay for such extensive time off. If the role incumbent is the only one in the role, this may mean crucial work is not being done.
    Altered rolesConcentration of a job description on fewer tasks that allows the employee to focus on his or her specific expertise.Roles where a successor has been identified and is available to work alongside the incumbent, with the incumbent’s new role highly focused on mentoring. The role may only require a single FTE, and the organization may not be able to afford the amount of redundancy inherent in this arrangement.

    Alternative work arrangements require senior management support

    Senior management and other employees must see the value of retaining older workers, or they will not be supportive of these solutions.

    Any changes made to an employee’s work arrangement has an impact on people, processes, and policies.

    If the knowledge and skills of older employees aren’t valued, then:

    • Alternative arrangements will be seen as wasteful accommodation of a low-value employee.
    • Time won’t be allowed to manage the transition properly and make appropriate changes.
    • Other employees may resent any workload spillover.
    		 Alternate work arrangements can’t be implemented on a whim.

    Make sure alternative work arrangements can be done right and are supported – they’re often solutions that come with additional work. Determine the effects and make appropriate adjustments.

    • Review processes, particularly hand-off and approval points, to ensure tasks will still be handled seamlessly.
    • Assess organizational policies to ensure no violations are occurring or to rework policies (where possible) to accommodate alternative work arrangements.
    • Speak to affected employees to answer questions, identify obstacles, gain support, redefine their job descriptions if required, and make appropriate compensation adjustments. Always provide appropriate training when skills requirements are expanded.

    Step 3.3

    Document Role Transition Plans for all Key Roles

    Activities
    • 3.3.1 Document Role Transition Plans

    The primary goal of this step is to build clear checklist-based plans for each key role to help ensure a smooth transition as a successor takes over.

    Outcomes of this step

    • Completed key role transition plans

    Knowledge Transfer

    Step 3.1 Step 3.2 Step 3.3

    3.3.1 Document Role Transition Plans

    Input: Role profiles, Talent profiles, Talent assessments, Workforce plans

    Output: A clear checklist-based plan to help ensure a smooth transition.

    Materials: Role Transition Plan Template

    Participants: IT leadership/management team, Incumbent, Successor(s), HR

    Define a transition plan for all employees in at-risk key roles, and their successors.

    You should already have a good idea of what knowledge and skills are valued from the worksheets completed earlier. Focus on identifying the knowledge, skills, and relationships essential to the specific incumbent in a key role and what it is they do to perform that key role well.

    Using the Role Transition Plan Template develop a plan to transfer what needs to be transferred from the incumbent to the successor.

    1. Record the incumbent and successor information in the template.
    2. Summarize the key accountabilities and expectations of the incumbent’s role. This summary should highlight specific tasks and initiatives that the successor must take on, including success enablers. Attach the job description for a full description of accountabilities and expectations.
    3. Document the knowledge and skills requirements for the key role, as well as any additional knowledge and skills possessed by the key role incumbent that will aid the successor.
    4. Document any alternative work arrangements to the incumbent’s roles.
    5. Populate the Role Transition Checklist for key transition activities that must be completed by certain dates. A list of sample checklist items has been provided. Add, delete, or modify list items to suit your needs.

    Role Transition Plan Template

    DairyNZ leverages alternative work arrangements

    Ensures successful knowledge transfer
    INDUSTRY
    Agricultural research
    SOURCE
    Rose Macfarlane, General Manager Human Resources, DairyNZ
    Challenge
    • DairyNZ employs many people in specialized science research roles. Some very senior employees are international experts in their field.
    • Several experts have reached or are nearing retirement age. These pending retirements have come as no surprise.
    • However, due to the industry’s lack of development investment in the past, there is a 20–30-year experience gap in the organization for some key roles.
    		 Solution
    • One principal scientist gave over two years’ notice. His replacement – an external candidate – had been identified in advance and was hired once retirement notice was given.
    • The incumbent’s role was amended. He worked alongside his successor for 18 months in a controlled hand-over process.
    		 Results
    • The result was ideal in that the advance notice allowed full knowledge transfer to take place.

    Research Contributors and Experts

    Anne Roberts
    Principal, Leadership Within Inc. al,
    • Anne T. Roberts is an experienced organization development professional and executive business coach who works with leaders and their organizations to help them create, articulate and implement their change agenda. Her extensive experience in change management, organizational design, meeting design and facilitation, communication and leadership alignment has helped leaders tap into their creativity, drive and energy. Her ability to work with and coach people at the leadership level on a wide range of topics has them face their own organizational stories.
    		 Amanda Mathieson
    Senior Manager, Talent Management, Tangerine
    • Amanda is responsible for researching people- and leadership-focused trends, developing thought models, and providing resources, tools, and processes to build and drive the success of leaders in a disruptive world.
    • Her expertise in leadership development, organizational change management, and performance and talent management comes from her experience in various industries spanning pharmaceutical, retail insurance, and financial services. She takes a practical, experiential approach to people and leadership development that is grounded in adult learning methodologies and leadership theory. She is passionate about identifying and developing potential talent, as well as ensuring the success of leaders as they transition into more senior roles.

    Related Info-Tech Research

    Stock image of a brain. Mitigate Key IT Employee Knowledge Loss
    • Transfer IT knowledge before it’s gone.
    • Effective knowledge transfer mitigates risks from employees leaving the organization and is a key asset driving innovation and customer service.
    Stock image of sticky notes being organized on a board. Implement an IT Employee Development Plan
    • There is a growing gap between the competencies organizations have been focused on developing, and what is needed in the future.
    • Employees have been left to drive their own development, with little direction or support and without the alignment of development to organizational needs.

    Bibliography

    “Accommodating Older Workers’ Needs for Flexible Work Options.” Ivey Business Journal, July/August 2005. Accessed Jan 7, 2013.

    Christensen, Kathleen and Marcie Pitt-Catsouphes. “Approaching 65: A Survey of Baby Boomers Turning 65 Years Old”. AARP, Dec. 2010.

    Coyne, Kevin P. and Shawn T. Coyne. “The Baby Boomer Retirement Fallacy and What It Means to You. “ HBR Blog Network. Harvard Business Review, May 16, 2008. Accessed 8 Jan. 2013.

    Dwyer, Kevin and Ngoc Luong Dwyer. “Managing the Baby Boomer Brain Drain: The Impact of Generational Change on Human Resource Management.” ChangeFactory, April 2010. Accessed Jan 9, 2013.

    Gurchiek, Kathy. “Poll: Organizations Can Do More to Prepare for Talent Shortage as Boomers Retire.” SHRM, Nov 17, 2010. Accessed Jan 3, 2013.

    Howden, Daniel. “What Is Time to Fill? KPIs for Recruiters.” Workable, 24 March 2016. Web.

    Kapp, Karl M. “Tools and Techniques for Transferring Know-How from Boomers to Gamers.” Global Business and Organizational Excellence, July/August 2007. Web.

    Piktialis, Diane and Kent A. Greenes. Bridging the Gaps: How to Transfer Knowledge in Today’s Multigenerational Workplace. The Conference Board, 2008.

    Pisano, Gary P. “You need an Innovation Strategy.” Harvard Business Review, June 2015.

    Vilet, Jacque. “Lost Knowledge – What Are You and Your Organization Doing About It?” TLNT, 25 April 2012. Accessed 5 Jan. 2013.

    Review Your Application Strategy

    • Buy Link or Shortcode: {j2store}82|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: $12,599 Average $ Saved
    • member rating average days saved: 2 Average Days Saved
    • Parent Category Name: Architecture & Strategy
    • Parent Category Link: /architecture-and-strategy
    • Over 80% of CXOs experience frustration with IT’s failure to deliver business value.
    • Sixty percent of CEOs believe that improvement is required around IT’s understanding of business goals.
    • Sixty percent of IT professionals know there is an opportunity to run applications more efficiently, eliminating wasteful or low-value activities.

    Our Advice

    Critical Insight

    • Organizations need to better align their application strategy with their business strategy as they proceed through tactical initiatives.
    • Application strategies provide guidance on how they will help the organization survive and thrive.

    Impact and Result

    Aligning your business with applications through your strategy will not only increase business satisfaction but also help to ensure you’re delivering applications that enable the organization’s goals.

    Review Your Application Strategy Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should have an application strategy and why you should use Info-Tech’s approach to review it. Learn how we can support you in completing this strategy and review.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Review your strategy

    This review guide provides organizations with a detailed assessment of their application strategy, ensuring that the applications enable the business strategy so that the organization can be more effective.The assessment provides criteria and exercises to provide actionable outcomes.

    • Application Strategy Assessment Tool
    • Application Strategy Action Plan Report Template
    • Application Strategy Sample Action Plan Report
    [infographic]

    Make the Case for Enterprise Business Analysis

    • Buy Link or Shortcode: {j2store}509|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Requirements & Design
    • Parent Category Link: /requirements-and-design
    • It can be difficult to secure alignment between the many lines of business, IT included, in your organization.
    • Historically, we have drawn a dividing line between IT and "the business.”
    • The reality of organizational politics and stakeholder bias means that, with selection and prioritization, sometimes the highest value option is dismissed to make way for the loudest voice’s option.

    Our Advice

    Critical Insight

    • Enterprise business analysis can help you stop the debate between IT and “the business,” as it sees everyone as part of the business. It can effectively break down silos, support the development of holistic strategies to address internal and external risks, and remove the bias and politics in decision making all too common in organizations.
    • The business analyst is the only role that can connect the strategic with the tactical, the systems, and the operations and do so objectively. It is the one source to show how people, process, and technology connect and relate, and the most skilled can remove bias and politics from their lens of view.
    • Maturity can’t be rushed. Build your enterprise business analysis program on a solid foundation of leading and consistent business analysis practices to secure buy-in and have a program that is sustainable in the long term.

    Impact and Result

    Let’s make the case for enterprise business analysis!

    • Organizations that have higher business analysis maturity and deploy enterprise analysis deliver better quality outcomes, with higher value, lower cost, and higher user satisfaction.
    • Business analysts should be contributing at the strategic level, as they need to understand multiple horizons simultaneously and be able to zoom in and out as the context calls for it. Business analysts aren’t only for projects.

    Make the Case for Enterprise Business Analysis Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Make the Case for Enterprise Business Analysis Storyboard – Take your business analysis from tactics to strategy.

    • Make the Case for Enterprise Business Analysis Storyboard

    2. Communicate the Case for Enterprise Business Analysis Template – Make the case for enterprise business analysis.

    • Communicate the Case for Enterprise Business Analysis
    [infographic]

    Further reading

    Make the Case for Enterprise Business Analysis

    Putting the strategic and tactical puzzle together.

    Analyst Perspective

    We commonly recognize the value of effective business analysis at a project or tactical level. A good business analysis professional can support the business by identifying its needs and recommending solutions to address them.
    Now, wouldn't it be great if we could do the same thing at a higher level?
    Enterprise (or strategic) business analysis is all about seeing that bigger picture, an approach that makes any business analysis professional a highly valuable contributor to their organization. It focuses on the enterprise, not a specific project or line of business.
    Leading the business analysis effort at an enterprise level ensures that your business is not only doing things right, but also doing the right things; aligned with the strategic vision of your organization to improve the way decisions are made, options are analyzed, and successful results are realized.

    Vincent Mirabelli

    Vincent Mirabelli
    Principal Research Director, Applications Delivery and Management
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    • Difficulty properly aligning between the many lines of business in your organization.
    • Historically, we have drawn a dividing line between IT and the business.
    • The reality of organizational politics and stakeholder bias means that, with selection and prioritization, sometimes the highest value option is dismissed in favor of the loudest voice.

    Common Obstacles

    • Difficulty aligning an ever-changing backlog of projects, products, and services while simultaneously managing risks, external threats, and stakeholder expectations.
    • Many organizations have never heard of enterprise business analysis and only see the importance of business analysts at the project and delivery level.
    • Business analysis professionals rarely do enough to advocate for a seat at the strategic tables in their organizations.

    Info-Tech's Approach

    Let's make the case for enterprise business analysis!

    • Organizations that have higher business analysis maturity and deploy enterprise business analysis deliver better quality outcomes with higher value, lower cost, and higher user satisfaction.
    • Business analysts aren't only for projects. They should contribute at the strategic level, since they need to understand multiple horizons simultaneously and be able to zoom in and out as the context requires.

    Info-Tech Insight

    Enterprise business analysis can help you reframe the debate between IT and the business, since it sees everyone as part of the business. It can effectively break down silos, support the development of holistic strategies to address internal and external risks, and remove bias and politics from decision making.

    Phase 1

    Build the case for enterprise business analysis

    Phase 1

    Phase 2

    1.1 Define enterprise business analysis

    1.2 Identify your pains and opportunities

    2.1 Set your vision

    2.2 Define your roadmap and next steps

    2.3 Complete your executive communications deck

    This phase will walk you through the following activities:

    • 1.1.1 Discuss how business analysis is used in our organization
    • 1.1.2 Discuss your disconnects between strategy and tactics
    • 1.2.1 Identify your pains and opportunities

    This phase involves the following participants:

    • Business analyst(s)
    • Organizational business leaders
    • Any other relevant stakeholders

    How business analysis supports our success today

    Delivering value at the tactical level

    Effective business analysis helps guide an organization through improvements to processes, products, and services. Business analysts "straddle the line between IT and the business to help bridge the gap and improve efficiency" in an organization (CIO, 2019).
    They are most heavily involved in:

    • Defining needs
    • Modeling concepts, processes, and solutions
    • Conducting analysis
    • Maintaining and managing requirements
    • Managing stakeholders
    • Monitoring progress
    • Doing business analysis planning
    • Conducting elicitation

    In a survey, business analysts indicated that of their total working time, they spend 31% performing business analysis planning and 41% performing elicitation and analysis (PMI, 2017).

    By including a business analyst in a project, organizations benefit by:
    (IAG, 2009)

    87%

    Reduced time overspending

    75%

    Prevented budget overspending

    78%

    Reduction in missed functionality

    1.1.1 Discuss how business analysis is used in your organization

    15-30 minutes

    1. Gather the appropriate stakeholders to discuss their knowledge, experience, and perspectives on business analysis. This should relate to their experience and not a future or aspirational usage.
    2. Have a team member facilitate the session.
    3. Brainstorm and document all shared thoughts and perspectives.
    4. Synthesize those thoughts and perspectives and record the results for the group to review and discuss.
    5. Transfer the results to the Communicate the Case for Enterprise Business Analysis template

    Input

    • Stakeholder knowledge and experience

    Output

    • A shared understanding of how your organization leverages its business analysis function

    Materials

    • Whiteboard/Flip charts
    • Collaborative whiteboard
    • Communicate the Case for Enterprise Business Analysis template

    Participants

    • Business analyst(s)
    • Organizational business leaders
    • Any other relevant stakeholders

    Download the Communicate the Case for Enterprise Business Analysis template

    Executives and leadership are satisfied with IT when there is alignment between tactics and goals

    Info-Tech's CIO Business Vision Survey data highlights the importance of IT projects in supporting the business to achieve its strategic goals.

    However, Info-Tech's CEO-CIO Alignment Survey (N=124) data indicates that CEOs perceive IT as poorly aligned with the business' strategic goals.

    Info-Tech's CIO-CEO Alignment Diagnostics

    43%

    of CEOs believe that business goals are going unsupported by IT.

    60%

    of CEOs believe that IT must improve understanding of business goals.

    80%

    of CIOs/CEOs are misaligned on the target role of IT.

    30%

    of business stakeholders support their IT departments.

    Addressing problems solely with tactics does not always have the desired effect

    94%

    Source: "Out of the Crisis", Deming (via Harvard Business Review)

    According to famed management and quality thought leader and pioneer W. Edwards Deming, 94% of issues in the workplace are systemic cause significant organizational pain.

    Yet we continue to address them on the surface, rather than acknowledge how ingrained they are in our culture, systems, and processes.

    For example, we:

    • Create workarounds to address process and solution constraints
    • Expect that poor (or lack of ) leadership can be addressed in a course or seminar
    • Expect that "going Agile" will resolve our problems, and that decision making, governance, and organizational alignment will happen organically.

    Band-aid solutions rarely have the desired effect, particularly in the long-term.

    Our solutions should likewise focus on the systemic/macro environment. We can do this via projects, products and services, but those don't always address the larger issues.

    If we take the work our business analysis currently does in defining needs and solutions, and elevate this to the strategic level, the results can be impactful.

    Many organizations would benefit from enhancing their business analysis maturity

    The often-overlooked strategic value of the role comes with maturing your practices.

    Only 18% of organizations have mature (optimized or established) business analysis practices.

    With that higher level of maturity comes increased levels of capability, efficiency, and effectiveness in delivering value to people, processes, and technology. Through such efforts, they're better equipped and able to connect the strategy of their organization to the projects, processes, and products they deliver.

    They shift focus from "figuring business analysis out" to truly unleashing its potential, with business analysts contributing in strategic and tactical ways.

    an image showing the following data: Optimized- 5; Established- 13; Improving- 37; Starting- 25; Ad hoc- 21

    (Adapted from PMI, 2017)

    Info-Tech Insight

    Business analysts are best suited to connect the strategic with the tactical, the systems, and the operations. They maintain the most objective lens regarding how people, process, and technology connect and relate, and the most skilled of them can remove bias and politics from their perspective.

    1.1.2 Discuss your disconnects between strategy and tactics

    30-60 minutes

      1. Gather the appropriate stakeholders to discuss their knowledge, experience, and perspectives regarding failures that resulted from disconnects between strategy and tactics.
      2. Have a team member facilitate the session.
      3. Brainstorm and document all shared thoughts and perspectives.
      4. Synthesize those thoughts and perspectives and record the results.
      5. Transfer the results to the Communicate the Case for Enterprise Business Analysis template.

    Input

    • Stakeholder knowledge and experience

    Output

    • A shared understanding and list of failures due to disconnects between strategy and tactics

    Materials

    • Whiteboard/Flip charts
    • Collaborative whiteboard
    • Communicate the Case for Enterprise Business Analysis template

    Participants

    • Business analyst(s)
    • Organizational business leaders
    • Any other relevant stakeholders

    Download the Communicate the Case for Enterprise Business Analysis template

    Defining enterprise business analysis

    Terms may change, but the function remains the same.

    Enterprise business analysis (sometimes referred to as strategy analysis) "…focuses on defining the future and transition states needed to address the business need, and the work required is defined both by that need and the scope of the solution space. It covers strategic thinking in business analysis, as well as the discovery or imagining of possible solutions that will enable the enterprise to create greater value for stakeholders and/or capture more value for itself."
    (Source: "Business Analysis Body of Knowledge," v3)

    Define the function of enterprise business analysis

    This is a competitive advantage for mature organizations.

    Organizations with high-performing business analysis programs experience an enhanced alignment between strategy and operations. This contributes to improved organizational performance. We see this in financial (69% vs. 45%) and strategic performance (66% vs. 21%), also organizational agility (40% vs. 14%) and management of operational projects (62% vs. 29%). (PMI, 2017)

    When comparing enterprise with traditional business analysis, we see stark differences in the size and scope of their view, where they operate, and the role they play in organizational decision making.

    Enterprise Traditional
    Decision making Guides and influences Executes
    Time horizon 2-10 years 0-2 years
    Focus Strategy, connecting the strategic to the operational Operational, optimizing how business is done, and keeping the lights on
    Domain

    Whole organization

    Broader marketplace

    		 Only stakeholder lines of business relevant to the current project, product or service
    Organizational Level Executive/Leadership Project

    (Adapted from Schulich School of Business)

    Info-Tech Insight

    Maturity can't be rushed. Build your enterprise business analysis program on a solid foundation of leading and consistent business analysis practices to secure buy-in and have a program that is sustainable in the long term.

    An image showing the percentages of high- and low- maturity organizations, for the following categories: Financial performance; Strategy implementation; Organizational agility; Management of projects.

    (Adapted from PMI, 2017)

    How enterprise business analysis is used to improve organizations

    The biggest sources of project failure include:

    • Wrong (or poor) requirements
    • Unrealistic (or incomplete) business case
    • Lack of appropriate governance and oversight
    • Poor implementation
    • Poor benefits management
    • Environmental changes

    Source: MindTools.com, 2023.

    Enterprise business analysis addresses these sources and more.

    It brings a holistic view of the organization, improving collaboration and decision making across the many lines of business, effectively breaking down silos.

    In addition to ensuring we're doing the right things, not just doing things right in the form of improved requirements and more accurate business cases, or ensuring return on investment (ROI) and monitoring the broader landscape, enterprise business analysis also supports:

    • Reduced rework and waste
    • Understanding and improving operations
    • Making well-informed decisions through improved objectivity/reduced bias
    • Identifying new opportunities for growth and expansion
    • Identifying and mitigating risk
    • Eliminating projects and initiatives that do not support organizational goals or objectives
    • A career-pathing option for business analysts

    Identify your pains and opportunities

    There are many considerations in enterprise business analysis.

    Pains, gains, threats, and opportunities can come at your organization from anywhere. Be it a new product launch, an international expansion, or a new competitor, it can be challenging to keep up.

    This is where an enterprise business analyst can be the most helpful.

    By keeping a pulse on the external and internal environments, they can support growth, manage risks, and view your organization through multiple lenses and perspectives to get a single, complete picture.

    External

    Internal

    Identifying competitive forces

    In the global environment

    Organizational strengths and weaknesses
    • Monitoring and maintaining your competitive advantage.
    • Understanding trends, risks and threats in your business domain, and how they affect your organization.
    • Benchmarking performance against like and unlike organizations, to realize where you stand and set a baseline for continuous improvement and business development.
    • Leveraging tools and techniques to scan the broader landscape on an ongoing basis. Using PESTLE analysis, they can monitor the political, economic, social, technological, legal, and environmental factors that impact when, where, how, and with who you conduct your business and IT operations.
    • Supporting alignment between a portfolio or program of projects and initiatives.
    • Improving alignment between the various lines of business, who often lack full visibility outside of their silo, and can find themselves clashing over time, resources, and attention from leaders.
    • Improving solutions and outcomes through objective option selection.

    1.2.1 Identify your pains and opportunities

    30-60 minutes

    1. As a group, generate a list of the current pains and opportunities facing your organization. You can focus on a particular type (competitive, market, or internal) or leave it open. You can also focus on pains or opportunities separately, or simultaneously.
    2. Have a team member facilitate the session.
    3. Record the results for the group to review, discuss, and prioritize.
      1. Discuss the impact and likelihood of each item. This can be formally ranked and quantified if there is data to support the item or leveraging the wisdom of the group.
      2. Prioritize the top three to five items of each type, as agreed by the group, and document the results.
    4. Transfer the results to the Communicate the Case for Enterprise Business Analysis template.

    Download the Communicate the Case for Enterprise Business Analysis template

    Input

    • Attendee knowledge
    • Supporting data, if available

    Output

    • A list of identified organizational pains and opportunities that has been prioritized by the group

    Materials

    • Whiteboard/Flip charts
    • Collaborative whiteboard
    • Communicate the Case for Enterprise Business Analysis template

    Participants

    • Business analyst(s)
    • Organizational business leaders
    • Any other relevant stakeholders

    Phase 2

    Prepare the foundations for your enterprise business analysis program

    Phase 1

    Phase 2

    1.1 Define enterprise business analysis

    1.2 Identify your pains and opportunities

    2.1 Set your vision

    2.2 Define your roadmap and next steps

    2.3 Complete your executive communications deck

    This phase will walk you through the following activities:

    • 2.1.1 Define your vision and goals
    • 2.1.2 Identify your enterprise business analysis inventory
    • 2.2.1 Now, Next, Later

    This phase involves the following participants:

    • Business analyst(s)
    • Organizational business leaders
    • Any other relevant stakeholders

    Set your vision

    Your vision becomes your "north star," guiding your journey and decisions.

    When thinking about a vision statement for enterprise business analysis, think about:

    • Who are we doing this for? Who will benefit?
    • What do our business partners need? What do our customers need?
    • What value do we provide them? How can we best support them?
    • Why is this special/different from how we usually do business?

    Always remember: Your goal is not your vision!

    Not knowing the difference will prevent you from both dreaming big and achieving your dream.

    Your vision represents where you want to go. It's what you want to do.

    Your goals represent how you want to achieve your vision.

    • They are a key element of operationalizing your vision.
    • Your strategy, initiatives, and features will align with one or more goals.

    Info-Tech Best Practice

    Your vision shouldn't be so far out that it doesn't feel real, nor so short term that it gets bogged down in details. Finding balance will take some trial and error and will be different depending on your organization.

    2.1.1 Define your vision and goals

    1-2 hours

    1. Gather the appropriate stakeholders to discuss their vision for enterprise business analysis. It should address the questions used in framing your vision statement.
    2. Have a team member facilitate the session.
    3. Review your current organizational vision and goals.
    4. Discuss and document all shared thoughts and perspectives on how enterprise business analysis can align with the organizational vision.
    5. Synthesize those thoughts and perspectives to create a vision statement.
    6. Transfer the results to the Communicate the Case for Enterprise Business Analysis template.

    Download the Communicate the Case for Enterprise Business Analysis template

    Input

    • Stakeholder vision, knowledge, and experience
    • Current organizational vision and goals

    Output

    • A documented vision and goals for your enterprise business analysis program

    Materials

    • Whiteboard/Flip charts
    • Collaborative whiteboard
    • Communicate the Case for Enterprise Business Analysis template

    Participants

    • Business analyst(s)
    • Organizational business leaders
    • Any other relevant stakeholders

    Components of successful enterprise business analysis programs

    Ensure you're off to the best start by examining where you are and where you want to go.

    Training

    • Do the current team members have the right level of training?
    • Can we easily obtain training to close any gaps?

    Competencies and capabilities

    • Do our business analysts have the right skills, attributes, and behaviors to be successful?

    Structure and alignment

    • Would the organizational culture support enterprise business analysis (EBA)?
    • How might we structure the EBA unit to maximize effectiveness?
    • How can we best support the organization's goals and objectives?

    Methods and processes

    • How do we plan on managing the work to be done?
    • Can we define our processes and workflows?

    Tools, techniques, and templates

    • Do we have the most effective tools, techniques, and templates?

    Governance

    • How will we make decisions?
    • How will the program be managed?

    2.1.2 Identify your enterprise business analysis inventory

    30-60 minutes

    1. Gather the appropriate stakeholders to discuss the current business analysis assets, which could be leveraged for enterprise business analysis. This includes people, processes, and technologies which cover skills, knowledge, resources, experience, knowledge, and competencies. Focus on what the organization currently has, and not what it needs.
    2. Have a team member facilitate the session.
    3. Record the results for the group to review and discuss.
    4. Transfer the results to the Communicate the Case for Enterprise Business Analysis template.

    Download the Communicate the Case for Enterprise Business Analysis template

    Input

    • Your current business analysis assets and resources Stakeholder knowledge and experience

    Output

    • A list of assets and resources to enable enterprise business analysis

    Materials

    • Whiteboard/Flip charts
    • Collaborative whiteboard
    • Communicate the Case for Enterprise Business Analysis template

    Participants

    • Business analyst(s)
    • Organizational business leaders
    • Any other relevant stakeholders

    Define your roadmap and next steps

    What do we have? What do we need?

    From completing the enterprise business analysis inventory, you will have a comprehensive list of all available assets.

    The next question is, how can this be leveraged to start building for the future?

    To operationalize enterprise business analysis, consider:

    • What do we still need to do?
    • How important are the identified gaps? Can we still operate?
    • What decisions do we need to make?
    • What stakeholders do we need to involve? Have we engaged them all?

    Lay out your roadmap

    Taking steps to mature your enterprise business analysis practice.

    The Now, Next, Later technique is a method for prioritizing and planning improvements or tasks. This involves breaking down a list of tasks or improvements into three categories:

    • Now tasks are those that must be completed immediately. These tasks are usually urgent or critical, and they must be completed to keep the project or organization running smoothly.
    • Next tasks are those that should be completed soon. These tasks are not as critical as Now tasks, but they are still important and should be tackled relatively soon.
    • Later tasks are those that can be completed later. These tasks are less critical and can be deferred without causing major problems.

    By using this technique, you can prioritize and plan the most important tasks, while allowing the flexibility to adjust as necessary.

    This technique also helps clarify what must be done first vs. what can wait. This prioritizes the most important things while keeping track of what must be done next, maintaining a smooth development/improvement process.

    An image of the now - next - later roadmap technique.

    2.2.1 Now, Next, Later

    1-2 hours

    1. Use the list of items created in 2.1.2 (Identify your enterprise business analysis inventory). Add any you feel are missing during this exercise.
    2. Have a team member facilitate the session.
    3. In the Communicate the Case for Enterprise Business Analysis template, categorize these items according to Now, Next and Later, where:
      1. Now = Critically important items that may require little effort to complete. These must be done within the next six months.
      2. Next = Important items that may require more effort or depend on other factors. These must be done in six to twelve months.
      3. Later = Less important items that may require significant effort to complete. These must be done at some point within twelve months.

    Ultimately, the choice of priority and timing is yours. Recognize that items may change categories as new information arises.

    Download the Communicate the Case for Enterprise Business Analysis template

    Input

    • Your enterprise business analysis inventory and gaps
    • Stakeholder knowledge and experience

    Output

    • A prioritized list of items to enable enterprise business analysis

    Materials

    • Whiteboard/Flip charts
    • Collaborative whiteboard
    • Communicate the Case for Enterprise Business Analysis template

    Participants

    • Business analyst(s)
    • Organizational business leaders
    • Any other relevant stakeholders

    2.3 Complete your executive communication deck

    Use the results of your completed exercises to build your executive communication slide deck, to make the case for enterprise business analysis

    Slide Header Associated Exercise Rationale
    Pains and opportunities

    1.1.2 Discuss your disconnects between strategy and tactics

    1.2.1 Identify your pains and opportunities

    		 This helps build the case for enterprise business analysis (EBA), leveraging the existing pains felt in the organization. This will draw the connection for your stakeholders.
    Our vision and goals 2.1.1 Define your vision and goals Defines where you want to go and what effort will be required.
    What is enterprise business analysis

    1.1.1 How is BA being used in our organization today?
    Pre-populated supporting content

    		 Defines the discipline of EBA and how it can support and mature your organization.
    Expected benefits Pre-populated supporting content What's in it for us? This section helps answer that question. What benefits can we expect, and is this worth the investment of time and effort?
    Making this a reality 2.1.2 Identify your EBA inventory Identifies what the organization presently has that makes the effort easier. It doesn't feel as daunting if there are existing people, processes, and technologies in place and in use today.
    Next steps 2.2.1 Now, Next, Later A prioritized list of action items. This will demonstrate the work involved, but broken down over time, into smaller, more manageable pieces.

    Track metrics

    Track metrics throughout the project to keep stakeholders informed.

    As the project nears completion:

    1. You will have better-aligned and more satisfied stakeholders.
    2. You will see fewer projects and initiatives that don't align with the organizational goals and objectives.
    3. There will be a reduction in costs attributed to misaligned projects and initiatives (as mentioned in #2) and the opportunity to allocate valuable time and resources to other, higher-value work.
    Metric Description Target Improvement/Reduction
    Improved stakeholder satisfaction Lines of business and previously siloed departments/divisions will be more satisfied with time spent on solution involvement and outcomes. 10% year 1, 20% year 2
    Reduction in misaligned/non-priority project work Reduction in projects, products, and services with no clear alignment to organizational goals. With that, resource costs can be allocated to other, higher-value solutions. 10% year 1, 25% year 2
    Improved delivery agility/lead time With improved alignment comes reduced conflict and political infighting. As a result, the velocity of solution delivery will increase. 10%

    Bibliography

    Bossert, Oliver and Björn Münstermann. "Business's 'It's not my problem' IT problem." McKinsey Digital. 30 March, 2023.
    Brule, Glenn R. "The Lay of the Land: Enterprise Analysis." Modern Analyst.
    "Business Analysis: Leading Organizations to Better Outcomes." Project Management Institute (PMI), 2017
    Corporate Finance Institute. "Strategic Analysis." Updated 14 March 2023
    IAG Consulting. Business Analysis Benchmark Report, 2009.
    International Institute of Business Analysis. "A Guide to the Business Analysis Body of Knowledge" (BABOK Guide) version 3.
    Mirabelli, Vincent. "Business Analysis Foundations: Enterprise" LinkedIn Learning, February 2022.
    - - "Essential Techniques in Enterprise Analysis" LinkedIn Learning, September 2022.
    - - "The Essentials of Enterprise Analysis" Love the Process Academy. May 2020.
    - - "The Value of Enterprise Analysis." VincentMirabelli.com
    Praslova, Ludmila N. "Today's Most Critical Workplace Challenges Are About Systems." Harvard Business Review. 10 January 2023.
    Pratt, Mary K. and Sarah K. White. "What is a business analyst? A key role for business-IT efficiency." CIO. 17 April, 2019.
    Project Management Institute. "Business Analysis: Leading Organizations to Better Outcomes." October 2017.
    Sali, Sema. "The Importance of Strategic Business Analysis in Successful Project Outcomes." International Institute of Business Analysis. 26 May 2022.
    - - "What Does Enterprise Analysis Look Like? Objectives and Key Results." International Institute of Business Analysis. 02 June 2022.
    Shaker, Kareem. "Why do projects really fail?" Project Management Institute, PM Network. July 2010.
    "Strategic Analysis: Definition, Types and Benefits" Voxco. 25 February 2022.
    "The Difference Between Enterprise Analysis and Business Analysis." Schulich School of Business, Executive Education Center. 24 September 2018 (Updated June 2022)
    "Why Do Projects Fail: Learning How to Avoid Project Failure." MindTools.com. Accessed 24 April 2023.

    Leverage Agile Goal Setting for Improved Employee Engagement & Performance

    • Buy Link or Shortcode: {j2store}593|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Manage & Coach
    • Parent Category Link: /manage-coach
    • Managers are responsible for driving the best performance out of their staff while still developing individuals professionally.
    • Micromanaging tasks is an ineffective, inefficient way to get things done and keep employees engaged at the same time.
    • Both managers and employees view goal setting as a cumbersome process that never materializes in day-to-day work.
    • Without a consistent and agile goal-setting environment that pervades every day, managers risk low productivity and disengaged employees.

    Our Advice

    Critical Insight

    • Effective performance management occurs throughout the year, on a daily and weekly basis, not just at annual performance review time. Managers must embrace this reality and get into the habit of setting agile short-term goals to drive productivity.
    • Employee empowerment is one of the most significant contributors to employee engagement, which is a proven performance driver. Short-term goal setting, which is ultimately employee-owned, develops and nurtures a strong sense of employee empowerment.
    • Micromanaging employee tasks will get managers nowhere quickly. Putting in the effort to collaboratively define goals that benefit both the organization and the employee will pay off in the long run.
    • Goal setting should not be a cumbersome activity, but an agile, rolling habit that ensures employees are focused, supported, and given appropriate feedback to continue to drive performance.

    Impact and Result

    • Managers who have daily meetings to set goals are 17% more successful in terms of employee performance than managers who set goals annually.
    • Managers must be agile goal-setting role models, or risk over a third of their staff being confused about productivity expectations.
    • Managers that allow tracking of goals to be an inhibitor to goal setting are most likely to have a negative effect on employee performance success. In fact, tracking goals should not be a priority in the short-term.

    Leverage Agile Goal Setting for Improved Employee Engagement & Performance Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Learn the agile, short-term goal-setting process

    Implement agile goal setting with your team right away and drive performance.

    • Storyboard: Leverage Agile Goal Setting for Improved Employee Engagement & Performance
    [infographic]

    Enterprise Network Design Considerations

    • Buy Link or Shortcode: {j2store}502|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Network Management
    • Parent Category Link: /network-management

    Security, risk, and trust models play into how networks are designed and deployed. If these models are not considered during network design, band-aids and workarounds will be deployed to achieve the needed goals, potentially bypassing network controls.

    Our Advice

    Critical Insight

    The cloud “gold rush” has made it attractive for many enterprises to migrate services off the traditional network and into the cloud. These services are now outside of the traditional network and associated controls. This shifts the split of east-west vs. north-south traffic patterns, as well as extending the network to encompass services outside of enterprise IT’s locus of control.

    Impact and Result

    Where users access enterprise data or services and from which devices dictate the connectivity needed. With the increasing shift of work that the business is completing remotely, not all devices and data paths will be under the control of IT. This shift does not allow IT to abdicate from the responsibility to provide a secure network.

    Enterprise Network Design Considerations Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Enterprise Network Design Considerations Deck – A brief deck that outlines key trusts and archetypes when considering enterprise network designs.

    This blueprint will help you:

    • Enterprise Network Design Considerations Storyboard

    2. Enterprise Network Roadmap Technology Assessment Tool – Build an infrastructure assessment in an hour.

    Dispense with detailed analysis and customizations to present a quick snapshot of the road ahead.

    • Enterprise Network Roadmap Technology Assessment Tool
    [infographic]

    Further reading

    Enterprise Network Design Considerations

    It is not just about connectivity.

    Executive Summary

    Info-Tech Insight

    Connectivity and security are tightly coupled

    Security, risk, and trust models play into how networks are designed and deployed. If these models are not considered during network design, band-aids and workarounds will be deployed to achieve the needed goals, potentially bypassing network controls.

    Many services are no longer within the network

    The cloud “gold rush” has made it attractive for many enterprises to migrate services off the traditional network and into the cloud. These services are now outside of the traditional network and associated controls. This shifts the split of east-west vs. north-south traffic patterns, as well as extending the network to encompass services outside of enterprise IT’s locus of control.

    Users are demanding an anywhere, any device access model

    Where users access enterprise data or services and from which devices dictate the connectivity needed. With the increasing shift of work that the business is completing remotely, not all devices and data paths will be under the control of IT. This shift does not allow IT to abdicate from the responsibility to provide a secure network.

    Enterprise networks are changing

    The new network reality

    The enterprise network of 2020 and beyond is changing:

    • Services are becoming more distributed.
    • The number of services provided “off network” is growing.
    • Users are more often remote.
    • Security threats are rapidly escalating.

    The above statements are all accurate for enterprise networks, though each potentially to differing levels depending on the business being supported by the network. Depending on how affected the network in question currently is and will be in the near future, there are different common network archetypes that are best able to address these concerns while delivering business value at an appropriate price point.

    High-Level Design Considerations

    1. Understand Business Needs

      2. Understand what the business needs are and where users and resources are located.

    2. Define Your Trust Model

      3. Trust is a spectrum and tied tightly to security.

    3. Align With an Archetype

      4. How will the network be deployed?

    4. Understand Available Tooling

      5. What tools are in the market to help achieve design principles?

    Understand business needs

    Mission

    Never ignore the basics. Start with revisiting the mission and vision of the business to address relevant needs.

    Users

    Identify where users will be accessing services from. Remote vs. “on net” is a design consideration now more than ever.

    Resources

    Identify required resources and their locations, on net vs. cloud.

    Controls

    Identify required controls in order to define control points and solutions.

    Define a trust model

    Trust is a spectrum

    • There is a spectrum of trust, from fully trusted to not trusted at all. Each organization must decide for their network (or each area thereof) the appropriate level of trust to assign.
    • The ease of network design and deployment is directly proportional to the trust spectrum.
    • When resources and users are outside of direct IT control, the level of appropriate trust should be examined closely.

    Implicit

    Trust everything within the network. Security is perimeter based and designed to stop external actors from entering the large trusted zone.

    Controlled

    Multiple zones of trust within the network. Segmentation is a standard practice to separate areas of higher and lower trust.

    Zero

    Verify trust. The network is set up to recognize and support the principle of least privilege where only required access is supported.

    Align with an archetype

    Archetypes are a good guide

    • Using a defined archetype as a guiding principle in network design can help clarify appropriate tools or network structures.
    • Different aspects of a network can have different archetypes where appropriate (e.g. IT vs. OT [operational technology] networks).

    Traditional

    Services are provided from within the traditional network boundaries and security is provided at the network edge.

    Hybrid

    Services are provided both externally and from within the traditional network boundaries, and security is primarily at the network edge.

    Inverted

    Services are provided primarily externally, and security is cloud centric.

    Traditional networks

    Resources within network boundaries

    Moat and castle security perimeter

    Abstract

    A traditional network is one in which there are clear boundaries defined by a security perimeter. Trust can be applied within the network boundaries as appropriate, and traffic is generally routed through internally deployed control points that may be centralized. Traditional networks commonly include large firewalls and other “big iron” security and control devices.

    Network Design Tenets

    • The full network path from resource to user is designed, deployed, and controlled by IT.
    • Users external to the network must first connect to the network to gain access to resources.
    • Security, risk, and trust controls will be implemented by internal enterprise hardware/software devices.

    Control

    In the traditional network, it is assumed that all required control points can be adequately deployed across hardware/software that is “on prem” and under the control of central IT.

    Info-Tech Insight

    With increased cloud services provided to end users, this network is now more commonly used in data centers or OT networks.

    Traditional networks

    The image contains an example of what traditional networks look like, as described in the text below.

    Defining Characteristics

    • Traffic flows in a defined path under the control of IT to and from central IT resources.
    • Due to visibility into, and the control of, the traffic between the end user and resources, IT can relatively simply implement the required security controls on owned hardware.

    Common Components

    • Traditional offices
    • Remote users/road warriors
    • Private data center/colocation space

    Hybrid networks

    Resources internal and external to network

    Network security perimeter combined with cloud protection

    Abstract

    A hybrid network is one that combines elements of a traditional network with cloud resources. As some of these resources are not fully under the control of IT and may be completely “offnet” or loosely coupled to the on-premises network, the security boundaries and control points are less likely to be centralized. Hybrid networks allow the flexibility and speed of cloud deployment without leaving behind traditional network constructs. This generally makes them expensive to secure and maintain.

    Network Design Tenets

    • The network path from resource to user may not be in IT’s locus of control.
    • Users external to the network must first connect to the network to gain access to internal resources but may directly access publicly hosted ones.
    • Security, risk, and trust controls may potentially be implemented by a mixture of internal enterprise hardware/software devices and external control points.

    Control

    The hallmark of a hybrid network is the blending of public and private resources. This blending tends to necessitate both public and private points of control that may not be homogenous.

    Info-Tech Insight

    With multiple control points to address, take care in simplifying designs while addressing all concerns to ease operational load.

    Hybrid networks

    The image contains an example of what hybrid networks look like, as described in the text below.

    Defining Characteristics

    • Traffic flows to central resources across a defined path under the control of IT.
    • Traffic to cloud assets may be partially under the control of IT.
    • For central resources, the traffic to and from the end user can have the required security controls relatively simply implemented on owned hardware.
    • For public cloud assets, IT may or may not have some control over part of the path.

    Common Components

    • Traditional offices
    • Remote users/road warriors
    • Private data center/colocation space
    • Public cloud assets (IaaS/PaaS/SaaS)

    Inverted perimeter

    Resources primarily external to the network

    Security control points are cloud centric

    Abstract

    An inverted perimeter network is one in which security and control points cover the entire workflow, on or off net, from the consumer of services through to the services themselves with zero trust. Since the control plane is designed to encompass the workflow in a secure manner, much of the underlying connectivity can be abstracted. In an extreme version of this deployment, IT would abstract end-user access, and any cloud-based or on-premises resources would be securely published through the control plane with context-aware precision access.

    Network Design Tenets

    • The network path from resource to user is abstracted and controlled by IT through services like secure access service edge (SASE).
    • Users only need internet access and appropriate credentials to gain access to resources.
    • Security, risk, and trust controls will be implemented through external cloud based services.

    Control

    An inverted network abstracts the lower-layer connectivity away and focuses on implementing a cloud-based zero trust control plane.

    Info-Tech Insight

    This model is extremely attractive for organizations that consume primarily cloud services and have a large remote work force.

    Inverted networks

    The image contains an example of what inverted networks look like, as described in the text below.

    Defining Characteristics

    • The end user does not have to be in a defined location.
    • All central resources that are to be accessed are hosted on cloud resources.
    • IT has little to no control of the path between the end user and central resources.

    Common Components

    • Traditional offices
    • Regent offices/shared workspaces
    • Remote users/road warriors
    • Public cloud assets (IaaS/PaaS/SaaS)

    Understand available tooling

    Don’t buy a hammer and go looking for nails

    • A network archetype must be defined in order to understand what tools (hardware or software) are appropriate for consideration in a network build or refresh.
    • Tools are purpose built and generally designed to solve specific problems if implemented and operated correctly. Choose the tools to align with the challenges that you are solving as opposed to choosing tools and then trying to use those purchases to overcome challenges.
    • The purchase of a tool does not allow for abdication of proper design. Tools must be chosen appropriately and integrated properly to orchestrate the best solutions. Purchasing a tool and expecting the tool to solve all your issues rarely succeeds.

    “It is essential to have good tools, but it is also essential that the tools should be used in the right way.” — Wallace D. Wattles

    Software-defined WAN (SD-WAN)

    Simplified branch office connectivity

    Archetype Value: Traditional Networks

    What It Is Not

    SD-WAN is generally not a way to slash spending by lowering WAN circuit costs. Though it is traditionally deployed across lower cost access, to minimize risk and realize the most benefits from the platform many organizations install multiple circuits with greater bandwidths at each endpoint when replacing the more costly traditional circuits. Though this maximizes the value of the technology investment, it will result in the end cost being similar to the traditional cost plus or minus a small percentage.

    What It Is

    SD-WAN is a subset of software-defined networking (SDN) designed specifically to deploy a secure, centrally managed, connectivity agnostic, overlay network connecting multiple office locations. This technology can be used to replace, work in concert with, or augment more traditional costly connectivity such as MPLS or private point to point (PtP) circuits. In addition to the secure overlay, SD-WAN usually also enables policy-based, intelligent controls, based on traffic and circuit intelligence.

    Why Use It

    You have multiple endpoint locations connected by expensive lower bandwidth traditional circuits. Your target is to increase visibility and control while controlling costs if and where possible. Ease of centralized management and the ability to more rapidly turn up new locations are attractive.

    Cloud access security broker (CASB)

    Inline policy enforcement placed between users and cloud services

    Archetype Value: Hybrid Networks

    What It Is Not

    CASBs do not provide network protection; they are designed to provide compliance and enforcement of rules. Though CASBs are designed to give visibility and control into cloud traffic, they have limits to the data that they generally ingest and utilize. A CASB does not gather or report on cloud usage details, licencing information, financial costing, or whether the cloud resource usage is aligned with the deployment purpose.

    What It Is

    A CASB is designed to establish security controls beyond a company’s environment. It is commonly deployed to augment traditional solutions to extend visibility and control into the cloud. To protect assets in the cloud, CASBs are designed to provide central policy control and apply services primarily in the areas of visibility, data security, threat protection, and compliance.

    Why Use It

    You a mixture of on-premises and cloud assets. In moving assets out to the cloud, you have lost the traditional controls that were implemented in the data center. You now need to have visibility and apply controls to the usage of these cloud assets.

    Secure access service edge (SASE)

    Convergence of security and service access in the cloud

    Archetype Value: Inverted Networks

    What It Is Not

    Though the service will consist of many service offerings, SASE is not multiple services strung together. To present the value proposed by this platform, all functionality proposed must be provided by a single platform under a “single pane of glass.” SASE is not a mature and well-established service. The market is still solidifying, and the full-service definition remains somewhat fluid.

    What It Is

    SASE exists at the intersection of network-as-a-service and network-security-as-a-service. It is a superset of many network and security cloud offerings such as CASB, secure web gateway, SD-WAN, and WAN optimization. Any services offered by a SASE provider will be cloud hosted, presented in a single stack, and controlled through a single pane of glass.

    Why Use It

    Your network is inverting, and services are provided primarily as cloud assets. In a full realization of this deployment’s value, you would abstract how and where users gain initial network access yet remain in control of the communications and data flow.

    Activity

    Understand your enterprise network options

    Activity: Network assessment in an hour

    • Learn about the Enterprise Network Roadmap Technology Assessment Tool
    • Complete the Enterprise Network Roadmap Technology Assessment Tool

    This activity involves the following participants:

    • IT strategic direction decision makers.
    • IT managers responsible for network.
    • Organizations evaluating platforms for mission critical applications.

    Outcomes of this step:

    • Completed Enterprise Network Roadmap Technology Assessment Tool

    Info-Tech Insight

    Review your design options with security and compliance in mind. Infrastructure is no longer a standalone entity and now tightly integrates with software-defined networks and security solutions.

    Build an assessment in an hour

    Learn about the Enterprise Network Roadmap Technology Assessment Tool.

    This workbook provides a high-level analysis of a technology’s readiness for adoption based on your organization’s needs.

    • The workbook then places the technology on a graph that measures both the readiness and fit for your organization. In addition, it provides warnings for specific issues and lets you know if you have considerable uncertainty in your answers.
    • At a glance you can now communicate what you are doing to help the company:
      • Grow
      • Save money
      • Reduce risk
    • Regardless of your specific audience, these are important stories to be able to tell.
    The image contains three screenshots from the Enterprise Network Roadmap Technology Assessment Tool.

    Build an assessment in an hour

    Complete the Enterprise Network Roadmap Technology Assessment Tool.

    Dispense with detailed analysis and customizations to present a quick snapshot of the road ahead.

    1. Weightings: Adjust the Weighting tab to meet organizational needs. The provided weightings for the overall solution areas are based on a generic firm; individual firms will have different needs.
    2. Data Entry: For each category, answer the questions for the technology you are considering. When you have completed the questionnaire, go to the next tab for the results.
    3. Results: The Enterprise Network Roadmap Technology Assessment Tool provides a value versus readiness assessment of your chosen technology customized to your organization.

    The image contains three screenshots from the Enterprise Network Roadmap Technology Assessment Tool. It has a screenshot for each step as described in the text above.

    Related Info-Tech Research

    Effectively Acquire Infrastructure Services

    Acquiring a service is like buying an experience. Don’t confuse the simplicity of buying hardware with buying an experience.

    Outsource IT Infrastructure to Improve System Availability, Reliability, and Recovery

    There are very few IT infrastructure components you should be housing internally – outsource everything else.

    Build Your Infrastructure Roadmap

    Move beyond alignment: Put yourself in the driver’s seat for true business value.

    Drive Successful Sourcing Outcomes With a Robust RFP Process

    Leverage your vendor sourcing process to get better results.

    Research Authors

    The image contains a photo of Scott Young.

    Scott Young, Principal Research Advisor, Info-Tech Research Group

    Scott Young is a Director of Infrastructure Research at Info-Tech Research Group. Scott has worked in the technology field for over 17 years, with a strong focus on telecommunications and enterprise infrastructure architecture. He brings extensive practical experience in these areas of specialization, including IP networks, server hardware and OS, storage, and virtualization.

    The image contains a photo of Troy Cheeseman.

    Troy Cheeseman, Practice Lead, Info-Tech Research Group

    Troy has over 24 years of experience and has championed large enterprise-wide technology transformation programs, remote/home office collaboration and remote work strategies, BCP, IT DRP, IT operations and expense management programs, international right placement initiatives, and large technology transformation initiatives (M&A). Additionally, he has deep experience working with IT solution providers and technology (cloud) startups.

    Bibliography

    Ahlgren, Bengt. “Design considerations for a network of information.” ACM Digital Library, 21 Dec. 2008.

    Cox Business. “Digital transformation is here. Is your business ready to upgrade your mobile work equation?” BizJournals, 1 April 2022. Accessed April 2022.

    Elmore, Ed. “Benefits of integrating security and networking with SASE.” Tech Radar, 1 April 2022. Web.

    Greenfield, Dave. “From SD-WAN to SASE: How the WAN Evolution is Progressing.” Cato Networks, 19 May 2020. Web

    Korolov, Maria. “What is SASE? A cloud service that marries SD-WAN with security.” Network World, 7 Sept. 2020. Web.

    Korzeniowski, Paul, “CASB tools evolve to meet broader set of cloud security needs.” TechTarget, 26 July 2019. Accessed March 2022.

    Make Sense of Strategic Portfolio Management

    • Buy Link or Shortcode: {j2store}447|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Portfolio Management
    • Parent Category Link: /portfolio-management
    • As an IT leader, you’re responsible for steering the realization of business strategy through wise investments in and responsible stewardship of assets, applications, portfolios, programs, products, and projects.
    • You need a tool to help align goals and facilitate processes across business units. You’re aware of a tool space called Strategic Portfolio Management, and it looks like it could help, but you’re unsure of how it’s different from some of the existing tools you already pay for and don’t use to their full functionality.

    Our Advice

    Critical Insight

    As a software space, strategic portfolio management lacks a unified definition. In the same way that it took many years for project portfolio management to stabilize as a concept distinct from traditional enterprise project management, strategic portfolio management is experiencing a similar period of formational uncertainty. Unpacking what’s truly new and valuable in helping to define strategy and drive strategic outcomes versus what’s just repackaged as SPM is an important first step, but it's not an easy undertaking.

    Impact and Result

    In this concise publication, we will cut through the marketing to unpack what strategic portfolio management is, and what makes it distinct from similar capabilities. We’ll help to situate you in the space and assess the extent to which your tooling needs can be met by a strategic portfolio management offering.

    Make Sense of Strategic Portfolio Management Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Make Sense of Strategic Portfolio Management Storyboard – A guide to help you drive strategic outcomes.

    In this concise publication we introduce you to strategic portfolio management and consider the extent to which your organization can leverage an SPM application to help drive strategic outcomes.

    • Make Sense of Strategic Portfolio Management Storyboard

    2. Strategic Portfolio Management Needs Assessment Tool – Use this tool to determine if your organization can benefit from the features and functionality of an SPM approach.

    Use this Excel workbook to determine if your organization can benefit from the features and functionality of an SPM approach or whether you need something more like a traditional project portfolio management tool.

    • Strategic Portfolio Management Needs Assessment
    [infographic]

    Further reading

    Make Sense of Strategic Portfolio Management

    Separate what's new and valuable from bloated claims on the hype cycle.

    Analyst Perspective

    Do you need strategic portfolio management, or do you need to do portfolio management more strategically?

    Travis Duncan, Research Director, PPM and CIO Strategy

    Travis Duncan
    Research Director, PPM and CIO Strategy
    Info-Tech Research Group

    While the market is eager to get users into what they're calling "strategic portfolio management," there's a lot of uncertainty out there about what this market is and how it's different from other, more established portfolio disciplines – most significantly, project portfolio management.

    Indeed, if you look at how the space is covered within the industry, you'll encounter a dog's breakfast of players, a comparison of apples and oranges: Jira in the same quadrants as Planisware, Smartsheets in the same profiles as Planview and ServiceNow. While each of the individual players is impressive, their areas of focus are unique and the extent to which they should be compared together under the category of strategic portfolio management is questionable.

    It speaks to some of the grey area within the SPM space more generally, which is at a bit of a crossroads: Will it formally shed the guardrails of its antecedents to become its own space, or will it devolve into a bait and switch through which capabilities that struggled to gain much traction beyond IT settings seek to infiltrate the business and grow their market share under a different name?

    Part of it is up to the rest of us as users and potential customers. Clarifying what we need before we jump into something simply because our prior attempts failed will help determine whether we need a unique space for strategic portfolio management or whether we simply need to do portfolio management more strategically.

    Executive Summary

    Your Challenge Common Obstacles Info-Tech's Approach
    • As an IT leader, you're responsible for steering the realization of business strategy through wise investments in/ and responsible stewardship of: assets, applications, portfolios, programs, products, and projects.
    • You need a tool to help align goals and facilitate processes and communications across business units. You're aware of a tool space called strategic portfolio management, and it looks like it could help, but you're unsure of how it's different from some of the existing tools you already license.
    • As a software space, strategic portfolio management lacks a unified definition. Unpacking what's truly new in helping to define strategy and drive strategic outcomes versus what's just repackaged as SPM is no small undertaking.
    • Because SPM can span different business units, ways of working, and roles, getting buy-in, alignment, and adoption can be even more precarious than it is when implementing other types of solutions.
    • In this concise publication, we will cut through the marketing to unpack what strategic portfolio management is and what makes it distinct from similar capabilities.
    • Assess the extent to which your tooling needs can be met by a strategic portfolio management offering or the extent to which you may need to look at other software categories.
    • With a better understanding of the space, we hope to help facilitate better internal discussions around the value of SPM for your business needs.

    Info-Tech Insight
    In the same way that it took many years for PPM to stabilize as a concept distinct from traditional enterprise project management, strategic portfolio management is experiencing a similar period of formational uncertainty. In a space that can be all things to all users, clarify your actual needs before jumping onto a bandwagon and ending up with something that you don't need, and that the organization can't adopt.

    Strategic portfolio management is enterprise portfolio management

    Evolved from various other capabilities and vendor solutions, strategic portfolio management (SPM) seeks to connect strategy to execution.

    While the concept of 'strategic portfolio management' has been written about within project portfolio management circles for nearly 20 years, SPM, as a distinct organizational competence and software category, is a relatively new and largely vendor-driven capability.

    First emerging in the discourse during the mid-to-late 2010s, SPM has evolved from its roots in traditional enterprise project portfolio management. Though, as we will discuss, it has other antecedents not limited to PPM.

    In this publication, we'll unpack what SPM is, how it is distinct (and, in turn, how it is not distinct) from PPM and other capabilities, and we will consider the extent to which your organization can and should leverage an SPM application to help drive strategic outcomes.

    –The increasing need to deliver value from digital initiatives is giving rise to strategic portfolio management, a digital investment management discipline that enables strategy realization in complex dynamic environments."
    – OnePlan, "Is Strategic Portfolio Management the Future of PPM?"

    Only 2% of business leaders are confident that they will achieve 80% to 100% of their strategic objectives.
    Source: Smith, 2022

    Put strategic portfolio management in context

    SPM is a new stage in the history of project portfolio management more generally. While it's emerging as a distinct capability, and it borrows from capabilities beyond PPM, unpacking its distinctiveness is best done by first understanding its source.

    Understand the recent triggers for strategic portfolio management

    Triggers for the emergence of strategic portfolio management in the discourse include the pace of technology-introduced change, the waning of enterprise project management, and challenges around enterprise PPM tool adoption.

    Spot the difference?

    Scope, focus, and audience are just a few of the factors distinguishing what the market calls "SPM" from traditional PPM.

    Project Portfolio Management Differentiator Strategic Portfolio Management
    Work-Level (Tactical) Primary Orientation High-Level (Strategic)
    CIO Accountable for Outcomes CxO
    Project Manager Responsible for Outcomes Product Management Organization
    Project Managers, PMO Staff Targeted Users Business Leaders, ePMO Staff
    Project Portfolio(s) Essential Scope Multi-Portfolio (Project, Application, Product, Program, etc.)
    IT Project Delivery and Business Results Delivery Core Focus Business Strategy and Change Delivery
    Project Scope Change Impact Sensitivity Enterprise Scope
    IT and/or Business Benefit Language of Value Value Stream
    Project Timelines Main View Strategy Roadmaps
    Resource Capacity Primary Currency Money
    Work-Assignment Details Modalities of Planning Value Milestones & OKRs
    Work Management Modalities of Execution Governance (Project, Product, Strategy, Program, etc.)
    Project Completion Definitions of "Done" Business Capability Realization

    Info-Tech Insight
    The distinction between the two capabilities is not necessarily as black and white as the table above would have it (some "PPM" tools offer what we're identifying above as "SPM" capabilities), but it can be helpful to think in these binaries when trying to distinguish the two capabilities. At the very least, SPM broadens its scope to target more executive and business users, and functions best when it's speaking at a higher level, to a business audience.

    Strategic portfolio management offers a more holistic view of the enterprise

    At its best, strategic portfolio management can accommodate various paradigms of work management and incorporate different types of portfolio management.

    Perhaps the biggest evolution from traditional PPM that strategic portfolio management promises is that it casts a wider net in terms of the types of work it tracks (and how it tracks that work) and the types of portfolios it accommodates.

    Not bound to the concepts of "projects" and a "project portfolio" specifically, SPM broadens its scope to encompass capabilities like product and product portfolio management, enterprise architecture management, security and risk management, and more.

    • Where a PPM solution only shows one piece of the puzzle, SPM looks at the entire investment ecosystem, tracking strategic goals, the ideas generated to help achieve those goals, and all the various kinds of investments made in the service of those goals.
    • what's more, where traditional PPM tools required users to adhere to a certain way of working and managing tasks, SPM is more flexible, relying on integrations across various ways of working to provide higher-level insight on the progress of work and the achievement of goals.

    Deliver business strategy and change effectively

    Info-Tech's Strategic Portfolio Management Framework

    "An SPM tool will capture business strategy, business capabilities, operating models, the enterprise architecture and the project portfolio with unmatched visibility into how they all relate. This will give...a robust understanding of the impact of a proposed IT change " and enable IT and business to act like cocreators driving innovation."
    – Paula Ziehr

    You might need a strategic portfolio management tool if–

    If you find yourself facing any of these situations, it might be time to step away from your PPM tool and into an SPM approach:

    • Your organization is facing a large implementation that will cross multiple departmental units and requires alignment across senior leadership (e.g. a digital transformation initiative).
    • You currently have disparate systems tracking different portfolios (project, product, applications, etc.) and types of investments, but lack insight into the whole in terms of how work efforts and investments tie back to strategy realization.
    • You are an ePMO or a strategy realization office that doesn't manage work necessarily, but that rather ensures that the work, assets, and capabilities that are funded connect to strategy and drive the realization of strategy.

    Sixty one percent of leaders acknowledge their companies struggle to bridge the gap between creating a strategy and executing on that strategy.
    Source: StrategyBlocks, 2020

    Get to know your strategic portfolio management stakeholders

    In terms of users, SPM's focus is further up the org chart than most applications, relying on high-level but usable outputs to help drive decision making.

    ePMO or Strategy Realization Office Senior Leadership and Executive Stakeholders Business Leads and IT Directors and Managers
    SPM tools are best facilitated through enterprise PMOs or strategy realization offices. After all, in enterprises, these are the entities charged with the planning, execution, and tracking of strategy.

    Their roles within the tool typically entail:

    • Helping to facilitate processes and collect data.
    • Data quality and curation.
    • Report distribution and consumption.
    		 As those with the accountability and authority to drive the organization's strategy, you could argue that these stakeholders are the primary stakeholders for an SPM tool.

    Their roles within the tool typically entail:

    • Using strategy map and ideation functionalities.
    • Using reports to steward strategy realization.
    		 SPM targets more business users as well as senior IT managers and directors.

    Their roles within the tool typically entail:

    • Using strategy map and ideation functionalities.
    • Providing updates to ePMOs on progress.

    What should you look for in a strategic portfolio management tool? (1 of 2)

    Standard features for SPM include:

    Name Description
    Analytics and Reporting SPM should provide access to real-time dashboards and data interpretation, which can be exported as reports in a range of formats.
    Strategy Mapping and Road Mapping SPM should provide access to up-to-date timeline views of strategies and initiatives, including the ability to map such things as dependencies, market needs, funding, priorities, governance, and accountabilities.
    Value Tracking and Measurement SPM should include the ability to forecast, track, and measure return on investment for strategic investments. This includes accommodations for various paradigms of value delivery (e.g. traditional value delivery and measurement, OKRs, as well as value mapping and value streams).
    Ideation and Innovation Management SPM should include the ability to facilitate innovation management processes across the organization, including the ability to support stage gates from ideation through to approval; to articulate, socialize, and test ideas; perform impact assessments; create value canvas and OKR maps; and prioritize.
    Multi-Portfolio Management SPM should include the ability to perform various modalities of portfolio management and portfolio optimization, including project portfolio management, applications portfolio management, asset portfolio management, etc.
    Interoperability/APIs An SPM tool should enable seamless integration with other applications for data interoperability.

    What should you look for in a strategic portfolio management tool? (2 of 2)

    Advanced features for SPM can include:

    Name Description
    Product Management SPM can include product-management-specific functionality, including the ability to connect product families, roadmaps, and backlogs to enterprise goals and priorities, and track team-level activities at the sprint, release, and campaign levels.
    Enterprise Architecture Management SPM can include the ability to define and map the structure and operation of an organization in order to effectively coordinate various domains of architecture and governance (e.g. business architecture, data architecture, application architecture, security architecture, etc.) in order to effectively plan and introduce change.
    Security and Risk Management SPM can include the ability to identify and track enterprise risks and ensure compliance controls are met.
    Lean Portfolio Management SPM can include the ability to plan and report on portfolio performance independent from task level details of product, program, or project delivery.
    Investment and Financial Management SPM can include the ability to forecast, track, and report on financials at various levels (strategy, product, program, project, etc.).
    Multi-Methodology Delivery SPM can include the ability to plan and execute work in a way that accommodates various planning and delivery paradigms (predictive, iterative, Kanban, lean, etc.).

    What's promising within the space?

    As this space continues to stabilize, the following are some promising associations for business and IT enablement.

    1. SPM accommodates various ways of working.
    • Where traditional PPM and work management tools required that users change their processes and tasking paradigms to fit within the tool's rigid task management and data structures, the best SPM tools are those that are adaptable to various ways of working and can accommodate many tasking and work management models.
    • Sometimes this is done through extensive integrations and APIs that pull data from existing work management applications into a single view within the SPM tool, and other times, this is done by abstracting the task-level details into a higher-level reporting structure (it can depend on the solution). In any event, the best SPMs are bound to one work management model.
    2. SPM puts the focus on value and change.
    • With its focus on the planning and execution of strategy, SPM can't avoid putting a spotlight on value and value realization. The best SPM tools include the ability to forecast, track, and measure return on investment for strategic investments, and they accommodate for various paradigms of value delivery (e.g. traditional value delivery and measurement, OKRs, as well as value mapping and value streams).
    • Of course, you can't realize value without successfully fostering change. And while SPM tools don't necessarily offer functionality explicitly identifiable as organizational change management, they can act as agents of change in putting the spotlight on the execution of change at the executive level.
    3. SPM fosters a coherent approach to demand management.
    • With its goal of ensuring that strategy informs the organization of portfolios and guides the selection of projects and delivery of products, SPM can potentially bring some order to what is often a chaotic demand-management landscape, ensuring that planned and in-progress work is well justified from an ROI perspective.

    What's of concern within the space?

    As a progeny from other capabilities, SPM has some risks and connotations potential users should be wary of.

    1. The space is rife with IT buzzwords and, as a concept, is sometimes used as a repackaging of failing concepts.
    • You don't need to spend too much time engaging with the literature around SPM before you notice the marketing appeals heavily to concepts like "digitalization," "digital transformation," "continual innovation," "agility/Agile," and the like. While these are all important concepts, and the pursuit of them is worthwhile in many cases, there's no denying they're used as consultant and vendor buzzwords, deployed to excite our imaginations, without necessarily providing much meat around what they mean or how they're deployed and successfully sustained.
    • Indeed, many concepts and capabilities that appear in relation to SPM are on the downward swing of industry hype cycles, suggesting that SPM may be being used by vendors and consultants as another attempt to repackage and capitalize on these concepts even as practitioners grow weary and suspicious of the marketing claims built up around them.
    2. Some solutions that identify as SPM are not.
    • Because it's on the upward swing of its place in the hype cycle, many established PPM and service management vendors are applying the 'strategic portfolio management" label to their products without necessarily doing anything different from a functionality perspective to fit within the space. As a result, SPM vendor landscapes can compare work management, project management, demand management tools, and more. Users who want SPM functionality need to stay frosty to ensure they get what they pay for.
    3. SPM tools may have a capacity blind spot.
    • The biggest barrier to getting things done and done well in modern enterprises is approving more work than you have the capacity to deliver. While SPM offerings can help with better demand management, not many of them cover the capacity side with the same level of improvement.

    Does your organization need a strategic portfolio management tool?

    Use Info-Tech's Strategic Portfolio Management Needs Assessment to gauge your readiness for SPM.

    • As noted in previous places in this deck, there is often a grey area in the market between project portfolio management tools and strategic portfolio management tools.
    • Some PPM tools offer SPM functionality, while some SPM tools avoid traditional PPM outcomes and stay at a higher, strategic level.
    • Depending on the scope of your PMO or portfolio optimization needs, you may need a tool that has just one, or both, of these capabilities.
    • Use Info-Tech's Strategic Portfolio Management Needs Assessment to help you assess whether you require a high-level strategy management tool, a more low-level project portfolio management tool, or a mix of both.

    Download Info-Tech's Strategic Portfolio Management Needs Assessment

    1.1 Assess your needs

    10 to 20 minutes

    1. The Strategic Portfolio Management Needs Assessment is a 41-question survey broken up into three parts: (1) PMO Type, (2) Features and Functionality, (3) Roles.
    2. Go through each section using the provided dropdowns to help identify the orientation of your PMO, the feature and functionality needs of your office, as well as the roles whose needs will need to be serviced through the potential tool implementation.

    This screenshot shows a sample output from the assessment. Based upon your inputs, you'll be grouped within three ranges:

    1. Green: Based upon your inputs, you will benefit from an SPM tool.
    2. Yellow: You may benefit from an SPM tool, but you may also require something more traditional. Clarify your requirements before proceeding.
    3. Red: you're unlikely to leverage many of the benefits of an SPM tool at this time. Look for a more tactical solution.

    Sample Output from the assessment tool

    Input Output
    • Understanding of existing project management, project portfolio management, and work management applications.
    • Recommendation on PPM/SPM tool type
    Materials Participants
    • Strategic Portfolio Management Needs Assessment tool
    • Portfolio managers and/or ePMO directors
    • Project managers and product managers
    • Business stakeholders

    Explore the SPM vendor landscape

    Use Info-Tech's application selection resources to help find the right solution for your organization.

    If the analysis in the previous slides suggested you can benefit from an SPM tool, you can quick-start your vendor evaluation process with SoftwareReviews.

    SoftwareReviews has extensive coverage of not just the SPM space, but of the project portfolio management (pictured to the top right) and project management spaces as well. So, from the tactical to the strategic, SoftwareReviews can help you find the right tools.

    Further, as you settle in on a shortlist, you can begin your vendor analysis using our rapid application selection methodology (see framework on bottom right). For more information see our The Rapid Application Selection Framework blueprint.

    Info-Tech's Rapid Application Selection Framework

    Info-Tech's Rapid Application Selection Framework (RASF)

    Related Info-Tech Research

    Develop a Project Portfolio Management Strategy
    Drive IT project throughput by throttling resource capacity.

    Prepare an Actionable Roadmap for your PMO
    Turn planning into action with a realistic PMO timeline.

    Maintain an Organized Portfolio
    Align portfolio management practices with COBIT (APO05: Manage Portfolio)

    Bibliography

    Angliss, Katy, and Pete Harpum. Strategic Portfolio Management: In the Multi-Project and Program Organization. Book. Routledge. 30 Dec. 2022.

    Anthony, James. "95 Essential Project Management Statistics: 2022 Market Share & Data Analysis." Finance Online. 2022. Web. Accessed 21 March 2022

    Banham, Craig. "Integrating strategic planning with portfolio management." Sopheon. Webinar. Accessed 6 Feb. 2023.

    Garfein, Stephen J. "Executive Guide to Strategic Portfolio Management: roadmap for closing the gap between strategy and results." PMI. Conference Paper. Oct. 2007. Accessed 6 Feb. 2023.

    Garfein, Stephen J. "Strategic Portfolio Management: A smart, realistic and relatively fast way to gain sustainable competitive advantage." PMI. Conference Paper. 2 March 2005. Accessed 6 Feb. 2023.

    Hontar, Yulia. "Strategic Portfolio Management." PPM Express. Blog 16 June 2022. Accessed 6 Feb. 2023.

    Milsom, James. "6 Strategic Portfolio Management Trends for 2023." i-nexus. Blog. 25 Jan. 2022. Accessed 6 Feb. 2023.

    Milsom, James. "Strategic Portfolio Management 101." i-nexus. 8 Dec. 2021. Blog . Accessed 6 Feb. 2023.

    OnePlan, "Is Strategic Portfolio Management the Future of PPM?" YouTube. 17 Nov. 2022. Accessed 6 Feb. 2023.

    OnePlan. "Strategic Portfolio Management for Enterprise Agile." YouTube. 27 May 2022. Accessed 6 Feb. 2023.

    Piechota, Frank. "Strategic Portfolio Management: Enabling Successful Business Outcomes." Shibumi. Blog . 31 May 2022. Accessed 6 Feb. 2023.

    ServiceNow. "Strategic Portfolio Management—The Thing You've Been Missing." ServiceNow. Whitepaper. 2021. Accessed 6 Feb. 2023.

    Smith, Shepherd, "50+ Eye-Opening Strategic Planning Statistics" ClearPoint Strategy. Blog. 13 Sept. 2022. Accessed 6 Feb. 2023.

    SoftwareAG. "What is Strategic Portfolio Management (SPM)?" SoftwareAG. Blog. Accessed 6 Feb. 2023.

    Stickel, Robert. "What It Means to be Adaptive." OnePlan. Blog. 24 May 2021. Accessed 6 Feb. 2023.

    UMT360. "What is Strategic Portfolio Management?" YouTube. Webinar. 22 Oct. 2020. Accessed 6 Feb. 2023.

    Wall, Caroline. "Elevating Strategy Planning through Strategic Portfolio Management." StrategyBlocks. Blog. 26 Feb. 2020. Accessed 6 Feb. 2023.

    Westmoreland, Heather. "What is Strategic Portfolio Management." Planview. Blog. 19 Oct 2002. Accessed 6 Feb. 2023.

    Wiltshire, Andrew. "Shibumi Included in Gartner Magic Quadrant for Strategic Portfolio Management for the 2nd Straight Year." Shibumi. Blog. 20 Apr. 2022. Accessed 6 Feb. 2023.

    Ziehr, Paula. "Keep your eye on the prize: Align your IT investments with business strategy." SoftwareAG. Blog. 5 Jul. 2022. Accessed 6 Feb. 2023.

    Improve Incident and Problem Management

    • Buy Link or Shortcode: {j2store}290|cart{/j2store}
    • member rating overall impact: 9.6/10 Overall Impact
    • member rating average dollars saved: $43,761 Average $ Saved
    • member rating average days saved: 23 Average Days Saved
    • Parent Category Name: Incident and problem management
    • Parent Category Link: /improve-your-core-processes/infra-and-operations/i-and-o-process-management/incident-and-problem-management
    • IT infrastructure managers have conflicting accountabilities. It can be difficult to fight fires as they appear while engaging in systematic fire prevention.
    • Repetitive interruptions erode faith in IT. If incidents recur consistently, why should the business trust IT to resolve them?

    Continue reading

    Develop Meaningful Service Metrics

    • Buy Link or Shortcode: {j2store}399|cart{/j2store}
    • member rating overall impact: 9.5/10 Overall Impact
    • member rating average dollars saved: $20,308 Average $ Saved
    • member rating average days saved: 30 Average Days Saved
    • Parent Category Name: Service Management
    • Parent Category Link: /service-management
    • IT organizations measure services from a technology perspective but rarely from a business goal or outcome perspective.
    • Most organizations do a poor job of identifying and measuring service outcomes over the duration of a service’s lifecycle – never ensuring the services remain valuable and meet expected long-term ROI.

    Our Advice

    Critical Insight

    • Service metrics are critical to ensuring alignment of IT service performance and business service value achievement.
    • Service metrics reinforce positive business and end-user relationships by providing user-centric information that drives responsiveness and consistent service improvement.
    • Poorly designed metrics drive unintended and unproductive behaviors that have negative impacts on IT and produce negative service outcomes.

    Impact and Result

    Effective service metrics will provide the following service gains:

    • Confirm service performance and identify gaps.
    • Drive service improvement to maximize service value.
    • Validate performance improvements while quantifying and demonstrating business value.
    • Ensure service reporting aligns with end-user experience.
    • Achieve and confirm process and regulatory compliance.

    Which will translate into the following relationship gains:

    • Embed IT into business value achievement.
    • Improve the relationship between the business and IT.
    • Achieve higher customer satisfaction (happier end users receiving expected service, the business is able to identify how things are really performing).
    • Reinforce desirable actions and behaviors from both IT and the business.

    Develop Meaningful Service Metrics Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should develop meaningful service metrics, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Develop Meaningful Service Metrics – Executive Brief
    • Develop Meaningful Service Metrics – Phases 1-3

    1. Design the metrics

    Identify the appropriate service metrics based on stakeholder needs.

    • Develop Meaningful Service Metrics to Ensure Business and User Satisfaction – Phase 1: Design the Metrics
    • Metrics Development Workbook

    2. Design reports and dashboards

    Present the right metrics in the most interesting and stakeholder-centric way possible.

    • Develop Meaningful Service Metrics to Ensure Business and User Satisfaction – Phase 2: Design Reports and Dashboards
    • Metrics Presentation Format Selection Guide

    3. Implement, track, and maintain

    Run a pilot with a smaller sample of defined service metrics, then continuously validate your approach and make refinements to the processes.

    • Develop Meaningful Service Metrics to Ensure Business and User Satisfaction – Phase 3: Implement, Track, and Maintain
    • Metrics Tracking Tool
    [infographic]

    Workshop: Develop Meaningful Service Metrics

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Design the Metrics

    The Purpose

    Define stakeholder needs for IT based on their success criteria and identify IT services that are tied to the delivery of business outcomes.

    Derive meaningful service metrics based on identified IT services and validate that metrics can be collected and measured.

    Key Benefits Achieved

    Design meaningful service metrics from stakeholder needs.

    Validate that metrics can be collected and measured.

    Activities

    1.1 Determine stakeholder needs, goals, and pain points.

    1.2 Determine the success criteria and related IT services.

    1.3 Derive the service metrics.

    1.4 Validate the data collection process.

    1.5 Validate metrics with stakeholders.

    Outputs

    Understand stakeholder priorities

    Adopt a business-centric perspective to align IT and business views

    Derive meaningful business metrics that are relevant to the stakeholders

    Determine if and how the identified metrics can be collected and measured

    Establish a feedback mechanism to have business stakeholders validate the meaningfulness of the metrics

    2 Design Reports and Dashboards

    The Purpose

    Determine the most appropriate presentation format based on stakeholder needs.

    Key Benefits Achieved

    Ensure the metrics are presented in the most interesting and stakeholder-centric way possible to guarantee that they are read and used.

    Activities

    2.1 Understand the different presentation options.

    2.2 Assess stakeholder needs for information.

    2.3 Select and design the metric report.

    Outputs

    Learn about infographic, scorecard, formal report, and dashboard presentation options

    Determine how stakeholders would like to view information and how the metrics can be presented to aid decision making

    Select the most appropriate presentation format and create a rough draft of how the report should look

    3 Implement, Track, and Maintain Your Metrics

    The Purpose

    Run a pilot with a smaller sample of defined service metrics to validate your approach.

    Make refinements to the implementation and maintenance processes prior to activating all service metrics.

    Key Benefits Achieved

    High user acceptance and usability of the metrics.

    Processes of identifying and presenting metrics are continuously validated and improved.

    Activities

    3.1 Select the pilot metrics.

    3.2 Gather data and set initial targets.

    3.3 Generate the reports and validate with stakeholders.

    3.4 Implement the service metrics program.

    3.5 Track and maintain the metrics program.

    Outputs

    Select the metrics that should be first implemented based on urgency and impact

    Complete the service intake form for a specific initiative

    Create a process to gather data, measure baselines, and set initial targets

    Establish a process to receive feedback from the business stakeholders once the report is generated

    Identify the approach to implement the metrics program across the organization

    Set up mechanism to ensure the success of the metrics program by assessing process adherence and process validity

    Further reading

    Develop Meaningful Service Metrics

    Select IT service metrics that drive business value.

    ANALYST PERSPECTIVE

    Are you measuring and reporting what the business needs to know?

    “Service metrics are one of the key tools at IT’s disposal in articulating and ensuring its value to the business, yet metrics are rarely designed and used for that purpose.

    Creating IT service metrics directly from business and stakeholder outcomes and goals, written from the business perspective and using business language, is critical to ensuring that the services that IT provides are meeting business needs.

    The ability to measure, manage, and improve IT service performance in relation to critical business success factors, with properly designed metrics, embeds IT in the value chain of the business and ensures IT’s focus on where and how it enables business outcomes.”

    Valence Howden,
    Senior Manager, CIO Advisory
    Info-Tech Research Group

    Our understanding of the problem

    This Research Is Designed For:
    • CIO
    • IT VPs
    		 This Research Will Help You:
    • Align business/IT objectives (design top-down or outside-in)
    • Significantly improve the relationship between the business and IT aspects of the organization
    • Reinforce desirable actions and behaviors
    This Research Will Also Assist:
    • Service Level Managers
    • Service Owners
    • Program Owners
    		 This Research Will Help Them
    • Identify unusual deviations from the normal operating state
    • Drive service improvement to maximize service value
    • Validate the value of performance improvements while quantifying and demonstrating benefits realization

    Executive summary

    Situation

    • IT organizations measure services from a technology perspective yet rarely measure services from a business goal/outcome perspective.
    • Most organizations do a poor job of identifying and measuring service outcomes over the duration of a service’s lifecycle – never ensuring the services remain valuable and meet expected long-term ROI.

    Complication

    • IT organizations have difficulty identifying the right metrics to demonstrate the value of IT services to the business in tangible terms.
    • IT metrics, as currently designed, reinforce division between the IT and business perspectives of service performance. They drive siloed thinking and finger-pointing within the IT structure, and prevent IT resources from understanding how their work impacts business value.

    Resolution

    • Our program enables IT to develop the right service metrics to tie IT service performance to business value and user experience.
    • Ensure the metrics you implement have immediate stakeholder value, reinforcing alignment between IT and the business while influencing behavior in the desired direction.
    • Make sure that your metrics are defined in relation to the business goals and drivers, ensuring they will provide actionable outcomes.

    Info-Tech Insight

    1. Service metrics are critical to ensuring alignment of IT service performance and business service value achievement.
    2. Service metrics reinforce positive business and end-user relationships by providing user-centric information that drives responsiveness and consistent service improvement.
    3. Poorly designed metrics drive unintended and unproductive behaviors, which have negative impacts on IT and produce negative service outcomes.

    Service metrics 101

    What are service metrics?

    Service metrics measure IT services in a way that relates to a business outcome. IT needs to measure performance from the business perspective using business language.

    		Why do we need service metrics?

    To ensure the business cares about the metrics that IT produces, start with business needs to make sure you’re measuring the right things. This will give IT the opportunity talk to the right stakeholders and develop metrics that will meet their business needs.

    Service metrics are designed with the business perspective in mind, so they are fully aligned with business objectives.

    Perspectives Matter

    Different stakeholders will require different types of metrics. A CEO may require metrics that provide a snapshot of the critical success of the company while a business manager is more concerned about the performance metrics of their department.

    		What are the benefits of implementing service metrics?

    Service metrics help IT communicate with the business in business terms and enables IT to articulate how and where they provide business value. Business stakeholders can also easily understand how IT services contribute to their success.

    The majority of CIOs feel metrics relating to business value and stakeholder satisfaction require significant improvement

    A significantly higher proportion of CIOs than CEOs feel that there is significant improvement necessary for business value metrics and stakeholder satisfaction reporting. Stacked horizontal bar chart presenting survey results from CIOs and CXOs of 'Business Value Metrics'. Answer options are 'Effective', 'Some Improvement Necessary', 'Significant Improvement Necessary', and 'Not Required'.N=364

    Stacked horizontal bar chart presenting survey results from CIOs and CXOs of 'Stakeholder Satisfaction Reporting'. Answer options are 'Effective', 'Some Improvement Necessary', 'Significant Improvement Necessary', and 'Not Required'.N=364

    (Source: Info-Tech CIO-CXO Alignment Diagnostic Survey)

    Meaningless metrics are a headache for the business

    A major pitfall of many IT organizations is that they often provide pages of technical metrics that are meaningless to their business stakeholders.

    1. Too Many MetricsToo many metrics are provided and business leaders don’t know what to do with these metrics.
    2. Metrics Are Too TechnicalIT provides technical metrics that are hard to relate to business needs, and methods of calculating metrics are not clearly understood, articulated, and agreed on.
    3. Metrics Have No Business ValueService metrics are not mapped to business goals/objectives and they drive incorrect actions or spend.
    		 When considering only CEOs who said that stakeholder satisfaction reporting needed significant improvement, the average satisfaction score goes down to 61.6%, which is a drop in satisfaction of 12%.

    A bar that says 73% dropping to a bar that says 61%. Description above.

    (Source: Info-Tech Research Group CIO-CXO Alignment Diagnostic Survey)

    Poorly designed metrics hurt IT’s image within the organization

    By providing metrics that do not articulate the value of IT services, IT reinforces its role as a utility provider and an outsider to strategic decisions.

    When the CIOs believe business value metrics weren’t required, 50% of their CEOs said that significant improvements were necessary.

    Pie Chart presenting the survey results from CEOs regarding 'Business Value Metrics'. Description above.

    (Source: Info-Tech Research Group CIO-CXO Alignment Diagnostic Survey)
    1. Reinforce the wrong behaviorThe wrong metrics drive us-against-them, siloed thinking within IT, and meeting metric targets is prioritized over providing meaningful outcomes.
    2. Do not reflect user experienceMetrics don’t align with actual business/user experience, reinforcing a poor view of IT services.
    3. Effort ≠ ValueInvesting dedicated resources and effort to the achievement of the wrong metrics will only leave IT more constrained for other important initiatives.

    Articulate meaningful service performance that supports the achievement of business outcomes

    Service metrics measure the performance of IT services and how they enable or drive the activity outcomes.

    A business process consists of multiple business activities. In many cases, these business activities require one or more supporting IT services.

    A 'Business Process' broken down to its parts, multiple 'Business Activities' and their 'IT Services'. For each business process, business stakeholders and their goals and objectives should be identified.

    For each business activity that supports the completion of a business process, define the success criteria that must be met in order to produce the desirable outcome.

    Identify the IT services that are used by business stakeholders for each business activity. Measure the performance of these services from a business perspective to arrive at the appropriate service metrics.

    Differentiate between different types of metrics

    Stakeholders have different goals and objectives; therefore, it is critical to identify what type of metrics should be presented to each stakeholder.

    Business Metrics

    Determine Business Success

    Business metrics are derived from a pure business perspective. These are the metrics that the business stakeholders will measure themselves on, and business success is determined using these metrics.

    Arrow pointing right.

    		Service Metrics

    Manage Service Value to the Business

    Service metrics are used to measure IT service performance against business outcomes. These metrics, while relating to IT services, are presented in business terms and are tied to business goals.

    Arrow pointing right.

    		IT Metrics

    Enable Operational Excellence

    IT metrics are internal to the IT organization and used to manage IT service delivery. These metrics are technical, IT-specific, and drive action for IT. They are not presented to the business, and are not written in business language.

    Implementing service metrics is a key step in becoming a service provider and business partner

    As a prerequisite, IT organizations must have already established a solid relationship with the business and have a clear understanding of its critical business-facing services.

    At the very least, IT needs to have a service-oriented view and understand the specific needs and objectives associated with each stakeholder.

    Visualization of 'Business Relationship Management' with an early point on the line representing 'Service Provider: Establish service-oriented culture and business-centric service delivery', and the end of the line being 'Strategic Partner'.

    Once IT can present service metrics that the business cares about, it can continue on the service provider journey by managing the performance of services based on business needs, determine and influence service demand, and assess service value to maximize benefits to the business.

    Which processes drive service metrics?

    Both business relationship management (BRM) and service level management (SLM) provide inputs into and receive outputs from service metrics.

    Venn Diagram of 'Business Relationship Management', 'Service Metrics', and 'Service Level Management'.

    Business Relationship Management

    BRM works to understand the goals and objectives of the business and inputs them into the design of the service metrics.

    Service Metrics

    BRM leverages service metrics to help IT organizations manage the relationship with the business.

    BRM articulates and manages expectations and ensures IT services are meeting business requirements.

    Which processes drive service metrics?

    Both BRM and SLM provide inputs into and receive outputs from service metrics.

    Venn Diagram of 'Business Relationship Management', 'Service Metrics', and 'Service Level Management'.

    Service Level Management

    SLM works with the business to understand service requirements, which are key inputs in designing the service metrics.

    Service Metrics

    SLM leverages service metrics in overseeing the day-to-day delivery of IT services. It ensures they are provided to meet expected service level targets and objectives.

    Effective service metrics will deliver both service gains and relationship gains

    Effective service metrics will provide the following service gains:

    • Confirm service performance and identify gaps
    • Drive service improvement to maximize service value
    • Validate performance improvements while quantifying and demonstrating business value
    • Ensure service reporting aligns with end-user experience
    • Achieve and confirm process and regulatory compliance
        Which will translate into the following relationship gains:
        • Embed IT into business value achievement
        • Improve relationship between the business and IT
        • Achieve higher customer satisfaction (happier end users receiving expected service, the business is able to identify how things are really performing)
        • Reinforce desirable actions and behaviors from both IT and the business

    Don’t let conventional wisdom become your roadblock

    Conventional Wisdom

    Info-Tech Perspective
    Metrics are measured from an application or technology perspective Metrics need to be derived from a service and business outcome perspective.
    The business doesn’t care about metrics Metrics are not usually designed to speak in business terms about business outcomes. Linking metrics to business objectives creates metrics that the business cares about.
    It is difficult to have a metrics discussion with the business It is not a metrics/number discussion, it is a discussion on goals and outcomes.
    Metrics are only presented for the implementation of the service, not the ongoing outcome of the service IT needs to focus on service outcome and not project outcome.
    Quality can’t be measured Quality must be measured in order to properly manage services.

    Our three-phase approach to service metrics development

    Let Info-Tech guide you through your service metrics journey

    1

    2

    3
    Design Your Metrics Develop and Validate Reporting Implement, Track, and Maintain
    Sample of Phase 1 of Info-Tech's service metric development package, 'Design Your Metrics'. Sample of Phase 2 of Info-Tech's service metric development package, 'Develop and Validate Reporting'. Sample of Phase 3 of Info-Tech's service metric development package, 'Implement, Track, and Maintain'.
    Start the development and creation of your service metrics by keeping business perspectives in mind, so they are fully aligned with business objectives. Identify the most appropriate presentation format based on stakeholder preference and need for metrics. Track goals and success metrics for your service metrics programs. It allows you to set long-term goals and track your results over time.

    CIOs must actively lead the design of the service metrics program

    The CIO must actively demonstrate support for the service metrics program and lead the initial discussions to determine what matters to business leaders.

    1. Lead the initiative by defining the need
      Show visible support and demonstrate importance
    2. Articulate the value to both IT and the business
      Establish the urgency and benefits
    3. Select and assemble an implementation group
      Find the best people to get the job done
    4. Drive initial metrics discussions: goals, objectives, actions
      Lead brainstorming with senior business leaders
    5. Work with the team to determine presentation formats and communication methods
      Identify the best presentation approach for senior stakeholders
    6. Establish a feedback loop for senior management
      Solicit feedback on improvements
    7. Validate the success of the metrics
      Confirm service metrics support business outcomes

    Measure the success of your service metrics

    It is critical to determine if the designed service metrics are fulfilling their intended purpose. The process of maintaining the service metrics program and the outcomes of implementing service metrics need to be monitored and tracked.

    Validating Service Metrics Design

    Target Outcome

    Related Metrics
    The business is enabled to identify and improve service performance to their end customer # of improvement initiatives created based on service metrics
    $ cost savings/revenue generated due to actions derived from service metrics

    Procedure to validate the usefulness of IT metrics

    # / % of service metrics added/removed per year

    Alignment between IT and business objectives and processes Business’ satisfaction with IT

    Measure the success of your service metrics

    It is critical to determine if the designed service metrics are fulfilling their intended purpose. The process of maintaining the service metrics program and the outcomes of implementing service metrics need to be monitored and tracked.

    Validating Service Metrics Process

    Target Outcome

    Related Metrics

    Properly defined service metrics aligned with business goals/outcomes
    Easy understood measurement methodologies    		% of services with (or without) defined service metrics

    % of service metrics tied to business goals

    Consistent approach to review and adjust metrics# of service metrics adjusted based on service reviews

    % of service metrics reviewed on schedule

    Demonstrate monetary value and impact through the service metrics program

    In a study done by the Aberdeen Group, organizations engaged in the use of metrics benchmarking and measurement have:
    • 88% customer satisfaction rate
    • 60% service profitability
    • 15% increase in workforce productivity over the last 12 months

    Stock image of a silhouette of three people's head and shoulders.
    (Source: Aberdeen Group. “Service Benchmarking and Measurement.”)

    		A service metric is defined for: “Response time for Business Application A

    The expected response time has not been achieved and this is visible in the service metrics. The reduced performance has been identified as having an impact of $250,000 per month in lost revenue potential.

    The service metric drove an action to perform a root-cause analysis, which identified a network switch issue and drove a resolution action to fix the technology and architect redundancy to ensure continuity.

    The fix eliminated the performance impact, allowing for recovery of the $250K per month in revenue, improved end-user confidence in the organization, and increased use of the application, creating additional revenue.

    Implementing and measuring a video conferencing service

    CASE STUDY
    Industry: Manufacturing | Source: CIO interview and case material
    Situation

    The manufacturing business operates within numerous countries and requires a lot of coordination of functions and governance oversight. The company has monthly meetings, both regional and national, and key management and executives travel to attend and participate in the meetings.

    Complication

    While the meetings provide a lot of organizational value, the business has grown significantly and the cost of business travel has started to become prohibitive.

    Action

    It was decided that only a few core meetings would require onsite face-to-face meetings, and for all other meetings, the company would look at alternative means. The face-to-face aspect of the meetings was still considered critical so they focused on options to retain that aspect.

    The IT organization identified that they could provide a video conferencing service to meet the business need. The initiative was approved and rolled out in the organization.

    Result:

    IT service metrics needed to be designed to confirm that the expected value outcome of the implementation of video conferencing was achieved.

    Under the direction of the CIO, the business goals and needs driving use of the service (i.e. reduction in travel costs, efficiency, no loss of positive outcome) were used to identify success criteria and key questions to confirm success.

    With this information, the service manager was able to implement relevant service metrics in business language and confirmed an 80% adoption rate and a 95% success rate in term meetings running as expected and achieving core outcomes.

    Use these icons to help direct you as you navigate this research

    Use these icons to help guide you through each step of the blueprint and direct you to content related to the recommended activities.

    A small monochrome icon of a wrench and screwdriver creating an X.

    This icon denotes a slide where a supporting Info-Tech tool or template will help you perform the activity or step associated with the slide. Refer to the supporting tool or template to get the best results and proceed to the next step of the project.

    A small monochrome icon depicting a person in front of a blank slide.

    This icon denotes a slide with an associated activity. The activity can be performed either as part of your project or with the support of Info-Tech team members, who will come onsite to facilitate a workshop for your organization.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting
    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Develop meaningful service metrics to ensure business and user satisfaction

    1. Design the Metrics 2. Design Reports and Dashboards 3. Implement, Track, and Maintain
    Supporting Tool icon

    Best-Practice Toolkit
    1. Defining stakeholder needs for IT based on their success criteria
    2. Derive meaningful service metrics based on identified IT services and validate with business stakeholders
    3. Validate metrics can be collected and measured
    4. Determine calculation methodology
    1. Presentation format selected based on stakeholder needs and preference for information
    2. Presentation format validated with stakeholders
    1. Identify metrics that will be presented first to the stakeholders based on urgency or impact of the IT service
    2. Determine the process to collect data, select initial targets, and integrate with SLM and BRM functions
    3. Roll out the metrics implementation for a broader audience
    4. Establish roles and timelines for metrics maintenance

    Guided Implementations
    • Design metrics based on business needs
    • Validate the metrics
    • Select presentation format
    • Review metrics presentation design
    • Select and implement pilot metrics
    • Determine rollout process and establish maintenance/tracking mechanism
    Associated Activity icon

    Onsite Workshop

    		 Module 1:
    Derive Service Metrics From Business Goals     		Module 2:
    Select and Design Reports and Dashboards     		Module 3:
    Implement, Track, and Maintain Your Metrics to Ensure Success
    Phase 1 Outcome:
    • Meaningful service metrics designed from stakeholder needs
    		 Phase 2 Outcome:
    • Appropriate presentation format selected for each stakeholder
    		 Phase 3 Outcome:
    • Metrics implemented and process established to maintain and track program success

    Workshop overview

    Contact your account representative or email Workshops@InfoTech.com for more information.
    Workshop Day 1 Workshop Day 2 Workshop Day 3 Workshop Day 4
    Design the Metrics
    Determine Presentation Format and Implement Metrics
    Gather Service Level Requirements
    Monitor and Improve Service Levels

    Activities
    • 1.1 Determine stakeholder needs
    • 1.2 Determine success criteria and key performance indicators
    • 1.3 Derive metrics
    • 1.4 Validate the metric collection
    • 2.1 Discuss stakeholder needs/preference for data and select presentation format
    • 2.2 Select and design the metric report
    • Requirements
    • 3.1 Determine the business requirements
    • 3.2 Negotiate service levels
    • 3.3 Align operational level agreements (OLAs) and supplier contracts
    • 4.1 Conduct service report and perform service review
    • 4.2 Communicate service review
    • 4.3 Remediate issues using action plan
    • 4.4 Proactive prevention

    Deliverables
    1. Metrics Development Workbook
    1. Metrics Presentation Format Selection Guide
    2. Metrics Tracking Tool
    1. Service Level Management SOP
    2. Service Level Agreement
    1. Service Level Report
    2. Service Level Review
    3. Business Satisfaction Report

    Develop Meaningful Service Metrics to Ensure Business and User Satisfaction

    PHASE 1

    Design the Metrics

    Step (1): Design the Metrics

    PHASE 1 PHASE 2 PHASE 3

    1.1

    Derive the Service Metrics

    1.2

    Validate the Metrics

    2.1

    Determine Reporting Format

    3.1

    Select Pilot Metrics

    3.2

    Activate and Maintain Metrics

    This step involves the following participants:

    • CIO
    • Business Relationship Manager (BRM)
    • Service Level Manager (SLM)

    Outcomes of this step

    • Defined stakeholder needs for IT based on their success criteria
    • Identified IT services that are tied to the delivery of business outcomes
    • Derived meaningful service metrics based on identified IT services and validated with business stakeholders
    • Validated that metrics can be collected and measured
    • Determined calculation methodology

    Phase 1 outline

    Associated Activity icon Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 1: Design the Metrics

    Proposed Time to Completion (in weeks): 4 weeks
    Step 1.1: Design Metrics Step 1.2: Validate the Metrics
    Start with an analyst kick-off call:
    • Determine the stakeholder and their needs
    • Identify IT services that are tied to the delivery of business outcomes
    • Derive the service metrics
    		 Review findings with analyst:
    • For the selected metrics, identify the data source for collection
    • Validate whether or not the data can be created
    • Create a calculation method for the metrics
    Then complete these activities…
    • Using the methodology provided, identify additional stakeholders and map out their success criteria, including KPIs to determine the appropriate service metrics
    		 Then complete these activities…
    • Determine whether the designed metrics are measurable, and if so, how
    With these tools & templates:
    • Metrics Development Workbook
    		 With these tools & templates:
    • Metrics Development Workbook

    Design your service metrics – overview

    Figure representing 'CIO'. Step 1
    Derive your service metrics

    Metrics Worksheet

    		Figure representing 'SLM' and/or 'BRM'. Step 2
    Validate your metrics

    Metrics Worksheet

    		Figures representing 'CIO', 'SLM', and/or 'BRM'. Step 3
    Confirm with stakeholders

    Metrics Tracking Sheet

    		A star.

    Defined IT Service Metrics

    Deriving the right metrics is critical to ensuring that you will generate valuable and actionable service metrics.

    Derive your service metrics from business objectives and needs

    Service metrics must be designed with the business perspective in mind so they are fully aligned with business objectives.

    Thus, IT must start by identifying specific stakeholder needs. The more IT understands about the business, the more relevant the metrics will be to the business stakeholders.

    1. Who are your stakeholders?
    2. What are their goals and pain points?
    3. What do the stakeholders need to know?
    4. What do I need to measure?
    5. Derive your service metrics

    Derive your service metrics

    Supporting Tool icon 1.1 Metrics Development Workbook

    This workbook guides the development and creation of service metrics that are directly tied to stakeholder needs.

    This process will ensure that your service metrics are designed with the business perspective in mind so they are fully aligned with business objectives.

    1. Who are the relevant stakeholders?
    2. What are the goals and pain points of your stakeholders?
    3. What do the stakeholders need to know?
    4. What does IT need to measure?
    5. What are the appropriate IT metrics?

    Download the Metrics Development Workbook.

    		Sample of Info-Tech's Metrics Development Workbook.

    Determine your stakeholders

    Supporting Tool icon 1.1 0.5 Hour

    Who are your stakeholders?

    1. Identify the primary stakeholders of your service metrics. Stakeholders are the people who have a very specific need to know about how IT services affect their business outcomes. Different stakeholders can have different perspective on the same IT service metric.Most often, the primary target of service metrics are the business stakeholders, e.g. VP of a business unit.
    2. Identify any additional stakeholders. The CIO is also a stakeholder since they are effectively the business relationship manager for the senior leaders.

    Video Conferencing Case Study
    Manufacturing company

    For this phase, we will demonstrate how to derive the service metrics by going through the steps in the methodology.

    At a manufacturing company, the CIO’s main stakeholder is the CEO, whose chief concern is to improve the financial position of the company.

    Identify goals and pain points of your stakeholders

    Supporting Tool icon 1.2 0.5 Hour

    What are their goals and pain points?

    1. Clearly identify each stakeholder’s business goals and outcomes. These would be particular business goals related to a specific business unit.
    2. Identify particular pain points for each business unit to understand what is preventing them from achieving the desirable business outcome.

    VC Case Study

    One of the top initiatives identified by the company to improve financial performance was to reduce expense.

    Because the company has several key locations in different states, company executives used to travel extensively to carry out meetings at each location.

    Therefore, travel expenses represent a significant proportion of operational expenses and reducing travel costs is a key goal for the company’s executives.

    What do the stakeholders need to know?

    Supporting Tool icon 1.3 0.5 Hour

    What do the stakeholders need to know?

    1. Identify the key things that the stakeholders would need to know based on the goals and pain points derived from the previous step.These are your success criteria and must be met to successfully achieve the desired goals.

    VC Case Study

    The CEO needs to have assurance that without executives traveling to each location, remote meetings can be as effective as in-person meetings.

    These meetings must provide the same outcome and allow executives to collaborate and make similar strategic decisions without the onsite, physical presence.

    Therefore, the success criteria are:

    • Reduced travel costs
    • Effective collaboration
    • High-quality meetings

    What do I need to measure?

    Supporting Tool icon 1.4 1 Hour

    What does IT need to measure?

    1. Identify the IT services that are leveraged to achieve the business goals and success criteria.
    2. Identify the users of those services and determine the nature of usage for each group of users.
    3. Identify the key indicators that must be measured for those services from an IT perspective.

    VC Case Study

    The IT department decides to implement the video conferencing service to reduce the number of onsite meetings. This technology would allow executives to meet remotely with both audio and video and is the best option to replicate a physical meeting.

    The service is initially available to senior executives and will be rolled out to all internal users once the initial implementation is deemed successful.

    To determine the success of the service, the following needs to be measured:

    1. Outcomes of VC meetings
    2. Quality of the VC meetings
    3. Reduction in travel expenses

    Derive service metrics

    Supporting Tool icon 1.5 0.5 Hour

    Derive your service metrics

    1. Derive the service metrics that are meaningful to business stakeholders based on the IT services and the key indicators identified in the previous steps.
    2. Distinguish between service metrics and business metrics. You may identify some business metrics in addition to the IT metrics, and although these are important, IT doesn’t own the process of tracking and reporting business metrics.

    VC Case Study

    In the previous step, IT identified that it must measure the outcomes of VC meetings, quality of the VC meetings, and the reduction in travel expenses. From these, the appropriate service metrics can be derived to answer the needs of the CEO.

    IT needs to measure:

    1. Percent of VC meetings successfully delivered
    2. Growth of number of executive meetings conducted via VC
    Outcomes

    IT also identified the following business metrics:

    1. Reduction in percent of travel expense/spend
    2. Reduction in lost time due to travel

    Validate your metrics

    Once appropriate service metrics are derived from business objectives, the next step is to determine whether or not it is viable to actually measure the metrics.

    Can you measure it? The first question IT must answer is whether the metric is measurable. IT must identify the data source, validate its ability to collect the data, and specify the data requirement. Not all metrics can be measured!
    How will you measure it? If the metric is measurable, the next step is to create a way to measure the actual data. In most cases, simple formulas that can be easily understood are the best approach.
    Define your actions Metrics must be used to drive or reinforce desirable outcomes and behaviors. Thus, IT must predetermine the necessary actions associated with the different metric levels, thresholds, or trends.

    Determine if you can measure the identified metric

    Supporting Tool icon 1.6 0.5 Hour

    INSTRUCTIONS

    1. Determine what data sources are available. Make sure that you know where the information you need is captured, or will need to be captured. This would include:
      • A ticket/request system
      • An auto discovery tool
      • A configuration management database ( CMDB)
    2. Confirm that IT has the ability to collect the information.
      • If the necessary data is already contained in an identified data source, then you can proceed.
      • If not, consider whether it’s possible to gather the information using current sources and systems.
      • Understand the constraints and cost/ROI to implement new technology or revise processes and data gathering to produce the data.

    VC Case Study

    Using the metric derived from the video conferencing service example, IT wants to measure the % of VC meetings successfully delivered.

    What are the data sources?

    • Number of VC meetings that took place
    • Number of service incidents
    • User survey

    Determine if you can measure the identified metric

    Supporting Tool icon 1.6 0.5 Hour

    INSTRUCTIONS

    1. Understand your data requirements
      • To produce relevant metrics from your data, you need to ensure the level of quality and currency that provides you with useful information. You need to define:
        • The level of detail that has to be captured to make the data useful.
        • The consistency of the data, and how it needs to be entered or gathered.
        • The accuracy of the data. This includes how current the data needs to be, how quickly changes have to be made, and how data quality will be verified.

    VC Case Study

    Data requirement for percent of successful VC meetings:

    • Level of detail – user category, location, date/time,
    • Consistency – how efficiently are VC-related incidents opened and closed? Is the data collected and stored consistently?
    • Accuracy – is the information entered accurately?

    Create the calculation to measure it

    Supporting Tool icon 1.7 0.5 Hour

    Determine how to calculate the metrics.

    INSTRUCTIONS
    1. Develop the calculations that will be used for each accepted metric. The measurement needs to be clear and straightforward.
    2. Define the scope and assumptions for each calculation, including:
      • The defined measurement period (e.g. monthly, weekly)
      • Exclusions (e.g. nonbusiness hours, during maintenance windows)

    VC Case Study

    Metric: Percent of VC meetings delivered successfully

    IT is able to determine the total number of VC meetings that took place and the number of VC service requests to the help desk.

    That makes it possible to use the following formula to determine the success percentage of the VC service:

    ((total # VC) – (# of VC with identified incidents)) / (total # VC) * 100

    Define the actions to be taken for each metric

    Supporting Tool icon 1.7 1.5 Hour

    INSTRUCTIONS

    Centered on the defined metrics and their calculations, IT can decide on the actions that should be driven out of each metric based on one of the following scenarios:
    • Scenario 1: Ad hoc remedial action and root-cause investigation. If the reason for the result is unknown, determining root cause or identifying trends is required to determine required actions.
    • Scenario 2: Predefined remedial action. A set of predetermined actions associated with different results. This is useful when the meaning of the results is clear and points to specific issues within the environment.
    • Scenario 3: Nonremedial action. The metrics may produce a result that reinforces or supports company direction and strategy, or identifies an opportunity that may drive a new initiative or idea.

    VC Case Study

    If the success rate of the VC meetings is below 90%, IT needs to focus on determining if there is a common cause and identify if this is a consistent downward trend.

    A root-cause analysis is performed that identifies that network issues are causing difficulties, impacting the connection quality and usability of the VC service.

    Validate the confirmed metrics with the business

    Supporting Tool icon 1.8 1 Hour

    INPUT: Selected service metrics, Discussion with the business

    OUTPUT: Validated metrics with the business

    Materials: Metrics with calculation methodology

    Participants: IT and business stakeholders, Service owners

    INSTRUCTIONS

    1. Once you have derived the appropriate metrics and established that the metrics are measurable, you must go back to the targeted stakeholders and validate that the selected metrics will provide the right information to meet their identified goals and success criteria.
    2. Add confirmed metrics to the Metrics Tracking Tool, in the Metrics Tracking Plan tab.
    Service Metric Corresponding
    Business Goal     		Measurement
    Method     		Defined Actions

    Example: Measuring the online banking service at a financial institution

    Who are IT’s stakeholders? The financial institution provides various banking solutions to its customers. Retail banking is a core service offered by the bank and the VP of retail banking is a major stakeholder of IT.
    What are their goals and pain points? The VP of retail banking’s highest priorities are to increase revenue, increase market share, and maintain the bank’s brand and reputation amongst its customers.
    What do they need to know? In order to measure success, the VP of retail banking needs to determine performance in attracting new clients, retaining clients, expanding into new territory, and whether they have increased the number of services provided to existing clients.
    What does IT need to measure? The recent implementation of an online banking service is a key initiative that will keep the bank competitive and help retail banking meet its goals. The key indicators of this service are: the total number of clients, the number of products per client, percent of clients using online banking, number of clients by segment, service, territory.
    Derive the service metrics Based on the key indicators, IT can derive the following service metrics:
    1. Number of product applications originated from online banking
    2. Customer satisfaction/complaints
    As part of the process, IT also identified some business metrics, such as the number of online banking users per month or the number of times a client accesses online banking per month.

    Design service metrics to track service performance and value

    CASE STUDY
    Industry: Manufacturing | Source: CIO
    Challenge Solution Results
    The IT organization needed to generate metrics to show the business whether the video conferencing service was being adopted and if it was providing the expected outcome and value.

    Standard IT metrics were technical and did not provide a business context that allowed for easy understanding of performance and decision making.

    		The IT organization, working through the CIO and service managers, sat down with the key business stakeholders of the video conferencing service.

    They discussed the goals for the meeting and defined the success criteria for those goals in the context of video conference meeting outcomes.

    The success criteria that were discussed were then translated into a set of questions (key performance indicators) that if answered, would show that the success criteria were achieved.

    		The service manager identified what could be measured to answer the defined questions and eliminated any metrics that were either business metrics or non-IT related.

    The remaining metrics were identified as the possible service metrics, and the ability to gather the information and produce the metric was confirmed.

    Service metrics were defined for:

    1. Percent of video conference meetings delivered successfully
    2. Growth in the number of executive meetings conducted via video conference

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech Workshop Associated Activity icon

    Book a workshop with our Info-Tech analysts:

    Photo of Valence Howden, Senior Manager, CIO Advisory, Info-Tech Research Group.
    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analyst will join you and your team onsite at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    1.1

    		 Sample of activity 1.1 'Determine your stakeholders'. Determine stakeholder needs, goals, and pain points

    The onsite analyst will help you select key stakeholders and analyze their business objectives and current pain points.

    1.2

    		 Sample of activity 1.2 'Identify goals and pain points of your stakeholders'. Determine the success criteria and related IT services

    The analyst will facilitate a discussion to uncover the information that these stakeholders care about. The group will also identify the IT services that are supporting these objectives.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech Workshop Associated Activity icon

    Book a workshop with our Info-Tech analysts:

    1.5

    		 Sample of activity 1.5 'Derive service metrics'. Derive the service metrics

    Based on the key performance indicators obtained in the previous page, derive meaningful business metrics that are relevant to the stakeholders.

    1.6

    		 Sample of activity 1.6 'Determine if you can measure the identified metric'. Validate the data collection process

    The analyst will help the workshop group determine whether the identified metrics can be collected and measured. If so, a calculation methodology is created.

    1.7

    		 Sample of activity 1.7 'Create the caluclation to measure it'. Validate metrics with stakeholders

    Establish a feedback mechanism to have business stakeholders validate the meaningfulness of the metrics.

    Develop Meaningful Service Metrics to Ensure Business and User Satisfaction

    PHASE 2

    Design Reports and Dashboards

    Step (2): Design Reports and Dashboards

    PHASE 1PHASE 2PHASE 3

    1.1

    Derive the Service Metrics

    1.2

    Validate the Metrics

    2.1

    Determine Reporting Format

    3.1

    Select Pilot Metrics

    3.2

    Activate and Maintain Metrics

    This step involves the following participants:

    • Business Relationship Manager
    • Service Level Manager
    • Business Stakeholders

    Outcomes of this step

    • Presentation format selected based on stakeholder needs and preference for information
    • Presentation format validated with stakeholders

    Phase 2 outline

    Associated Activity icon Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 2: Design Reports and Dashboards

    Proposed Time to Completion (in weeks): 3 weeks
    Step 2.1: Select Presentation Format Step 2.2: Review Design
    Start with an analyst kick-off call:
    • Review the different format of metrics presentation and discuss the pros/cons of each format
    • Discuss stakeholder needs/preference for data
    • Select the presentation format
    		 Review findings with analyst:
    • Discuss stakeholder feedback based on selected presentation format
    • Modify and adjust the presentation format as needed
    Then complete these activities…
    • Design the metrics using the selected format
    		 Then complete these activities…
    • Finalize the design for metrics presentation
    With these tools & templates:
    • Metrics Presentation Format Selection Guide
    		 With these tools & templates:
    • Metrics Presentation Format Selection Guide

    Design the reports – overview

    Figure representing 'SLM' and/or 'BRM'. Step 1
    Understand the pros and cons of different reporting styles     		Figure representing 'SLM' and/or 'BRM'. Step 2
    Determine your reporting and presentation style

    Presentation Format Selection

    		Figure representing 'SLM' and/or 'BRM'. Step 3
    Design your metrics reports     		A star.

    Validated Service Reports

    The design of service metrics reporting is critically important. The reporting style must present the right information in the most interesting and stakeholder-centric way possible to ensure that it is read and used.

    The reports must also display information in a way that generates actions. If your stakeholders cannot make decisions, kick off activities, or ask questions based on your reports, then they have no value.

    Determine the right presentation format for your metrics

    Most often, metrics are presented in the following ways:

    Dashboard
    (PwC. “Mega-Trends and Implications.”)
    Sample of the 'Dashboard' metric presentation format.     		Infographic
    (PwC. “Healthcare’s new entrants.”)
    Sample of the 'Infographic' metric presentation format.
    Report
    (PwC Blogs. “Northern Lights.”)
    Sample of the 'Report' metric presentation format.     		Scorecard
    (PwC. “Annual Report 2015.”)
    Sample of the 'Scorecard' metric presentation format.

    Understand the advantages and disadvantages of each reporting style – Dashboard

    A dashboard is a reporting method that provides a dynamic at-a-glance view of key metrics from the perspective of key stakeholders. It provides a quick graphical way to process important performance information in real time.

    Features

    Typically web-based

    Dynamic data that is updated in real time

    		Advantage

    Aggregates a lot of information into a single view

    Presents metrics in a simplistic style that is well understood

    Provides a quick point-in-time view of performance

    Easy to consume visual presentation style

    		Disadvantage

    Complicated to set up well.
    Requires additional technology support: programming, API, etc.

    Promotes a short-term outlook – focus on now, no historical performance and no future trends. Doesn’t provide the whole picture and story.

    Existing dashboard tools are often not customized enough to provide real value to each stakeholder.

    Dashboards present real-time metrics that can be accessed and viewed at any time

    Sample of the 'Dashboard' metric presentation format.
    (Source: PwC. “Mega-Trends and Implications.”)     		Metrics presented through online dashboards are calculated in real time, which allows for a dynamic, current view into the performance of IT services at any time.

    Understand the advantages and disadvantages of each reporting style – Infographic

    An infographic is a graphical representation of metrics or data, which is used to show information quickly and clearly. It’s based on the understanding that people retain and process visual information more readily than written details.

    Features

    Turns dry into attractive –transforms data into eye-catching visual memory that is easier to retain

    Can be used as the intro to a formal report

    There are endless types of infographics

    		Advantage

    Easily consumable

    Easy to retain

    Eye catching

    Easily shared

    Spurs conversation

    Customizable

    		Disadvantage

    Require design expertise and resources

    Can be time consuming to generate

    Could be easily misinterpreted

    Message can be lost with poor design

    Infographics allow for completely unique designs

    Sample of the 'Infographic' metric presentation format.
    (Source: PwC. “Healthcare’s new entrants…”)     		There is no limit when it comes to designing an infographic. The image used here visually articulates the effects of new entrants pulling away the market.

    Understand the advantages and disadvantages of each reporting style – Formal Report

    A formal report is a more structured and official reporting style that contains detailed research, data, and information required to enable specific business decisions, and to help evaluate performance over a defined period of time.

    Definition

    Metrics can be presented as a component of a periodic, formal report

    A physical document that presents detailed information to a particular audience

    		Advantage

    More detailed, more structured and broader reporting period

    Formal, shows IT has put in the effort

    Effectively presents a broader and more complete story

    Targets different stakeholders at the same time

    		Disadvantage

    Requires significant effort and resources

    Higher risk if the report does not meet the expectation of the business stakeholder

    Done at a specific time and only valuable for that specific time period

    Harder to change format

    Formal reports provide a detailed view and analysis of performance

    Sample of the 'Formal Report' metric presentation format.
    (Source: PwC Blogs. “Northern Lights: Where are we now?”)     		An effective report incorporates visuals to demonstrate key improvements.

    Formal reports can still contain visuals, but they are accompanied with detailed explanations.

    Understand the advantages and disadvantages of each reporting style – Scorecard

    A scorecard is a graphic view of the progress and performance over time of key performance metrics. These are in relation to specified goals based on identified critical stakeholder objectives.

    Features

    Incorporates multiple metrics effectively.

    Scores services against the most important organizational goals and objectives. Scorecards may tie back into strategy and different perspectives of success.

    		Advantage

    Quick view of performance against objectives

    Measure against a set of consistent objectives

    Easily consumable

    Easy to retain

    		Disadvantage

    Requires a lot of forethought

    Scorecards provide a time-bound summary of performance against defined goals

    Sample of the 'Scorecard' metric presentation format.
    (PwC. “Annual Report 2015.”)     		Scorecards provide a summary of performance that is directly linked to the organizational KPIs.

    Determine your report style

    Supporting Tool icon 2.1 Metrics Presentation Format Selection Guide

    In this section, you will determine the optimal reporting style for the service metrics.

    This guide contains four questions, which will help IT organizations identify the most appropriate presentation format based on stakeholder preference and needs for metrics.

    1. Who is the relevant stakeholder?
    2. What are the defined actions for the metric?
    3. How frequently does the stakeholder need to see the metric?
    4. How does the stakeholder like to receive information?
    		 Sample of Info-Tech's Metrics Presentation Format Selection Guide.
    Download the Metrics Presentation Format Selection Guide.

    Determine your best presentation option

    Supporting Tool icon 2.1 2 Hours

    INPUT: Identified stakeholder and his/her role

    OUTPUT: Proper presentation format based on need for information

    Materials: Metrics Presentation Format Selection Guide

    Participants: BRM, SLM, Program Manager

    After deciding on the report type to be used to present the metric, the organization needs to consider how stakeholders will consume the metric.

    There are three options based on stakeholder needs and available presentation options within IT.

    1. Paper-based presentation is the most traditional form of reporting and works well with stakeholders who prefer physical copies. The report is produced at a specific time and requires no additional IT capability.
    2. Online documents stored on webpages, SharePoint, or another knowledge management system could be used to present the metrics. This allows the report to be linked to other information and easily shared.
    3. Online dashboards and graphics can be used to have dynamic, real-time reporting and anytime access. These webpages can be incorporated into an intranet and allow the user to view the metrics at any time. This will require IT to continuously update the data in order to maintain the accuracy of the metrics.

    Design your metric reports with these guidelines in mind

    Supporting Tool icon 2.2 30 Minutes
    1. Stakeholder-specificThe report must be driven by the identified stakeholder needs and preferences and articulate the metrics that are important to them.
    2. ClarityTo enable decision making and drive desired actions, the metrics must be clear and straightforward. They must be presented in a way that clearly links the performance measurement to the defined outcome without leading to different interpretations of the results.
    3. SimplicityThe report must be simple to read, understand, and analyze. The language of the report must be business-centric and remove as much complexity as possible in wording, imaging, and context.

    Be sure to consider access rights for more senior reports. Site and user access permissions may need to be defined based on the level of reporting.

    Metrics reporting on the video conferencing service

    CASE STUDY
    Industry: Manufacturing | Source: CIO Interview
    The Situation

    The business had a clear need to understand if the implementation of video conferencing would allow previously onsite meetings to achieve the same level of effectiveness.

    Reporting Context

    Provided reports had always been generated from an IT perspective and the business rarely used the information to make decisions.

    The metrics needed to help the business understand if the meetings were remaining effective and be tied into the financial reporting against travel expenses, but there would be limited visibility during the executive meetings.

    Approach

    The service manager reviewed the information that he had gathered to confirm how often they needed information related to the service. He also met with the CIO to get some insight into the reports that were already being provided to the business, including the ones that were most effective.

    Considerations

    The conversations identified that there was no need for a dynamic real-time view of the performance of the service, since tracking of cost savings and utility would be viewed monthly and quarterly. They also identified that the item would be discussed within a very small window of time during the management meetings.

    The Solution

    It was determined that the best style of reporting for the metric was an existing scorecard that was produced monthly, using some infographics to ensure that the information is clear at a glance to enable quick decision making.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech Workshop Associated Activity icon

    Book a workshop with our Info-Tech analysts:

    Photo of Valence Howden, Senior Manager, CIO Advisory, Info-Tech Research Group.
    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analyst will join you and your team onsite at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    2.1

    		 Sample of presentation format option slide 'Determine the right presentation format for your metrics'. Understand the different presentation options

    The onsite analyst will introduce the group to the communication vehicles of infographic, scorecard, formal report, and dashboard.

    2.1

    		 Sample of activity 2.1 'Determine your best presentation option'. Assess stakeholder needs for information

    For selected stakeholders, the analyst will facilitate a discussion on how stakeholders would like to view information and how the metrics can be presented to aid decision making.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech Workshop Associated Activity icon

    Book a workshop with our Info-Tech analysts:

    2.2

    		 Sample of activity 2.2 'Design your metric reports with these guidelines in mind'. Select and design the metric report

    Based on the discussion, the working group will select the most appropriate presentation format and create a rough draft of how the report should look.

    Develop Meaningful Service Metrics to Ensure Business and User Satisfaction

    PHASE 3

    Implement, Track, and Maintain Your Metrics

    Step (3): Implement, Track, and Maintain Your Metrics

    PHASE 1PHASE 2PHASE 3

    1.1

    Derive the Service Metrics

    1.2

    Validate the Metrics

    2.1

    Determine Reporting Format

    3.1

    Select Pilot Metrics

    3.2

    Activate and Maintain Metrics

    This step involves the following participants:

    • Service Level Manager
    • Business Relationship Manager
    • Service Metrics Program Manager

    Activities in this step

    • Determine the first batch of metrics to be implemented as part of the pilot program
    • Create a process to collect and validate data, determine initial targets, and integrate with SLM and BRM functions
    • Present the metric reports to the relevant stakeholders and incorporate the feedback into the metric design
    • Establish a standard process and roll out the implementation of metrics in batches
    • Establish a process to monitor and track the effectiveness of the service metrics program and make adjustments when necessary

    Phase 3 outline

    Associated Activity icon Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 3: Implement, Track, and Maintain Your Metrics

    Proposed Time to Completion (in weeks): 4 weeks
    Step 3.1: Select and Launch Pilot Metrics Step 3.2: Track and Maintain the Metrics
    Start with an analyst kick-off call:
    • Identify metrics that will be presented first to the stakeholders based on urgency or impact of the IT service
    • Determine the process to collect data, select initial targets, and integrate with SLM and BRM functions
    		 Review findings with analyst:
    • Review the success of metrics and discuss feedback from stakeholders
    • Roll out the metrics implementation to a broader audience
    • Establish roles and timelines for metrics maintenance
    Then complete these activities…
    • Document the first batch of metrics
    • Document the baseline, initial targets
    • Create a plan to integrate with SLM and BRM functions
    		 Then complete these activities…
    • Create a document that defines how the organization will track and maintain the success of the metrics program
    • Review the metrics program periodically
    With these tools & templates:
    • Metrics Tracking Tool
    		 With these tools & templates:
    • Metrics Tracking Tool

    Implement, Track, and Maintain the Metrics

    Figure representing 'SLM' and/or 'BRM'. Step 1
    Run your pilot

    Metrics Tracking Tool

    		Figure representing 'SLM' and/or 'BRM'. Step 2
    Validate success

    Metrics Tracking Tool

    		Figure representing 'SLM' and/or 'BRM'. Step 3
    Implement your metrics program in batches

    Metrics Tracking Tool

    		A star.

    Active Service Metrics Program

    Once you have defined the way that you will present the metrics, you are ready to run a pilot with a smaller sample of defined service metrics.

    This allows you to validate your approach and make refinements to the implementation and maintenance processes where necessary, prior to activating all service metrics.

    Track the performance of your service metrics

    Supporting Tool icon 3.1

    The Metrics Tracking Tool will enable you to track goals and success metrics for your service metrics programs. It allows you to set long-term goals and track your results over time.

    There are three sections in this tool:
    1. Metrics Tracking Plan. Identify the metrics to be tracked and their purpose.
    2. Metrics Tracking Actuals. Monitor and track the actual performance of the metrics.
    3. Remediation Tracking. Determine and document the steps that need to be taken to correct a sub-performing metric.
    		 Sample of Info-Tech's Metrics Tracking Tool.

    Select pilot metrics

    Supporting Tool icon 3.1 30 Minutes

    INPUT: Identified services, Business feedback

    OUTPUT: Services with most urgent need or impact

    Materials: Service catalog or list of identified services

    Participants: BRM, SLM, Business representatives

    To start the implementation of your service metrics program and drive wider adoption, you need to run a pilot using a smaller subset of metrics.

    INSTRUCTIONS

    To determine the sample for the pilot, consider metrics that:

    • Are related to critical business services and functions
      • or
    • Address known/visible pain points for the business
      • or
    • Were designed for supportive or influential stakeholders

    Metrics that meet two or more criteria are ideal for the pilot

    Collect and validate data

    Supporting Tool icon 3.2 1 Hour

    INPUT: Identified metrics

    OUTPUT: A data collection mythology, Metrics tracking

    Materials: Metrics

    Participants: SLM, BRM, Service owner

    You will need to start collection and validation of your identified data in order to calculate the results for your pilot metrics.

    INSTRUCTIONS

    1. Initiate data collection
      • Use the data sources identified during the design phase and initiate the data collection process.
    2. Determine start date
      • If historical data can be retrieved and gathered, determine how far back you want your measurements to start.
    3. Compile data and validate
      • Ensure that the information is accurate and up to date. This will require some level of data validation and audit.
    4. Run the metric
      • Use the defined calculation and source data to generate the metrics result.
    5. Record metrics results
      • Use the metrics tracking sheet to track the actual results.

    Determine initial targets

    Supporting Tool icon 3.3 1 Hour

    INPUT: Historical data/baseline data

    OUTPUT: Realistic initial target for improvement

    Materials: Metrics Tracking Tool

    Participants: BRM, SLM, Service owner

    INSTRUCTIONS

    Identify an initial service objective based on one or more of the following options:

    1. Establish an initial target using historical data and trends of performance.
    2. Establish an initial target based on stakeholder-identified requirements and expectations.
    3. Run the metrics report over a defined period of time and use the baseline level of achievement to establish an initial target.

    The target may not always be a number - it could be a trend. The initial target will be changed after review with stakeholders

    Integrate with SLM and BRM processes

    Supporting Tool icon 3.4 1 Hour

    INPUT: SLM and BRM SOPs or responsibility documentations

    OUTPUT: Integrate service metrics into the SLM/BRM role

    Materials: SLM / BRM reports

    Participants: SLM, BRM, CIO, Program manager, Service manager

    The service metrics program is usually initiated, used, and maintained by the SLM and BRM functions.

    INSTRUCTIONS

    Ensure that the metrics pilot is integrated with those functions by:

    1. Engaging with SLM and BRM functions/resources
      • Identify SLM and BRM resources associated with or working on the services where the metrics are being piloted
      • Obtain their feedback on the metrics/reporting
    2. Integrating with the existing reporting and meeting cycles
      • Ensure the metrics will be calculated and available for discussion at standing meetings and with existing reports
    3. Establishing the metrics review and validation cycle for these metrics
      • Confirm the review and validation period for the metrics in order to ensure they remain valuable and actionable

    Generate reports and present to stakeholders

    Supporting Tool icon 3.5 1 Hour

    INPUT: Identified metrics, Selected presentation format

    OUTPUT: Metrics reports that are ready for distribution

    Materials: Metrics Presentation Format Selection Guide

    Participants: BRM, SLM, CIO, Business representatives

    INSTRUCTIONS

    Once you have completed the calculation for the pilot metrics:

    1. Confirm the report style for the selected metrics (as defined in Phase 2)
    2. Generate the reporting for the pilot metrics
    3. Present the pilot metric reports to the identified BRM and SLM resources who will present the reporting to the stakeholders
    4. Gather feedback from Stakeholders on metrics - results and process
    5. Create and execute remediation plans for any actions identified from the metrics
    6. Initiate the review cycle for metrics (to ensure they retain value)

    Plan the rollout and implementation of the metrics reporting program

    Supporting Tool icon 3.6 1 Hour

    INPUT: Feedback from pilot, Services in batch

    OUTPUT: Systematic implementation of metrics

    Materials: Metrics Tracking Tool

    Participants: BRM, SLM, Program manager

    Upon completion of the pilot, move to start the broader implementation of metrics across the organization:

    INSTRUCTIONS

    1. Identify the service metrics that you will implement. They can be selected based on multiple criteria, including:
      • Organizational area/business unit
      • Service criticality
      • Pain points
      • Stakeholder engagement (detractors, supporters)
    2. Create a rollout plan for implementation in batches, identifying expected launch timelines, owners, targeted stakeholders, and communications plans
    3. Use the implementation plan from the pilot to roll out each batch of service metrics:
      • Collect and validate data
      • Determine target(s)
      • Integrate with BRM and SLM
      • Generate and communicate reports to stakeholders

    Maintain the service metrics

    Supporting Tool icon 3.7 1.5 Hour

    INPUT: Feedback from business stakeholders

    OUTPUT: Modification to individual metrics or to the process

    Materials: Metrics Tracking Tool, Metrics Development Workbook

    Participants: CIO, BRM, SLM, Program manager, Service owner

    Once service metrics and reporting become active, it is necessary to determine the review time frame for your metrics to ensure they remain useful.

    INSTRUCTIONS

    1. Confirm and establish a review time frame with stakeholders (e.g. annually, bi-annually, after organizational or strategic changes).
    2. Meet with stakeholders by the review date to discuss the value of existing metrics and validate:
      • Whether the goals associated with the metrics are still valid
      • If the metric is still necessary
      • If there is a more effective way to present the metrics
    3. Track actions based on review outcomes and update the remediation tracking sheet.
    4. Update tracking sheet with last complete review date.

    Maintain the metrics

    Supporting Tool icon 3.7

    Based on the outcome of the review meeting, decide what needs to be done for each metric, using the following options:

    Add

    A new metric is required or an existing metric needs large-scale changes (example: calculation method or scope).
    Triggers metrics design as shown in phases 1 and 2.

    		Change

    A minor change is required to the presentation format or data. Note: a major change in a metric would be performed through the Add option.

    Remove

    The metric is no longer required, and it needs to be removed from reporting and data gathering. A final report date for that metric should be determined.

    		Maintain

    The metric is still useful and no changes are required to the metric, its measurement, or how it’s reported.

    Ensuring metrics remain valuable

    VC CASE STUDY
    Industry: Manufacturing | Source: CIO Interview

    Reviewing the value of active metrics

    When the video conferencing service was initially implemented, it was performed as a pilot with a group of executives, and then expanded for use throughout the company. It was understood that prior to seeing the full benefit in cost reduction and increased efficiency and effectiveness, the rate of use and adoption had to be understood.

    The primary service metrics created for the service were based on tracking the number of requests for video conference meetings that were received by the IT organization. This identified the growth in use and could be used in conjunction with financial metrics related to travel to help identify the impact of the service through its growth phase.

    Once the service was adopted, this metric continued to be tracked but no longer showed growth or expanded adoption.

    The service manager was no longer sure this needed to be tracked.

    Key Activity

    The metrics around requests for video conference meetings were reviewed at the annual metrics review meeting with the business. The service manager asked if the need for the metric, the goal of tracking adoption, was still important for the business.

    The discussion identified that the adoption rate was over 80%, higher than anticipated, and that there was no value in continuing to track this metric.

    Based on the discussion, the adoption metrics were discontinued and removed from data gathering and reporting, while a success rate metric was added (how many meetings ran successfully and without issue) to ensure the ongoing value of the video conferencing service.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech Workshop Associated Activity icon

    Book a workshop with our Info-Tech analysts:

    Photo of Valence Howden, Senior Manager, CIO Advisory, Info-Tech Research Group.
    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analyst will join you and your team onsite at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    3.1

    		 Sample of activity 3.1 'Select pilot metrics'. Select the pilot metrics

    The onsite analyst will help the workshop group select the metrics that should be first implemented based on the urgency and impact of these metrics.

    3.2

    		 Sample of activity 3.2 'Collect and validate data'. Gather data and set initial targets

    The analyst will help the group create a process to gather data, measure baselines, and set initial targets.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech Workshop Associated Activity icon

    Book a workshop with our Info-Tech analysts:

    3.5

    		 Sample of activity 3.5 'Generate reports and present to stakeholders'. Generate the reports and validate with stakeholders

    The Info-Tech analyst will help the group establish a process to receive feedback from the business stakeholders once the report is generated.

    3.6

    		 Sample of activity 3.6 'Plan the rollout and implementation of the metrics reporting program'. Implement the service metrics program

    The analyst will facilitate a discussion on how to implement the metrics program across the organization.

    3.7

    		 Sample of activity 3.7 'Maintain the service metrics'. Track and maintain the metrics program

    Set up a mechanism to ensure the success of the metrics program by assessing process adherence and process validity.

    Insight breakdown

    Insight 1

    Service metrics are critical to ensuring alignment of IT service performance and business service value achievement.

    Insight 2

    Service metrics reinforce positive business and end-user relationships by providing user-centric information that drives responsiveness and consistent service improvement.

    Insight 3

    Poorly designed metrics drive unintended and unproductive behaviors that have negative impacts on IT and produce negative service outcomes.

    Summary of accomplishment

    Knowledge Gained

    • Follow a methodology to identify metrics that are derived from business objectives.
    • Understand the proper presentation format based on stakeholder needs for information.
    • Establish a process to ensure the metrics provided will continue to provide value and aid decision making.

    Processes Optimized

    • Metrics presentation to business stakeholders
    • Metrics maintenance and tracking

    Deliverables Completed

    • Metrics Development Workbook
    • Metrics Presentation Format Selection Guide
    • Metrics Tracking Tool

    Research contributors and experts

    Name Organization
    Joe Evers Joe Evers Consulting
    Glen Notman Associate Partner, Citihub
    David Parker Client Program Manager, eHealth Ontario
    Marianne Doran Collins CIO, The CIO-Suite, LLC
    Chris Kalbfleisch Manager, Service Management, eHealth Ontario
    Joshua Klingenberg BHP Billiton Canada Inc.

    Related Info-Tech research

    Stock image of a menu. Design & Build a User-Facing Service Catalog
    The user-facing service catalog is the go-to place for IT service-related information.
    Stock image of a laptop keyboard. Unleash the True Value of IT by Transforming Into a Service Provider
    Earn your seat at the table and influence business strategy by becoming an IT service provider.

    Bibliography

    Pollock, Bill. “Service Benchmarking and Measurement: Using Metrics to Drive Customer Satisfaction and Profits.” Aberdeen Group. June 2009. http://722consulting.com/ServiceBenchmarkingandMeasurement.pdf

    PwC. “Mega-Trends and Implications.” RMI Discussion. LinkedIn SlideShare. September 2015. http://www.slideshare.net/AnandRaoPwC/mega-trends-and-implications-to-retirement

    PwC. “Healthcare’s new entrants: Who will be the industry’s Amazon.com?” Health Research Institute. April 2014. https://www.pwc.com/us/en/health-industries/healthcare-new-entrants/assets/pwc-hri-new-entrant-chart-pack-v3.pdf

    PwC. “Northern Lights: Where are we now?” PwC Blogs. 2012. http://pwc.blogs.com/files/12.09.06---northern-lights-2--summary.pdf

    PwC. “PwC’s key performance indicators

    First 30 Days Pandemic Response Plan

    • Buy Link or Shortcode: {j2store}418|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: DR and Business Continuity
    • Parent Category Link: /business-continuity
    • Given the speed and scope of the spread of the pandemic, governments are responding with changes almost daily as to what organizations and people can and can’t do. This volatility and uncertainty challenges organizations to respond, particularly in the absence of a business continuity or crisis management plan.

    Our Advice

    Critical Insight

    • Assess the risk to and viability of your organization in order to create appropriate action and communication plans quickly.

    Impact and Result

    • HR departments must be directly involved in developing the organization’s pandemic response plan. Use Info-Tech's Risk and Viability Matrix and uncover the crucial next steps to take during the first 30 days of the COVID-19 pandemic.

    First 30 Days Pandemic Response Plan Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Create a response plan for the first 30 days of a pandemic

    Manage organizational risk and viability during the first 30 days of a crisis.

    • First 30 Days Pandemic Response Plan Storyboard
    • Crisis Matrix Communications Template: Business As Usual
    • Crisis Matrix Communications Template: Organization Closing
    • Crisis Matrix Communications Template: Manage Risk and Leverage Resilience
    • Crisis Matrix Communications Template: Reduce Labor and Mitigate Risk
    [infographic]

    Develop a Targeted Flexible Work Program for IT

    • Buy Link or Shortcode: {j2store}542|cart{/j2store}
    • member rating overall impact: 9.0/10 Overall Impact
    • member rating average dollars saved: $18,909 Average $ Saved
    • member rating average days saved: 13 Average Days Saved
    • Parent Category Name: Attract & Select
    • Parent Category Link: /attract-and-select
    • Workplace flexibility continues to be top priority for IT employees. Organizations who fail to offer flexibility will have a difficult time attracting, recruiting, and retaining talent.
    • When the benefits of remote work are not available to everyone, this raises fairness and equity concerns.

    Our Advice

    Critical Insight

    IT excels at hybrid location work and is more effective as a business function when location flexibility is an option for its employees. But hybrid work is just a start. A comprehensive flex work program extends beyond flexible location, so organizations must understand the needs of unique employee groups to uncover the options that will attract and retain talent.

    Impact and Result

    • Uncover the needs of unique employee segments to shortlist flexible work options that employees want and will use.
    • Assess the feasibility of various flexible work options and select ones that meet employee needs and are feasible for the organization.
    • Equip leaders with the information and tools needed to implement and sustain a flexible work program.

    Develop a Targeted Flexible Work Program for IT Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Assess employee and organizational flexibility needs

    Identify prioritized employee segments, flexibility challenges, and the desired state to inform program goals.

    • Develop a Targeted Flexible Work Program for IT – Phases 1-3
    • Talent Metrics Library
    • Targeted Flexible Work Program Workbook
    • Fast-Track Hybrid Work Program Workbook

    2. Identify potential flex options and assess feasibility

    Review, shortlist, and assess the feasibility of common types of flexible work. Identify implementation issues and cultural barriers.

    • Flexible Work Focus Group Guide
    • Flexible Work Options Catalog

    3. Implement selected option(s)

    Equip managers and employees to adopt flexible work options while addressing implementation issues and cultural barriers and aligning HR programs.

    • Guide to Flexible Work for Managers and Employees
    • Flexible Work Time Policy
    • Flexible Work Time Off Policy
    • Flexible Work Location Policy

    Infographic

    Workshop: Develop a Targeted Flexible Work Program for IT

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Prepare to Assess Flex Work Feasibility

    The Purpose

    Gather information on organizational and employee flexibility needs.

    Key Benefits Achieved

    Understand the flexibility needs of the organization and its employees to inform a targeted flex work program.

    Activities

    1.1 Identify employee and organizational needs.

    1.2 Identify employee segments.

    1.3 Establish program goals and metrics.

    1.4 Shortlist flexible work options.

    Outputs

    Organizational context summary

    List of shortlisted flex work options

    2 Assess Flex Work Feasibility

    The Purpose

    Perform a data-driven feasibility analysis on shortlisted work options.

    Key Benefits Achieved

    A data-driven feasibility analysis ensures your flex work program meets its goals.

    Activities

    2.1 Conduct employee/manager focus groups to assess feasibility of flex work options.

    Outputs

    Summary of flex work options feasibility per employee segment

    3 Finalize Flex Work Options

    The Purpose

    Select the most impactful flex work options and create a plan for addressing implementation challenge

    Key Benefits Achieved

    A data-driven selection process ensures decisions and exceptions can be communicated with full transparency.

    Activities

    3.1 Finalize list of approved flex work options.

    3.2 Brainstorm solutions to implementation issues.

    3.3 Identify how to overcome cultural barriers.

    Outputs

    Final list of flex work options

    Implementation barriers and solutions summary

    4 Prepare for Implementation

    The Purpose

    Create supporting materials to ensure program implementation proceeds smoothly.

    Key Benefits Achieved

    Employee- and manager-facing guides and policies ensure the program is clearly documented and communicated.

    Activities

    4.1 Design employee and manager guide prototype.

    4.2 Align HR programs and policies to support flexible work.

    4.3 Create a communication plan.

    Outputs

    Employee and manager guide to flexible work

    Flex work roadmap and communication plan

    5 Next Steps and Wrap-Up

    The Purpose

    Put everything together and prepare to implement.

    Key Benefits Achieved

    Our analysts will support you in synthesizing the workshop’s efforts into a cohesive implementation strategy.

    Activities

    5.1 Complete in-progress deliverables from previous four days.

    5.2 Set up review time for workshop deliverables and to discuss next steps.

    Outputs

    Completed flexible work feasibility workbook

    Flexible work communication plan

    Further reading

    Develop a Targeted Flexible Work Program for IT

    Select flexible work options that balance organizational and employee needs to drive engagement and improve attraction and retention.

    Executive Summary

    Your Challenge

    • IT leaders continue to struggle with workplace flexibility, and it is a top priority for IT employees; as a result, organizations who fail to offer flexibility will have a difficult time attracting, recruiting, and retaining talent.
    • The benefits of remote work are not available to everyone, raising fairness and equity concerns for employees.

    Common Obstacles

    • A one-size-fits-all approach to selecting and implementing flexible work options fails to consider unique employee needs and will not reap the benefits of offering a flexible work program (e.g. higher engagement or enhanced employer brand).
    • Improper structure and implementation of flexible work programs exacerbates existing challenges (e.g. high turnover) or creates new ones.

    Info-Tech's Approach

    • Uncover the needs of unique employee segments to shortlist flexible work options that employees want and will use.
    • Assess the feasibility of various flexible work options and select ones that meet employee needs and are feasible for the organization.
    • Equip leaders with the information and tools needed to implement and sustain a flexible work program.

    Info-Tech Insight

    IT excels at hybrid location work and is more effective as a business function when location flexibility is an option for its employees. But hybrid work is just a start. A comprehensive flex work program extends beyond flexible location, so organizations must understand the needs of unique employee groups to uncover the options that will attract and retain talent.

    Flexible work arrangements are a requirement in today's world of work

    Flexible work continues to gain momentum…

    A 2022 LinkedIn report found that the following occurred between 2019 and 2021:

    +362%

    Increase in LinkedIn members sharing content with the term "flexible work."

    +83%

    Increase in job postings that mention "flexibility."
    (LinkedIn, 2022)

    In 2022, Into-Tech found that hybrid was the most commonly used location work model for IT across all industries.

    ("State of Hybrid Work in IT," Info-Tech Research Group, 2022)

    …and employees are demanding more flexibility

    90%

    of employees said they want schedule and location flexibility ("Global Employee Survey," EY, 2021).

    17%

    of resigning IT employees cited lack of flexible work options as a reason ("IT Talent Trends 2022," Info-Tech Research Group, 2022).

    71%

    of executives said they felt "pressure to change working models and adapt workplace policies to allow for greater flexibility" (LinkedIn, 2021).

    Therefore, organizations who fail to offer flexibility will be left behind

    Difficulty attracting and retaining talent

    98% of IT employees say flexible work options are important in choosing an employer ("IT Talent Trends 2022," Info-Tech Research Group, 2022).

    Worsening employee wellbeing and burnout

    Knowledge workers with minimal to no schedule flexibility are 2.2x more likely to experience work-related stress and are 1.4x more likely to suffer from burnout (Slack, 2022; N=10,818).

    Offering workplace flexibility benefits organizations and employees

    Higher performance

    IT departments that offer some degree of location flexibility are more effective at supporting the organization than those who do not.

    35% of service desk functions report improved service since implementing location flexibility.
    ("State of Hybrid Work in IT," Info-Tech Research Group, 2023).

    Enhanced employer brand

    Employees are 2.1x more likely to recommend their employer to others when they are satisfied with their organization's flexible work arrangements (LinkedIn, 2021).

    Improved attraction

    41% of IT departments cite an expanded hiring pool as a key benefit of hybrid work.

    Organizations that mention "flexibility" in their job postings have 35% more engagement with their posts (LinkedIn, 2022).

    Increased job satisfaction

    IT employees who have more control over their working arrangement experience a greater sense of contribution and trust in leadership ("State of Hybrid Work in IT," Info-Tech Research Group, 2023).

    Better work-life balance

    81% of employees say flexible work will positively impact their work-life balance (FlexJobs, 2021).

    Boosted inclusivity

    • Caregivers regardless of gender, supporting them in balancing responsibilities
    • Individuals with disabilities, enabling them to work from the comfort of their homes
    • Women who may have increased responsibilities
    • Women of color to mitigate the emotional tax experienced at work

    Info-Tech Insight

    Flexible work options are not a concession to lower productivity. Properly implemented, flex work enables employees to be more productive at reaching business goals.

    Despite the popularity of flexible work options, not all employees can participate

    IT organizations differ on how much flexibility different roles can have.

    IT employees were asked what percentage of IT roles were currently in a hybrid or remote work arrangement ("State of Hybrid Work in IT," Info-Tech Research Group, 2023).

    However, the benefits of remote work are not available to all, which raises fairness and equity concerns between remote and onsite employees.

    45%

    of employers said, "one of the biggest risks will be their ability to establish fairness and equity among employees when some jobs require a fixed schedule or location, creating a 'have and have not' dynamic based on roles" ("Businesses Suffering," EY, 2021).

    Offering schedule flexibility to employees who need to be fully onsite can be used to close the fairness and equity gap.

    When offered the choice, 54% of employees said they would choose schedule flexibility over location flexibility ("Global Employee Survey," EY, 2021).

    When employees were asked "What choice would you want your employer to provide related to when you have to work?" The top three choices were:

    68%

    Flexibility on when to start and finish work

    38%

    Compressed or four-day work weeks

    33%

    Fixed hours (e.g. 9am to 5pm)

    Disclaimer: "Percentages do not sum to 100%, as each respondent could choose up to three of the [five options provided]" ("Global Employee Survey," EY, 2021).

    Beware of the "all or nothing" approach

    There is no one-size-fits-all approach to workplace flexibility.

    Understanding the needs of various employee segments in the organization is critical to the success of a flexible work program.

    Working parents want more flexibility

    82%

    of working mothers desire flexibility in where they work.

    48%

    of working fathers "want to work remotely 3 to 5 days a week."

    Historically underrepresented groups value more flexibility

    38%

    "Thirty-eight percent of Black male employees and 33% of Black female employees would prefer a fully flexible schedule, compared to 25% of white female employees and 26% of white male employees."
    (Slack, 2022; N=10,818)

    33%

    Workplace flexibility must be customized to the organization to avoid longer working hours and heavy workloads that impact employee wellbeing

    84%

    of remote workers and 61% of onsite workers reported working longer hours post pandemic. Longer working hours were attributed to reasons such as pressure from management and checking emails after working hours (Indeed, 2021).

    2.6x

    Respondents who either agreed or strongly agreed with the statement "Generally, I find my workload reasonable" were 2.6x more likely to be engaged compared to those who stated they disagreed or strongly disagreed (McLean & Company Engagement Survey Database;2022; N=5,615 responses).

    Longer hours and unsustainable workloads can contribute to stress and burnout, which is a threat to employee engagement and retention. With careful management (e.g. setting clear expectations and establishing manageable workloads), flexible work arrangement benefits can be preserved.

    Info-Tech Insight

    Employees' lived experiences and needs determine if people use flexible work programs – a flex program that has limited use or excludes people will not benefit the organization.

    Develop a flexible work program that meets employee and organizational needs

    This is an image of a sample flexible work program which meets employee and organizational needs.

    Insight summary

    Overarching insight: IT excels at hybrid location work and is more effective as a business function when location, time, and time-off flexibility are an option for its employees.

    Introduction

    Step 1 insight

    Step 2 insight

    Step 3 insight

    • Flexible work options are not a concession to lower productivity. Properly implemented, flex work enables employees to be more productive at reaching business goals.
    • Employees' lived experiences and needs determine if people use flexible work programs – a flex program that has limited use or excludes people will not benefit the organization.
    • Flexible work benefits everyone. IT employees experience greater engagement, motivation, and company loyalty. IT organizations realize benefits such as better service coverage, reduced facilities costs, and increased productivity.
    • Hybrid work is a start. A comprehensive flex work program extends beyond flexible location to flexible time and time off. Organizations must understand the needs of unique employee groups to uncover the options that will attract and retain talent. Provide greater inclusivity to employees by broadening the scope to include flex location, flex time, and flex time off.
    • No two employee segments are the same. To be effective, flexible work options must align with the expectations and working processes of each segment.
    • Every role is eligible for hybrid location work. If onsite work duties prevent an employee group from participating, see if processes can be digitized or automated. Flexible work is an opportunity to go beyond current needs to future proofing your organization.
    • Flexible work options must balance organizational and employee needs. If an option is beneficial to employees but there is little or no benefit to the organization, or if the cost of the option is too high, it will not support the long-term success of the organization.
    • Prioritize flexible work options that employees want. Providing too many options often leads to information overload and results in employees not understanding what is available, lowering adoption of the flexible work program.
    • Leaders' collective support of the flexible program determines the program's successful adoption. Don't sweep cultural barriers under the rug; acknowledge and address them to overcome them.
    • Negative performance of a flexible work option does not necessarily mean failure. Take the time to evaluate whether the option simply needs to be tweaked or whether it truly isn't working for the organization.
    • A set of formal guidelines for IT ensures flexible work is:
      1. Administered fairly across all IT employees.
      2. Defensible and clear.
      3. Scalable to the rest of the organization.

    Case Study

    Expanding hybrid work at Info-Tech

    Challenge

    In 2020, Info-Tech implemented emergency work-from-home for its IT department, along with the rest of the organization. Now in 2023, hybrid work is firmly embedded in Info-Tech's culture, with plans to continue location flexibility for the foreseeable future.

    Adjusting to the change came with lessons learned and future-looking questions.

    Lessons Learned

    Moving into remote work was made easier by certain enablers that had already been put in place. These included issuing laptops instead of desktops to the user base and using an existing cloud-based infrastructure. Much support was already being done remotely, making the transition for the support teams virtually seamless.

    Continuing hybrid work has brought benefits such as reduced commuting costs for employees, higher engagement, and satisfaction among staff that their preferences were heard.

    Looking Forward

    Every flexible work implementation is a work in progress and must be continually revisited to ensure it continues to meet organizational and employee needs. Current questions being explored at Info-Tech are:

    • The concept of the "office as a tool" – how does use of the office change when it is used for specific collaboration-related tasks, rather than everything? How should the physical space change to support this?
    • What does a viable replacement for quick hallway meetings look like in a remote world where communication is much more deliberate? How can managers adjust their practices to ensure the benefits of informal encounters aren't lost?

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    What does a typical GI on this topic look like?

    Preparation

    Step 1

    Step 2

    Step 3

    Follow-up

    Call #1: Scope requirements, objectives, and your specific challenges.

    Call #2: Assess employee and organizational needs.

    Call #3: Shortlist flex work options and assess feasibility.

    Call #4: Finalize flex work options and create rollout plan.

    Call #5: (Optional) Review rollout progress or evaluate pilot success.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is 3 to 5 calls over the course of 4 to 6 months.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Day 1

    Day 2

    Day 3

    Day 4

    Day 5

    Activities

    Prepare to assess flex work feasibility

    Assess flex work feasibility

    Finalize flex work options

    Prepare for implementation

    Next Steps and Wrap-Up (offsite)

    1.1 Identify employee and organizational needs.

    1.2 Identify employee segments.

    1.3 Establish program goals and metrics.

    1.4 Shortlist flex work options.

    2.1 Conduct employee/manager focus groups to assess feasibility of flex work options.

    3.1 Finalize list of approved flex work options.

    3.2 Brainstorm solutions to implementation issues.

    3.2 Identify how to overcome cultural barriers.

    4.1 Design employee and manager guide prototype.

    4.2 Align HR programs and policies to support flexible work.

    4.3 Create a communication plan.

    5.1 Complete in-progress deliverables from previous four days.

    5.2 Set up review time for workshop deliverables and to discuss next steps.

    Deliverables
    1. Organizational context summary
    2. List of shortlisted flex work options
    1. Summary of flex work options' feasibility per employee segment
    1. 1.Final list of flex work options
    2. 2.Implementation barriers and solutions summary
    1. Employee and manager guide to flexible work
    2. Flex work roadmap and communication plan
    1. Completed flexible work feasibility workbook
    2. Flexible work communication plan

    Step 1

    Assess employee and organizational needs

    1. Assess employee and organizational flexibility needs
    2. Identify potential flex options and assess feasibility
    3. Implement selected option(s)

    After completing this step you will have:

    • Identified key stakeholders and their responsibilities
    • Uncovered the current and desired state of the organization
    • Analyzed feedback to identify flexibility challenges
    • Identified and prioritized employee segments
    • Determined the program goals
    • Identified the degree of flexibility for work location, timing, and deliverables

    Identify key stakeholders

    Organizational flexibility requires collaborative and cross-functional involvement to determine which flexible options will meet the needs of a diverse workforce. HR leads the project to explore flexible work options, while other stakeholders provide feedback during the identification and implementation processes.

    HR
    • Assist with the design, implementation, and maintenance of the program.
    • Provide managers and employees with guidance to establish successful flexible work arrangements.
    • Help develop communications to launch and maintain the program.

    Senior Leaders
    • Champion the project by modeling and promoting flexible work options
    • Help develop and deliver communications; set the tone for flexible work at the organization.
    • Provide input into determining program goals.

    Managers
    • Model flexible work options and encourage direct reports to request and discuss options.
    • Use flexible work program guidelines to work with direct reports to select suitable flexible work options.
    • Develop performance metrics and encourage communication between flexible and non-flexible workers.

    Flexible Workers
    • Indicate preferences of flexible work options to the manager.
    • Identify ways to maintain operational continuity and communication while working flexibly.
    • Flag issues and suggest improvements to the manager.
    • Develop creative ways to work with colleagues who don't work flexibly.

    Non-Flexible Workers
    • Share feedback on issues with flexible arrangements and their impact on operational continuity.

    Info-Tech Insight

    Flexible work is a holistic team effort. Leaders, flexible workers, teammates, and HR must clearly understand their roles to ensure that teams are set up for success.

    Uncover the current and desired state of flexibility in the organization

    Current State

    Target State

    Review:

    • Existing policies related to flexibility (e.g. vacation, work from anywhere)
    • Existing flexibility programs (e.g. seasonal hours) and their uptake
    • Productivity of employees
    • Current culture at the organization. Look for:
      • Employee autonomy
      • Reporting structure and performance management processes
      • Trust and psychological safety of employees
      • Leadership behavior (e.g. do leaders model work-life balance, or does the organization have a work 24/7 mentality?)

    Identify what is driving the need for flexible work options. Ask:

    • Why does the organization need flexible options?
      • For example, the introduction of flexibility for some employees has created a "have and have not" dynamic between roles that must be addressed.
    • What does the organization hope to gain from implementing flexible options? For example:
      • Improved retention
      • Increased attraction, remaining competitive for talent
      • Increased work-life balance for employees
      • Reduced burnout
    • What does the organization aspire to be?
      • For example, an organization that creates an environment that values output, not face time.

    These drivers identify goals for the organization to achieve through targeted flexible work options.

    Info-Tech Insight

    Hybrid work is a start. A comprehensive flex work program extends beyond flexible location, so organizations must understand the needs of unique employee groups to uncover the options that will attract and retain talent. Provide greater inclusivity to employees by broadening the scope to include flex location, flex time, and flex time off.

    Identify employee segments

    Using the data, feedback, and challenges analyzed and uncovered so far, assess the organization and identify employee segments.

    Identify employee segments with common characteristics to assess if they require unique flexible work options. Assess the feasibility options for the segments separately in Step 2.

    • Segments' unique characteristics include:
      • Role responsibilities (e.g. interacting with users, creating reports, development and testing)
      • Work location/schedule (e.g. geographic, remote vs. onsite, 9 to 5)
      • Work processes (e.g. server maintenance, phone support)
      • Group characteristics (e.g. specific teams, new hires)

    Identify employee segments and sort them into groups based on the characteristics above.

    Examples of segments:

    • Functional area (e.g. Service Desk, Security)
    • Job roles (e.g. desktop support, server maintenance)
    • Onsite, remote, or hybrid
    • Full-time or part-time
    • Job level (e.g. managers vs. independent contributors)
    • Employees with dependents

    Prioritize employee segments

    Determine whether the organization needs flexible work options for the entire organization or specific employee segments.
    For specific employee segments:

    • Answer the questions on the right to identify whether an employee segment is high, medium, or low priority. Complete slides 23 to 25 for each high-priority segment, repeating the process for medium-priority segments when resources allow.

    For the entire organization:

    • When identifying an option for the entire organization, consider all segments. The approach must create consistency and inclusion; keep this top of mind when identifying flexibility on slides 23 to 25. For example, the work location flexibility would be low in an organization where some segments can work remotely and others must be onsite due to machinery requirements.

    High priority: The employee segment has the lowest engagement scores or highest turnover within the organization. Segment sentiment is that current flexibility is nonexistent or not sufficiently meeting needs.
    Medium priority: The employee segment has low engagement or high turnover. Segment sentiment is that currently available flexibility is minimal or not sufficiently meeting needs.
    Low priority: The segment does not have the lowest engagement or the highest turnover rate. Segment sentiment is that currently available flexibility is sufficiently meeting needs.

    1. What is the impact on the organization if this segment's challenges aren't addressed (e.g. if low engagement and high turnover are not addressed)?
    2. How critical is flexibility to the segment's needs/engagement?
    3. How time sensitive is it to introduce flexibility to this segment (e.g. is the organization losing employees in this segment at a high rate)?
    4. Will providing flexibility to this segment increase organizational productivity or output

    Identify challenges to address with flexibility

    Uncover the lived experiences and expectations of employees to inform selection of segments and flexible options.

    1. Collect data from existing sources, such as:
      • Engagement surveys
      • New hire/exit surveys
      • Employee experience monitor surveys
      • Employee retention pulse surveys
      • Burnout surveys
      • DEI pulse surveys
    2. Analyze employee feedback on experiences with:
      • Work duties
      • Workload
      • Work-life balance
      • Operating processes and procedures
      • Achieving operational outcomes
      • Collaboration and communication
      • Individual experience and engagement
    3. Evaluate the data and identify challenges

    Example challenges:

    • Engagement: Low average score on work-life balance question; flexible work suggested in open-ended responses.
    • Retention: Exit survey indicating that lack of work-life balance is consistently a reason employees leave. Include the cost of turnover (e.g. recruitment, training, severance).
    • Burnout: Feedback from employees through surveys or HR business partner anecdotes indicating high burnout; high usage of wellness services or employee assistance programs.
    • Absenteeism: High average number of days employees were absent in the past year. Include the cost of lost productivity.
    • Operational continuity: Provide examples of when flexible work would have enabled operational continuity in the case of disaster or extended customer service coverage.
    • Program uptake: If the organization already has a flexible work program, provide data on the low proportion of eligible employees using available options.

    1.1 Prepare to evaluate flexible work options

    1-3 hours

    Follow the guidance on preceding slides to complete the following activities.
    Note: If you are only considering remote or hybrid work, use the Fast-Track Hybrid Work Program Workbook. Otherwise, proceed with the Targeted Flexible Work Program Workbook.

    1. Identify key stakeholders. Be sure to record the level of involvement and responsibility expected from each stakeholder. Use the "Stakeholders" tab of the workbook.
    2. Uncover current and desired state. Review and record your current state with respect to culture, productivity, and current flexible work options, if any. Next, record your desired future state, including reasons for implementing flexible work, and goals for the program. Record this in the "Current and Desired State" tab of the workbook.
    3. Identify and prioritize employee segments. Identify and record employee segments. Depending on the size of your department, you may identify a few or many. Be as granular as necessary to fully separate employee groups with different needs. If your resources or needs prevent you from rolling out flexible work to the entire department, record the priority level of each segment so you can focus on the highest priority first.
    4. Identify challenges with flexibility. With each employee segment in mind, analyze your available data to identify and record each segment's main challenges regarding flexible work. These will inform your program goals and metrics.

    Download the Targeted Flexible Work Program Workbook

    Download the Fast-Track Hybrid Work Program Workbook

    Input

    • List of departmental roles
    • Data on employee engagement, productivity, sentiment regarding flexible work, etc.

    Output

    • List of stakeholders and responsibilities
    • Flexible work challenges and aims
    • Prioritized list of employee segments

    Materials

    • Targeted Flexible Work Program Workbook
      Or
    • Fast-Track Hybrid Work Program Workbook

    Participants

    • IT department head
    • HR business partner
    • Flexible work program committee

    Determine goals and metrics for the flexible work program

    Sample program goals

    Sample metrics

    Increase productivity
    • Employee, team, and department key performance indicators (KPIs) before and after flexible work implementation
    • Absenteeism rate (% of lost working days due to all types of absence)

    Improve business satisfaction and perception of IT value

    Increase retention
    • % of exiting employees who cite lack of flexible work options or poor work-life balance as a reason they left
    • Turnover and retention rates

    Improve the employee value proposition (EVP) and talent attraction
    • # of responses on the new hire survey where flexible work options or work-life balance are cited as a reason for accepting an employment offer
    • # of views of career webpage that mentions flexible work program
    • Time-to-fill rates

    Improve engagement and work-life balance

    • Overall engagement score – deploy Info-Tech's Employee Engagement Diagnostics
    • Score for questions about work-life balance on employee engagement or pulse survey, including:
      • "I am able to maintain a balance between my work and personal life."
      • "I find my stress levels at work manageable."

    Info-Tech Insight

    Implementing flex work without solid performance metrics means you won't have a way of determining whether the program is enabling or hampering your business practices.

    1.2 Determine goals and metrics

    30 minutes

    Use the examples on the preceding slide to identify program goals and metrics:

    1. Brainstorm program goals. Be sure to consider both the business benefits (e.g. productivity, retention) and the employee benefits (work-life balance, engagement). A successful flexible work program benefits both the organization and its employees.
    2. Brainstorm metrics for each goal. Identify metrics that are easy to track accurately. Use Info-Tech's IT and HR metrics libraries for reference. Ideally, the metrics you choose should already exist in your organization so no extra effort will be necessary to implement them. It is also important to have a baseline measure of each one before flexible work is rolled out.
    3. Record your outputs on the "Goals and Metrics" tab of the workbook.

    Download the Targeted Flexible Work Program Workbook

    Download the IT Metrics Library

    Download the HR Metrics Library

    Input

    • Organizational and departmental strategy

    Output

    • List of program goals and metrics

    Materials

    • Targeted Flexible Work Program Workbook
      Or
    • Fast-Track Hybrid Work Program Workbook

    Participants

    • Flexible work program committee

    Determine work location flexibility for priority segments

    Work location looks at where a segment can complete all or some of their tasks (e.g. onsite vs. remote). For each prioritized employee segment, evaluate the amount of location flexibility available.

    Work Duties

    Processes

    Operational Outcomes

    High degree of flexibility
    • Low dependence on onsite equipment
    • Work easily shifts to online platforms
    • Low dependence on onsite external interactions (e.g. clients, customers, vendors)
    • Low interdependence of work duties internally (most work is independent)
    • Work processes and expectations are or can be formally documented
    • Remote work processes are sustainable long term

    Most or all operational outcomes can be achieved offsite (e.g. products/service delivery not impacted by WFH)
    • Some dependence on onsite equipment
    • Some work can shift to online platforms
    • Some dependence on onsite external interactions
    • Some interdependence of work duties internally (collaboration is critical)
    • Most work processes and expectations have been or can be formally documented
    • Remote work processes are sustainable (e.g. workarounds can be supported and didn't add work)

    Some operational outcomes can be achieved offsite (e.g. some impact of WFH on product/service delivery)

    Low degree of flexibility
    • High dependence on onsite equipment
    • Work cannot shift to online platforms
    • High dependence on onsite external interactions
    • High interdependence of work duties internally (e.g. line work)
    • Few work processes and expectations can be formally documented
    • Work processes cannot be done remotely, and workarounds for remote work are not sustainable long term

    Operational outcomes cannot be achieved offsite (e.g. significant impairment to product/service delivery)

    Note

    If roles within the segment have differing levels of location flexibility, use the lowest results (e.g. if role A in the segment has a high degree of flexibility for work duties and role B has a low degree of flexibility, use the results for role B).

    Identify work timing for priority segments

    Work timing looks at when work can or needs to be completed (e.g. Monday to Friday, 9am to 5pm).

    Work Duties

    Processes

    Operational Outcomes

    High degree of flexibility

    • No need to be available to internal and/or external customers during standard work hours
    • Equipment is available at any time
    • Does not rely on synchronous (occurring at the same time) work duties internally
    • Work processes and expectations are or can be formally documented
    • Low reliance on collaboration
    • Work is largely asynchronous (does not occur at the same time)

    Most or all operational outcomes are not time sensitive

    • Must be available to internal and/or external customers during some standard work hours
    • Some reliance on synchronous work duties internally (collaboration is critical)
    • Most work processes and expectations have been or can be formally documented
    • Moderate reliance on collaboration
    • Some work is synchronous

    Some operational outcomes are time sensitive and must be conducted within set date or time windows

    Low degree of flexibility

    • Must be available to internal and/or external customers during all standard work hours (e.g. Monday to Friday 9 to 5)
    • High reliance on synchronous work duties internally (e.g. line work)
    • Few work processes and expectations can be formally documented
    • High reliance on collaboration
    • Most work is synchronous

    Most or all operational outcomes are time sensitive and must be conducted within set date or time windows

    Note

    With additional coordination, flex time or flex time off options are still possible for employee segments with a low degree of flexibility. For example, with a four-day work week, the segment can be split into two teams – one that works Monday to Thursday and one that works Tuesday to Friday – so that employees are still available for clients five days a week.

    Examine work deliverables for priority segments

    Work deliverables look at the employee's ability to deliver on their role expectations (e.g. quota or targets) and whether reducing the time spent working would, in all situations, impact the work deliverables (e.g. constrained vs. unconstrained).

    Work Duties

    Operational Outcomes

    High degree of flexibility

    • Few or no work duties rely on equipment or processes that put constraints on output (unconstrained output)
    • Employees have autonomy over which work duties they focus on each day
    • Most or all operational outcomes are unconstrained (e.g. a marketing analyst who builds reports and strategies for clients can produce more reports, produce better reports, or identify new strategies)
    • Work quota or targets are achievable even if working fewer hours
    • Some work duties rely on equipment or processes that put constraints on output
    • Employees have some ability to decide which work duties they focus on each day
    • Some operational outcomes are constrained or moderately unconstrained (e.g. an analyst build reports based on client data; while it's possible to find efficiencies and build reports faster, it's not possible to attain the client data any faster)
    • Work quota or targets may be achievable if working fewer hours

    Low degree of flexibility

    • Most or all work duties rely on equipment or processes that put constraints on output (constrained output)
    • Daily work duties are prescribed (e.g. a telemarketer is expected to call a set number of people per day using a set list of contacts and a defined script)
    • Most or all operational outcomes are constrained (e.g. a machine operator works on a machine that produces 100 parts an hour; neither the machine nor the worker can produce more parts)
    • Work quota or targets cannot be achieved if fewer hours are worked

    Note

    For segments with a low degree of work deliverable flexibility (e.g. very constrained output), flexibility is still an option, but maintaining output would require additional headcount.

    1.3 Determine flexibility needs and constraints

    1-2 hours

    Use the guidelines on the preceding slides to document the parameters of each work segment.

    1. Determine work location flexibility. Work location looks at where a segment can complete all or some of their tasks (e.g. onsite vs. remote). For each prioritized employee segment, evaluate the amount of location flexibility available.
    2. Identify work timing. Work timing looks at when work can or needs to be completed (e.g. Monday to Friday, 9am to 5pm).
    3. Examine work deliverables. Work deliverables look at the employee's ability to deliver on their role expectations (e.g. quota or targets) and whether reducing the time spent working would, in all situations, impact the work deliverables (e.g. constrained vs. unconstrained).
    4. Record your outputs on the "Current and Desired State" tab of the workbook.

    Download the Targeted Flexible Work Program Workbook

    Input

    • List of employee segments

    Output

    • Summary of flexibility needs and constraints for each employee segment

    Materials

    • Targeted Flexible Work Program Workbook
      Or
    • Fast-Track Hybrid Work Program Workbook

    Participants

    • Flexible work program committee
    • Employee segment managers

    Step 2

    Identify potential flex options and assess feasibility

    1. Assess employee and organizational flexibility needs
    2. Identify potential flex options and assess feasibility
    3. Implement selected option(s)

    After completing this step you will have:

    • Created a shortlist of potential options for each prioritized employee segment
    • Evaluated the feasibility of each potential option
    • Determined the cost and benefit of each potential option
    • Gathered employee sentiment on potential options
    • Finalized options with senior leadership

    Prepare to identify and assess the feasibility of potential flexible work options

    First, review the Flexible Work Solutions Catalog

    Before proceeding to the next slide, review the Flexible Work Options Catalog to identify and shortlist five to seven flexible work options that are best suited to address the challenges faced for each of the priority employee segments identified in Step 1.

    Then, assess the feasibility of implementing selected options using slides 29 to 32

    Assess the feasibility of implementing the shortlisted solutions for the prioritized employee segments against the feasibility factors in this step. Repeat for each employee segment. Use the following slides to consult with and include leaders when appropriate.

    • Document your analysis in tabs 6 to 8 of the Targeted Flexible Work Program Workbook.
    • Note implementation issues throughout the assessment and record them in the tool. They will be addressed in Step 3: Implement Selected Program(s). Don't rule out an option simply because it presents some challenges; careful implementation can overcome many challenges.
    • At the end of this step, determine the final list of flexible work options and gain approval from senior leaders for implementation.

    Evaluate feasibility by reviewing the option's impact on continued operations and job performance

    Operational coverage

    Synchronous communication

    Time zones

    Face-to-face

    communication

    To what extent are employees needed to deliver products or services?

    • If constant customer service is required, stagger employees' schedules (e.g. one team works Monday-Thursday while another works Tuesday-Friday).

    To what extent do employees need to communicate with each other synchronously?

    • Break the workflow down and identify times when employees do and do not have to work at the same time to communicate with each other.

    To what extent do employees need to coordinate work across time zones?

    • If the organization already operates in different time zones, ensure that the option does not impact operations requiring continuous coverage.
    • When employees are located in different time zones, coordinate schedules based on the other operational factors.

    When do employees need to interact with each other or clients in person?

    • Examine the workflow closely to identify times when face-to-face communication is not required. Schedule "office days" for employees to work together when in-person interaction is needed.
    • When the interaction is only required with clients, determine whether employees are able to meet clients offsite.

    Info-Tech Insight

    Every role is eligible for hybrid location work. If onsite work duties prevent an employee group from participating, see if processes can be digitized or automated. Flexible work is an opportunity to go beyond current needs to future-proof your organization.

    Assess the option's alignment with organizational culture

    Symbols

    Values

    		 Behaviors

    How supportive of flexible work are the visible aspects of the organization's culture?

    • For example, the mission statement, newsletters, or office layout.
    • Note: Visible elements will need to be adapted to ensure they reinforce the value of the flexible work option.

    How supportive are both the stated and lived values of the organization?

    • When the flexible work option includes less direct supervision, assess how empowered employees feel to make decisions.
    • Assess whether all types of employees (e.g. virtual) are included, valued, and supported.

    How supportive are the attitudes and behaviors, especially of leaders?

    • Leaders set the expectations for acceptable behaviors in the organization. Determine how supportive leaders are toward flexible workers by examining their attitudes and perceptions.
    • Identify if employees are open to different ways of doing work.

    Determine the resources required for the option

    People

    Process

    		 Technology

    Do employees have the knowledge, skills, and abilities to adopt this option?

    • Identify any areas (e.g. process, technology) employees will need to be trained on and assess the associated costs.
    • Determine whether the option will require additional headcount to ensure operational continuity (e.g. two part-time employees in a job-sharing arrangement) and calculate associated costs (e.g. recruitment, training, benefits).

    How much will work processes need to change?

    • Interview organizational leaders with knowledge of the employee segment's core work processes. Determine whether a significant change will be required.
    • If a significant change is required, evaluate whether the benefits of the option outweigh the costs of the process and behavioral change (see the "net benefit" factor on slide 33).

    What new technologies will be required?

    • Identify the technology (e.g. that supports communication, work processes) required to enable the flexible work option.
    • Note whether existing technology can be used or additional technology will be required, and further investigate the viability and costs of these options.

    Examine the option's risks

    Data

    Health & Safety

    Legal

    How will data be kept secure?

    • Determine whether the organization's data policy and technology covers employees working remotely or other flexible work options.
    • If the employee segment handles sensitive data (e.g. personal employee information), consult relevant stakeholders to determine how data can be kept secure and assess any associated costs.

    How will employees' health and safety be impacted?

    • Consult your organization's legal counsel to determine whether the organization will be liable for the employees' health and safety while working from home or other locations.
    • Determine whether the organization's policies and processes will need to be modified.

    What legal risks might be involved?

    • Identify any policies in place or jurisdictional requirements to avoid any legal risks. Consult your organization's legal counsel about the situations below.
      • If the option causes significant changes to the nature of jobs, creating the risk of constructive dismissal.
      • If there are any risks to providing less supervision (e.g. higher chance of harassment).
      • When only some employee segments are eligible for the option, determine whether there is a risk of inequitable access.
      • If the option impacts any unionized employees or collective agreements.

    Determine whether the benefits of the option outweigh the costs

    Include senior leadership in the net benefit process to ensure any unfeasible options are removed from consideration before presenting to employees.

    1. Document the employee and employer benefits of the option from the previous feasibility factors on slides 29 to 32.
    • Include the benefits of reaching program goals identified in Step 1.
    • Quantify the benefits in dollar value where possible.
  • Document the costs and risks of the option, referring to the costs noted from previous feasibility factors.
    • Quantify the costs in dollar value where possible.
  • Compare the benefits and costs.
    • Add an option to your final list if the benefits are greater than the costs.

    • This is an image of a table with the main heading being Net Benefit, with the following subheadings: Benefits to organization; Benefits to employees; Costs.

    Info-Tech Insight

    Flexible work options must balance organizational and employee needs. If an option is beneficial to employees but there is little or no benefit to the organization as a whole, or if the cost of the option is too high, it will not support the long-term success of the organization.

    2.1a Identify and evaluate flexible work options

    30 minutes per employee segment per work option

    If you are only considering hybrid or remote work, skip to activity 2.1b. Use the guidelines on the preceding slides to conduct feasibility assessments.

    1. Shortlist flexible work options. Review the Flexible Work Options Catalog to identify and shortlist five to seven flexible work options that are best suited to address the challenges faced for each of the priority employee segments. Record these on the "Options Shortlist" tab of the workbook. Even if the decision is simple, ensure you record the rationale to help communicate your decision to employees. Transparent communication is the best way to avoid feelings of unfairness if desired work options are not implemented.
    2. Evaluate option feasibility. For each of the shortlisted options, complete one "Feasibility - Option" tab in the workbook. Make as many copies of this tab as needed.
      • When evaluating each option, consider each employee segment individually as you work through the prompts in the workbook. You may find that segments differ greatly in the feasibility of various types of flexible work. You will use this information to inform your overall policy and any exceptions to it.
      • You may need to involve each segment's management team to get an accurate picture of day-to-day responsibilities and flexible work feasibility.
    3. Weigh benefits and costs. At the end of each flexible work option evaluation, record the anticipated costs and benefits. Discuss whether this balance renders the option viable or rules it out.

    Download the Targeted Flexible Work Program Workbook

    Download the Flexible Work Options Catalog

    Input

    • List of employee segments

    Output

    • Shortlist of flexible work options
    • Feasibility analysis for each work option

    Materials

    • Targeted Flexible Work Program Workbook
    • Flexible Work Options Catalog

    Participants

    • Flexible work program committee
    • Employee segment managers

    2.1b Assess hybrid work feasibility

    30 minutes per employee segment

    Use the guidelines on the preceding slides to conduct a feasibility assessment. This exercise relies on having trialed hybrid or remote work before. If you have never implemented any degree of remote work, consider completing the full feasibility assessment in activity 2.1a.

    1. Evaluate hybrid work feasibility. Review the feasibility prompts on the "Work Unit Remote Work Assessment" tab and record your insight for each employee segment.
      • When evaluating each option, consider each employee segment individually as you work through the prompts in the workbook. You may find that segments differ greatly in their ability to accommodate hybrid work. You will use this information to inform your overall policy and any exceptions to it.
      • You may need to involve each segment's management team to get an accurate picture of day-to-day responsibilities and hybrid work feasibility.

    Download the Fast-Track Hybrid Work Program Workbook

    Input

    • List of employee segments

    Output

    • Feasibility analysis for each work option

    Materials

    • Fast-Track Hybrid Work Program Workbook

    Participants

    • Flexible work program committee
    • Employee segment managers

    Ask employees which options they prefer and gather feedback for implementation

    Deliver a survey and/or conduct focus groups with a selection of employees from all prioritized employee segments.

    Share

    • Present your draft list of options to select employees.
    • Communicate that the organization is in the process of assessing the feasibility of flexible work options and would like employee input to ensure flex work meets needs.
    • Be clear that the list is not final or guaranteed.

    Ask

    • Ask which options are preferred more than others.
    • Ask for feedback on each option – how could it be modified to meet employee needs better? Use this information to inform implementation in Step 3.

    Decide

    • Prioritize an option if many employees indicated an interest in it.
    • If employees indicate no interest in an option, consider eliminating it from the list, unless it will be required. There is no value in providing an option if employees won't use it.

    Survey

    • List the options and ask respondents to rate each on a Likert scale from 1 to 5.
    • Ask some open-ended questions with comment boxes for employee suggestions.

    Focus Group

    • Conduct focus groups to gather deeper feedback.
    • See Appendix I for sample focus group questions.

    Info-Tech Insight

    Prioritize flexible work options that employees want. Providing too many options often leads to information overload and results in employees not understanding what is available, lowering adoption of the flexible work program.

    Finalize options list with senior leadership

    1. Select one to three final options and outline the details of each. Include:
      • Scope: To what extent will the option be applied? E.g. work-from-home one or two days a week.
      • Eligibility: Which employee segments are eligible?
      • Cost: What investment will be required?
      • Critical implementation issues: Will any of the implementation issues identified for each feasibility factor impact whether the option will be approved?
      • Resources: What additional resources will be required (e.g. technology)?
    2. Present the options to stakeholders for approval. Include:
      • An outline of the finalized options, including what the option is and the scope, eligibility, and critical implementation issues.
      • The feasibility assessment results, including benefits, costs, and employee preferences. Have more detail from the other factors ready if leaders ask about them.
      • The investment (cost) required to implement the option.
    3. Proceed to Step 3 to implement approved options.

    Running an IT pilot of flex work

    • As a technology department, IT typically doesn't own flexible work implementation for the entire organization. However, it is common to trial flexible work options for IT first, before rolling out to the entire organization.
    • During a flex work pilot, ensure you are working closely with HR partners, especially regarding regulatory and compliance issues.
    • Keep the rest of the organizational stakeholders in the loop, especially regarding their agreement on the metrics by which the pilot's success will be evaluated.

    2.2a Finalize flexible work options

    2-3 hours + time to gather employee feedback

    If you are only considering hybrid or remote work, skip to activity 2.2b. Use the guidelines on the preceding slides to gather final feedback and finalize work option selections.

    1. Gather employee feedback. If employee preferences are already known, skip this step. If they are not, gather feedback to ascertain whether any of the shortlisted options are preferred. Remember that a successful flexible work program balances the needs of employees and the business, so employee preference is a key determinant in flexible work program success. Document this on the "Employee Preferences" tab of the workbook.
    2. Finalize flexible work options. Use your notes on the cost-benefit balance for each option, along with employee preferences, to decide whether the move forward with it. Record this decision on the "Options Final List" tab. Include information about eligible employee segments and any implementation challenges that came up during the feasibility assessments. This is the final decision summary that will inform your flexible program parameters and policies.

    Download the Targeted Flexible Work Program Workbook

    Input

    • Flexible work options shortlist

    Output

    • Final flexible work options list

    Materials

    • Targeted Flexible Work Program Workbook

    Participants

    • Flexible work program committee

    2.2b Finalize hybrid work parameters

    2-3 hours + time to gather employee feedback

    Use the guidelines on the preceding slides to gather final feedback and finalize work option selections.

    1. Summarize feasibility analysis. On the "Program Parameters" tab, record the main insights from your feasibility analysis. Finalize important elements, including eligibility for hybrid/remote work by employee segment. Additionally, record the standard parameters for the program (i.e. those that apply to all employee segments) and variable parameters (i.e. ones that differ by employee segment).

    Download the Fast-Track Hybrid Work Program Workbook

    Input

    • Hybrid work feasibility analysis

    Output

    • Final hybrid work program parameters

    Materials

    • Fast-Track Hybrid Work Program Workbook

    Participants

    • Flexible work program committee

    Step 3

    Implement selected option(s)

    1. Assess employee and organizational flexibility needs
    2. Identify potential flex options and assess feasibility
    3. Implement selected option(s)

    After completing this step, you will have:

    • Addressed implementation issues and cultural barriers
    • Equipped the organization to adopt flexible work options successfully
    • Piloted the program and assessed its success
    • Developed a plan for program rollout and communication
    • Established a program evaluation plan
    • Aligned HR programs to support the program

    Solve the implementation issues identified in your feasibility assessment

    1. Identify a solution for each implementation issue documented in the Targeted Flexible Work Program Workbook. Consider the following when identifying solutions:
      • Scope: Determine whether the solution will be applied to one or all employee segments.
      • Stakeholders: Identify stakeholders to consult and develop a solution. If the scope is one employee segment, work with organizational leaders of that segment. When the scope is the entire organization, consult with senior leaders.
      • Implementation: Collaborate with stakeholders to solve implementation issues. Balance the organizational and employee needs, referring to data gathered in Steps 1 and 2.

    Example:

    Issue

    Solution

    Option 1: Hybrid work

    Brainstorming at the beginning of product development benefits from face-to-face collaboration.

    Block off a "brainstorming day" when all team members are required in the office.

    Employee segment: Product innovation team

    One team member needs to meet weekly with the implementation team to conduct product testing.

    Establish a schedule with rotating responsibility for a team member to be at the office for product testing; allow team members to swap days if needed.

    Address cultural barriers by involving leaders

    To shift a culture that is not supportive of flexible work, involve leaders in setting an example for employees to follow.

    Misconceptions

    Tactics to overcome them
    • Flexible workers are less productive.
    • Flexible work disrupts operations.
    • Flexible workers are less committed to the organization.
    • Flexible work only benefits employees, not the organization.
    • Employees are not working if they aren't physically in the office.

    Make the case by highlighting challenges and expected benefits for both the organization and employees (e.g. same or increased productivity). Use data in the introductory section of this blueprint.

    Demonstrate operational feasibility by providing an overview of the feasibility assessment conducted to ensure operational continuity.

    Involve most senior leadership in communication.

    Encourage discovery and exploration by having managers try flexible work options themselves, which will help model it for employees.

    Highlight success stories within the organization or from competitors or similar industries.

    Invite input from managers on how to improve implementation and ownership, which helps to discover hidden options.

    Shift symbols, values, and behaviors

    • Work with senior leaders to identify symbols, values, and behaviors to modify to align with the selected flexible work options.
    • Validate that the final list aligns with your organization's mission, vision, and values.

    Info-Tech Insight

    Leaders' collective support of the flexible program determines the program's successful adoption. Don't sweep cultural barriers under the rug; acknowledge and address them to overcome them.

    Equip the organization for successful implementation

    Info-Tech recommends providing managers and employees with a guide to flexible work, introducing policies, and providing training for managers.

    Provide managers and employees with a guide to flexible work

    Introduce appropriate organization policies

    Equip managers with the necessary tools and training

    Use the guide to:

    • Familiarize employees and managers with the flexible work program.
    • Gain employee and manager buy-in and support for the program.
    • Explain the process and give guidance on selecting flexible work options and working with their colleagues to make it a success.

    Use Info-Tech's customizable policy templates to set guidelines, outline arrangements, and scope the organization's flexible work policies. This is typically done by, or in collaboration with, the HR department.

    Download the Guide to Flexible Work for Managers and Employees

    Download the Flex Location Policy

    Download the Flex Time-Off Policy

    Download the Flex Time Policy

    3.1 Prepare for implementation

    2-3 hours

    Use the guidelines on the preceding slides to brainstorm solutions to implementation issues and prepare to communicate program rollout to stakeholders.

    1. Solve implementation issues.
      • If you are working with the Targeted Flexible Work Program Workbook: For each implementation challenge identified on the "Final Options List" tab, brainstorm solutions. If you are working with the Fast-Track Hybrid Work Program Workbook: Work through the program enablement prompts on the "Program Enablement" tab.
      • You may need to involve relevant stakeholders to help you come up with appropriate solutions for each employee segment.
      • Ensure that any anticipated cultural barriers have been documented and are addressed during this step. Don't underestimate the importance of a supportive organizational culture to the successful rollout of flexible work.
    2. Prepare the employee guide. Modify the Guide to Flexible Work for Managers and Employees template to reflect your final work options list and the processes and expectations employees will need to follow.
    3. Create a communication plan. Use Info-Tech's Communicate Any IT Initiative blueprint and Appendix II to craft your messaging.

    Download the Guide to Flexible Work for Managers and Employees

    Download the Targeted Flexible Work Program Workbook

    Input

    • Flexible work options final list

    Output

    • Employee guide to flexible work
    • Flexible work rollout communication plan

    Materials

    • Guide to Flexible Work for Managers and Employees
    • Targeted Flexible Work Program Workbook
      Or
    • Fast-Track Hybrid Work Program Workbook

    Participants

    • Flexible work program committee
    • Employee segment managers

    Run an IT pilot for flexible work

    Prepare for pilot

    Launch Pilot

    Identify the flexible work options that will be piloted.

    • Refer to the final list of selected options for each priority segment to determine which options should be piloted.

    Select pilot participants.

    • If not rolling out to the entire IT department, look for the departments and/or team(s) where there is the greatest need and the biggest interest (e.g. team with lowest engagement scores).
    • Include all employees within the department, or team if the department is too large, in the pilot.
    • Start with a group whose managers are best equipped for the new flexibility options.

    Create an approach to collect feedback and measure the success of the pilot.

    • Feedback can be collected using surveys, focus groups, and/or targeted in-person interviews.

    The length of the pilot will greatly vary based on which flexible work options were selected (e.g. seasonal hours will require a shorter pilot period compared to implementing a compressed work week). Use discretion when deciding on pilot length and be open to extending or shortening the pilot length as needed.

    Launch pilot.

    • Launch the program through a town hall meeting or departmental announcement to build excitement and buy-in.
    • Develop separate communications for employee segments where appropriate. See Appendix II for key messaging to include.

    Gather feedback.

    • The feedback will be used to assess the pilot's success and to determine what modifications will be needed later for a full-scale rollout.
    • When gathering feedback, tailor questions based on the employee segment but keep themes similar. For example:
      • Employees: "How did this help your day-to-day work?"
      • Managers: "How did this improve productivity on your team?"

    Track metrics.

    • The success of the pilot is best communicated using your department's unique KPIs.
    • Metrics are critical for:
      • Accurately determining pilot success.
      • Getting buy-in to expand the pilot beyond IT.
      • Justifying to employees any changes made to the flexible work options.

    Assess the pilot's success and determine next steps

    Review the feedback collected on the previous slide and use this decision tree to decide whether to relaunch a pilot or proceed to a full-scale rollout of the program.

    This is an image of the flow chart used to assess the pilot's success and determine the next steps. It will help you to determine whether you will Proceed to full-scale rollout on next slide, Major modifications to the option/launch (e.g. change operating time) – adjust and relaunch pilot or select a new employee segment and relaunch pilot, Minor modifications to the option/launch (e.g. introduce additional communications) – adjust and proceed to full scale rollout, or Return to shortlist (Step 2) and select a different option or launch pilot with a different employee segment.

    Prepare for full-scale rollout

    If you have run a team pilot prior to rolling out to all of IT, or run an IT pilot before an organizational rollout, use the following steps to transition from pilot to full rollout.

    1. Determine modifications
      • Review the feedback gathered during the pilot and determine what needs to change for a full-scale implementation.
      • Update HR policies and programs to support flexible work. Work closely with your HR business partner and other organizational leaders to ensure every department's needs are understood and compliance issues are addressed.
    2. Roll out and evaluate
      • Roll out the remainder of the program (e.g. to other employee segments or additional flexible work options) once there is significant uptake of the pilot by the target employee group and issues have been addressed.
      • Determine how feedback will be gathered after implementation, such as during engagement surveys, new hire and exit surveys, stay interviews, etc., and assess whether the program continues to meet employee and organizational needs.

    Rolling out beyond IT

    For a rollout beyond IT, HR will likely take over.

    However, this is your chance to remain at the forefront of your organization's flexible work efforts by continuing to track success and gather feedback within IT.

    Align HR programs and organizational policies to support flexible work

    Talent Management

    Learning & Development

    Talent Acquisition

    Reinforce managers' accountability for the success of flexible work in their teams:

    • Include "managing virtual teams" in the people management leadership competency.
    • Recognize managers who are modeling flexible work.

    Support flexible workers' career progression:

    • Monitor the promotion rates of flexible workers vs. non-flexible workers.
    • Make sure flexible workers are discussed during talent calibration meetings and have access to career development opportunities.

    Equip managers and employees with the knowledge and skills to make flexible work successful.

    • Provide guidance on selecting the right options and maintaining workflow.
    • If moving to a virtual environment, train managers on how to make it a success.

    Incorporate the flexible work program into the organization's employee value proposition to attract top talent who value flexible work options.

    • Highlight the program on the organization's career site and in job postings.

    Organizational policies

    Determine which organizational policies will be impacted as a result of the new flexible work options. For example, the introduction of flex time off can result in existing vacation policies needing to be updated.

    Plan to re-evaluate the program and make improvements

    Collect data

    Collect data

    Act on data

    Uptake

    Gather data on the proportion of employees eligible for each option who are using the option.

    If an option is tracking positively:

    • Maintain or expand the program to more of the organization.
    • Conduct a feasibility assessment (Step 2) for new employee segments.

    Satisfaction

    Survey managers and employees about their satisfaction with the options they are eligible for and provide an open box for suggestions on improvements.

    If an option is tracking negatively:

    • Investigate why. Gather additional data, interview organizational leaders, and/or conduct focus groups to gain deeper insight.
    • Re-assess the feasibility of the option (Step 2). If the costs outweigh the benefits based on new data, determine whether to cancel the option.
    • Take appropriate action based on the outcome of the evaluation, such as modifying or cancelling the option or providing employees with more support.
      • Note: Cancelling an option can impact the engagement of employees using the option. Ensure that the data, reasons for cancelling the option, and potential substitute options are communicated to employees in advance.

    Program goal progress

    Monitor progress against the program goals and metrics identified in Step 1 to evaluate the impact on issues that matter to the organization (e.g. retention, productivity, diversity).

    Career progression

    Evaluate flexible workers' promotion rates and development opportunities to determine if they are developing.

    Info-Tech Insight

    Negative performance of a flexible work option does not necessarily mean failure. Take the time to evaluate whether the option simply needs to be tweaked or whether it truly isn't working for the organization.

    Insight summary

    Overarching insight: IT excels at hybrid location work and is more effective as a business function when location, time, and time-off flexibility are an option for its employees.

    Introduction

    • Flexible work options are not a concession to lower productivity. Properly implemented, flex work enables employees to be more productive at reaching business goals.
    • Employees' lived experiences and needs determine if people use flexible work programs – a flex program that has limited use or excludes people will not benefit the organization.
    • Flexible work benefits everyone. IT employees experience greater engagement, motivation, and company loyalty. IT organizations realize benefits such as better service coverage, reduced facilities costs, and increased productivity.

    Step 1 insight

    • Hybrid work is a start. A comprehensive flex work program extends beyond flexible location to flexible time and time off. Organizations must understand the needs of unique employee groups to uncover the options that will attract and retain talent. Provide greater inclusivity to employees by broadening the scope to include flex location, flex time, and flex time off.
    • No two employee segments are the same. To be effective, flexible work options must align with the expectations and working processes of each segment.

    Step 2 insight

    • Every role is eligible for hybrid location work. If onsite work duties prevent an employee group from participating, see if processes can be digitized or automated. Flexible work is an opportunity to go beyond current needs to future proofing your organization.
    • Flexible work options must balance organizational and employee needs. If an option is beneficial to employees but there is little or no benefit to the organization, or if the cost of the option is too high, it will not support the long-term success of the organization.
    • Prioritize flexible work options that employees want. Providing too many options often leads to information overload and results in employees not understanding what is available, lowering adoption of the flexible work program.

    Step 3 insight

    • Leaders' collective support of the flexible program determines the program's successful adoption. Don't sweep cultural barriers under the rug; acknowledge and address them to overcome them.
    • Negative performance of a flexible work option does not necessarily mean failure. Take the time to evaluate whether the option simply needs to be tweaked or whether it truly isn't working for the organization.
    • A set of formal guidelines for IT ensures flexible work is:
      1. Administered fairly across all IT employees.
      2. Defensible and clear.
      3. Scalable to the rest of the organization.

    Research Contributors and Experts

    Quinn Ross
    CEO
    The Ross Firm Professional Corporation

    Margaret Yap
    HR Professor
    Ryerson University

    Heather Payne
    CEO
    Juno College

    Lee Nguyen
    HR Specialist
    City of Austin

    Stacey Spruell
    Division HR Director
    Travis County

    Don MacLeod
    Chief Administrative Officer
    Zorra Township

    Stephen Childs
    CHRO
    Panasonic North America

    Shawn Gibson
    Sr. Director
    Info Tech Research Group

    Mari Ryan
    CEO/Founder
    Advancing Wellness

    Sophie Wade
    Founder
    Flexcel Networks

    Kim Velluso
    VP Human Resources
    Siemens Canada

    Lilian De Menezes
    Professor of Decision Sciences
    Cass Business School, University of London

    Judi Casey
    WorkLife Consultant and former Director, Work and Family Researchers Network
    Boston College

    Chris Frame
    Partner – Operations
    LiveCA

    Rose M. Stanley, CCP, CBP, WLCP, CEBS
    People Services Manager
    Sunstate Equipment Co., LLC

    Shari Lava
    Director, Vendor Research
    Info-Tech Research Group

    Carol Cochran
    Director of People & Culture
    FlexJobs

    Kidde Kelly
    OD Practitioner

    Dr. David Chalmers
    Adjunct Professor
    Ted Rogers School of Management, Ryerson University

    Kashmira Nagarwala
    Change Manager
    Siemens Canada

    Dr. Isik U. Zeytinoglu
    Professor of Management and Industrial Relations McMaster University, DeGroote School of Business

    Claire McCartney
    Diversity & Inclusion Advisor
    CIPD

    Teresa Hopke
    SVP of Client Relations
    Life Meets Work – www.lifemeetswork.com

    Mark Tippey
    IT Leader and Experienced Teleworker

    Dr. Kenneth Matos
    Senior Director of Research
    Families and Work Institute

    1 anonymous contributor

    Appendix I: Sample focus group questions

    See Info-Tech's Focus Group Guidefor guidance on setting up and delivering focus groups. Customize the guide with questions specific to flexible work (see sample questions below) to gain deeper insight into employee preferences for the feasibility assessment in Step 2 of this blueprint.

    Document themes in the Targeted Flexible Work Program Workbook.

    • What do you need to balance/integrate your work with your personal life?
    • What challenges do you face in achieving work-life balance/integration?
    • What about your job is preventing you from achieving work-life balance/integration?
    • How would [flexible work option] help you achieve work-life balance/integration?
    • How well would this option work with the workflow of your team or department? What would need to change?
    • What challenges do you see in adopting [flexible work option]?
    • What else would be helpful for you to achieve work-life balance/integration?
    • How could we customize [flexible work option] to ensure it meets your needs?
    • If this program were to fail, what do you think would be the top reasons and why?

    Appendix II: Communication key messaging

    1. Program purpose

    Start with the name and high-level purpose of the program.

    2. Business reasons for the program

    Share data you gathered in Step 1, illustrating challenges causing the need for the program and the benefits.

    3. Options selection process

    Outline the process followed to select options. Remember to share the involvement of stakeholders and the planning around employees' feedback, needs, and lived experiences.

    4. Options and eligibility

    Provide a brief overview of the options and eligibility. Specify that the organization is piloting these options and will modify them based on feedback.

    5. Approval not guaranteed

    Qualify that employees need to be "flexible about flexible work" – the options are not guaranteed and may sometimes be unavailable for business reasons.

    6. Shared responsibility

    Highlight the importance of everyone (managers, flexible workers, the team) working together to make flexible work achievable.

    7. Next steps

    Share any next steps, such as where employees can find the organization's Guide to Flexible Work for Managers and Employees, how to make flexible work a success, or if managers will be providing further detail in a team meeting.

    8. Ongoing communications

    Normalize the program and embed it in organizational culture by continuing communications through various media, such as the organization's newsletter or announcements in town halls.

    Works Cited

    Baziuk, Jennifer, and Duncan Meadows. "Global Employee Survey - Key findings and implications for ICMIF." EY, June 2021. Accessed May 2022.
    "Businesses suffering 'commitment issues' on flexible working," EY, 21 Sep. 2021. Accessed May 2022.
    "IT Talent Trends 2022". Info-Tech Research Group, 2022.
    "Jabra Hybrid Ways of Working: 2021 Global Report." Jabra, Aug. 2021. Accessed May 2022.
    LinkedIn Talent Solutions. "2022 Global Talent Trends." LinkedIn, 2022. Accessed May 2022.
    Lobosco, Mark. "The Future of Work is Flexible: 71% of Leaders Feel Pressure to Change Working Models." LinkedIn, 9 Sep. 2021. Accessed May 2022.
    Ohm, Joy, et al. "Covid-19: Women, Equity, and Inclusion in the Future of Work." Catalyst, 28 May 2020. Accessed May 2022.
    Pelta, Rachel. "Many Workers Have Quit or Plan to After Employers Revoke Remote Work." FlexJobs, 2021. Accessed May 2022.
    Slack Future Forum. "Inflexible return-to-office policies are hammering employee experience scores." Slack, 19 April 2022. Accessed May 2022.
    "State of Hybrid Work in IT: A Trend Report". Info-Tech Research Group, 2023.
    Threlkeld, Kristy. "Employee Burnout Report: COVID-19's Impact and 3 Strategies to Curb It." Indeed, 11 March 2021. Accessed March 2022.

    Build a Strategic IT Workforce Plan

    • Buy Link or Shortcode: {j2store}390|cart{/j2store}
    • member rating overall impact: 9.6/10 Overall Impact
    • member rating average dollars saved: $180,171 Average $ Saved
    • member rating average days saved: 19 Average Days Saved
    • Parent Category Name: Organizational Design
    • Parent Category Link: /organizational-design
    • Talent has become a competitive differentiator. To 46% of business leaders, workforce planning is a top priority – yet only 13% do it effectively.
    • CIOs aren’t sure what they need to give the organization a competitive edge or how current staffing line-ups fall short.

    Our Advice

    Critical Insight

    • A well defined strategic workforce plan (SWP) isn’t just a nice-to-have, it’s a must-have.
    • Integrate as much data as possible into your workforce plan to best prepare you for the future. Without knowledge of your future initiatives, you are filling hypothetical holes.
    • To be successful, you need to understand your strategic initiatives, workforce landscape, and external and internal trends.

    Impact and Result

    The workforce planning process does not need to be onerous, especially with help from Info-Tech’s solid planning tools. With the right people involved and enough time invested, developing an SWP will be easier than first thought and time well spent. Leverage Info-Tech’s client-tested 5-step process to build a strategic workforce plan:

    1. Build a project charter
    2. Assess workforce competency needs
    3. Identify impact of internal and external trends
    4. Identify the impact of strategic initiatives on roles
    5. Build and monitor the workforce plan

    Build a Strategic IT Workforce Plan Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should build a strategic workforce plan for IT, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Initiate the project

    Assess the value of a strategic workforce plan and the IT department’s fit for developing one, and then structure the workforce planning project.

    • Build a Strategic Workforce Plan – Phase 1: Initiate the Project
    • IT Strategic Workforce Planning Project Charter Template
    • IT Strategic Workforce Planning Project Plan Template

    2. Analyze workforce needs

    Gather and analyze workforce needs based on an understanding of the relevant internal and external trends, and then produce a prioritized plan of action.

    • Build a Strategic Workforce Plan – Phase 2: Analyze Workforce Needs
    • Workforce Planning Workbook

    3. Build the workforce plan

    Evaluate workforce priorities, plan specific projects to address them, and formalize and integrate strategic workforce planning into regular planning processes.

    • Build a Strategic Workforce Plan – Phase 3: Build and Monitor the SWP
    [infographic]

    Workshop: Build a Strategic IT Workforce Plan

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Identify Project Goals, Metrics, and Current State

    The Purpose

    Develop a shared understanding of the challenges your organization is facing with regards to talent and workforce planning.

    Key Benefits Achieved

    An informed understanding of whether or not you need to develop a strategic workforce plan for IT.

    Activities

    1.1 Identify goals, metrics, and opportunities

    1.2 Segment current roles

    1.3 Identify organizational culture

    1.4 Assign job competencies

    1.5 Assess current talent

    Outputs

    Identified goals, metrics, and opportunities

    Documented organizational culture

    Aligned competencies to roles

    Identified current talent competency levels

    2 Assess Workforce and Analyze Trends

    The Purpose

    Perform an in-depth analysis of how internal and external trends are impacting the workforce.

    Key Benefits Achieved

    An enhanced understanding of the current talent occupying the workforce.

    Activities

    2.1 Assess environmental trends

    2.2 Identify impact on workforce requirements

    2.3 Identify how trends are impacting critical roles

    2.4 Explore viable options

    Outputs

    Complete internal trends analysis

    Complete external trends analysis

    Identified internal and external trends on specific IT roles

    3 Perform Gap Analysis

    The Purpose

    Identify the changing competencies and workforce needs of the future IT organization, including shortages and surpluses.

    Key Benefits Achieved

    Determined impact of strategic initiatives on workforce needs.

    Identification of roles required in the future organization, including surpluses and shortages.

    Identified projects to fill workforce gaps.

    Activities

    3.1 Identify strategic initiatives

    3.2 Identify impact of strategic initiatives on roles

    3.3 Determine workforce estimates

    3.4 Determine projects to address gaps

    Outputs

    Identified workforce estimates for the future

    List of potential projects to address workforce gaps

    4 Prioritize and Plan

    The Purpose

    Prepare an action plan to address the critical gaps identified.

    Key Benefits Achieved

    A prioritized plan of action that will fill gaps and secure better workforce outcomes for the organization.

    Activities

    4.1 Determine and prioritize action items

    4.2 Determine a schedule for review of initiatives

    4.3 Integrate workforce planning into regular planning processes

    Outputs

    Prioritized list of projects

    Completed workforce plan

    Identified opportunities for integration

    Implement Infrastructure Shared Services

    • Buy Link or Shortcode: {j2store}456|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Operations Management
    • Parent Category Link: /i-and-o-process-management
    • Organizations have service duplications for unique needs. These duplications increase business expenditure.
    • Lack of collaboration between business units to share their services increases business cost and reduces business units’ faith to implement shared services.
    • Transitioning infrastructure to shared services is challenging for many organizations. It requires an accurate planning and efficient communication between participating business units.

    Our Advice

    Critical Insight

    • Identify your current process, tool, and people capabilities before implementing shared services. Understand the financial compensations prior to implementation and assess if your organization is ready for transitioning to shared services model.
    • Do not implement shared services when the nature of the services differs greatly between business units.

    Impact and Result

    • Understand benefits of shared services for the business and determine whether transitioning to shared services would benefit the organization.
    • Identify the best implementation plan based on goals, needs, and services.
    • Build a shared-services process to manage the plan and ensure its success.

    Implement Infrastructure Shared Services Research & Tools

    Start here – Read the Executive Brief

    Read our concise Executive Brief to find out why you should implement shared services, review Info-Tech’s methodology, and understand the ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Conduct gap analysis

    Identify benefits of shared services to your organization and define implementation challenges.

    • Implement Infrastructure Shared Services – Phase 1: Conduct Gap Analysis
    • Shared Services Implementation Executive Presentation
    • Shared Services Implementation Business Case Template
    • Shared Services Implementation Assessment Tool

    2. Choose the right path

    Identify your process and staff capabilities and discover which services will be transitioned to shared services plan. It will also help you to figure out the best model to choose.

    • Implement Infrastructure Shared Services – Phase 2: Choose the Right Path
    • Sample Enterprise Services

    3. Plan the transition

    Discuss an actionable plan to implement shared services to track the project. Walk through a communication plan to document the goals, progress, and expectations with customer stakeholders.

    • Implement Infrastructure Shared Services – Phase 3: Plan the Transition
    • Shared Services Implementation Roadmap Tool
    • Shared Services Implementation Customer Communication Plan
    [infographic]

    Workshop: Implement Infrastructure Shared Services

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Identify Challenges

    The Purpose

    Establish the need for change.

    Key Benefits Achieved

    Set a clear understanding about benefits of shared services to your organization.

    Activities

    1.1 Identify your organization’s main drivers for using a shared services model.

    1.2 Define if it is beneficial to implement shared services.

    Outputs

    Shared services mission

    Shared services goals

    2 Assess Your Capabilities

    The Purpose

    Become aware of challenges to implement shared services and your capabilities for such transition.

    Key Benefits Achieved

    Discover the primary challenges for transitioning to shared services, eliminate resistance factors, and identify your business potentials for implementation.

    Activities

    2.1 Identify your organization’s resistance to implement shared services.

    2.2 Assess process and people capabilities.

    Outputs

    Shared Services Business Case

    Shared Services Assessment

    3 Define the Model

    The Purpose

    Determine the shared services model.

    Key Benefits Achieved

    Identify the core services to be shared and the best model that fits your organization.

    Activities

    3.1 Define core services that will be moved to shared services.

    3.2 Assess different models of shared services and pick the one that satisfies your goals and needs.

    Outputs

    List of services to be transferred to shared services

    Shared services model

    4 Implement and Communicate

    The Purpose

    Define and communicate the tasks to be delivered.

    Key Benefits Achieved

    Confidently approach key stakeholders to make the project a reality.

    Activities

    4.1 Define the roadmap for implementing shared services.

    4.2 Make a plan to communicate changes.

    Outputs

    List of initiatives to reach the target state, strategy risks, and their timelines

    Draft of a communication plan

    Optimize Lead Generation With Lead Scoring

    • Buy Link or Shortcode: {j2store}557|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Marketing Solutions
    • Parent Category Link: /marketing-solutions
    • Prospective buyer traffic into digital marketing platforms has exploded.
    • Many freemium/low-cost digital marketing platforms lack lead scoring and nurturing functionality.
    • As a result, the volume of unqualified leads being delivered to outbound sellers has increased dramatically.
    • This has reduced sales productivity, frustrated prospective buyers, and raised the costs of lead generation.

    Our Advice

    Critical Insight

    • Lead scoring is a must-have capability for high-tech marketers.
    • Without lead scoring, marketers will see increased costs of lead generation and decreased SQL-to-opportunity conversion rates.
    • Lead scoring increases sales productivity and shortens sales cycles.

    Impact and Result

    • Align Marketing, Sales, and Inside Sales on your ideal customer profile.
    • Re-evaluate the assets and activities that compose your current lead generation engine.
    • Develop a documented methodology to ignore, nurture, or contact right away the leads in your marketing pipeline.
    • Deliver more qualified leads to sellers, raising sales productivity and marketing/lead-gen ROI.

    Optimize Lead Generation With Lead Scoring Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should optimize lead generation with lead scoring, review SoftwareReviews Advisory’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Drive aligned vision for lead scoring

    Outline your plan, form your team, and plan marketing tech stack support.

    • Optimize Lead Generation With Lead Scoring – Phase 1: Drive an Aligned Vision for Lead Scoring

    2. Build and test your lead scoring model

    Set lead flow thresholds, define your ideal customer profile and lead generation engine components, and weight, score, test, and refine them.

    • Optimize Lead Generation With Lead Scoring – Phase 2: Build and Test Your Lead Scoring Model
    • Lead Scoring Workbook

    3. Apply your model to marketing apps and go live with better qualified leads

    Apply your lead scoring model to your lead management app, test it, validate the results with sellers, apply advanced methods, and refine.

    • Optimize Lead Generation With Lead Scoring – Phase 3: Apply Your Model to Marketing Apps and Go Live With Better Qualified Leads
    [infographic]

    Workshop: Optimize Lead Generation With Lead Scoring

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Drive Aligned Vision for Lead Scoring

    The Purpose

    Drive an aligned vision for lead scoring.

    Key Benefits Achieved

    Attain an aligned vision for lead scoring.

    Identify the steering committee and project team and clarify their roles and responsibilities.

    Provide your team with an understanding of how leads score through the marketing funnel.

    Activities

    1.1 Outline a vision for lead scoring.

    1.2 Identify steering committee and project team members.

    1.3 Assess your tech stack for lead scoring and seek advice from Info-Tech analysts to modernize where needed.

    1.4 Align on marketing pipeline terminology.

    Outputs

    Steering committee and project team make-up

    Direction on tech stack to support lead generation

    Marketing pipeline definitions alignment

    2 Buyer Journey and Lead Generation Engine Mapping

    The Purpose

    Define the buyer journey and map the lead generation engine.

    Key Benefits Achieved

    Align the vision for your target buyer and their buying journey.

    Identify the assets and activities that need to compose your lead generation engine.

    Activities

    2.1 Establish a buyer persona.

    2.2 Map your buyer journey.

    2.3 Document the activities and assets of your lead generation engine.

    Outputs

    Buyer persona

    Buyer journey map

    Lead gen engine assets and activities documented

    3 Build and Test Your Lead Scoring Model

    The Purpose

    Build and test your lead scoring model.

    Key Benefits Achieved

    Gain team alignment on how leads score and, most importantly, what constitutes a sales-accepted lead.

    Develop a scoring model from which future iterations can be tested.

    Activities

    3.1 Understand the Lead Scoring Grid and set your thresholds.

    3.2 Identify your ideal customer profile, attributes, and subattribute weightings – run tests.

    Outputs

    Lead scoring thresholds

    Ideal customer profile, weightings, and tested scores

    Test profile scoring

    4 Align on Engagement Attributes

    The Purpose

    Align on engagement attributes.

    Key Benefits Achieved

    Develop a scoring model from which future iterations can be tested.

    Activities

    4.1 Weight the attributes of your lead generation engagement model and run tests.

    4.2 Apply weightings to activities and assets.

    4.3 Test engagement and profile scenarios together and make any adjustments to weightings or thresholds.

    Outputs

    Engagement attributes and weightings tested and complete

    Final lead scoring model

    5 Apply Model to Your Tech Platform

    The Purpose

    Apply the model to your tech platform.

    Key Benefits Achieved

    Deliver better qualified leads to Sales.

    Activities

    5.1 Apply model to your marketing management/campaign management software and test the quality of sales-accepted leads in the hands of sellers.

    5.2 Measure overall lead flow and conversion rates through your marketing pipeline.

    5.3 Apply lead nurturing and other advanced methods.

    Outputs

    Model applied to software

    Better qualified leads in the hands of sellers

    Further reading

    Optimize Lead Generation With Lead Scoring

    In today’s competitive environment, optimizing Sales’ resources by giving them qualified leads is key to B2B marketing success.

    EXECUTIVE BRIEF

    Analyst Perspective

    Improve B2B seller win rates with a lead scoring methodology as part of your modern lead generation engine.

    The image contains a picture of Jeff Golterman.

    As B2B organizations emerge from the lowered demands brought on by COVID-19, they are eager to convert marketing contacts to sales-qualified leads with even the slightest signal of intent, but many sales cycles are wasted when sellers receive unqualified leads. Delivering highly qualified leads to sellers is still more art than science, and it is especially challenging without a way to score a contact profile and engagement. While most marketers capture some profile data from contacts, many will pass a contact over to Sales without any engagement data or schedule a demo with a contact without any qualifying profile data. Passing unqualified leads to Sales suboptimizes Sales’ resources, raises the costs per lead, and often results in lost opportunities. Marketers need to develop a lead scoring methodology that delivers better qualified leads to Field Sales scored against both the ideal customer profile (ICP) and engagement that signals lower-funnel buyer interest. To be successful in building a compelling lead scoring solution, marketers must work closely with key stakeholders to align the ICP asset/activity with the buyer journey. Additionally, working early in the design process with IT/Marketing Operations to implement lead management and analytical tools in support will drive results to maximize lead conversion rates and sales wins.

    Jeff Golterman

    Managing Director

    SoftwareReviews Advisory

    Executive Summary

    Your Challenge

    The affordability and ease of implementation of digital marketing tools have driven global adoption to record levels. While many marketers are fine-tuning the lead generation engine components of email, social media, and web-based advertising to increase lead volumes, just 32% of companies pass well-qualified leads over to outbound marketers or sales development reps (SDRs). At best, lead gen costs stay high, and marketing-influenced win rates remain suboptimized. At worst, marketing reputation suffers when poorly qualified leads are passed along to sellers.

    Common Obstacles

    Most marketers lack a methodology for lead scoring, and some lack alignment among Marketing, Product, and Sales on what defines a qualified lead. In their rush to drive lead generation, marketers often fail to “define and align” on the ICP with stakeholders, creating confusion and wasted time and resources. In the rush to adopt B2B marketing and sales automation tools, many marketers have also skipped the important steps to 1) define the buyer journey and map content types to support, and 2) invest in a consistent content creation and sourcing strategy. The wrong content can leave prospects unmotivated to engage further and cause them to seek alternatives.

    Info-Tech’s Approach

    To employ lead scoring effectively, marketers need to align Sales, Marketing, and Product teams on the definition of the ICP and what constitutes a Sales-accepted lead. The buyer journey needs to be mapped in order to identify the engagement that will move a lead through the marketing lead generation engine. Then the project team can score prospect engagement and the prospect profile attributes against the ICP to arrive at a lead score. The marketing tech stack needs to be validated to support lead scoring, and finally Sales needs to sign off on results.

    SoftwareReviews Advisory Insight:

    Lead scoring is a must-have capability for high-tech marketers. Without lead scoring, marketers will see increased costs of lead gen, decreased SQL to opportunity conversion rates, decreased sales productivity, and longer sales cycles.

    Who benefits from a lead scoring project?

    This Research Is Designed for:

    • Marketers and especially campaign managers who are:
      • Looking for a more precise way to score leads and deploy outbound marketing resources to optimize contacts-to-MQL conversion rates.
      • Looking for a more effective way to profile contacts raised by your lead gen engine.
      • Looking to use their lead management software to optimize lead scoring.
      • Starting anew to strengthen their lead generation engine and want examples of a typical engine, ways to identify buyer journey, and perform lead nurturing.

    This Research Will Help You:

    • Explain why having a lead scoring methodology is important.
    • Identify a methodology that will call for identifying an ICP against which to score prospect profiles behind each contact that engages your lead generation engine.
    • Create a process of applying weightings to score activities during contact engagement with your lead generation engine. Apply both scores to arrive at a contact/lead score.
    • Compare your current lead gen engine to a best-in-class example in order to identify gaps and areas for improvement and exploration.

    This Research Will Also Assist:

    • CMOs, Marketing Operations leaders, heads of Product Marketing, and regional Marketing leads who are stakeholders in:
      • Finding alternatives to current lead scoring approaches.
        • Altering current or evaluating new marketing technologies to support a refreshed lead scoring approaches.

    This Research Will Help Them:

    • Align stakeholders on an overall program of identifying target customers, building common understanding of what constitutes a qualified lead, and determining when to use higher-cost outbound marketing resources.
    • Deploy high-value applications that will improve core marketing metrics.

    Insight summary

    Continuous adjustment and improvement of your lead scoring methodology is critical for long-term lead generation engine success.

    • Building a highly functioning lead generation engine is an ongoing process and one that requires continual testing of new asset types, asset design, and copy variations. Buyer profiles change over time as you launch new products and target new markets.
    • Pass better qualified leads to Field Sales and improve sales win rates by taking these crucial steps to implement a better lead generation engine and a lead scoring methodology:
      • Make the case for lead scoring in your organization.
      • Establish trigger points that separate leads to ignore, nurture, qualify, or outreach/contact.
      • Identify your buyer journey and ICP through collaboration among Sales, Marketing, and Product.
      • Assess each asset and activity type across your lead generation engine and apply a weighting for each.
      • Test lead scenarios within our supplied toolkit and with stakeholders. Adjust weightings and triggers that deliver lead scores that make sense.
      • Work with IT/Marketing Operations to emulate your lead scoring methodology within your marketing automation/campaign management application.
      • Explore advanced methods including nurturing.
    • Use the Lead Scoring Workbook collaboratively with other stakeholders to design your own methodology, test lead scenarios, and build alignment across the team.

    Leading marketers who successfully implement a lead scoring methodology develop it collaboratively with stakeholders across Marketing, Sales, and Product Management. Leaders will engage Marketing Operations, Sales Operations, and IT early to gain support for the evaluation and implementation of a supporting campaign management application and for analytics to track lead progress throughout the Marketing and Sales funnels. Leverage the Marketing Lead Scoring Toolkit to build out your version of the model and to test various scenarios. Use the slides contained within this storyboard and the accompanying toolkit as a means to align key stakeholders on the ICP and to weight assets and activities across your marketing lead generation engine.

    What is lead scoring?

    Lead scoring weighs the value of a prospect’s profile against the ICP and renders a profile score. The process then weighs the value of the prospects activities against the ideal call to action (CTA) and renders an activity score. Combining the profile and activity scores delivers an overall score for the value of the lead to drive the next step along the overall buyer journey.

    EXAMPLE: SALES MANAGEMENT SOFTWARE

    • For a company that markets sales management software the ideal buyer is the head of Sales Operations. While the ICP is made up of many attributes, we’ll just score one – the buyer’s role.
    • If the prospect/lead that we wish to score has an executive title, the lead’s profile scores “High.” Other roles will score lower based on your ICP. Alongside role, you will also score other profile attributes (e.g. company size, location).
    • With engagement, if the prospect/lead clicked on our ideal CTA, which is “request a proposal,” our engagement would score high. Other CTAs would score lower.
    The image contains a screenshot of two examples of lead scoring. One example demonstrates. Profile Scoring with Lead Profile, and the second image demonstrates Activity Scoring and Lead Engagement.

    SoftwareReviews Advisory Insight:

    A significant obstacle to quality lead production is disagreement on or lack of a documented definition of the ideal customer profile. Marketers successful in lead scoring will align key stakeholders on a documented definition of the ICP as a first step in improving lead scoring.

    Use of lead scoring is in the minority among marketers

    The majority of businesses are not practicing lead scoring!

    Up to 66% of businesses don’t practice any type of lead scoring.

    Source: LeadSquared, 2014

    “ With lead scoring, you don’t waste loads of time on unworthy prospects, and you don’t ignore people on the edge of buying.”

    Source: BigCommerce

    “The benefits of lead scoring number in the dozens. Having a deeper understanding of which leads meet the qualifications of your highest converters and then systematically communicating with them accordingly increases both ongoing engagement and saves your internal team time chasing down inopportune leads.”

    – Joey Strawn, Integrated Marketing Director, in IndustrialMarketer.com

    Key benefit: sales resource optimization

    Many marketing organizations send Sales too many unqualified leads

    • Leads – or, more accurately, contacts – are not all qualified. Some are actually nothing more than time-wasters for sellers.
    • Leading marketers peel apart a contact into at least two dimensions – “who” and “how interested.”
      • The “who” is compared to the ICP and given a score.
      • The “how interested” measures contact activity – or engagement – within our lead gen engine and gives it a score.
    • Scores are combined; a contact with a low score is ignored, medium is nurtured, and high is sent to sellers.
    • A robust ICP, together with engagement scoring and when housed within your lead management software, prioritizes for marketers which contacts to nurture and gets hot leads to sellers more quickly.

    Optimizing Sales Resources Using Lead Scoring

    The image contains a screenshot of a graph to demonstrate optimizing sales resources with lead scoring.

    Lead scoring drives greater sales effectiveness

    When contacts are scored as “qualified leads” and sent to sellers, sales win rates and ROI climb

    • Contacts can be scored properly once marketers align with Sales on the ICP and work closely with colleagues in areas like product marketing and field marketing to assign weightings to lead gen activities.
    • When more qualified leads get into the hands of the salesforce, their win rates improve.
    • As win rates improve, and sellers are producing more wins from the same volume of leads, sales productivity improves and ROI on the marketing investment increases.

    “On average, organizations that currently use lead scoring experience a 77% lift in lead generation ROI, over organizations that do not currently use lead scoring.”

    – MarketingSherpa, 2012

    Average Lead Generation ROI by Use of Lead Scoring

    The image contains a screenshot of a graph to demonstrate the average lead generation ROI by using of lead scoring. 138% are currenting using lead scoring, and 78% are not using lead scoring.
    Source: 2011 B2B Marketing Benchmark Survey, MarketingSherpa
    Methodology: Fielded June 2011, N=326 CMOs

    SoftwareReviews’ Lead Scoring Approach

    1. Drive Aligned Vision for Lead Scoring

    2. Build and Test Your Lead Scoring Model

    3. Apply to Your Tech Platform and Validate, Nurture, and Grow

    Phase
    Steps
    1. Outline a vision for lead scoring and identify stakeholders.
    2. Assess your tech stack for lead scoring and seek advice from Info-Tech analysts to modernize where needed.
    3. Align on marketing pipeline terminology, buyer persona and journey, and lead gen engine components.
    1. Understand the Lead Scoring Grid and establish thresholds.
    2. Collaborate with stakeholders on your ICP, apply weightings to profile attributes and values, and test your model.
    3. Identify the key activities and assets of your lead gen engine, weight attributes, and run tests.
    1. Apply model to your marketing management software.
    2. Test quality of sales-accepted leads by sellers and measure conversion rates through your marketing pipeline.
    3. Apply advanced methods such as lead nurturing.

    Phase Outcomes
    1. Steering committee and stakeholder selection
    2. Stakeholder alignment
    3. Team alignment on terminology
    4. Buyer journey map
    5. Lead gen engine components and asset types documented
    1. Initial lead-stage threshold scores
    2. Ideal customer profile, weightings, and tested scores
    3. Documented activities/assets across your lead generation engine
    4. Test results to drive adjusted weightings for profile attributes and engagement
    5. Final model to apply to marketing application
    1. Better qualified leads in the hands of sellers
    2. Advanced methods to nurture leads

    Key Deliverable: Lead Scoring Workbook

    The workbook walks you through a step-by-step process to:

    • Identify your team.
    • Identify the lead scoring thresholds.
    • Define your IPC.
    • Weight the activities within your lead generation engine.
    • Run tests using lead scenarios.

    Tab 1: Team Composition

    Consider core functions and form a cross-functional lead scoring team. Document the team’s details here.

    The image contains a screenshot of the Lead Scoring Workbook, Tab 1.

    Tab 2: Threshold Setting

    Set your initial threshold weightings for profile and engagement scores.

    The image contains a screenshot of the Lead Scoring Workbook, Tab 2.

    Tab 3:

    Establish Your Ideal Customer Profile

    Identify major attributes and attribute values and the weightings of both. You’ll eventually score your leads against this ICP.

    Record and Weight Lead Gen Engine Activities

    Identify the major activities that compose prospect engagement with your lead gen engine. Weight them together as a team.

    Test Lead Profile Scenarios

    Test actual lead profiles to see how they score against where you believe they should score. Adjust threshold settings in Tab 2.

    Test Activity Engagement Scores

    Test scenarios of how contacts navigate your lead gen engine. See how they score against where you believe they should score. Adjust thresholds on Tab 2 as needed.

    Review Combined Profile and Activity Score

    Review the combined scores to see where on your lead scoring matrix the lead falls. Make any final adjustments to thresholds accordingly.

    The image contains screenshots of the Lead Scoring Workbook, Tab 3.

    Several ways we help you build your lead scoring methodology

    DIY Toolkit Guided Implementation Workshop Consulting

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."
    • Begin your project using the step-by-step process outlined in this blueprint.
    • Leverage the accompanying workbook.
    • Launch inquiries with the analyst who wrote the research.
    • Kick off your project with an inquiry with the authoring analyst and your engagement manager.
    • Additional inquiries will guide you through each step.
    • Leverage the blueprint and toolkit.
    • Reach out to your engagement manager.
    • During a half-day workshop the authoring analyst will guide you and your team to complete your lead scoring methodology.
    • Reach out to your engagement manager.
    • We’ll lead the engagement to structure the process, gather data, interview stakeholders, craft outputs, and organize feedback and final review.

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1

    Phase 2

    Phase 3

    Call #1: Collaborate on vision for lead scoring and the overall project.

    Call #2: Identify the steering committee and the rest of the team.

    Call #3: Discuss app/tech stack support for lead scoring. Understand key marketing pipeline terminology and the buyer journey.

    Call #4: Discuss your ICP, apply weightings, and run test scenarios.

    Call #5: Discuss and record lead generation engine components.

    Call #6: Understand the Lead Scoring Grid and set thresholds for your model.

    Call #7: Identify your ICP, apply weightings to attributes, and run tests.

    Call #8: Weight the attributes of engagement activities and run tests. Review the application of the scoring model on lead management software.

    Call #9: Test quality of sales-accepted leads in the hands of sellers. Measure lead flow and conversion rates through your marketing pipeline.

    Call #10: Review progress and discuss nurturing and other advanced topics.

    A Guided Implementation (GI) is series of calls with a SoftwareReviews Advisory analyst to help implement our best practices in your organization. For guidance on marketing applications, we can arrange a discussion with an Info-Tech analyst. Your engagement managers will work with you to schedule analyst calls.

    Workshop Overview

    Accelerate your project with our facilitated SoftwareReviews Advisory workshops

    Day 1

    Day 2

    Day 3

    Day 4

    Day 5

    Drive Aligned Vision for Lead Scoring

    Buyer Journey and Lead Gen Engine Mapping

    Build and Test Your Lead Scoring Model

    Align on Engagement Attributes

    Apply to Your Tech Platform

    Activities

    1.1 Outline a vision for lead scoring.

    1.2 Identify steering committee and project team members.

    1.3 Assess your tech stack for lead scoring and seek advice from Info-Tech analysts to modernize where needed.

    1.4 Align on marketing pipeline terminology.

    2.1 Establish a buyer persona (if not done already).

    2.2 Map your buyer journey.

    2.3 Document the activities and assets of your lead gen engine.

    3.1 Understand Lead Scoring Grid and set your thresholds.

    3.2 Identify ICP attribute and sub-attribute weightings. Run tests.

    4.1 Weight the attributes of your lead gen engagement model and run tests.

    4.2 Apply weightings to activities and assets.

    4.3 Test engagement and profile scenarios together and adjust weightings and thresholds as needed.

    5.1 Apply model to your campaign management software and test quality of sales-accepted leads in the hands of sellers.

    5.2. Measure overall lead flow and conversion rates through your marketing pipeline.

    5.3 Apply lead nurturing and other advanced methods.

    Deliverables
    1. Steering committee & project team composition
    2. Direction on tech stack to support lead gen
    3. Alignment on marketing pipeline definitions
    1. Buyer (persona if needed) journey map
    2. Lead gen engine assets and activities documented
    1. Lead scoring thresholds
    2. ICP, weightings, and tested scores
    3. Test profile scoring
    1. Engagement attributes and weightings tested and complete
    2. Final lead scoring model
    1. Model applied to your marketing management/ campaign management software
    2. Better qualified leads in the hands of sellers

    Phase 1

    Drive an Aligned Vision for Lead Scoring

    Phase 1

    Phase 2

    Phase 3

    1.1 Establish a cross-functional vision for lead scoring

    1.2 Asses your tech stack for lead scoring (optional)

    1.3 Catalog your buyer journey and lead gen engine assets

    2.1 Start building your lead scoring model

    2.2 Identify and verify your IPC and weightings

    2.3 Establish key lead generation activities and assets

    3.1 Apply model to your marketing management software

    3.2 Test the quality of sales-accepted leads

    3.3 Apply advanced methods

    This phase will walk you through the following activities:

    • Solidify your vision for lead scoring.
    • Achieve stakeholder alignment.
    • Assess your tech stack.

    This phase involves the following stakeholders:

    • Field Marketing/Campaign Manager
    • CMO
    • Product Marketing
    • Product Management
    • Sales Leadership/Sales Operations
    • Inside Sales leadership
    • Marketing Operations/IT
    • Digital Platform leadership

    Step 1.1

    Establish a Cross-Functional Vision for Lead Scoring

    Activities

    1.1.1 Identify stakeholders critical to success

    1.1.2 Outline the vision for lead scoring

    1.1.3 Select your lead scoring team

    This step will walk you through the following activities:

    • Discuss the reasons why lead scoring is important.
    • Review program process.
    • Identify stakeholders and team.

    This step involves the following participants:

    • Stakeholders
    • Project sponsors and leaders

    Outcomes of this step

    • Stakeholder alignment on vision of lead scoring
    • Stakeholders described and team members recorded
    • A documented buyer journey and map of your current lead gen engine

    1.1.1 Identify stakeholders critical to success

    1 hour

    1. Meet to identify the stakeholders that should be included in the project’s steering committee.
    2. Finalize selection of steering committee members.
    3. Contact members to ensure their willingness to participate.
    4. Document the steering committee members and the milestone/presentation expectations for reporting project progress and results
    Input Output
    • Stakeholder interviews
    • List of business process owners (lead management, inside sales lead qualification, sales opportunity management, marketing funnel metric measurement/analytics)
    • Lead generation/scoring stakeholders
    • Steering committee members
    Materials Participants
    • N/A
    • Initiative Manager
    • CMO, Sponsoring Executive
    • Departmental Leads – Sales, Marketing, Product Marketing, Product Management (and others)
    • Marketing Applications Director
    • Senior Digital Business Analyst

    SoftwareReviews Advisory Insight:

    B2B marketers that lack agreement among Marketing, Sales, Inside Sales, and lead management supporting staff of what constitutes a qualified lead will squander precious time and resources throughout the customer acquisition process.

    1.1.2 Outline the vision for lead scoring

    1 hour

    1. Convene a meeting of the steering committee and initiative team members who will be involved in the lead scoring project.
    • Using slides from this blueprint, understand the definition of lead scoring, the value of lead scoring to the organization, and the overall lead scoring process.
    • Understand the teams’ roles and responsibilities and help your Marketing Operations/IT colleagues understand some of the technical requirements needed to support lead scoring.
    • This is important because as the business members of the team are developing the lead scoring approach on paper, the technical team can begin to evaluate lead management apps within which your lead scoring model will be brought to life.
    Input Output
    • Slides to explain lead scoring and the lead scoring program
    • An understanding of the project among key stakeholders
    Materials Participants
    • Slides taken from this blueprint. We suggest slides from the Executive Brief (slides 3-16) and any others depending on the team’s level of familiarity.
    • Initiative Manager
    • CMO, Sponsoring Executive
    • Departmental leads from Sales, Marketing, Product Marketing, Product Management (and others)
    • Marketing Applications Director
    • Senior Digital Business Analyst

    SoftwareReviews Advisory Insight:

    While SMBs can implement some form of lead scoring when volume is very low and leads can be scored by hand, lead scoring and effective lead management cannot be performed without investment in digital platforms and lead management software and integration with customer relationship management (CRM) applications in the hands of inside and field sales staff. Marketers should plan and budget for the right combination of applications and tools to be in place for proper lead management.

    Lead scoring stakeholders

    Developing a common stakeholder understanding of the ICP, the way contact profiles are scored, and the way activities and asset engagement in your lead generation engine are scored will strengthen alignment between Marketing, Sales and Product Management.

    Title

    Key Stakeholders Within a Lead Generation/Scoring Initiative

    Lead Scoring Sponsor
    • Owns the project at the management/C-suite level
    • Responsible for breaking down barriers and ensuring alignment with organizational strategy
    • CMO, VP of Marketing, CEO (in SMB providers)

    Lead Scoring Initiative Manager
    • Typically a senior member of the marketing team
    • Responsible for preparing and managing the project plan and monitoring the project team’s progress
    • Marketing Manager or a field marketing team member who has strong program management skills, has run large-scale B2B generation campaigns, and is familiar with the stakeholder roles and enabling technologies

    Business Leads
    • Works alongside the lead scoring initiative manager to ensure that the strategy is aligned with business needs
    • In this case, likely to be a marketing lead
    • Marketing Director

    Digital, Marketing/Sales Ops/IT Team
    • Composed of individuals whose application and technology tools knowledge and skills are crucial to lead generation success
    • Responsible for understanding the business requirements behind lead generation and the requirements in particular to support lead scoring and the evaluation, selection, and implementation of the supporting tech stack – apps, website, analytics, etc.
    • Project Manager, Business Lead, CRM Manager, Integration Manager, Marketing Application SMEs, Sales Application

    Steering Committee
    • Composed of C-suite/management-level individuals who act as the lead generation process decision makers
    • Responsible for validating goals and priorities, defining the scope, enabling adequate resourcing, and managing change especially among C-level leaders in Sales & Product
    • Executive Sponsor, Project Sponsor, CMO, Business Unit SMEs

    SoftwareReviews Advisory Insight:

    Marketers managing the lead scoring initiative must include Product Marketing, Sales, Inside Sales, and Product Management. And given that world-class B2B lead generation engines cannot run without technology enablement, Marketing Operations/IT – those that are charged with enabling marketing and sales – must also be part of the decision making and implementation process of lead scoring and lead generation.

    1.1.3 Select your lead scoring team

    30 minutes

    1. The CMO and other key stakeholders should discuss and determine who will be involved in the lead scoring project.
    • Business leaders in key areas – Product Marketing, Field Marketing, Digital Marketing, Inside Sales, Sales, Marketing Ops, Product Management, and IT – should be involved.
  • Document the members of your lead scoring team in tab 1 of the Lead Scoring Workbook.
    • The size of the team will vary depending on your initiative and size of your organization.
    InputOutput
    • Stakeholders
    • List of lead scoring team members
    MaterialsParticipants
    • Lead Scoring Workbook
    • Initiative Manager
    • CMO, Sponsoring Executive
    • Departmental Leads – Sales, Marketing, Product Marketing, Product Management (and others)
    • Marketing Applications Director
    • Senior Digital Business Analyst

    Download the Lead Scoring Workbook

    Lead scoring team

    Consider the core team functions when composing the lead scoring team. Form a cross-functional team (i.e. across IT, Marketing, Sales, Service, Operations) to create a well-aligned lead management/scoring strategy. Don’t let your core team become too large when trying to include all relevant stakeholders. Carefully limit the size of the team to enable effective decision making while still including functional business units.

    Required Skills/Knowledge

    Suggested Team Members

    Business
    • Understanding of the customer
    • Understanding of brand
    • Understanding of multichannel marketing: email, events, social
    • Understanding of lead qualification
    • Field Marketing/Campaign Lead
    • Product Marketing
    • Sales Manager
    • Inside Sales Manager
    • Content Marketer/Copywriter

    IT
    • Campaign management application capabilities
    • Digital marketing
    • Marketing and sales funnel Reporting/metrics
    • Marketing Application Owners
    • CRM/Sales Application Owners
    • Marketing Analytics Owners
    • Digital Platform Owners

    Other
    • Branding/creative
    • Social
    • Change management
    • Creative Director
    • Social Media Marketer

    Step 1.2 (Optional)

    Assess Your Tech Stack for Lead Scoring

    Our model assumes you have:

    1.2.1 A marketing application/campaign management application in place that accommodates lead scoring.

    1.2.2 Lead management software integrated with the sales automation/CRM tool in the hands of Field Sales.

    1.2.3 Reporting/analytics that spans the entire lead generation pipeline/funnel.

    Refer to the following three slides if you need guidance in these areas.

    This step will walk you through the following activities:

    • Confirm that you have your tech stack in place.
    • Set up an inquiry with an Info-Tech analyst should you require guidance on evaluating lead pipeline reporting, CRM, or analytics applications.

    This step involves the following participants:

    • Stakeholders
    • Project sponsors and leaders

    Outcomes of this step

    • Understanding of what new application and technology support is required to support lead scoring.

    SoftwareReviews Advisory Insight:

    Marketers that collaborate closely with Marketing Ops/IT early in the process of lead scoring design will be best able to assess whether current marketing applications and tools can support a full lead scoring capability.

    1.2.1 Plan technology support for marketing management apps

    Work with Marketing Ops and IT early to evaluate application enablement for lead management, including scoring

    A thorough evaluation takes months – start early

    • Work closely with Marketing Operations (or the team that manages the marketing apps and digital platforms) as early as possible to socialize your approach to lead scoring.
    • Work with them on a set of updated requirements for selecting a marketing management suite or for changes to existing apps and tools to support your lead scoring approach that includes lead tracking and marketing funnel analytics.
    • Access the Info-Tech blueprint Select a Marketing Management Suite, along with analyst inquiry support during the requirements definition, vendor evaluation, and vendor selection phases. Use the SoftwareReviews Marketing Management Data Quadrant during vendor evaluation and selection.

    SoftwareReviews Marketing Management Data Quadrant

    The image contains a screenshot of the Marketing Management Data Quadrant.

    1.2.2 Plan technology support for sales opportunity management

    Work with Marketing Ops and IT early to evaluate applications for sales opportunity management

    A thorough evaluation takes months – start early

    • Work closely with Sales Operations as early as possible to socialize your approach to lead scoring and how lead management must integrate with sales opportunity management to manage the entire marketing and sales funnel management process.
    • Work with them on a set of updated requirements for selecting a sales opportunity management application that integrates with your marketing management suite or for changes to existing apps and tools to support your lead management and scoring approach that support the entire marketing and sales pipeline with analytics.

    Access the Info-Tech blueprint Select and Implement a CRM Platform, along with analyst inquiry support during the requirements definition, vendor evaluation, and vendor selection phases. Use the SoftwareReviews CRM Data Quadrant during vendor evaluation and selection.

    SoftwareReviews Customer Relationship Management Data Quadrant

    The image contains a screenshot of the SoftwareReviews Customer Relationship Management Data Quadrant.

    1.2.3 Plan analytics support for marketing pipeline analysis

    Work with Marketing Ops early to evaluate analytics tools to measure marketing and sales pipeline conversions

    A thorough evaluation takes weeks – start early

    • Work closely with Marketing and Sales Operations as early as possible to socialize your approach to measuring the lifecycle of contacts through to wins across the entire marketing and sales funnel management process.
    • Work with them on a set of updated requirements for selecting tools that can support the measurement of conversion ratios from contact to MQL, SQL, and opportunity to wins. Having this data enables you to measure improvement in component parts to your lead generation engine.
    • Access the Info-Tech blueprint Select and Implement a Reporting and Analytics Solution, along with analyst inquiry support during the requirements definition, vendor evaluation and vendor selection phases. Use the SoftwareReviews Best Business intelligence & Analytics Software Data Quadrant as well during vendor evaluation and selection.

    SoftwareReviews Business Intelligence Data Quadrant

    The image contains a screenshot of the Software Reviews Business Intelligent Quadrant.

    Step 1.3

    Catalog Your Buyer Journey and Lead Gen Engine Assets

    Activities

    1.3.1 Review marketing pipeline terminology

    1.3.2 Describe your buyer journey

    1.3.3 Describe your awareness and lead generation engine

    This step will walk you through the following activities:

    • Discuss marketing funnel terminology.
    • Describe your buyer journey.
    • Catalog the elements of your lead generation engine.

    This step involves the following participants:

    • Stakeholders

    Outcomes of this step

    • Stakeholder alignment on terminology, your buyer journey, and elements of your lead generation engine

    1.3.1 Review marketing pipeline terminology

    30 minutes

    1. We assume for this model the following:
      1. Our primary objective is to deliver more, and more-highly qualified, sales-qualified leads (SQLs) to our salesforce. The salesforce will accept SQLs and after further qualification turn them into opportunities. Sellers work opportunities and turn them into wins. Wins that had first/last touch attribution within the lead gen engine are considered marketing-influenced wins.
      2. This model assumes the existence of sales development reps (SDRs) whose mission it is to take marketing-qualified leads (MQLs) from the lead generation engine and further qualify them into SQLs.
      3. The lead generation engine takes contacts – visitors to activities, website, etc. – and scores them based on their profile and engagement. If the contact scores at or above the designated threshold, the lead generation engine rates it as an MQL and passes it along to Inside Sales/SDRs. If the contact scores above a certain threshold and shows promise, it is further nurtured. If the contact score is low, it is ignored.
    2. If an organization does not possess a team of SDRs or Inside Sales, you would adjust your version of the model to, for example, raise the threshold for MQLs, and when the threshold is reached the lead generation engine would pass the lead to Field Sales for further qualification.

    Stage

    Characteristics

    Actions

    Contact
    • Unqualified
    • No/low activity

    Nurture

    SDR Qualify

    Send to Sales

    Close

    MQL
    • Profile scores high
    • Engagement strong

    SQL
    • Profile strengthened
    • Demo/quote/next step confirmed

    Oppt’y
    • Sales acceptance
    • Sales opportunity management

    Win
    • Deal closed

    SoftwareReviews Advisory Insight:

    Score leads in a way that makes it crystal clear whether they should be ignored, further nurtured, further qualified, or go right into a sellers’ hands as a super hot lead.

    1.3.2 Describe your buyer journey

    1. Understand the concept of the buyer journey:
      1. Typically Product Marketing is charged with establishing deep understanding of the target buyer for each product or solution through a complete buyer persona and buyer journey map. The details of how to craft both are covered in the upcoming SoftwareReviews Advisory blueprint Craft a More Comprehensive Go-to-Market Strategy. However, we share our Buyer Journey Template here (on the next slide) to illustrate the connection between the buyer journey and the lead generation and scoring processes.
      2. Marketers and campaigners developing the lead scoring methodology will work closely with Product Marketing, asking them to document the buyer journey.
      3. The value of the buyer journey is to guide asset/content creation, nurturing strategy and therefore elements of the lead generation engine such as web experience, email, and social content and other elements of engagement.
      4. The additional value of having a buyer persona is to also inform the ICP, which is an essential element of lead scoring.
      5. For the purposes of lead scoring, use the template on the next slide to create a simple form of the buyer journey. This will guide lead generation engine design and the scoring of activities later in our blueprint.

    2 hours

    On the following slide:

    1. Tailor this template to suit your buyer journey. Text in green is yours to modify. Text in black is instructional.
    2. Your objective is to use the buyer journey to identify asset types and a delivery channel that once constructed/sourced and activated within your lead gen engine will support the buyer journey.
    3. Keep your buyer journey updated based on actual journeys of sales wins.
    4. Complete different buyer journeys for different product areas. Complete these collaboratively with stakeholders for alignment.

    SoftwareReviews Advisory Insight:

    Establishing a buyer journey is one of the most valuable tools that, typically, Product Marketing produces. Its use helps campaigners, product managers, and Inside and Field Sales. Leading marketers keep journeys updated based on live deals and characteristics of wins.

    Buyer Journey Template

    Personas: [Title] e.g. “BI Director”

    The image contains a screenshot of the describe persona level as an example.

    [Persona name] ([levels it includes from arrows above]) Buyer’s Journey for [solution type] Vendor Selection

    The image contains a screenshot of the Personas Type example to demonstrate a specific IT role, end use in a relevant department.

    1.3.3 Describe Your Awareness and Lead Gen Engine

    1. Understand the workings of a typical awareness and lead generation engine. Reference the image of a lead gen engine on the following slide when reviewing our guidance below:
      1. In our lead scoring example found in the Lead Scoring Workbook, tab 3, “Weight and Test,” we use a software company selling a sales automation solution, and the engagement activities match with the Typical Awareness and Lead Gen Engine found on the following slide. Our goal is to match a visual representation of a lead gen and awareness engine with the activity scoring portion of lead scoring.
      2. At the top of the Typical Awareness and Lead Generation Engine image, the activities are activated by a team of various roles: digital manager (new web pages), campaign manager (emails and paid media), social media marketer (organic and paid social), and events marketing manager (webinars).
      3. “Awareness” – On the right, the slide shows additional awareness activities driven by the PR/Corporate Comms and Analyst Relations teams.*
      4. The calls to action (CTAs) found in the outreach activities are illustrated below the timeline. The CTAs are grouped and are designed to 1) drive profile capture data via a main sales form fill, and 2) drive engagement that corresponds to the Education, Solution, and Selection buyer journey phases outlined on the prior slide. Ensure you have fast paths to get a hot lead – request a demo – directly to Field Sales when profiles score high.

    * For guidance on best practices in engaging industry analysts, contact your engagement manager to schedule an inquiry with our expert in this area. during that inquiry, we will share best practices and recommended analyst engagement models.

    Lead Scoring Workbook

    2 hours

    On the following slide:

    1. Tailor the slide to describe your lead generation engine as you will use it when you get to latter steps to describe the activities in your lead gen engine and weight them for lead scoring.
    2. Use the template to see what makes up a typical lead gen and awareness building engine. Record your current engine parts and see what you may be missing.
    3. Note: The “Goal” image in the upper right of the slide is meant as a reminder that marketers should establish a goal for SQLs delivered to Field Sales for each campaign.

    SoftwareReviews Advisory Insight:

    Marketing’s primary mission is to deliver marketing-influenced wins (MIWs) to the company. Building a compelling awareness and lead gen engine must be done with that goal in mind. Leaders are ruthless in testing – copy, email subjects, website navigation, etc. – to fine-tune the engine and staying highly collaborative with sellers to ensure high value lead delivery.

    Typical Awareness and Lead Gen Engine

    Understand how a typical lead generation engine works. Awareness activities are included as a reference. Use as a template for campaigns.

    The image contains a screenshot of a diagram to demonstrate how a lead generation engine works.

    Phase 2

    Build and Test Your Lead Scoring Model

    Phase 1

    Phase 2

    Phase 3

    1.1 Establish a cross-functional vision for lead scoring

    1.2 Asses your tech stack for lead scoring (optional)

    1.3 Catalog your buyer journey and lead gen engine assets

    2.1 Start building your lead scoring model

    2.2 Identify and verify your IPC and weightings

    2.3 Establish key lead generation activities and assets

    3.1 Apply model to your marketing management software

    3.2 Test the quality of sales-accepted leads

    3.3 Apply advanced methods

    This phase will walk you through the following activities:

    1. Understand the Lead Scoring Grid and establish thresholds.
    2. Collaborate with stakeholders on your ICP, apply weightings to profile attributes and values, and test.
    3. Identify the key activities and assets of your lead gen engine, weight attributes, and run tests.

    This phase involves the following participants:

    • Field Marketing/Campaign Manager
    • Product Marketing
    • Sales Leadership/Sales Operations
    • Inside Sales leadership
    • Marketing Operations/IT
    • Digital Platform leadership

    Step 2.1

    Start Building Your Lead Scoring Model

    Activities

    2.1.1 Understand the Lead Scoring Grid

    2.1.2 Identify thresholds

    This step will walk you through the following activities:

    • Discuss the concept of the thresholds for scoring leads in each of the various states – “ignore,” “nurture,” “qualify,” “send to sales.”
    • Open the Lead Scoring Workbook and validate your own states to suit your organization.
    • Arrive at an initial set of threshold scores.

    This step involves the following participants:

    • Stakeholders

    Outcomes of this step

    • Stakeholder alignment on stages
    • Stakeholder alignment on initial set of thresholds

    2.1.1 Understand the Lead Scoring Grid

    30 minutes

    1. Understand how lead scoring works and our grid is constructed.
    2. Understand the two important areas of the grid and the concept of how the contact’s scores will increase as follows:
      1. Profile – as the profile attributes of the contact approaches that of the ICP we want to score the contact/prospect higher. Note: Step 1.3 walks you through creating your ICP.
      2. Engagement – as the contact/prospect engages with the activities (e.g. webinars, videos, events, emails) and assets (e.g. website, whitepapers, blogs, infographics) in our lead generation engine, we want to score the contact/prospect higher. Note: You will describe your engagement activities in this step.
    3. Understand how thresholds work:
      1. Threshold percentages, when reached, trigger movement of the contact from one state to the next – “ignore,” “nurture,” “qualify with Inside Sales,” and “send to sales.”
    The image contains a screenshot of an example of the lead scoring grid, as described in the text above.

    2.1.2 Identify thresholds

    30 minutes

    We have set up a model Lead Scoring Grid – see Lead Scoring Workbook, tab 2, “Identify Thresholds.”

    Set your thresholds within the Lead Scoring Workbook:

    • Set your threshold percentages for ”Profile” and “Engagement.”
    • You will run test scenarios for each in later steps.
    • We suggest you start with the example percentages given in the Lead Scoring Workbook and plan to adjust them during testing in later steps.
    • Define the “Send to Sales,” “Qualify With Inside Sales,” “Nurture,” and “Ignore” zones.

    SoftwareReviews Advisory Insight:

    Clarify that all-important threshold for when a lead passes to your expensive and time-starved outbound sellers.

    The image contains a screenshot of the Lead Scoring Workbook, tab 2 demonstrating the Lead Scoring Grid.

    Lead Scoring Workbook

    Step 2.2

    Identify and Verify Your Ideal Customer Profile and Weightings

    Activities

    2.2.1 Identify your ideal customer profile

    2.2.2 Run tests to validate profile weightings

    This step will walk you through the following activities:

    • Identify the attributes that compose the ICP.
    • Identify the values of each attribute and their weightings.
    • Test different contact profile scenarios against what actually makes sense.
    • Adjust weightings if needed.

    This step involves the following participants:

    • Stakeholders

    Outcomes of this step

    • Stakeholder alignment on ICP
    • Stakeholder alignment on weightings given to attributes
    • Tested results to verify thresholds and cores

    2.2.1 Identify your ideal customer profile

    Collaborate with stakeholders to understand what attributes best describe your ICP. Assign weightings and subratings.

    2 hours

    1. Choose attributes such as job role, organization type, number of employees/potential seat holders, geographical location, interest area, etc., that describe the ideal profile of a target buyer. Best practice sees marketers choosing attributes based on real wins.
    2. Some marketers compare the email domain of the contact to a target list of domains. In the Lead Scoring Workbook, tab 3, “Weight and Test,” we provide an example profile for a “Sales Automation Software” ICP.
    3. Use the workbook as a template, remove our example, and create your own ICP attributes. Then weight the attributes to add up to 100%. Add in the attribute values and weight them. In the next step you will test scenarios.

    SoftwareReviews Advisory Insight:

    Marketers who align with colleagues in areas such as Product Marketing, Sales, Inside Sales, Sales Training/Enablement, and Product Managers and document the ICP give their organizations a greater probability of lead generation success.

    The image contains a screenshot of tab 3, demonstrating the weight and test with the example profile.

    Lead Scoring Workbook

    2.2.2 Run tests to validate profile weightings

    Collaborate with stakeholders to run different profile scenarios. Validate your model including thresholds.

    The image contains a screenshot of tab 3 to demonstrate the next step of running tests to validate profile weightings.

    SoftwareReviews Advisory Insight:

    Keep your model simple in the interest of fast implementation and to drive early learnings. The goal is not to be perfect but to start iterating toward success. You will update your scoring model even after going into production.

    2 hours

    1. Choose scenarios of contact/lead profile attributes by placing a “1” in the “Attribute” box shown at left.
    2. Place your estimate of how you believe the profile should score in the box to the right of “Estimated Profile State.” How does the calculated state, beneath, compare to the estimated state?
    3. In cases where the calculated state differs from your estimated state, consider weighting the profile attribute differently to match.
    4. If you find estimates and calculated states off dramatically, consider changing previously determined thresholds in tab 2, “Identify Thresholds.” Test multiple scenarios with your team.

    Lead Scoring Workbook

    Step 2.3

    Establish Key Lead Generation Activities and Assets

    Activities

    2.3.1 Establish activities, attribute values, and weights

    2.3.2 Run tests to evaluate activity ratings

    This step will walk you through the following activities:

    • Identify the activities/asset types in your lead gen engine.
    • Weight each attribute and define values to score for each one.
    • Run tests to ensure your model makes sense.

    This step involves the following participants:

    • Stakeholders
    • Project sponsors and leaders

    Outcomes of this step

    • Final stakeholder alignment on which assets compose your lead generation engine
    • Scoring model tested

    2.3.1 Establish activities, attribute values, and weights

    2 hours

    1. Catalog the assets and activities that compose your lead generation engine outlined in Activity 1.3.3. Identify their attribute values and weight them accordingly.
    2. Consider weighting attributes and values according to how close that asset gets to conveying your ideal call to action. For example, if your ideal CTA is “schedule a demo” and the “click” was submitted in the last seven days, it scores 100%. Take time decay into consideration. If that same click was 60 days ago, it scores less – maybe 60%.
    3. Different assets convey different intent and therefore command different weightings; a video comparing your offering against the competition, considered a down funnel asset, scores higher than the company video, considered a top-of-the-funnel activity and “awareness.”
    The image contains a screenshot of the next step of establishing activities, attribute values, and weights.

    Lead Scoring Workbook

    2.3.2 Run tests to validate activity weightings

    Collaborate with stakeholders to run different engagement scenarios. Validate your model including thresholds.

    The image contains a screenshot of activity 2.3.2: run tests to validate activity weightings.

    SoftwareReviews Advisory Insight:

    Use data from actual closed deals and the underlying activities to build your model – nothing like using facts to inform your key decisions. Use common sense and keep things simple. Then update further when data from new wins appears.

    2 hours

    1. Test scenarios of contact engagement by placing a “1” in the “Attribute” box shown at left.
    2. Place your estimate of how you believe the engagement should score in the box to the right of “Estimated Engagement State.” How does the calculated state, beneath, compare to the estimated state?
    3. In cases where the calculated state differs from your estimated state, consider weighting the activity attribute differently to match.
    4. If you find that the estimates and calculated states are off dramatically, consider changing previously determined thresholds in tab 2, “Identify Thresholds.” Test multiple scenarios with your team.

    Lead Scoring Workbook

    Phase 3

    Apply Your Model to Marketing Apps and Go Live With Better Qualified Leads

    Phase 1

    Phase 2

    Phase 3

    1.1 Establish a cross-functional vision for lead scoring

    1.2 Asses your tech stack for lead scoring (optional)

    1.3 Catalog your buyer journey and lead gen engine assets

    2.1 Start building your lead scoring model

    2.2 Identify and verify your IPC and weightings

    2.3 Establish key lead generation activities and assets

    3.1 Apply model to your marketing management software

    3.2 Test the quality of sales-accepted leads

    3.3 Apply advanced methods

    This phase will walk you through the following activities:

    1. Apply model to your marketing management/campaign management software.
    2. Get better qualified leads in the hands of sellers.
    3. Apply lead nurturing and other advanced methods.

    This phase involves the following participants:

    • Field Marketing/Campaign Manager
    • Sales Leadership/Sales Operations
    • Inside Sales leadership
    • Marketing Operations/IT
    • Digital Platform leadership

    Step 3.1

    Apply Model to Your Marketing Management Software

    Activities

    3.1.1 Apply final model to your lead management software

    This step will walk you through the following activities:

    • Apply the details of your scoring model to the lead management software.

    This step involves the following participants:

    • Stakeholders
    • Project sponsors and leaders

    Outcomes of this step

    • Marketing management software or campaign management application is now set up/updated with your lead scoring approach.

    3.1.1 Apply final model to your lead management software

    Now that your model is complete and ready to go into production, input your lead scoring parameters into your lead management software.

    The image contains a screenshot of activity 3.1.1 demonstrating tab 4 of the Lead Scoring Workbook.

    3 hours

    1. Go to the Lead Scoring Workbook, tab 4, “Model Summary” for a formatted version of your lead scoring model. Double-check print formatting and print off a copy.
    2. Use the copy of your model to show to prospective technology providers when asking them to demonstrate their lead scoring capabilities.
    3. Once you have finalized your model, use the printed output from this tab to ease your process of transposing the corresponding model elements into your lead management software.

    Lead Scoring Workbook

    Step 3.2

    Test the Quality of Sales-Accepted Leads

    Activities

    3.2.1 Achieve sales lead acceptance

    3.2.2 Measure and optimize

    This step will walk you through the following activities:

    • Suggest that the Inside Sales and Field Sales teams should assess whether to sign off on quality of leads received.
    • Campaign managers and stakeholders should now be able to track lead status more effectively.

    This step involves the following participants:

    • Stakeholders
    • Project sponsors and leaders

    Outcomes of this step

    • Sales leadership should be able to sign off that leads are better qualified.
    • With marketing pipeline analytics in place, campaigners can start to measure lead flow and conversion rates.

    3.2.1 Achieve sales lead acceptance

    Collaborate with sellers to validate your lead scoring approach.

    1 hour

    1. Gather a set of SQLs – leads that have been qualified by Inside Sales and delivered to Field Sales. Have Field Sales team members convey whether these leads were properly qualified.
    2. Where leads are deemed not properly qualified, determine if the issue was a) a lack of proper qualification by the Inside Sales team, or b) the lead generation engine, which should have further nurtured the lead or ignored it outright.
    3. Work collaboratively with Inside Sales to update your lead scoring model and/or Inside Sales practice.

    Stage

    Characteristics

    Actions

    Contact

    • Unqualified
    • No/low activity

    Nurture

    SDR Qualify

    Send to Sales

    Close

    MQL

    • Profile scores high
    • Engagement strong

    SQL

    • Profile strengthened
    • Demo/quote/next step confirmed

    Oppt’y

    • Sales acceptance
    • Sales opportunity management

    Win

    • Deal closed

    SoftwareReviews Advisory Insight:

    Marketers that collaborate with Sales – and in this case, a group of sellers as a sales advisory team – well in advance of sales acceptance to design lead scoring will save time during this stage, build trust with sellers, and make faster decisions related to lead management/scoring.

    3.2.2 Measure and optimize

    Leverage analytics that help you optimize your lead scoring methodology.

    Ongoing

    1. Work with Marketing Ops/IT team to design and implement analytics that enable you to:
    2. Meet frequently with your stakeholder team to review results.
    3. Learn from the wins: see how they actually scored and adjust thresholds and/or asset/activity weightings.
    4. Learn from losses: fix ineffective scoring, activities, assets, form-fill strategies, and engagement paths.
    5. Test from both wins and losses if demographic weightings are delivering accurate scores.
    6. Analyze those high scoring leads that went right to sellers but did not close. This could point to a sales training or enablement challenge.
    The image contains a screenshot of the lead scoring dashboard.

    Analytics will also drive additional key insights across your lead gen engine:

    • Are volumes increasing or decreasing? What percentage of leads are in what status (A1-D4)?
    • What nurturing will re-engage stalled leads that score high in profile but low in engagement (A3, B3)?
    • Will additional profile data capture further qualify leads with high engagement (C1, C2)?
    • And beyond all of the above, what leads move to Inside Sales and convert to SQLs, opportunities, and eventually marketing-influenced wins?

    Step 3.3

    Apply Advanced Methods

    Activities

    3.3.1 Employ lead nurturing strategies

    3.3.2 Adjust your model over time to accommodate more advanced methods

    This step will walk you through the following activities:

    • Apply lead nurturing to your lead gen engine.
    • Adjust your engine over time with more advanced methods.

    This step involves the following participants:

    • Stakeholders
    • Project sponsors and leaders

    Outcomes of this step

    • Marketers can begin to test lead nurturing strategies and other advanced methods.

    3.3.1 Employ lead nurturing strategies

    A robust content marketing competence with compelling assets and the capture of additional profile data for qualification are key elements of your nurturing strategy.

    The image contains a screenshot of the Lead Scoring Grid with a focus on Nurture.

    SoftwareReviews Advisory Insight:

    Nurturing success combines the art of crafting engaging copy/experiences and the science of knowing just where a prospect is within your lead gen engine. Great B2B marketers demonstrate the discipline of knowing when to drive engagement and/or additional profile attribute capture using intent while not losing the prospect to over-profiling.

    Ongoing

    1. The goal of lead nurturing is to move the collection of contacts/leads that are scoring, for example, in the A3, B3, C1, C2, and C3 cells into A2, B2, and B1 cells.
    2. How is this best done? To nurture leads that are A3 and B3, entice the prospect with engagement that leads to the bottom of funnel – e.g. “schedule a demo” or “schedule a consultation” via a compelling asset. See the example on the following slide.
    3. To nurture C1 and C2, we need to qualify them further, so entice with an asset that leads to deeper profile knowledge.
    4. For C3 leads, we need both profile and activity nurturing.

    Lead nurturing example

    The image contains an example of a lead nurturing example.

    SoftwareReviews Advisory Insight:

    When nurturing, choose/design content as to what “intent” it satisfies. For example, a head-to-head comparison with a key competitor signals “Selection” phase of the buyer journey. Content that helps determine what app-type to buy signals “Solution”. A company video, or a webinar replay, may mean your buyer is “educating themselves.

    3.3.2 Adjust your model over time to accommodate more advanced methods

    When getting started or within a smaller marketing team, focus on the basics outlined thus far in this blueprint. Larger and/or more experienced teams are able to employ more advanced methods.

    Ongoing

    Advanced Methods

    • Invest in technologies that interpret lead scores and trigger next-step actions, especially outreach by Inside and/or Field Sales.
    • Use the above to route into nurturing environments where additional engagement will raise scores and trigger action.
    • Recognize that lead value decays with time to time additional outreach/activities and to reduce lead scores over time.
    • Always be testing different engagement, copy, and subsequent activities to optimize lead velocity through your lead gen engine.
    • Build intent sensitivity into engagement activities; e.g. test if longer demo video engagement times imply ”contact me for a demo” via a qualification outreach. Update scores manually to drive learnings.
    • Vary engagement paths by demographics to deliver unique digital experiences. Use firmographics/email domain to drive leads through a more tailored account-based marketing (ABM) experience.
    • Reapply learnings from closed opportunities/wins to drive updates to buyer journey mapping and your ICP.

    Frequently used acronyms

    ABM

    Account-Based Marketing

    B2B

    Business to Business

    CMO

    Chief Marketing Officer

    CRM

    Customer Relationship Management

    ICP

    Ideal Customer Profile

    MIW

    Marketing-Influenced Win

    MQL

    Marketing-Qualified Lead

    SDR

    Sales Development Representative

    SQL

    Sales-Qualified Lead

    Works cited

    Arora, Rajat. “Mining the Real Gems from you Data – Lead Scoring and Engagement Scoring.” LeadSquared, 27 Sept. 2014. Web.

    Doyle, Jen. “2012 B2B Marketing Benchmark Report: Research and insights on attracting and converting the modern B2B buyer.” MarketingSherpa, 2012. Web.

    Doyle, Jen, and Sergio Balegno. “2011 MarketingSherpa B2B Marketing Benchmark Survey: Research and Insights on Elevating Marketing Effectiveness from Lead Generation to Sales Conversion.” MarketingSherpa, 2011.

    Kirkpatrick, David. “Lead Scoring: CMOs realize a 138% lead gen ROI … and so can you.” marketingsherpa blog, 26 Jan 2012. Web.

    Moser, Jeremy. “Lead Scoring Is Important for Your Business: Here’s How to Create Scoring Model and Hand-Off Strategy.” BigCommerce, 25 Feb. 2019. Web.

    Strawn, Joey. “Why Lead Scoring Is Important for B2Bs (and How You Can Implement It for Your Company.” IndustrialMarketer.com, 17 Aug. 2016. Web.

    Select an EA Tool Based on Business and User Need

    • Buy Link or Shortcode: {j2store}274|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: $62,999 Average $ Saved
    • member rating average days saved: 18 Average Days Saved
    • Parent Category Name: Architecture Domains
    • Parent Category Link: /architecture-domains
    • A mature EA function is increasingly becoming an organizational priority to drive innovation, provide insight, and define digital capabilities.
    • Proliferation of digital technology has increased complexity, straining the EA function to deliver insights.
    • An EA tool increases the efficiency with which the EA function can deliver insights, but a large number of organizations have not a selected an EA tool that suits their needs.

    Our Advice

    Critical Insight

    • EA tool value largely comes from tying organizational context and requirements to the selection process.
    • Organizations that have selected an EA tool often fail to have it adopted and show its true value. To ensure successful adoption and value delivery, the EA tool selection process must account for the needs of business stakeholders and tool users.

    Impact and Result

    • Link the need for the EA tool to your organization’s EA value proposition. The connection enables the EA tool to address the future needs of stakeholders and the design style of the EA team.
    • Use Info-Tech’s EA Solution Recommendation Tool to create a shortlist of EA tools that is suited to the preferences of the organization.
    • Gather additional information on the shortlist of EA tool vendors to narrow down the selection using the EA Tool Request for Information Template.

    Select an EA Tool Based on Business and User Need Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should procure an EA tool in the digital age, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Select an EA Tool Based on Business and User Need – Executive Brief
    • Select an EA Tool Based on Business and User Need – Phases 1-3

    1. Make the case

    Decide if an EA tool is needed in your organization and define the requirements of EA tool users.

    • Select an EA Tool Based on Business and User Need – Phase 1: Make the Case
    • EA Value Proposition Template
    • EA Tool User Requirements Template

    2. Shortlist EA tools

    Determine your organization’s preferences in terms of product capabilities and vendor characteristics.

    • Select an EA Tool Based on Business and User Need – Phase 2: Shortlist EA Tools
    • EA Solution Recommendation Tool

    3. Select and communicate the process

    Gather information on shortlisted vendors and make your final decision.

    • Select an EA Tool Based on Business and User Need – Phase 3: Select and Communicate the Process
    • EA Tool Request for Information Template
    • EA Tool Demo Script Template
    • Request for Proposal (RFP) Template
    • EA Tool Selection Process Template
    [infographic]

    Security Priorities 2023

    • Buy Link or Shortcode: {j2store}254|cart{/j2store}
    • member rating overall impact: 9.0/10 Overall Impact
    • member rating average dollars saved: $909 Average $ Saved
    • member rating average days saved: 1 Average Days Saved
    • Parent Category Name: Security Strategy & Budgeting
    • Parent Category Link: /security-strategy-and-budgeting
    • Most people still want a hybrid work model but there is a shortage in security workforce to maintain secure remote work, which impacts confidence in the security practice.
    • Pressure of operational excellence drives organizational modernization with the consequence of higher risks of security attacks that impact not only cyber but also physical systems.
    • The number of regulations with stricter requirements and reporting is increasing, along with high sanctions for violations.
    • Accurate assessment of readiness and benefits to adopt next-gen cybersecurity technologies can be difficult. Additionally, regulation often faces challenges to keep up with next-gen cybersecurity technologies implications and risks of adoption, which may not always be explicit.
    • Software is usually produced as part of a supply chain instead in a silo. Thus, a vulnerability in any part of the supply chain can become a threat surface.

    Our Advice

    Critical Insight

    • Secure remote work still needs to be maintained to facilitate the hybrid work model post pandemic.
    • Despite all the cybersecurity risks, organizations continue modernization plans due to the long-term overall benefits. Hence, we need to secure organization modernization.
    • Organizations should use regulatory changes to improve security practices, instead of treating them as a compliance burden.
    • Next-gen cybersecurity technologies alone are not the silver bullet. A combination of technologies with skilled talent, useful data, and best practices will give a competitive advantage.

    Impact and Result

    • Use this report to help decide your 2023 security priorities by:
      • Collecting and analyzing your own related data, such as your organization 2022 incident reports. Use Info-Tech’s Security Priorities 2023 material for guidance.
      • Identifying your needs and analyzing your capabilities. Use Info-Tech's template to explain the priorities you need to your stakeholders.
      • Determining the next steps. Refer to Info-Tech's recommendations and related research.

    Security Priorities 2023 Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Security Priorities 2023 Report – A report to help decide your 2023 security priorities.

    Each organization is different, so a generic list of security priorities will not be applicable to every organization. Thus, you need to:

  • Collect and analyze your own related data such as your organization 2022 incident reports. Use Info-Tech’s Security Priorities 2023 material for guidance.
  • Identify your needs and analyze your capabilities. Use Info-Tech's template to explain the priorities you need to your stakeholders.
  • Refer to Info-Tech's recommendations and related research for guidance on the next steps.

    • Security Priorities 2023 Report

    Infographic

    Further reading

    Security Priorities 2023

    How we live post pandemic

    Each organization is different, so a generic list of priorities will not be applicable to every organization.

    During 2022, ransomware campaigns declined from quarter to quarter due to the collapse of experienced groups. Several smaller groups are developing to recapture the lost ransomware market. However, ransomware is still the most worrying cyber threat.

    Also in 2022, people returned to normal activities such as traveling and attending sports or music events but not yet to the office. The reasons behind this trend can be many fold, such as employees perceive that work from home (WFH) has positive productivity effects and time flexibility for employees, especially for those with families with younger children. On the other side of the spectrum, some employers perceive that WFH has negative productivity effects and thus are urging employees to return to the office. However, employers also understand the competition to retain skilled workers is harder. Thus, the trend is to have hybrid work where eligible employees can WFH for a certain portion of their work week.

    Besides ransomware and the hybrid work model, in 2022, we saw an evolving threat landscape, regulatory changes, and the potential for a recession by the end of 2023, which can impact how we prioritize cybersecurity this year. Furthermore, organizations are still facing the ongoing issues of insufficient cybersecurity resources and organization modernization.

    This report will explore important security trends, the security priorities that stem from these trends, and how to customize these priorities for your organization.

    In Q2 2022, the median ransom payment was $36,360 (-51% from Q1 2022), a continuation of a downward trend since Q4 2021 when the ransom payment median was $117,116.
    Source: Coveware, 2022

    From January until October 2022, hybrid work grew in almost all industries in Canada especially finance, insurance, real estate, rental and leasing (+14.7%), public administration and professional services (+11.8%), and scientific and technical services (+10.8%).
    Source: Statistics Canada, Labour Force Survey, October 2022; N=3,701

    Hybrid work changes processes and infrastructure

    Investment on remote work due to changes in processes and infrastructure

    As part of our research process for the 2023 Security Priorities Report, we used the results from our State of Hybrid Work in IT Survey, which collected responses between July 10 and July 29, 2022 (total N=745, with n=518 completed surveys). This survey details what changes in processes and IT infrastructure are likely due to hybrid work.

    Process changes to support hybrid work

    A bar graph is depicted with the following dataset: None of the above - 12%; Change management - 29%; Asset management - 34%; Service request support - 41%; Incident management - 42%

    Survey respondents (n=518) were asked what processes had the highest degree of change in response to supporting hybrid work. Incident management is the #1 result and service request support is #2. This is unsurprising considering that remote work changed how people communicate, how they access company assets, and how they connect to the company network and infrastructure.

    Infrastructure changes to support hybrid work

    A bar graph is depicted with the following dataset: Changed queue management and ticketing system(s) - 11%; Changed incident and service request processes - 23%; Addition of chatbots as part of the Service Desk intake process - 29%; Reduced the need for recovery office spaces and alternative work mitigations - 40%; Structure & day-to-day operation of Service Desk - 41%; Updated network architecture - 44%

    For 2023, we believe that hybrid work will remain. The first driver is that employees still prefer to work remotely for certain days of the week. The second driver is the investment from employers on enabling WFH during the pandemic, such as updated network architecture (44%) and the infrastructure and day-to-day operations (41%) as shown on our survey.

    Top cybersecurity concerns and organizational preparedness for them

    Concerns may correspond to readiness.

    In the Info-Tech Research Group 2023 Trends and Priorities Survey of IT professionals, we asked about cybersecurity concerns and the perception about readiness to meet current and future government legislation regarding cybersecurity requirements.

    Cybersecurity issues

    A bar graph is depicted with the following dataset: Cyber risks are not on the radar of the executive leaders or board of directors - 3.19; Organization is not prepared to respond to a cyber attack - 3.08; Supply chain risks related to cyber threats - 3.18; Talent shortages leading to capacity constraints in cyber security - 3.51; New government or industry-imposed regulations - 3.15

    Survey respondents were asked how concerned they are about certain cybersecurity issues from 1 (not concerned at all) to 5 (very concerned). The #1 concern was talent shortages. Other issues with similar concerns included cyber risks not on leadership's radar, supply chain risks, and new regulations (n=507).

    Cybersecurity legislation readiness

    A bar graph is depicted with the following dataset: 1 (Not confident at all) - 2.4%; 2 - 11.2%; 3 - 39.7%; 4 - 33.3%; 5 (Very confident) - 13.4%

    When asked about how confident organizations are about being prepared to meet current and future government legislation regarding cybersecurity requirements, from 1 (not confident at all) to 5 (very confident), the #1 response was 3 (n=499).

    Unsurprisingly, the ever-changing government legislation environment in a world emerging from a pandemic and ongoing wars may not give us the highest confidence.

    We know the concerns and readiness…

    But what is the overall security maturity?

    As part of our research process for the 2023 Security Priorities Report, we reviewed results of completed Info-Tech Research Group Security Governance and Management Benchmark diagnostics (N=912). This report details what we see in our clients' security governance maturity. Setting aside the perception on readiness – what are their actual security maturity levels?

    A bar graph is depicted with the following dataset: Security Culture - 47%; Policy and Process Governance - 47%; Event and Incident Management - 58%; Vulnerability - 57%; Auditing - 52%; Compliance Management - 58%; Risk Analysis - 52%

    Overall, assessed organizations are still scoring low (47%) on Security Culture and Policy and Process Governance. This justifies why most security incidents are still due to gaps in foundational security and security awareness, not lack of advanced controls such as event and incident management (58%).

    And how will the potential recession impact security?

    Organizations are preparing for recession, but opportunities for growth during recession should be well planned too.

    As part of our research process for the 2023 Security Priorities Report, we reviewed the results of the Info-Tech Research Group 2023 Trends and Priorities Survey of IT professionals, which collected responses between August 9 and September 9, 2022 (total N=813 with n=521 completed surveys).

    Expected organizational spending on cybersecurity compared to the previous fiscal year

    A bar graph is depicted with the following dataset: A decrease of more than 10% - 2.2%; A decrease of between 1-10% - 2.6%; About the same - 41.4%; An increase of between 1-10% - 39.6%; An increase of more than 10% - 14.3%

    Keeping the same spending is the #1 result and #2 is increasing spending up to 10%. This is a surprising finding considering the survey was conducted after the middle of 2022 and a recession has been predicted since early 2022 (n=489).

    An infographic titled Cloudy with a Chance of Recession

    Source: Statista, 2022, CC BY-ND

    US recession forecast

    Contingency planning for recessions normally includes tight budgeting; however, it can also include opportunities for growth such as hiring talent who have been laid off by competitors and are difficult to acquire in normal conditions. This can support our previous findings on increasing cybersecurity spending.

    Five Security Priorities for 2023

    This image describes the Five Security Priorities for 2023.

    Maintain Secure Hybrid Work

    PRIORITY 01

    • HOW TO STRATEGICALLY ACQUIRE, RETAIN, OR UPSKILL TALENT TO MAINTAIN SECURE SYSTEMS.

    Executive summary

    Background

    If anything can be learned from COVID-19 pandemic, it is that humans are resilient. We swiftly changed to remote workplaces and adjusted people, processes, and technologies accordingly. We had some hiccups along the way, but overall, we demonstrated that our ability to adjust is amazing.

    The pandemic changed how people work and how and where they choose to work, and most people still want a hybrid work model. However, the number of days for hybrid work itself varies. For example, from our survey in July 2022 (n=516), 55.8% of employees have the option of 2-3 days per week to work offsite, 21.0% for 1 day per week, and 17.8% for 4 days per week.

    Furthermore, the investment (e.g. on infrastructure and networks) to initiate remote work was huge, and the cost doesn't end there, as we need to maintain the secure remote work infrastructure to facilitate the hybrid work model.

    Current situation

    Remote work: A 2022 survey by WFH Research (N=16,451) reports that ~14% of full-time employees are fully remote and ~29% are in a hybrid arrangement as of Summer-Fall 2022.

    Security workforce shortage: A 2022 survey by Bridewell (N=521) reports that 68% of leaders say it has become harder to recruit the right people, impacting organizational ability to secure and monitor systems.

    Confidence in the security practice: A 2022 diagnostic survey by Info-Tech Research Group (N=55) reports that importance may not correspond to confidence; for example, the most important selected cybersecurity area, namely Data Access/Integrity (93.7%), surprisingly has the lowest confidence of the practice (80.5%).

    "WFH doubled every 15 years pre-pandemic. The increase in WFH during the pandemic was equal to 30 years of pre-pandemic growth."

    Source: National Bureau of Economic Research, 2021

    Leaders must do more to increase confidence in the security practice

    Importance may not correspond to confidence

    As part of our research process for the 2023 Security Priorities Report, we analyzed results from the Info-Tech Research Group diagnostics. This report details what we see in our clients' perceived importance of security and their confidence in existing security practices.

    Cybersecurity importance

    A bar graph is depicted with the following dataset: Importance to the Organization - 94.3%; Importance to My Department 92.2%

    Cybersecurity importance areas

    A bar graph is depicted with the following dataset: Mobility (Remote & Mobile Access) - 90.2%; Regulatory Compliance - 90.1%; Desktop Computing - 90.9%; Data Access / Integrity - 93.7%

    Confidence in cybersecurity practice

    A bar graph is depicted with the following dataset: Confidence in the Organization's Overall Security - 79.4%; Confidence in Security for My Department - 79.8%

    Confidence in cybersecurity practice areas

    A bar graph is depicted with the following dataset: Mobility (Remote & Mobile Access) - 75.8%; Regulatory Compliance - 81.5%; Desktop Computing - 80.9%; Data Access / Integrity - 80.5%

    Diagnostics respondents (N=55) were asked about how important security is to their organization or department. Importance to the overall organization is 2.1 percentage points (pp) higher, but confidence in the organization's overall security is slightly lower (-0.4 pp).

    If we break down to security areas, we can see that the most important area, Data Access/Integrity (93.7%), surprisingly has the lowest confidence of the practice: 80.5%. From this data we can conclude that leaders must build a strong cybersecurity workforce to increase confidence in the security practice.

    Use this template to explain the priorities you need your stakeholders to know about.

    Maintain secure hybrid work plan

    Provide a brief value statement for the initiative.

    Build a strong cybersecurity workforce to increase confidence in the security practice to facilitate hybrid work.

    Initiative Description:

    • Description must include what organization will undertake to complete the initiative.
    • Review your security strategy for hybrid work.
    • Identify skills gaps that hinder the successful execution of the hybrid work security strategy.
    • Use the identified skill gaps to define the technical skill requirements for current and future work roles.
    • Conduct a skills assessment on your current workforce to identify employee skill gaps.
    • Decide whether to train, hire, contract, or outsource each skill gap.

    Drivers:

    List initiative drivers.

    • Employees still prefer to WFH for certain days of the week.
    • The investment on WFH during pandemic such as updated network architecture and infrastructure and day-to-day operations.
    • Tech companies' huge layoffs, e.g. Meta laid off more than 11,000 employees.

    Risks:

    List initiative risks and impacts.

    • Unskilled workers lacking certificates or years of experience who are trained and become skilled workers then quit or are hijacked by competitors.
    • Organizational and cultural changes cause friction with work-life balance.
    • Increased attack surface of remote/hybrid workforce.

    Benefits:

    List initiative benefits and align to business benefits or benefits for the stakeholder groups that it impacts.

    • Increase perceived productivity by employees and increase retention.
    • Increase job satisfaction and work-life balance.
    • Hiring talent that has been laid off who are difficult to acquire in normal conditions.

    Related Info-Tech Research:

    Recommended Actions

    1. Identify skill requirements to maintain secure hybrid work

    Review your security strategy for hybrid work.

    Determine the skill needs of your security strategy.

    2. Identify skill gaps

    Identify skills gaps that hinder the successful execution of the hybrid work security strategy.

    Use the identified skill gaps to define the technical skill requirements for work roles.

    3. Decide whether to build or buy skills

    Conduct a skills assessment on your current workforce to identify employee skill gaps.

    Decide whether to train, hire, contract, or outsource each skill gap.

    Source: Close the InfoSec Skills Gap: Develop a Technical Skills Sourcing Plan, Info-Tech

    Secure Organization Modernization

    PRIORITY 02

    • TRENDS SUGGEST MODERNIZATION SUCH AS DIGITAL
      TRANSFORMATION TO THE CLOUD, OPERATIONAL TECHNOLOGY (OT),
      AND THE INTERNET OF THINGS (IOT) IS RISING; ADDRESSING THE RISK
      OF CONVERGING ENVIRONMENTS CAN NO LONGER BE DEFERRED.

    Executive summary

    From computerized milk-handling systems in Wisconsin farms, to automated railway systems in Europe, to Ausgrid's Distribution Network Management System (DNMS) in Australia, to smart cities and beyond; system modernization poses unique challenges to cybersecurity.

    The threats can be safety, such as the trains stopped in Denmark during the last weekend of October 2022 for several hours due to an attack on a third-party IT service provider; economics, such as a cream cheese production shutdown that occurred at the peak of cream cheese demand in October 2021 due to hackers compromising a large cheese manufacturer's plants and distribution centers; and reliability, such as the significant loss of communication for the Ukrainian military, which relied on Viasat's services.

    Despite all the cybersecurity risks, organizations continue modernization plans due to the long-term overall benefits.

    Current situation

    • Pressure of operational excellence: Competitive markets cannot keep pace with demand without modernization. For example, in automated milking systems, the labor time saved from milking can be used to focus on other essential tasks such as the decision-making process.
    • Technology offerings: Technologies are available and affordable such as automated equipment, versatile communication systems, high-performance human machine interaction (HMI), IIoT/Edge integration, and big data analytics.
    • Higher risks of cyberattacks: Modernization enlarges attack surfaces, which are not only cyber but also physical systems. Most incidents indicate that attackers gained access through the IT network, which was followed by infiltration into OT networks.

    IIoT market size is USD 323.62 billion in 2022 and projected to be around USD 1 trillion in 2028.

    Source: Statista,
    March 2022

    Modernization brings new opportunities and new threats

    Higher risks of cyberattacks on Industrial Control System (ICS)

    Target: Australian sewage plant.

    Method: Insider attack. Impact: 265,000 gallons of untreated sewage released.

    Target: Middle East energy companies.

    Method: Shamoon.

    Impact: Overwritten Windows-based systems files.

    Target: German Steel Mill

    Method: Spear-phishing

    Impact: Blast furnace control shutdown failure.

    Target: Middle East Safety Instrumented System (SIS).

    Method: TRISIS/TRITON.

    Impact: Modified safety system ladder logic.

    Target: Viasat's KA-SAT Network.

    Method: AcidRain.

    Impact: Significant loss of communication for the Ukrainian military, which relied on Viasat's services.

    A timeline displaying the years 1903; 2000; 2010; 2012; 2013; 2014; 2018; 2019; 2021; 2022 is displayed.

    Target: Marconi wireless telegraphs presentation. Method: Morse code.

    Impact: Fake message sent "Rats, rats, rats, rats. There was a young fellow of Italy, Who diddled the public quite prettily."

    Target: Iranian uranium enrichment plant.

    Method: Stuxnet.

    Impact: Compromised programmable logic controllers (PLCs).

    Target: ICS supply chain.

    Method: Havex.

    Impact: Remote Access Trojan (RAT) collected information and uploaded data to command-and-control (C&C) servers.

    Target: Ukraine power grid.

    Method: BlackEnergy.

    Impact: Manipulation of HMI View causing 1-6 hour power outages for 230,000 consumers.

    Target: Colonial Pipeline.

    Method: DarkSide ransomware.

    Impact: Compromised billing infrastructure halted the pipeline operation.

    Sources:

    • DOE, 2018
    • CSIS, 2022
    • MIT Technology Review, 2022

    Info-Tech Insight

    Most OT incidents start with attacks against IT networks and then move laterally into the OT environment. Therefore, converging IT and OT security will help protect the entire organization.

    Use this template to explain the priorities you need your stakeholders to know about.

    Secure organization modernization

    Provide a brief value statement for the initiative.

    The systems (OT, IT, IIoT) are evolving now – ensure your security plan has you covered.

    Initiative Description:

    • Description must include what organization will undertake to complete the initiative.
    • Identify the drivers to align with your organization's business objectives.
    • Build your case by leveraging a cost-benefit analysis and update your security strategy.
    • Identify people, process, and technology gaps that hinder the modernization security strategy.
    • Use the identified skill gaps to update risks, policies and procedures, IR, DR, and BCP.
    • Evaluate and enable modernization technology top focus areas and refine security processes.
    • Decide whether to train, hire, contract, or outsource to fill the security workforce gap.

    Drivers:

    List initiative drivers.

    • Pressure of operational excellence
    • Technology offerings
    • Higher risks of cyberattacks

    Risks:

    List initiative risks and impacts.

    • Complex systems with many components to implement and manage require diligent change management.
    • Organizational and cultural changes cause friction between humans and machines.
    • Increased attack surface of cyber and physical systems.

    Benefits:

    List initiative benefits and align to business benefits or benefits for the stakeholder groups that it impacts.

    • Improve service reliability through continuous and real-time operation.
    • Enhance efficiency through operations visibility and transparency.
    • Gain cost savings and efficiency to automate operations of complex and large equipment and instrumentations.

    Related Info-Tech Research:

    Recommended Actions

    1. Identify modernization business cases to secure

    Identify the drivers to align with your organization's business objectives.

    Build your case by leveraging a cost-benefit analysis, and update your security strategy.

    2. Identify gaps

    Identify people, process, and technology gaps that hinder the modernization
    security strategy.

    Use the identified skill gaps to update risks, policies and procedures, IR, DR, and BCP.

    3. Decide whether to build or buy capabilities

    Evaluate and enable modernization technology top focus areas and refine
    security processes.

    Decide whether to train, hire, contract, or outsource to fill the security workforce gap.

    Sources:

    Industrial Control System (ICS) Modernization: Unlock the Value of Automation in Utilities, Info-Tech

    Secure IT-OT Convergence, Info-Tech

    Develop a cost-benefit analysis

    Identify a modernization business case for security.

    Benefits

    Metrics

    Operational Efficiency and Cost Savings

    • Reduction in truck rolls and staff time of manual operations of equipment or instrumentation.
    • Cost reduction in energy usage such as substation power voltage level or water treatment chemical level.

    Improve Reliability and Resilience

    • Reduction in field crew time to identify the outage locations by remotely accessing field equipment to narrow down the
      fault areas.
    • Reduction in outage time impacting customers and avoiding financial penalty in service quality metrics.
    • Improve operating reliability through continuous and real-time trend analysis of equipment performance.

    Energy & Capacity Savings

    • Optimize energy usage of operation to reduce overall operating cost and contribution to organizational net-zero targets.

    Customers & Society Benefits

    • Improve customer safety for essential services such as drinkable water consumption.
    • Improve reliability of services and address service equity issues based on data.

    Cost

    Metrics

    Equipment and Infrastructure

    Upgrade existing security equipment or instrumentation or deploy new, e.g. IPS on Enterprise DMZ and Operations DMZ.

    Implement communication network equipment and labor to install and configure.

    Upgrade or construct server room including cooling/heating, power backup, and server and rack hardware.

    Software and Commission

    The SCADA/HMI software and maintenance fee as well as lifecycle upgrade implementation project cost.

    Labor cost of field commissioning and troubleshooting.

    Integration with security systems, e.g. log management and continuous monitoring.

    Support and Resources

    Cost to hire/outsource security FTEs for ongoing managing and operating security devices, e.g. SOC.

    Cost to hire/outsource IT/OT FTEs to support and troubleshoot systems and its integrations with security systems, e.g. MSSP.

    An example of a cost-benefit analysis for ICS modernization

    Sources:

    Industrial Control System (ICS) Modernization: Unlock the Value of Automation in Utilities, Info-Tech

    Lawrence Berkeley National Laboratory, 2021

    IT-OT convergence demands new security approach and solutions

    Identify gaps

    Attack Vectors

    IT

    • User's compromised credentials
    • User's access device, e.g. laptop, smartphone
    • Access method, e.g. denial-of-service to modem, session hijacking, bad data injection

    OT

    • Site operations, e.g. SCADA server, engineering workstation, historian
    • Controls, e.g. SCADA Client, HMI, PLCs, RTUs
    • Process devices, e.g. sensors, actuators, field devices

    Defense Strategies

    • Limit exposure of system information
    • Identify and secure remote access points
    • Restrict tools and scripts
    • Conduct regular security audits
    • Implement a dynamic network environment

    (Control System Defense: Know the Opponent, CISA)

    An example of a high-level architecture of an electric utility's control system and its interaction with IT systems.

    An example of a high-level architecture of an electric utility's control system and its interaction with IT systems.

    Source: ISA-99, 2007

    RESPOND TO REGULATORY CHANGES

    PRIORITY 03

    • GOVERNMENT-ENACTED POLICY CHANGES AND INDUSTRY REGULATORY CHANGES COULD BE A COMPLIANCE BURDEN … OR PREVENT YOUR NEXT SECURITY INCIDENT.

    Executive summary

    Background

    Government-enacted regulatory changes are occurring at an ever-increasing rate these days. As one example, on November 10, 2022, the EU Parliament introduced two EU cybersecurity laws: the Network and Information Security (NIS2) Directive (applicable to organizations located within the EU and organizations outside the EU that are essential within an EU country) and the Digital Operational Resilience Act (DORA). There are also industry regulatory changes such as PCI DSS v4.0 for the payment sector and the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) for Bulk Electric Systems (BES).

    Organizations should use regulatory changes as a means to improve security practices, instead of treating them as a compliance burden. As said by lead member of EU Parliament Bart Groothuis on NIS2, "This European directive is going to help around 160,000 entities tighten their grip on security […] It will also enable information sharing with the private sector and partners around the world. If we are being attacked on an industrial scale, we need to respond on an industrial scale."

    Current situation

    Stricter requirements and reporting: Regulations such as NIS2 include provisions for incident response, supply chain security, and encryption and vulnerability disclosure and set tighter cybersecurity obligations for risk management reporting obligations.

    Broader sectors: For example, the original NIS directive covers 19 sectors such as Healthcare, Digital Infrastructure, Transport, and Energy. Meanwhile, the new NIS2 directive increases to 35 sectors by adding other sectors such as providers of public electronic communications networks or services, manufacturing of certain critical products (e.g. pharmaceuticals), food, and digital services.

    High sanctions for violations: For example, Digital Services Act (DSA) includes fines of up to 6% of global turnover and a ban on operating in the EU single market in case of repeated serious breaches.

    Approximately 100 cross-border data flow regulations exist in 2022.

    Source: McKinsey, 2022

    Stricter requirements for payments

    Obligation changes to keep up with emerging threats and technologies

    64 New requirements were added
    A total of 64 requirements have been added to version 4.0 of the PCI DSS.

    13 New requirements become effective March 31, 2024
    The other 51 new requirements are considered best practice until March 31, 2025, at which point they will become effective.

    11 New requirements only for service providers
    11 of the new requirements are applicable only to entities that provide third-party services to merchants.

    Defined roles must be assigned for requirements.

    Focus on periodically assessing and documenting scope.

    Entities may choose a defined approach or a customized approach to requirements.

    An example of new requirements for PCI DSS v4.0

    Source: Prepare for PCI DSS v4.0, Info-Tech

    Use this template to explain the priorities you need your stakeholders to know about.

    Respond to regulatory changes

    Provide a brief value statement for the initiative.

    The compliance obligations are evolving – ensure your security plan has you covered.

    Initiative Description:

    Description must include what organization will undertake to complete the initiative.

    • Identify relevant security and privacy compliance and conformance levels.
    • Identify gaps for updated obligations, and map obligations into control framework.
    • Review, update, and implement policies and strategy.
    • Develop compliance exception process and forms.
    • Develop test scripts.
    • Track status and exceptions

    Drivers:

    List initiative drivers.

    • Pressure of new regulations
    • Governance, risk & compliance (GRC) tool offerings
    • High administrative or criminal penalties of non-compliance

    Risks:

    List initiative risks and impacts.

    • Complex structures and a great number of compliance requirements
    • Restricted budget and lack of skilled workforce for organizations such as local municipalities and small or medium organizations compared to private counterparts
    • Personal liability for some regulations for non-compliance

    Benefits:

    List initiative benefits and align to business benefits or benefits for the stakeholder groups that it impacts.

    • Reduces compliance risk.
    • Reduces complexity within the control environment by using a single framework to align multiple compliance regimes.
    • Reduces costs and efforts related to managing IT audits through planning and preparation.

    Related Info-Tech Research:

    Recommended Actions

    1. Identify compliance obligations

    Identify relevant security and privacy obligations and conformance levels.

    Identify gaps for updated obligations, and map obligations into control framework.

    2. Implement compliance strategy

    Review, update, and implement policies and strategy.

    Develop compliance exception process.

    3. Track and report

    Develop test scripts to check your remediations to ensure they are effective.

    Track and report status and exceptions.

    Sources: Build a Security Compliance Program and Prepare for PCI DSS v4.0, Info-Tech

    Identify relevant security and privacy compliance obligations

    Identify obligations

    # Security Jurisdiction
    1 Network and Information Security (NIS2) Directive European Union (EU) and organizations outside the EU that are essential within an EU country
    2 North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) North American electrical utilities
    3 Executive Order (EO) 14028: Improving the Nation's Cybersecurity, The White House, 2021 United States

    #

    		Privacy Jurisdiction
    1 General Data Protection Regulation (GDPR) EU and EU citizens
    2 Personal Information Protection and Electronic Documents Act (PIPEDA) Canada
    3 California Consumer Privacy Act (CCPA) California, USA
    4 Personal Information Protection Law of the People’s Republic of China (PIPL) China

    An example of security and privacy compliance obligations

    How much does it cost to become compliant?

    • It is important to understand the various frameworks and to adhere to the appropriate compliance obligations.
    • Many factors influence the cost of compliance, such as the size of organization, the size of network, and current security readiness.
    • To manage compliance obligations, it is important to use a platform that not only performs internal and external monitoring but also provides third-party vendors (if applicable) with visibility into potential threats in their organization.

    Adopt Next-Generation Cybersecurity Technologies

    PRIORITY 04

    • GOVERNMENTS AND HACKERS ARE RECOGNIZING THE IMPORTANCE OF EMERGING TECHNOLOGIES, SUCH AS ZERO TRUST ARCHITECTURE AND AI-BASED CYBERSECURITY. SO SHOULD YOUR ORGANIZATION.

    Executive summary

    Background

    The cat and mouse game between threat actors and defenders is continuing. The looming question "can defenders do better?" has been answered with rapid development of technology. This includes the automation of threat analysis (signature-based, specification-based, anomaly-based, flow-based, content-based, sandboxing) not only on IT but also on other relevant environments, e.g. IoT, IIoT, and OT based on AI/ML.

    More fundamental approaches such as post-quantum cryptography and zero trust (ZT) are also emerging.
    ZT is a principle, a model, and also an architecture focused on resource protection by always verifying transactions using the least privilege principle. Hopefully in 2023, ZT will be more practical and not just a vendor marketing buzzword.

    Next-gen cybersecurity technologies alone are not a silver bullet. A combination of skilled talent, useful data, and best practices will give a competitive advantage. The key concepts are explainable, transparent, and trustworthy. Furthermore, regulation often faces challenges to keep up with next-gen cybersecurity technologies, especially with the implications and risks of adoption, which may not always be explicit.

    Current situation

    ZT: Performing an accurate assessment of readiness and benefits to adopt ZT can be difficult due to ZT's many components. Thus, an organization needs to develop a ZT roadmap that aligns with organizational goals and focuses on access to data, assets, applications, and services; don't select solutions or vendors too early.

    Post-quantum cryptography: Current cryptographic applications, such as RSA for PKI, rely on factorization. However, algorithms such as Shor's show quantum speedup for factorization, which can break current crypto when sufficient quantum computing devices are available. Thus, threat actors can intercept current encrypted information and store it to decrypt in the future.

    AI-based threat management: AI helps in analyzing and correlating data extremely fast compared to humans. Millions of telemetries, malware samples, raw events, and vulnerability data feed into the AI system, which humans cannot process manually. Furthermore, AI does not get tired in processing this big data, thus avoiding human error and negligence.

    Data breach mitigation cost without AI: USD 6.20 million; and with AI: USD 3.15 million

    Source: IBM, 2022

    Traditional security is not working

    Alert Fatigue

    Too many false alarms and too many events to process. Evolving threat landscapes waste your analysts' valuable time on mundane tasks, such as evidence collection. Meanwhile, only limited time is spared for decisions and conclusions, which results in the fear of missing an incident and alert fatigue.

    Lack of Insight

    To report progress, clear metrics are needed. However, cybersecurity still lacks in this area as the system itself is complex and some systems work in silos. Furthermore, lessons learned are not yet distilled into insights for improving future accuracy.

    Lack of Visibility

    System integration is required to create consistent workflows across the organization and to ensure complete visibility of the threat landscape, risks, and assets. Also, the convergence of OT, IoT, and IT enhances this challenge.

    Source: IBM Security Intelligence, 2020

    A business case for AI-based cybersecurity

    Threat management

    Prevention

    Risk scores are generated by machine learning based on variables such as behavioral patterns and geolocation. Zero trust architecture is combined with machine learning. Asset management leverages visibility using machine learning. Comply with regulations by improving discovery, classification, and protection of data using machine learning. Data security and data privacy services use machine learning for data discovery.

    Detection

    AI, advanced machine learning, and static approaches, such as code file analysis, combine to automatically detect and analyze threats and prevent threats from spreading, assisted by threat intelligence.

    Response

    AI helps in orchestrating security technologies for organizations to reduce the number of security agents installed, which may not talk to each other or, worse, may conflict with each other.

    Recovery

    AI continuously tunes based on lessons learned, such as creating security policies for improving future accuracy. AI also does not get fatigue, and it assists humans in a faster recovery.

    Prevention; Detection; Response; Recovery

    AI has been around since the 1940s, but why is it only gaining traction now? Because supporting technologies are only now available, including faster GPUs for complex computations and cheaper storage for massive volumes of data.

    Use this template to explain the priorities you need your stakeholders to know about.

    Adopt next-gen cybersecurity technologies

    Use this template to explain the priorities you need your stakeholders to know about.

    Develop a practical roadmap that shows the business value of next-gen cybersecurity technologies investment.

    Initiative Description:

    Description must include what organization will undertake to complete the initiative.

    • Identify the stakeholders who will be affected by the next-gen cybersecurity technologies implementation and define responsibilities based on skillsets and the degree of support.
    • Adopt well-established data governance practices for cross-functional teams.
    • Conduct a maturity assessment of key processes and highlight interdependencies.
    • Develop a baseline and periodically review risks, policies and procedures, and business plan.
    • Develop a roadmap and deploy next-gen cybersecurity architecture and controls step by step, working with trusted technology partners.
    • Monitor metrics on effectiveness and efficiency.

    Drivers:

    List initiative drivers.

    • Pressure of attacks by sophisticated threat actors
    • Next-gen cybersecurity technologies tool offerings
    • High cost of traditional security, e.g. longer breach lifecycle

    Risks:

    List initiative risks and impacts.

    • Lack of transparency of the model or bias, leading to non-compliance with policies/regulations
    • Risks related with data quality and inadequate data for model training
    • Adversarial attacks, including, but not limited to, adversarial input and model extraction

    Benefits:

    List initiative benefits and align to business benefits or benefits for the stakeholder groups that it impacts.

    • Reduces the number of alerts, thus reduces alert fatigue.
    • Increases the identification of unknown threats.
    • Leads to faster detection and response.
    • Closes skills gap and increases productivity.

    Related Info-Tech Research:

    Recommended Actions

    1. People

    Identify the stakeholders who will be affected by the next-gen cybersecurity technologies implementation and define responsibilities based on skillsets and the degree of support.

    Adopt well-established data governance practices for cross-functional teams.

    2. Process

    Conduct a maturity assessment of key processes and highlight interdependencies.

    Develop a baseline and periodically review risks, policies and procedures, and business plan.

    3. Technology

    Develop a roadmap and deploy next-gen cybersecurity architecture and controls step by step, working with trusted technology partners.

    Monitor metrics on effectiveness and efficiency.

    Source: Leverage AI in Threat Management (keynote presentation), Info-Tech

    Secure Services and Applications

    PRIORITY 05

    • APIS ARE STILL THE #1 THREAT TO APPLICATION SECURITY.

    Executive summary

    Background

    Software is usually produced as part of a supply chain instead of in silos. A vulnerability in any part of the supply chain can become a threat surface. We have learned this from recent incidents such as Log4j, SolarWinds, and Kaseya where attackers compromised a Virtual System Administrator tool used by managed service providers to attack around 1,500 organizations.

    DevSecOps is a culture and philosophy that unifies development, security, and operations to answer this challenge. DevSecOps shifts security left by automating, as much as possible, development and testing. DevSecOps provides many benefits such as rapid development of secure software and assurance that, prior to formal release and delivery, tests are reliably performed and passed.

    DevSecOps practices can apply to IT, OT, IoT, and other technology environments, for example, by integrating a Secure Software Development Framework (SSDF).

    Current situation

    Secure Software Supply Chain: Logging is a fundamental feature of most software, and recently the use of software components, especially open source, are based on trust. From the Log4j incident we learned that more could be done to improve the supply chain by adopting ZT to identify related components and data flows between systems and to apply the least privilege principle.

    DevSecOps: A software error wiped out wireless services for thousands of Rogers customers across Canada in 2021. Emergency services were also impacted, even though outgoing 911 calls were always accessible. Losing such services could have been avoided, if tests were reliably performed and passed prior to release.

    OT insecure-by-design: In OT, insecurity-by-design is still a norm, which causes many vulnerabilities such as insecure protocols implementation, weak authentication schemes, or insecure firmware updates. Additional challenges are the lack of CVEs or CVE duplication, the lack of Software Bill of Materials (SBOM), and product supply chains issues such as vulnerable products that are certified because of the scoping limitation and emphasis on functional testing.

    Technical causes of cybersecurity incidents in EU critical service providers in 2019-2021 shows: software bug (12%) and faulty software changes/update (9%).

    Source: CIRAS Incident reporting, ENISA (N=1,239)

    Software development keeps evolving

    DOD Maturation of Software Development Best Practices

    Best Practices 30 Years Ago 15 Years Ago Present Day
    Lifecycle Years or Months Months or Weeks Weeks or Days
    Development Process Waterfall Agile DevSecOps
    Architecture Monolithic N-Tier Microservices
    Deployment & Packaging Physical Virtual Container
    Hosting Infrastructure Server Data Center Cloud
    Cybersecurity Posture Firewall + SIEM + Zero Trust

    Best practices in software development are evolving as shown on the diagram to the left. For example, 30 years ago the lifecycle was "Years or Months," while in the present day it is "Weeks or Days."

    These changes also impact security such as the software architecture, which is no longer "Monolithic" but "Microservices" normally built within the supply chain.

    The software supply chain has known integrity attacks that can happen on each part of it. Starting from bad code submitted by a developer, to compromised source control platform (e.g. PHP git server compromised), to compromised build platform (e.g. malicious behavior injected on SolarWinds build), to a compromised package repository where users are deceived into using the bad package by the similarity between the malicious and the original package name.

    Therefore, we must secure each part of the link to avoid attacks on the weakest link.

    Software supply chain guidance

    Secure each part of the link to avoid attacks on the weakest link.

    Guide for Developers

    Guide for Suppliers

    		 Guide for Customers

    Secure product criteria and management, develop secure code, verify third-party components, harden build environment, and deliver code.

    Define criteria for software security checks, protect software, produce well-secured software, and respond to vulnerabilities.

    Secure procurement and acquisition, secure deployment, and secure software operations.

    Source: "Securing the Software Supply Chain" series, Enduring Security Framework (ESF), 2022

    "Most software today relies on one or more third-party components, yet organizations often have little or no visibility into and understanding of how these software components are developed, integrated, and deployed, as well as the practices used to ensure the components' security."

    Source: NIST – NCCoE, 2022

    Use this template to explain the priorities you need your stakeholders to know about.

    Secure services and applications

    Provide a brief value statement for the initiative.

    Adopt recommended practices for securing the software supply chain.

    Initiative Description:

    Description must include what organization will undertake to complete the initiative.

    • Define and keep security requirements and risk assessments up to date.
    • Require visibility into provenance of product, and require suppliers' self-attestation of security hygiene.
    • Verify distribution infrastructure, product and individual components integrity, and SBOM.
    • Use multi-layered defenses, e.g. ZT for integration and control configuration.
    • Train users on how to detect and report anomalies and when to apply updates to a system.
    • Ensure updates from authorized and authenticated sources and verify the integrity of the updated SBOM.

    Drivers:

    List initiative drivers.

    • Cyberattacks exploit the vulnerabilities of weak software supply chain
    • Increased need to enhance software supply chain security, e.g. under the White House Executive Order (EO) 14028
    • OT insecure-by-design hinders OT modernization

    Risks:

    List initiative risks and impacts.

    Only a few developers and suppliers explicitly address software security in detail.

    Time pressure to deliver functionality over security.

    Lack of security awareness and lack of trained workforce.

    Benefits:

    List initiative benefits and align to business benefits or benefits for the stakeholder groups that it impacts.

    Customers (acquiring organizations) achieve secure acquisition, deployment, and operation of software.

    Developers and suppliers provide software security with minimal vulnerabilities in its releases.

    Automated processes such as automated testing avoid error-prone and labor-intensive manual test cases.

    Related Info-Tech Research:

    Recommended Actions

    1. Procurement and Acquisition

    Define and keep security requirements and risk assessments up to date.

    Perform analysis on current market and supplier solutions and acquire security evaluation.

    Require visibility into provenance of product, and require suppliers' self-attestation of security hygiene

    2. Deployment

    Verify distribution infrastructure, product and individual components integrity, and SBOM.

    Save and store the tests and test environment and review and verify the
    self-attestation mechanism.

    Use multi-layered defenses, e.g. ZT for integration and control configuration.

    3. Software Operations

    Train users on how to detect and report anomalies and when to apply updates to a system.

    Ensure updates from authorized and authenticated sources and verify the integrity of the updated SBOM.

    Apply supply chain risk management (SCRM) operations.

    Source: "Securing the Software Supply Chain" series, Enduring Security Framework (ESF), 2022

    Bibliography

    Aksoy, Cevat Giray, Jose Maria Barrero, Nicholas Bloom, Steven J. Davis, Mathias Dolls, and Pablo Zarate. "Working from Home Around the World." Brookings Papers on Economic Activity, 2022.
    Barrero, Jose Maria, Nicholas Bloom, and Steven J. Davis. "Why working from home will stick." WFH Research, National Bureau of Economic Research, Working Paper 28731, 2021.
    Boehm, Jim, Dennis Dias, Charlie Lewis, Kathleen Li, and Daniel Wallance. "Cybersecurity trends: Looking over the horizon." McKinsey & Company, March 2022. Accessed
    31 Oct. 2022.
    "China: TC260 issues list of national standards supporting implementation of PIPL." OneTrust, 8 Nov. 2022. Accessed 17 Nov. 2022.
    Chmielewski, Stéphane. "What is the potential of artificial intelligence to improve cybersecurity posture?" before.ai blog, 7 Aug. 2022. Accessed 15 Aug. 2022.
    Conerly, Bill. "The Recession Will Begin Late 2023 Or Early 2024." Forbes, 1 Nov. 2022. Accessed 8 Nov. 2022.
    "Control System Defense: Know the Opponent." CISA, 22 Sep. 2022. Accessed 17 Nov. 2022.
    "Cost of a Data Breach Report 2022." IBM, 2022.
    "Cybersecurity: Parliament adopts new law to strengthen EU-wide resilience." European Parliament News, 10 Nov. 2022. Press Release.
    "Cyber Security in Critical National Infrastructure Organisations: 2022." Bridewell, 2022. Accessed 7 Nov. 2022.
    Davis, Steven. "The Big Shift to Working from Home." NBER Macro Annual Session On
    "The Future of Work," 1 April 2022.
    "Digital Services Act: EU's landmark rules for online platforms enter into force."
    EU Commission, 16 Nov. 2022. Accessed 16 Nov. 2022.
    "DoD Enterprise DevSecOps Fundamentals." DoD CIO, 12 May 2022. Accessed 21 Nov. 2022.
    Elkin, Elizabeth, and Deena Shanker. "That Cream Cheese Shortage You Heard About? Cyberattacks Played a Part." Bloomberg, 09 Dec. 2021. Accessed 27 Oct. 2022.
    Evan, Pete. "What happened at Rogers? Day-long outage is over, but questions remain." CBC News, 21 April 2022. Accessed 15 Nov. 2022.
    "Fewer Ransomware Victims Pay, as Median Ransom Falls in Q2 2022." Coveware,
    28 July 2022. Accessed 18 Nov. 2022.
    "Fighting cybercrime: new EU cybersecurity laws explained." EU Commission, 10 Nov. 2022. Accessed 16 Nov. 2022.
    "Guide to PCI compliance cost." Vanta. Accessed 18 Nov. 2022.
    Hammond, Susannah, and Mike Cowan. "Cost of Compliance 2022: Competing priorities." Thomson Reuters, 2022. Accessed 18 Nov. 2022.
    Hemsley, Kevin, and Ronald Fisher. "History of Industrial Control System Cyber Incidents." Department of Energy (DOE), 2018. Accessed 29 Aug. 2022.
    Hofmann, Sarah. "What Is The NIS2 And How Will It Impact Your Organisation?" CyberPilot,
    5 Aug. 2022. Accessed 16 Nov. 2022.
    "Incident reporting." CIRAS Incident Reporting, ENISA. Accessed 21 Nov. 2022.
    "Introducing SLSA, an End-to-End Framework for Supply Chain Integrity." Google,
    16 June 2021. Accessed 25 Nov. 2022.
    Kovacs, Eduard. "Trains Vulnerable to Hacker Attacks: Researchers." SecurityWeek, 29 Dec. 2015. Accessed 15 Nov. 2022.
    "Labour Force Survey, October 2022." Statistics Canada, 4 Nov. 2022. Accessed 7 Nov. 2022.
    Malacco, Victor. "Promises and potential of automated milking systems." Michigan State University Extension, 28 Feb. 2022. Accessed 15 Nov. 2022.
    Maxim, Merritt, et al. "Planning Guide 2023: Security & Risk." Forrester, 23 Aug. 2022. Accessed 31 Oct. 2022.
    "National Cyber Threat Assessment 2023-2024." Canadian Centre for Cyber Security, 2022. Accessed 18 Nov. 2022.
    Nicaise, Vincent. "EU NIS2 Directive: what's changing?" Stormshield, 20 Oct. 2022. Accessed
    17 Nov. 2022.
    O'Neill, Patrick. "Russia hacked an American satellite company one hour before the Ukraine invasion." MIT Technology Review, 10 May 2022. Accessed 26 Aug. 2022.
    "OT ICEFALL: The legacy of 'insecure by design' and its implications for certifications and risk management." Forescout, 2022. Accessed 21 Nov. 2022.
    Palmer, Danny. "Your cybersecurity staff are burned out - and many have thought about quitting." ZDNet, 8 Aug. 2022. Accessed 19 Aug. 2022.
    Placek, Martin. "Industrial Internet of Things (IIoT) market size worldwide from 2020 to 2028 (in billion U.S. dollars)." Statista, 14 March 2022. Accessed 15 Nov. 2022.
    "Revised Proposal Attachment 5.13.N.1 ADMS Business Case PUBLIC." Ausgrid, Jan. 2019. Accessed 15 Nov. 2022.
    Richter, Felix. "Cloudy With a Chance of Recession." Statista, 6 April 2022. Web.
    "Securing the Software Supply Chain: Recommended Practices Guide for Developers." Enduring Security Framework (ESF), Aug. 2022. Accessed 22 Sep. 2022.
    "Securing the Software Supply Chain: Recommended Practices Guide for Suppliers." Enduring Security Framework (ESF), Sep. 2022. Accessed 21 Nov. 2022.
    "Securing the Software Supply Chain: Recommended Practices Guide for Customers." Enduring Security Framework (ESF), Oct. 2022. Accessed 21 Nov. 2022.
    "Security Guidelines for the Electricity Sector: Control System Electronic Connectivity."
    North American Electric Reliability Corporation (NERC), 28 Oct. 2013. Accessed 25 Nov. 2022.
    Shepel, Jan. "Schreiber Foods hit with cyberattack; plants closed." Wisconsin State Farmer,
    26 Oct. 2022. Accessed 15 Nov. 2022.
    "Significant Cyber Incidents." Center for Strategic and International Studies (CSIS). Accessed
    1 Sep. 2022.
    Souppaya, Murugiah, Michael Ogata, Paul Watrobski, and Karen Scarfone. "Software Supply Chain and DevOps Security Practices: Implementing a Risk-Based Approach to DevSecOps." NIST - National Cybersecurity Center of Excellence (NCCoE), Nov. 2022. Accessed
    22 Nov. 2022.
    "Ten Things Will Change Cybersecurity in 2023." SOCRadar, 23 Sep. 2022. Accessed
    31 Oct. 2022.
    "The Nature of Cybersecurity Defense: Pentagon To Reveal Updated Zero-Trust Cybersecurity Strategy & Guidelines." Cybersecurity Insiders. Accessed 21 Nov. 2022.
    What Is Threat Management? Common Challenges and Best Practices." IBM Security Intelligence, 2020.
    Woolf, Tim, et al. "Benefit-Cost Analysis for Utility-Facing Grid Modernization Investments: Trends, Challenges, and Considerations." Lawrence Berkeley National Laboratory, Feb. 2021. Accessed 15 Nov. 2022.
    Violino, Bob. "5 key considerations for your 2023 cybersecurity budget planning." CSO Online,
    14 July 2022. Accessed 27 Oct. 2022

    Research Contributors and Experts

    Andrew Reese
    Cybersecurity Practice Lead
    Zones

    Ashok Rutthan
    Chief Information Security Officer (CISO)
    Massmart

    Chris Weedall
    Chief Information Security Officer (CISO)
    Cheshire East Council

    Jeff Kramer
    EVP Digital Transformation and Cybersecurity
    Aprio

    Kris Arthur
    Chief Information Security Officer (CISO)
    SEKO Logistics

    Mike Toland
    Chief Information Security Officer (CISO)
    Mutual Benefit Group

    The challenge of corporate security management

    • Buy Link or Shortcode: {j2store}41|cart{/j2store}
    • Related Products: {j2store}41|crosssells{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Security and Risk
    • Parent Category Link: /security-and-risk
    • byline: Align security and business objectives to obtain the greatest benefit from both.

    Corporate security management is a vital aspect in every modern business, regardless of business area or size. At Tymans Group we offer expert security management consulting to help your business set up proper protocols and security programs. More elaborate information about our security management consulting services and solutions can be found below.

    Corporate security management components

    You may be experiencing one or more of the following:

    • The risk goals should support business goals. Your business cannot operate without security, and security is there to conduct business safely. 
    • Security governance supports security strategy and security management. These three components form a protective arch around your business. 
    • Governance and management are like the legislative branch and the executive branch. Governance tells people what to do, and management's job is to verify that they do it.

    Our advice with regards to corporate security management

    Insight

    To have a successful information security strategy, take these three factors into account:

    • Holistic: your view must include people, processes, and technology.
    • Risk awareness: Base your strategy on the actual risk profile of your company and then add the appropriate best practices.
    • Business-aligned: When your strategic security plan demonstrates alignment with the business goals and supports it, embedding will be much more straightforward.

    Impact and results of our corporate security management approach

    • The approach of our security management consulting company helps to provide a starting point for realistic governance and realistic corporate security management.
    • We help you by implementing security governance and managing it, taking into account your company's priorities, and keeping costs to a minimum.

    The roadmap

    Besides the small introduction, subscribers and consulting clients within the corporate security management domain have access to:

    Get up to speed

    Read up on why you should build your customized corporate information security governance and management system. Review our methodology and understand the four ways we can support you.

    Align your security objectives with your business goals

    Determine the company's risk tolerance.

    • Implement a Security Governance and Management Program – Phase 1: Align Business Goals With Security Objectives (ppt)
    • Information Security Governance and Management Business Case (ppt)
    • Information Security Steering Committee Charter (doc)
    • Information Security Steering Committee RACI Chart (doc)
    • Security Risk Register Tool (xls)

    Build a practical governance framework for your company

    Our best-of-breed security framework makes you perform a gap analysis between where you are and where you want to be (your target state). Once you know that, you can define your goals and duties.

    • Implement a Security Governance and Management Program – Phase 2: Develop an Effective Governance Framework (ppt)
    • Information Security Charter (doc)
    • Security Governance Organizational Structure Template (doc)
    • Security Policy Hierarchy Diagram (ppt)
    • Security Governance Model Facilitation Questions (ppt)
    • Information Security Policy Charter Template (doc)
    • Information Security Governance Model Tool (Visio)
    • Pdf icon 20x20
    • Information Security Governance Model Tool (PDF)

    Now that you have built it, manage your governance framework.

    There are several essential management activities that we as a security management consulting company suggest you employ.

    • Implement a Security Governance and Management Program – Phase 3: Manage Your Governance Framework (ppt)
    • Security Metrics Assessment Tool (xls)
    • Information Security Service Catalog (xls)
    • Policy Exception Tracker (xls)
    • Information Security Policy Exception Request Form (doc)
    • Security Policy Exception Approval Workflow (Visio)
    • Security Policy Exception Approval Workflow (PDF)
    • Business Goal Metrics Tracking Tool (xls)

    Book an online appointment for more advice

    We are happy to tell you more about our corporate security management solutions and help you set up fitting security objectives. As a security management consulting firm we offer solutions and advice, based on our own extensive experience, which are practical and people-orientated. Discover our services, which include data security management and incident management and book an online appointment with CEO Gert Taeymans to discuss any issues you may be facing regarding risk management or IT governance.

    cybersecurity

    Build, Optimize, and Present a Risk-Based Security Budget

    • Buy Link or Shortcode: {j2store}371|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Security Strategy & Budgeting
    • Parent Category Link: /security-strategy-and-budgeting
    • Year after year, CISOs need to develop a comprehensive security budget that is able to mitigate against threats.
    • This budget will have to be defended against many other stakeholders to ensure there is proper funding.
    • Security budgets are unlike other departmental budgets. Increases or decreases in the budget can drastically affect the organizational risk level.
    • CISOs struggle with the ability to assess the effectiveness of their security controls and where to allocate money.

    Our Advice

    Critical Insight

    • CISOs can demonstrate the value of security when they correlate mitigations to business operations and attribute future budgetary needs to business evolution.
    • To identify the critical areas and issues that must be reflected in your security budget, develop a comprehensive corporate risk analysis and mitigation effectiveness model, which will illustrate where the moving targets are in your security posture.

    Impact and Result

    • Info-Tech’s methodology moves you away from the traditional budgeting approach to building a budget that is designed to be as dynamic as the business growth model.
    • Collect your organization's requirements and build different budget options to describe how increases and decreases can affect the risk level.
    • Discuss the different budgets with the business to determine what level of funding is needed for the desired level of security.
    • Gain approval of your budget early by preshopping and presenting the budget to individual stakeholders prior to the final budget approval process.

    Build, Optimize, and Present a Risk-Based Security Budget Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should build, optimize, and present a risk-based security budget, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Review requirements for the budget

    Collect and review the required information for your security budget.

    • Build, Optimize, and Present a Risk-Based Security Budget – Phase 1: Review Requirements for the Budget

    2. Build the budget

    Take your requirements and build a risk-based security budget.

    • Build, Optimize, and Present a Risk-Based Security Budget – Phase 2: Build the Budget
    • Security Budgeting Tool

    3. Present the budget

    Gain approval from business stakeholders by presenting the budget.

    • Build, Optimize, and Present a Risk-Based Security Budget – Phase 3: Present the Budget
    • Preshopping Security Budget Presentation Template
    • Final Security Budget Presentation Template
    [infographic]

    Workshop: Build, Optimize, and Present a Risk-Based Security Budget

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Review Requirements for the Budget

    The Purpose

    Understand your organization’s security requirements.

    Collect and review the requirements.

    Key Benefits Achieved

    Requirements are gathered and understood, and they will provide priorities for the security budget.

    Activities

    1.1 Define the scope and boundaries of the security budget.

    1.2 Review the security strategy.

    1.3 Review other requirements as needed, such as the mitigation effectiveness assessment or risk tolerance level.

    Outputs

    Defined scope and boundaries of the security budget

    2 Build the Budget

    The Purpose

    Map business capabilities to security controls.

    Create a budget that represents how risk can affect the organization.

    Key Benefits Achieved

    Finalized security budget that presents three different options to account for risk and mitigations.

    Activities

    2.1 Identify major business capabilities.

    2.2 Map capabilities to IT systems and security controls.

    2.3 Categorize security controls by bare minimum, standard practice, and ideal.

    2.4 Input all security controls.

    2.5 Input all other expenses related to security.

    2.6 Review the different budget options.

    2.7 Optimize the budget through defense-in-depth options.

    2.8 Finalize the budget.

    Outputs

    Identified major business capabilities, mapped to the IT systems and controls

    Completed security budget providing three different options based on risk associated

    Optimized security budget

    3 Present the Budget

    The Purpose

    Prepare a presentation to speak with stakeholders early and build support prior to budget approvals.

    Present a pilot presentation and incorporate any feedback.

    Prepare for the final budget presentation.

    Key Benefits Achieved

    Final presentations in which to present the completed budget and gain stakeholder feedback.

    Activities

    3.1 Begin developing a communication strategy.

    3.2 Build the preshopping report.

    3.3 Practice the presentation.

    3.4 Conduct preshopping discussions with stakeholders.

    3.5 Collect initial feedback and incorporate into the budget.

    3.6 Prepare for the final budget presentation.

    Outputs

    Preshopping Report

    Final Budget Presentation

    Get Started With IT Project Portfolio Management

    • Buy Link or Shortcode: {j2store}443|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: $7,599 Average $ Saved
    • member rating average days saved: 46 Average Days Saved
    • Parent Category Name: Portfolio Management
    • Parent Category Link: /portfolio-management
    • Most companies are struggling to get their project work done. This is due in part to the fact that many prescribed remedies are confusing, disruptive, costly, or ineffective.
    • While struggling to find a solution, within the organization, project requests never stop and all projects continue to all be treated the same. Resources are requested for multiple projects without any visibility into their project capacity. Projects lack proper handoffs from closure to ongoing operational work. And the benefits are never tracked.
    • If you have too many projects, limited resources, ineffective communications, or low post-project adoption, keep reading. Perhaps you should spend a bit more on project, portfolio, and organizational change management.

    Our Advice

    Critical Insight

    • Successful project outcomes are not built by rigorous project processes: Projects may be the problem, but project management rigor is not the solution.
    • Don’t fall into the common trap of thinking high-rigor project management should be every organization’s end goal.
    • Instead, understand that it is better to spend time assessing the portfolio to determine what projects should be prioritized.

    Impact and Result

    Begin by establishing a few foundational practices that will work to drive project throughput.

    • Capacity Estimation: Understand what your capacity is to do projects by determining how much time is allocated to doing other things.
    • Book of Record: Establish a basic but sustainable book of record so there is an official list of projects in flight and those waiting in a backlog or funnel.
    • Simple Project Management Processes: Align the rigor of your project management process with what is required, not what is prescribed by the PMP designation.
    • Impact Assessment: Address the impact of change at the beginning of the project and prepare stakeholders with the right level of communication.

    Get Started With IT Project Portfolio Management Research & Tools

    Start here – read the Executive Brief

    Begin by establishing a few foundational practices that will work to drive project throughput. Most project management problems are resolved with portfolio level solutions. This blueprint will address the eco-system of project, portfolio, and organizational change management.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Project portfolio management

    Estimate project capacity, determine what needs to be tracked on an ongoing basis, and determine what criteria is necessary for prioritizing projects.

    • Project Portfolio Supply-Demand Analysis Tool
    • Project Value Scorecard Development Tool
    • Project Portfolio Book of Record

    2. Project management

    Develop a process to inform the portfolio of the project status, create a plan that can be maintained throughout the project lifecycle, and manage the scope through a change request process.

    • Light Project Change Request Form Template

    3. Organizational change management

    Perform a change impact assessment and identify the obvious and non-obvious stakeholders to develop a message canvas accordingly.

    • Organizational Change Management Triage Tool

    4. Develop an action plan

    Develop a roadmap for how to move from the current state to the target state.

    • PPM Wireframe
    • Project Portfolio Management Foundations Stakeholder Communication Deck
    [infographic]

    Workshop: Get Started With IT Project Portfolio Management

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Project Portfolio Management

    The Purpose

    Establish the current state of the portfolio.

    Organize the portfolio requirements.

    Determine how projects are prioritized.

    Key Benefits Achieved

    Understand project capacity supply-demand.

    Build a portfolio book of record.

    Create a project value scorecard.

    Activities

    1.1 Conduct capacity supply-demand estimation.

    1.2 Determine requirements for portfolio book of record.

    1.3 Develop project value criteria.

    Outputs

    Clear project capacity

    Draft portfolio book of record

    Project value scorecard

    2 Project Management

    The Purpose

    Feed the portfolio with the project status.

    Plan the project work with a sustainable level of granularity.

    Manage the project as conditions change.

    Key Benefits Achieved

    Develop a process to inform the portfolio of the project status.

    Create a plan that can be maintained throughout the project lifecycle and manage the scope through a change request process.

    Activities

    2.1 Determine necessary reporting metrics.

    2.2 Create a work structure breakdown.

    2.3 Document your project change request process.

    Outputs

    Feed the portfolio with the project status

    Plan the project work with a sustainable level of granularity

    Manage the project as conditions change

    3 Organizational Change Management

    The Purpose

    Discuss change accountability.

    Complete a change impact assessment.

    Create a communication plan for stakeholders.

    Key Benefits Achieved

    Complete a change impact assessment.

    Identify the obvious and non-obvious stakeholders and develop a message canvas accordingly.

    Activities

    3.1 Discuss change accountability.

    3.2 Complete a change impact assessment.

    3.3 Create a communication plan for stakeholders.

    Outputs

    Assign accountability for the change

    Assess the change impact

    Communicate the change

    4 Develop an Action Plan

    The Purpose

    Summarize current state.

    Determine target state.

    Create a roadmap.

    Key Benefits Achieved

    Develop a roadmap for how to move from the current state to the target state.

    Activities

    4.1 Summarize current state and target state.

    4.2 Create a roadmap.

    Outputs

    Stakeholder Communication Deck

    MS Project Wireframe

    Master M&A Cybersecurity Due Diligence

    • Buy Link or Shortcode: {j2store}261|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: $12,399 Average $ Saved
    • member rating average days saved: 5 Average Days Saved
    • Parent Category Name: Governance, Risk & Compliance
    • Parent Category Link: /governance-risk-compliance

    This research is designed to help organizations who are preparing for a merger or acquisition and need help with:

    • Understanding the information security risks associated with the acquisition or merger.
    • Avoiding the unwanted possibility of acquiring or merging with an organization that is already compromised by cyberattackers.
    • Identifying best practices for information security integration post merger.

    Our Advice

    Critical Insight

    The goal of M&A cybersecurity due diligence is to assess security risks and the potential for compromise. To succeed, you need to look deeper.

    Impact and Result

    • A repeatable methodology to systematically conduct cybersecurity due diligence.
    • A structured framework to rapidly assess risks, conduct risk valuation, and identify red flags.
    • Look deeper by leveraging compromise diagnostics to increase confidence that you are not acquiring a compromised entity.

    Master M&A Cybersecurity Due Diligence Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Start here – read the Executive Brief

    Read our concise Executive Brief to find out how to master M&A cyber security due diligence, review Info-Tech’s methodology, and understand how we can support you in completing this project.

    [infographic]

    Ensure Cloud Security in IaaS, PaaS, and SaaS Environments

    • Buy Link or Shortcode: {j2store}386|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Secure Cloud & Network Architecture
    • Parent Category Link: /secure-cloud-network-architecture
    • Security remains a large impediment to realizing cloud benefits. Numerous concerns still exist around the ability for data privacy, confidentiality, and integrity to be maintained in a cloud environment.
    • Even if adoption is agreed upon, it becomes hard to evaluate vendors that have strong security offerings and even harder to utilize security controls that are internally deployed in the cloud environment.

    Our Advice

    Critical Insight

    • The cloud can be secure despite unique security threats.
    • Securing a cloud environment is a balancing act of who is responsible for meeting specific security requirements.
    • Most security challenges and concerns can be minimized through our structured process (CAGI) of selecting a trusted cloud security provider (CSP) partner.

    Impact and Result

    • The business is adopting a cloud environment and it must be secured, which includes:
      • Ensuring business data cannot be leaked or stolen.
      • Maintaining privacy of data and other information.
      • Securing the network connection points.
    • Determine your balancing act between yourself and your CSP; through contractual and configuration requirements, determine what security requirements your CSP can meet and cover the rest through internal deployment.
    • This blueprint and associated tools are scalable for all types of organizations within various industry sectors.

    Ensure Cloud Security in IaaS, PaaS, and SaaS Environments Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should prioritize security in the cloud, review Info-Tech’s methodology, and understand the ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Determine your cloud risk profile

    Determine your organization’s rationale for cloud adoption and what that means for your security obligations.

    • Ensure Cloud Security in IaaS, PaaS, and SaaS Environments – Phase 1: Determine Your Cloud Risk Profile
    • Secure Cloud Usage Policy

    2. Identify your cloud security requirements

    Use the Cloud Security CAGI Tool to perform four unique assessments that will be used to identify secure cloud vendors.

    • Ensure Cloud Security in IaaS, PaaS, and SaaS Environments – Phase 2: Identify Your Cloud Security Requirements
    • Cloud Security CAGI Tool

    3. Evaluate vendors from a security perspective

    Learn how to assess and communicate with cloud vendors with security in mind.

    • Ensure Cloud Security in IaaS, PaaS, and SaaS Environments – Phase 3: Evaluate Vendors From a Security Perspective
    • IaaS and PaaS Service Level Agreement Template
    • SaaS Service Level Agreement Template
    • Cloud Security Communication Deck

    4. Implement your secure cloud program

    Turn your security requirements into specific tasks and develop your implementation roadmap.

    • Ensure Cloud Security in IaaS, PaaS, and SaaS Environments – Phase 4: Implement Your Secure Cloud Program
    • Cloud Security Roadmap Tool

    5. Build a cloud security governance program

    Build the organizational structure of your cloud security governance program.

    • Ensure Cloud Security in IaaS, PaaS, and SaaS Environments – Phase 5: Build a Cloud Security Governance Program
    • Cloud Security Governance Program Template
    [infographic]

    Portfolio Management

    • Buy Link or Shortcode: {j2store}47|cart{/j2store}
    • Related Products: {j2store}47|crosssells{/j2store}
    • member rating overall impact: 9.6/10
    • member rating average dollars saved: $40,234
    • member rating average days saved: 30
    • Parent Category Name: Applications
    • Parent Category Link: /applications
    • byline: Develop your project portfolio management strategy.

    The challenge

    • Typically your business wants much more than your IT development organization can deliver with the available resources at the requested quality levels.
    • Over-damnd has a negative influence on delivery throughput. IT starts many projects (or features) but has trouble delivering most of them within the set parameters of scope, time, budget, and quality. Some requested deliverables may even be of questionable value to the business.
    • You may not have the right project portfolio management (PPM) strategy to bring order in IT's delivery activities and to maximize business value.

    Our advice

    Insight

    • Many in IT mix PPM and project management. Your project management playbook does not equate to the holistic view a real PPM practice gives you.
    • Some organizations also mistake PPM for a set of processes. Processes are needed, but a real strategy works towards tangible goals.
    • PPM works at the strategic level of the company; hence executive buy-in is critical. Without executive support, any effort to reconcile supply and demand will be tough to achieve.

    Impact and results 

    • PPM is a coherent business-aligned strategy that maximizes business value creation across the entire portfolio, rather than in each project.
    • Our methodology tackles the most pressing challenge upfront: get executive buy-in before you start defining your goals. With senior management behind the plan, implementation will become easier.
    • Create PPM processes that are a cultural fit for your company. Define your short and long-term goals for your strategy and support them with fully embedded portfolio management processes.

    The roadmap

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    Get started.

    Read our executive brief to understand why you should develop a PPM strategy and understand how our methodology can help you. We show you how we can support you.

    Obtain executive buy-in for your strategy

    Ensure your strategy is a cultural fit or cultural-add for your company.

    • Develop a Project Portfolio Management Strategy – Phase 1: Get Executive Buy-In for Your PPM Strategy (ppt)
    • PPM High-Level Supply-Demand Calculator (xls)
    • PPM Strategic Plan Template (ppt)
    • PPM Strategy-Process Goals Translation Matrix Template (xls)

    Align the PPM processes to your company's strategic goals

    Use the advice and tools in this stage to align the PPM processes.

    • Develop a Project Portfolio Management Strategy – Phase 2: Align PPM Processes to Your Strategic Goals (ppt)
    • PPM Strategy Development Tool (xls)

    Refine and complete your plan

    Use the inputs from the previous stages and add a cost-benefit analysis and tool recommendation.

    • Streamline Application Maintenance – Phase 3: Optimize Maintenance Capabilities (ppt)

    Streamline your maintenance delivery

    Define quality standards in maintenance practices. Enforce these in alignment with the governance you have set up. Show a high degree of transparency and open discussions on development challenges.

    • Develop a Project Portfolio Management Strategy – Phase 3: Complete Your PPM Strategic Plan (ppt)
    • Project Portfolio Analyst / PMO Analyst (doc)

     

     

    Security Priorities 2022

    • Buy Link or Shortcode: {j2store}244|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Security Strategy & Budgeting
    • Parent Category Link: /security-strategy-and-budgeting
    • Ransomware activities and the cost of breaches are on the rise.
    • Cybersecurity talent is hard to find, and an increasing number of cybersecurity professionals are considering leaving their jobs.
    • Moving to the digital world increases the risk of a breach.

    Our Advice

    Critical Insight

    • The pandemic has fundamentally changed the technology landscape. Security programs must understand how their threat surface is now different and adapt their controls to meet the challenge.
    • The upside to the upheaval in 2021 is new opportunities to modernize your security program.

    Impact and Result

    • Use the report to ensure your plan in 2022 addresses what’s important in cybersecurity.
    • Understand the current situation in the cybersecurity space.

    Security Priorities 2022 Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Security Priorities 2022 – A report that describes priorities and recommendations for CISOs in 2022.

    Use this report to understand the current situation in the cybersecurity space and inform your plan for 2022. This report includes sections on protecting against and responding to ransomware, acquiring and retaining talent, securing a remote workforce, securing digital transformation, and adopting zero trust.

    • Security Priorities for 2022 Report

    Infographic

    Further reading

    Security Priorities 2022

    The pandemic has changed how we work

    disruptions to the way we work caused by the pandemic are here to stay.

    The pandemic has introduced a lot of changes to our lives over the past two years, and this is also true for various aspects of how we work. In particular, a large workforce moved online overnight, which shifted the work environment rapidly.

    People changed how they communicate, how they access company information, and how they connect to the company network. These changes make cybersecurity a more important focus than ever.

    Although changes like the shift to remote work occurred in response to the pandemic, they are largely expected to remain, regardless of the progression of the pandemic itself. This report will look into important security trends and the priorities that stemmed from these trends.

    30% more professionals expect transformative permanent change compared to one year ago.

    47% of professionals expect a lot of permanent change; this remains the same as last year. (Source: Info-Tech Tech Trends 2022 Survey; N=475)

    The cost of a security breach is rising steeply

    The shift to remote work exposes organizations to more costly cyber incidents than ever before.

    $4.24 million

    Average cost of a data breach in 2021    		 The cost of a data breach rose by nearly 10% in the past year, the highest rate in over seven years.

    $1.07 million

    More costly when remote work involved in the breach

    The average cost of breaches where remote work is involved is $1.07 million higher than breaches where remote work is not involved.

    The ubiquitous remote work that we saw in 2021 and continue to see in 2022 can lead to more costly security events. (Source: IBM, 2021)

    Remote work is here to stay, and the cost of a breach is higher when remote work is involved.

    The cost comes not only directly from payments but also indirectly from reputational loss. (Source: IBM, 2021)

    Security teams can participate in the solution

    The numbers are clear: in 2022, when we face a threat environment like WE’VE never EXPERIENCED before, good security is worth the investment

    $1.76 million

    Saved when zero trust is deployed facing a breach

    Zero trust controls are realistic and effective controls.

    Organizations that implement zero trust dramatically reduce the cost of an adverse security event.

    35%

    More costly if it takes more than 200 days to identify and contain a breach

    With increased BYOD and remote work, detection and response is more challenging than ever before – but it is also highly effective.

    Organizations that detect and respond to incidents quickly will significantly reduce the impact. (Source: IBM, 2021)

    Breaches are 34% less costly when mature zero trust is implemented.

    A fully staffed and well-prepared security team could save the cost through quick responses. (Source: IBM, 2021)

    Top security priorities and constraints in 2022

    Survey results

    As part of its research process for the 2022 Security Priorities Report, Info-Tech Research Group surveyed security and IT leaders (N=97) to ask their top security priorities as well as their main obstacles to security success in 2022:

    Top Priorities
    A list of the top three priorities identified in the survey with their respective percentages, 'Acquiring and retaining talent, 30%', 'Protecting against and responding to ransomware, 23%', and 'Securing a remote workforce, 23%'.

    Survey respondents were asked to force-rank their security priorities.

    Among the priorities chosen most frequently as #1 were talent management, addressing ransomware threats, and securing hybrid/remote work.

    		 Top Obstacles
    A list of the top three obstacles identified in the survey with their respective percentages, 'Staffing constraints, 31%', 'Demand of ever-changing business environment, 23%', and 'Budget constraints, 15%'.

    Talent management is both the #1 priority and the top obstacle facing security leaders in 2022.

    Unsurprisingly, the ever-changing environment in a world emerging from a pandemic and budget constraints are also top obstacles.

    We know the priorities…

    But what are security leaders actually working on?

    This report details what we see the world demanding of security leaders in the coming year.

    Setting aside the demands – what are security leaders actually working on?

    A list of 'Top security topics among Info-Tech members' with accompanying bars, 'Security Strategy', 'Security Policies', 'Security Operations', 'Security Governance', and 'Security Incident Response'.

    Many organizations are still mastering the foundations of a mature cybersecurity program.

    This is a good idea!

    Most breaches are still due to gaps in foundational security, not lack of advanced controls.

    We know the priorities…

    But what are security leaders actually working on?

    A list of industries with accompanying bars representing their demand for security. The only industry with a significant positive percentage is 'Government'. Security projects included in annual plan relative to industry.

    One industry plainly stands out from the rest. Government organizations are proportionally much more active in security than other industries, and for good reason: they are common targets.

    Manufacturing and professional services are proportionally less interested in security. This is concerning, given the recent targeting of supply chain and personal data holders by ransomware gangs.

    5 Security Priorities for 2022 Logo for Info-Tech. Logo for ITRG.

    People

    1. Acquiring and Retaining Talent
      Create a good working environment for existing and potential employees. Invest time and effort into talent issues to avoid being understaffed.
    2. Securing a Remote Workforce
      Create a secure environment for users and help your people build safe habits while working remotely.

    Process

    1. Securing Digital Transformation
      Build in security from the start and check in frequently to create agile and secure user experiences.

    Technology

    1. Adopting Zero Trust
      Manage access of sensitive information based on the principle of least privilege.
    2. Protecting Against and Responding to Ransomware
      Put in your best effort to build defenses but also prepare for a breach and know how to recover.

    Main Influencing Factors
    COVID-19 Pandemic
    The pandemic has changed the way we interact with technology. Organizations are universally adapting their business and technology processes to fit the post-pandemic paradigm.    		 Rampant Cybercrime Activity
    By nearly every conceivable metric, cybercrime is way up in the past two years. Cybercriminals smell blood and pose a more salient threat than before. Higher standards of cybersecurity capability are required to respond to this higher level of threat.    		 Remote Work and Workforce Reallocation
    Talented IT staff across the globe enabled an extraordinarily fast shift to remote and distance work. We must now reckon with the security and human resourcing implications of this huge shift.

    Acquire and Retain Talent

    Priority 01

    Security talent was in short supply before the pandemic, and it's even worse now.

    Executive summary

    Background

    Cybersecurity talent has been in short supply for years, but this shortage has inflected upward since the pandemic.

    The Great Resignation contributed to the existing talent gap. The pandemic has changed how people work as well as how and where they choose work. More and more senior workers are retiring early or opting for remote working opportunities.

    The cost to acquire cybersecurity talent is huge, and the challenge doesn’t end there. Retaining top talent can be equally difficult.

    Current situation

    • A 2021 survey by ESG shows that 76% of security professional agree it’s difficult to recruit talent, and 57% said their organization is affected by this talent shortage.
    • (ISC)2 reports there are 2.72 million unfilled job openings and an increasing workforce gap (2021).

    2.72 million unfilled cybersecurity openings (Source: (ISC)2, 2021)

    IT leaders must do more to attract and retain talent in 2022

    • Over 70% of IT professionals are considering quitting their jobs (TalentLMS, 2021). Meanwhile, 51% of surveyed cybersecurity professionals report extreme burnout during the last 12 months and many of them have considered quitting because of it (VMWare, 2021).
    • Working remotely makes it easier for people to look elsewhere, lowering the barrier to leaving.
    • This is a big problem for security leaders, as cybersecurity talent is in very short supply. The cost of acquiring and retaining quality cybersecurity staff in 2022 is significant, and many organizations are unwilling or unable to pay the premium.
    • Top talent will demand flexible working conditions – even though remote work comes with security risk.
    • Most smart, talented new hires in 2022 are demanding to work remotely most of the time.
    Top reasons for resignations in 2021
    Burnout 30%
    Other remote opportunities 20%
    Lack of growth opportunities 20%
    Poor culture 20%
    Acquisition concerns 10%
    (Source: Survey of West Coast US cybersecurity professionals; TechBeacon, 2021)

    Talent will be 2022’s #1 strength and #1 weakness

    Staffing obstacles in 2022:

    “Attracting and retaining talent is always challenging. We don’t pay as well and my org wants staff in the office at least half of the time. Most young, smart, talented new hires want to work remotely 100 percent of the time.“

    “Trying to grow internal resources into security roles.”

    “Remote work expectations by employees and refusal by business to accommodate.”

    “Biggest obstacle: payscales that are out of touch with cybersecurity market.”

    “Request additional staff. Obtaining funding for additional position is most significant obstacle.”

    (Info-Tech Tech Security Priorities Survey 2022)    		 Top obstacles in 2022:

    As you can see, respondents to our security priorities survey have strong feelings on the challenges of staffing a cybersecurity team.

    The growth of remote work means local talent can now be hired by anybody, vastly increasing your competition as an employer.

    Hiring local will get tougher – but so will hiring abroad. People who don’t want to relocate for a new job now have plenty of alternatives. Without a compelling remote work option, you will find non-local prospects unwilling to move for a new job.

    Lastly, many organizations are still reeling at the cost of experienced cybersecurity talent. Focused internal training and development will be the answer for many organizations.

    Recommended Actions

    Provide career development opportunities

    Many security professionals are dissatisfied with their unclear career development paths. To improve retention, organizations should provide their staff with opportunities and clear paths for career and skills advancement.

    		 Be open-minded when hiring

    To broaden the candidate pool, organizations should be open-minded when considering who to hire.

    • Enable remote work.
    • Do not fixate on certificates and years of experience; rather, be open to developing those who have the right interest and ability.
    • Consider using freelance workers.
    Facilitate work-life balance

    Many security professionals say they experience burnout. Promoting work-life balance in your organization can help retain critical skills.

    		 Create inclusive environment

    Hire a diverse team and create an inclusive environment where they can thrive.

    Talent acquisition and retention plan

    Use this template to explain the priorities you need your stakeholders to know about.

    Provide a brief value statement for the initiative.

    Address a top priority and a top obstacle with a plan to attract and retain top organizational and cybersecurity talent.

    Initiative Description:

    • Provide secure remote work capabilities for staff.
    • Work with HR to refine a hiring plan that addresses geographical and compensation gaps with cybersecurity and general staff.
    • Survey staff engagement to identify points of friction and remediate where needed.
    • Define a career path and growth plan for staff.
    		 Description must include what IT will undertake to complete the initiative.

    Primary Business Benefits:

    Arrow pointing down.
    Reduction in costs due to turnover and talent loss

    Other Expected Business Benefits:

    Arrow pointing up.
    Productivity due to good morale/ engagement    		 Arrow pointing up.
    Improved corporate culture
    		Align initiative benefits back to business benefits or benefits for the stakeholder groups that it impacts.

    Risks:

    • Big organizational and cultural changes
    • Increased attack surface of remote/hybrid workforce

    Related Info-Tech Research:

    Secure a Remote Workforce

    Priority 02

    Trends suggest remote work is here to stay. Addressing the risk of insecure endpoints can no longer be deferred.

    Executive summary

    Remote work poses unique challenges to cybersecurity teams. The personal home environment may introduce unauthorized people and unknown network vulnerabilities, and the organization loses nearly all power and influence over the daily cyber hygiene of its users.

    In addition, the software used for enabling remote work itself can be a target of cybersecurity criminals.

    Current situation

    • 70% of workers in technical services work from home.
    • Employees of larger firms and highly paid individuals are more likely to be working outside the office.
    • 80% of security and business leaders find that remote work has increased the risk of a breach.
      • (Source: StatCan, 2021)

    70% of tech workers work from home (Source: Statcan, 2021)

    Remote work demands new security solutions

    The security perimeter is finally gone

    The data is outside the datacenter.
    The users are outside the office.
    The endpoints are … anywhere and everywhere.

    Organizations that did not implement digital transformation changes following COVID-19 experience higher costs following a breach, likely because it is taking nearly two months longer, on average, to detect and contain a breach when more than 50% of staff are working remotely (IBM, 2021).

    In 2022 the cumulative risk of so many remote connections means we need to rethink how we secure the remote/hybrid workforce.

    		 Security
    • Distributed denial of service
    • DNS hijacking
    • Weak VPN protocols
    Identity
    • One-time verification allowing lateral movement
    		 Colorful tiles representing the surrounding security solutions. Network
    • Risk perimeter stops at corporate network edge
    • Split tunneling
    Authentication
    • Weak authentication
    • Weak password
    Access
    • Man-in-the-middle attack
    • Cross-site scripting
    • Session hijacking

    Recommended Actions

    Mature your identity management

    Compromised identity is the main vector to breaches in recent years. Stale accounts, contractor accounts, misalignment between HR and IT – the lack of foundational practices leads to headline-making breaches every week.
    Tighten up identity control to keep your organization out of the newspaper.

    		 Get a handle on your endpoints

    Work-from-home (WFH) often means unknown endpoints on unknown networks full of other unknown devices…and others in the home potentially using the workstation for non-work purposes. Gaining visibility into your endpoints can help to keep detection and resolution times short.
    Educate users

    Educate everyone on security best practices when working remotely:

    • Apply secure settings (not just defaults) to the home network.
    • Use strong passwords.
    • Identify suspicious email.
    		 Ease of use

    Many workers complain that the corporate technology solution makes it difficult to get their work done.

    Employees will take productivity over security if we force them to choose, so IT needs to listen to end users’ needs and provide a solution that is nimble and secure.

    Roadmap to securing remote/hybrid workforce

    Use this template to explain the priorities you need your stakeholders to know about.

    Provide a brief value statement for the initiative.

    The corporate network now extends to the internet – ensure your security plan has you covered.

    Initiative Description:

    • Reassess enterprise security strategy to include the WFH attack surface (especially endpoint visibility).
    • Ensure authentication requirements for remote workers are sufficient (e.g. MFA, strong passwords, hardware tokens for high-risk users/connections).
    • Assess the value of zero trust networking to minimize the blast radius in the case of a breach.
    • Perform penetration testing annually.
    		Description must include what IT will undertake to complete the initiative.

    Primary Business Benefits:

    Arrow pointing down.


    Reduced cost of security incidents/reputational damage

    Other Expected Business Benefits:

    Arrow pointing up.
    Improved ability to attract and retain talent    		 Arrow pointing up.
    Increased business adaptability
    		Align initiative benefits back to business benefits or benefits for the stakeholder groups that it impacts.

    Risks:

    • Potential disruption to traditional working patterns
    • Cost of investing in WFH versus risk of BYOD

    Related Info-Tech Research:

    Secure Digital Transformation

    Priority 03

    Digital transformation could be a competitive advantage…or the cause of your next data breach.

    Executive summary

    Background

    Digital transformation is occurring at an ever-increasing rate these days. As Microsoft CEO Satya Nadella said early in the pandemic, “We’ve seen two years’ worth of digital transformation in two months.”

    We have heard similar stories from Info-Tech members who deployed rollouts that were scheduled to take months over a weekend instead.

    Microsoft’s own shift to rapidly expand its Teams product is a prime example of how quickly the digital landscape has changed. The global adaption to a digital world has largely been a success story, but rapid change comes with risk, and there is a parallel story of rampant cyberattacks like we have never seen before.

    Insight

    There is an adage that “slow is smooth, and smooth is fast” – the implication being that fast is sloppy. In 2022 we’ll see a pattern of organizations working to catch up their cybersecurity with the transformations we all made in 2020.

    $1.78 trillion expected in digital transformation investments (Source: World Economic Forum, 2021)

    An ounce of security prevention versus a pound of cure

    The journey of digital transformation is a risky one.

    Digital transformations often rely heavily on third-party cloud service providers, which increases exposure of corporate data.

    Further, adoption of new technology creates a new threat surface that must be assessed, mitigations implemented, and visibility established to measure performance.

    However, digital transformations are often run on slim budgets and without expert guidance.

    Survey respondents report as much: rushed deployments, increased cloud migration, and shadow IT are the top vulnerabilities reported by security leaders and executives.

    In a 2020 Ponemon survey, 82% of IT security and C-level executives reported experiencing at least one data breach directly resulting from a digital transformation they had undergone.

    Scope creep is inevitable on any large project like a digital transformation. A small security shortcut early in the project can have dire consequences when it grows to affect personal data and critical systems down the road.

    Recommended Actions

    Engage the business early and often

    Despite the risks, organizations engage in digital transformations because they also have huge business value.

    Security leaders should not be seeking to slow or stop digital transformations; rather, we should be engaging with the business early to get ahead of risks and enable successful transformation.

    		 Establish a vendor security program

    Data is moving out of datacenters and onto third-party environments. Without security requirements built into agreements, and clear visibility into vendor security capabilities, that data is a major source of risk.

    A robust vendor security program will create assurance early in the process and help to reinforce the responsibility of securing data with other parts of the organization.
    Build/revisit your security strategy

    The threat surface has changed since before your transformation. This is the right time to revisit or rebuild your security strategy to ensure that your control set is present throughout the new environment – and also a great opportunity to show how your current security investments are helping secure your new digital lines of business!

    		 Educate your key players

    Only 16% of security leaders and executives report alignment between security and business processes during digital transformation.

    If security is too low a priority, then key players in your transformation efforts are likely unaware of how security risks impact their own success. It will be incumbent upon the CISO to start that conversation.

    Securing digital transformation

    Use this template to explain the priorities you need your stakeholders to know about.

    Provide a brief value statement for the initiative.

    Ensure your investment in digital transformation is appropriately secured.

    Initiative Description:

    • Engage security with digital transformation and relevant governance structures (steering committees) to ensure security considerations are built into digital transformation planning.
    • Incorporate security stage gates in project management procedures.
    • Establish a vendor security assessment program.
    		Description must include what IT will undertake to complete the initiative.

    Primary Business Benefits:

    Arrow pointing up.


    Increased likelihood of digital transformation success

    Other Expected Business Benefits:

    Arrow pointing up.
    Ability to make informed decisions for the field rep strategy     		Arrow pointing down.
    Reduced long-term cost of digital transformation
    		Align initiative benefits back to business benefits or benefits for the stakeholder groups that it impacts.

    Risks:

    • Potential increased up front cost (reduced long-term cost)
    • Potential slowed implementation with security stage gates in project management

    Related Info-Tech Research:

    Adopt Zero Trust

    Priority 04

    Governments are recognizing the importance of zero trust strategies. So should your organization.

    Why now for zero trust?

    John Kindervag modernized the concept of zero trust back in 2010, and in the intervening years there has been enormous interest in cybersecurity circles, yet in 2022 only 30% of organizations report even beginning to roll out zero trust capabilities (Statista, 2022).

    Why such little action on a revolutionary and compelling model?

    Zero trust is not a technology; it is a principle. Zero trust adoption takes concerted planning, effort, and expense, for which the business value has been unclear throughout most of the last 10 years. However, several recent developments are changing that:

    • Securing technology has become very hard! The size, complexity, and attack surface of IT environments has grown significantly – especially since the pandemic.
    • Cyberattacks have become rampant as the cost to deploy harmful ransomware has become lower and the impact has become higher.
    • The shift away from on-premises datacenters and offices created an opening for zero trust investment, and zero trust technology is more mature than ever before.

    The time has come for zero trust adoption to begin in earnest.

    97% will maintain or increase zero trust budget (Source: Statista, 2022)

    Traditional perimeter security is not working

    Zero trust directly addresses the most prevalent attack vectors today

    A hybrid workforce using traditional VPN creates an environment where we are exposed to all the risks in the wild (unknown devices at any location on any network), but at a stripped-down security level that still provides the trust afforded to on-premises workers using known devices.

    What’s more, threats such as ransomware are known to exploit identity and remote access vulnerabilities before moving laterally within a network – vectors that are addressed directly by zero trust identity and networking. Ninety-three percent of surveyed zero trust adopters state that the benefits have matched or exceeded their expectations (iSMG, 2022).

    Top reasons for building a zero trust program in 2022

    (Source: iSMG, 2022)

    44%

    Enforce least privilege access to critical resources

    44%

    Reduce attacker ability to move laterally

    41%

    Reduce enterprise attack surface

    The business case for zero trust is clearer than ever

    Prior obstacles to Zero Trust are disappearing

    A major obstacle to zero trust adoption has been the sheer cost, along with the lack of business case for that investment. Two factors are changing that paradigm in 2022:

    The May 2021 US White House Executive Order for federal agencies to adopt zero trust architecture finally placed zero trust on the radar of many CEOs and board members, creating the business interest and willingness to consider investing in zero trust.

    In addition, the cost of adopting zero trust is quickly being surpassed by the cost of not adopting zero trust, as cyberattacks become rampant and successful zero trust deployments create a case study to support investment.

    Bar chart titled 'Cost to remediate a Ransomware attack' with bars representing the years '2021' and '2020'. 2021's cost sits around $1.8M while 2020's was only $750K The cost to remediate a ransomware attack more than doubled from 2020 to 2021. Widespread adoption of zero trust capabilities could keep that number from doubling again in 2022. (Source: Sophos, 2021)

    The cost of a data breach is on average $1.76 million less for organizations with mature zero trust deployments.

    That is, the cost of a data breach is 35% reduced compared to organizations without zero trust controls. (Source: IBM, 2021)

    Recommended Actions

    Start small

    Don’t put all your eggs in one basket by deploying zero trust in a wide swath. Rather, start as small as possible to allow for growing pains without creating business friction (or sinking your project altogether).

    		 Build a sensible roadmap

    Zero trust principles can be applied in a myriad of ways, so where should you start? Between identities, devices, networking, and data, decide on a use case to do pilot testing and then refine your approach.
    Beware too-good-to-be-true products

    Zero trust is a powerful buzzword, and vendors know it.

    Be skeptical and do your due diligence to ensure your new security partners in zero trust are delivering what you need.

    Zero trust roadmap

    Use this template to explain the priorities you need your stakeholders to know about.

    Provide a brief value statement for the initiative.

    Develop a practical roadmap that shows the business value of security investment.

    Initiative Description:

    • Define desired business and security outcomes from zero trust adoption.
    • Assess zero trust readiness.
    • Build roadmaps for zero trust:
      1. Identity
      2. Networking
      3. Devices
      4. Data
    		Description must include what IT will undertake to complete the initiative.

    Primary Business Benefits:

    Arrow pointing up.


    Increased security posture and business agility

    Other Expected Business Benefits:

    Arrow pointing down.
    Reduced impact of security events    		 Arrow pointing down.
    Reduced cost of managing complex control set    		 Arrow pointing up.
    More secure business transformation (i.e. cloud/digital)
    		Align initiative benefits back to business benefits or benefits for the stakeholder groups that it impacts.

    Risks:

    • Learning curve of implementation (start small and slow)
    • Transition from current control set to zero trust model

    Related Info-Tech Research:

    Protect Against and Respond to Ransomware

    Priority 05

    Ransomware is still the #1 threat to the safety of your data.

    Executive summary

    Background

    • Ransomware attacks have transformed in 2021 and show no sign of slowing in 2022. There is a new major security breach every week, despite organizations spending over $150 billion in a year on cybersecurity (Nasdaq, 2021).
    • Ransomware as a service (RaaS) is commonplace, and attackers are doubling down by holding encrypted data ransom and also demanding payment under threat to disclose exfiltrated data – and they are making good on their threats.
    • The global cost of ransomware is expected to rise to $265 billion by 2031 (Cybersecurity Ventures, 2021).
    • We expect to see an increase in ransomware incidents in 2022, both in severity and volume – multiple attacks and double extortion are now the norm.
    • High staff turnover increases risk because new employees are unfamiliar with security protocols.

    150% increase ransomware attacks in 2020 (Source: ENISA)

    This is a new golden age of ransomware

    What is the same in 2022

    Unbridled ransomware attacks make it seem like attackers must be using complex new techniques, but prevalent ransomware attack vectors are actually well understood.

    Nearly all modern variants are breaching victim systems in one of three ways:

    • Email phishing
    • Software vulnerabilities
    • RDP/Remote access compromise
      •
    		What is new in 2022
    The sophistication of victim targeting

    Victims often find themselves asking, “How did the attackers know to phish the most security-oblivious person in my staff?” Bad actors have refined their social engineering and phishing to exploit high-risk individuals, meaning your chain is only as strong as the weakest link.

    Ability of malware to evade detection

    Modern ransomware is getting better at bypassing anti-malware technology, for example, through creative techniques such as those seen in the MedusaLocker variant and in Ghost Control attacks.

    Effective anti-malware is still a must-have control, but a single layer of defense is no longer enough. Any organization that hopes to avoid paying a ransom must prepare to detect, respond, and recover from an attack.

    Many leaders still don’t know what a ransomware recovery would look like

    Do you know what it would take to recover from a ransomware incident?

    …and does your executive leadership know what it would take to recover?

    The organizations that are most likely to pay a ransom are unprepared for the reality of recovering their systems.

    If you have not done a tabletop or live exercise to simulate a true recovery effort, you may be exposed to more risk than you realize.

    		 Are your defenses sufficiently hardened against ransomware?

    Organizations with effective security prevention are often breached by ransomware – but they are prepared to contain, detect, and eradicate the infection.

    Ask yourself whether you have identified potential points of entry for ransomware. Assume that your security controls will fail.

    How well are your security controls layered, and how difficult would it be for an attacker to move east/west within your systems?

    Recommended Actions

    Be prepared for a breach

    There is no guarantee that an organization will not fall victim to ransomware, so instead of putting all their effort into prevention, organizations should also put effort into planning to respond to a breach.

    		 Security awareness training/phishing detection

    Phishing continues to be the main point of entry for ransomware. Investing in phishing awareness and detection among your end users may be the most impactful countermeasure you can implement.
    Zero trust adoption

    Always verify at every step of interaction, even when access is requested by internal users. Manage access of sensitive information based on the principle of least privilege access.

    		 Encrypt and back up your data

    Encrypt your data so that even if there is a breach, the attackers don’t have a copy of your data. Also, keep regular backups of data at a separate location so that you still have data to work with after a breach occurs.

    You never want to pay a ransom. Being prepared to deal with an incident is your best chance to avoid paying!

    Prevent and respond to ransomware

    Use this template to explain the priorities you need your stakeholders to know about.

    Provide a brief value statement for the initiative.

    Determine your current readiness, response plan, and projects to close gaps.

    Initiative Description:

    • Execute a systematic assessment of your current security and ransomware recovery capabilities.
    • Perform tabletop activities and live recoveries to test data recovery capabilities.
    • Train staff to detect suspicious communications and protect their identities.
    		Description must include what IT will undertake to complete the initiative.

    Primary Business Benefits:

    Arrow pointing up.


    Improved productivity and brand protection

    Other Expected Business Benefits:

    Arrow pointing down.
    Reduced downtime and disruption    		 Arrow pointing down.
    Reduced cost due to incidents (ransom payments, remediation)
    		Align initiative benefits back to business benefits or benefits for the stakeholder groups that it impacts.

    Risks:

    • Friction with existing staff

    Related Info-Tech Research:

    Deepfakes: Dark-horse threat for 2022

    Deepfake video

    How long has it been since you’ve gone a full workday without having a videoconference with someone?

    We have become inherently trustful that the face we see on the screen is real, but the technology required to falsify that video is widely available and runs on commercially available hardware, ushering in a genuinely post-truth online era.

    Criminals can use deepfakes to enhance social engineering, to spread misinformation, and to commit fraud and blackmail.

    Deepfake audio

    Many financial institutions have recently deployed voiceprint authentication. TD describes its VoicePrint as “voice recognition technology that allows us to use your voiceprint – as unique to you as your fingerprint – to validate your identity” over the phone.

    However, hackers have been defeating voice recognition for years already. There is ripe potential for voice fakes to fool both modern voice recognition technology and the accounts payable staff.

    Bibliography

    “2021 Ransomware Statistics, Data, & Trends.” PurpleSec, 2021. Web.

    Bayern, Macy. “Why 60% of IT security pros want to quit their jobs right now.” TechRepublic, 10 Oct. 2018. Web.

    Bresnahan, Ethan. “How Digital Transformation Impacts IT And Cyber Risk Programs.” CyberSaint Security, 25 Feb. 2021. Web.

    Clancy, Molly. “The True Cost of Ransomware.” Backblaze, 9 Sept. 2021.Web.

    “Cost of a Data Breach Report 2021.” IBM, 2021. Web.

    Cybersecurity Ventures. “Global Ransomware Damage Costs To Exceed $265 Billion By 2031.” Newswires, 4 June 2021. Web.

    “Digital Transformation & Cyber Risk: What You Need to Know to Stay Safe.” Ponemon Institute, June 2020. Web.

    “Global Incident Response Threat Report: Manipulating Reality.” VMware, 2021.

    Granger, Diana. “Karmen Ransomware Variant Introduced by Russian Hacker.” Recorded Future, 18 April 2017. Web.

    “Is adopting a zero trust model a priority for your organization?” Statista, 2022. Web.

    “(ISC)2 Cybersecurity Workforce Study, 2021: A Resilient Cybersecurity Profession Charts the Path Forward.” (ISC)2, 2021. Web.

    Kobialka, Dan. “What Are the Top Zero Trust Strategies for 2022?” MSSP Alert, 10 Feb. 2022. Web.

    Kost, Edward. “What is Ransomware as a Service (RaaS)? The Dangerous Threat to World Security.” UpGuard, 1 Nov. 2021. Web.

    Lella, Ifigeneia, et al., editors. “ENISA Threat Landscape 2021.” ENISA, Oct. 2021. Web.

    Mello, John P., Jr. “700K more cybersecurity workers, but still a talent shortage.” TechBeacon, 7 Dec. 2021. Web.

    Naraine, Ryan. “Is the ‘Great Resignation’ Impacting Cybersecurity?” SecurityWeek, 11 Jan. 2022. Web.

    Oltsik, Jon. “ESG Research Report: The Life and Times of Cybersecurity Professionals 2021 Volume V.” Enterprise Security Group, 28 July 2021. Web.

    Osborne, Charlie. “Ransomware as a service: Negotiators are now in high demand.” ZDNet, 8 July 2021. Web.

    Osborne, Charlie. “Ransomware in 2022: We’re all screwed.” ZDNet, 22 Dec. 2021. Web.

    “Retaining Tech Employees in the Era of The Great Resignation.” TalentLMS, 19 Oct. 2021. Web.

    Rubin, Andrew. “Ransomware Is the Greatest Business Threat in 2022.” Nasdaq, 7 Dec. 2021. Web.

    Samartsev, Dmitry, and Daniel Dobrygowski. “5 ways Digital Transformation Officers can make cybersecurity a top priority.“ World Economic Forum, 15 Sept. 2021. Web.

    Seymour, John, and Azeem Aqil. “Your Voice is My Passport.” Presented at black hat USA 2018.

    Solomon, Howard. “Ransomware attacks will be more targeted in 2022: Trend Micro.” IT World Canada, 6 Jan. 2022. Web.

    “The State of Ransomware 2021.” Sophos, April 2021. Web.

    Tarun, Renee. “How The Great Resignation Could Benefit Cybersecurity.” Forbes Technology Council, Forbes, 21 Dec. 2021. Web.

    “TD VoicePrint.” TD Bank, n.d. Web.

    “Working from home during the COVID-19 pandemic, April 202 to June 2021.” Statistics Canada, 4 Aug. 2021. Web.

    “Zero Trust Strategies for 2022.” iSMG, Palo Alto Networks, and Optiv, 28 Jan. 2022. Web.

    Generative AI: Market Primer

    • Buy Link or Shortcode: {j2store}349|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Data Management
    • Parent Category Link: /data-management
    • Much of the organization remains in the dark for understanding what Gen AI is, complicated by ambiguous branding from vendors claiming to provide Gen AI solutions.
    • Searching the market for a Gen AI platform is nearly impossible, owing to the sheer number of vendors.
    • The evaluative criteria for selecting a Gen AI platform are unclear.

    Our Advice

    Critical Insight

    • You cannot rush Gen AI selection and implementation. Organizations with (1) FTEs devoted to making Gen AI work (including developers and business intelligence analysts), (2) trustworthy and regularly updated data, and (3) AI governance are just now reaching PoC testing.
    • Gen AI is not a software category – it is an umbrella concept. Gen AI platforms will be built on different foundational models, be trained in different ways, and provide varying modalities. Do not expect Gen AI platforms to be compared against the same parameters in a vendor quadrant.
    • Bad data is the tip of the iceberg for Gen AI risks. While Gen AI success will be heavily reliant on the quality of data it is fine-tuned on, there are independent risks organizations must prepare for, from Gen AI hallucinations and output reliability to infrastructure feasibility and handling high-volume events.
    • Prepare for ongoing instability in the Gen AI market. If your organization is unsure about where to start with Gen AI, the secure route is to examine what your enterprise providers are offering. Use this as a learning platform to confidently navigate which specialized Gen AI provider will be viable for meeting your use cases.

    Impact and Result

    • Consensus on Gen AI scope and key Gen AI capabilities
    • Identification of your readiness to leverage Gen AI applications
    • Agreement on Gen AI evaluative criteria
    • Knowledge of vendor viability

    Generative AI: Market Primer Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Generative AI: Market Primer – Contextualize the marketspace and prepare for generative AI selection.

    Use Info-Tech’s best practices for setting out a selection roadmap and evaluative criteria for narrowing down vendors – both enterprise and specialized providers.

    • Generative AI: Market Primer Storyboard
    • Data Governance Policy
    • AI Governance Storyboard
    • AI Architecture Assessment and Project Planning Tool
    • AI Architecture Assessment and Project Planning Tool – Sample
    • AI Architecture Templates
    [infographic]

    Further reading

    Generative AI: Market Primer

    Cut through Gen AI buzzwords to achieve market clarity.

    Analyst Perspective

    The generative AI (Gen AI) marketspace is complex, nascent, and unstable.

    Organizations need to get clear on what Gen AI is, its infrastructural components, and the governance required for successful platform selection.

    Thomas Randall

    The urge to be fast-moving to leverage the potential benefits of Gen AI is understandable. There are plenty of opportunities for Gen AI to enrich an organization’s use cases – from commercial to R&D to entertainment. However, there are requisites an organization needs to get right before Gen AI can be effectively applied. Part of this is ensuring data and AI governance is well established and mature within the organization. The other part is contextualizing Gen AI to know what components of this market the organization needs to invest in.

    Owing to its popularity surge, OpenAI’s ChatGPT has become near synonymous with Gen AI. However, Gen AI is an umbrella concept that encompasses a variety of infrastructural architecture. Organizations need to ask themselves probing questions if they are looking to work with OpenAI: Does ChatGPT rest on the right foundational model for us? Does ChatGPT offer the right modalities to support our organization’s use cases? How much fine-tuning and prompt engineering will we need to perform? Do we require investment in on-premises infrastructure to support significant data processing and high-volume events? And do we require FTEs to enable all this infrastructure?

    Use this market primer to quickly get up to speed on the elements your organization might need to make the most of Gen AI.

    Thomas Randall

    Advisory Director, Info-Tech Research Group

    Executive Summary

    Your Challenge

    • Much of the organization remains in the dark for understanding what Gen AI is, complicated by ambiguous branding from vendors claiming to provide Gen AI solutions.
    • Searching the market for a Gen AI platform is near impossible, owing to the sheer number of vendors.
    • The evaluative criteria for selecting a Gen AI platform is unclear.

    Common Obstacles

    • Data governance is immature within the organization. There is no source of truth or regularly updated organizational process assets.
    • AI functionality is not well understood within the organization; there is little AI governance for monitoring and controlling its use.
    • The extent of effort and resources required to make Gen AI a success remains murky.

    Info-Tech's Solution

    This market primer for Gen AI will help you:

    1. Contextualize the Gen AI market: Learn what components of Gen AI an organization should consider to make Gen AI a success.
    2. Prepare for Gen AI selection: Use Info-Tech’s best practices for setting out a selection roadmap and evaluative criteria for narrowing down vendors – both enterprise and specialized providers.

    “We are entering the era of generative AI.
    This is a unique time in our history where the benefits of AI are easily accessible and becoming pervasive with co-pilots emerging in the major business tools we use today. The disruptive capabilities that can potentially drive dramatic benefits also introduces risks that need to be planned for.”

    Bill Wong, Principal Research Director – Data and BI, Info-Tech Research Group

    Who benefits from this project?

    This research is designed for:

    • Senior IT, developers, data staff, and project managers who:
      • Have received a mandate from their executives to begin researching the Gen AI market.
      • Need to quickly get up to speed on the state of the Gen AI market, given no deep prior knowledge of the space.
      • Require an overview of the different components to Gen AI to contextualize how vendor comparisons and selections can be made.
      • Want to gain an understanding of key trends, risks, and evaluative criteria to consider in their selection process.

    This research will help you:

    • Articulate the potential business value of Gen AI to your organization.
    • Establish which high-value use cases could be enriched by Gen AI functionality.
    • Assess vendor viability for enterprise and specialized software providers in the Gen AI marketspace.
    • Collect information on the prerequisites for implementing Gen AI functionality.
    • Develop relevant evaluative criteria to assist differentiating between shortlisted contenders.

    This research will also assist:

    • Executives, business analysts, and procurement teams who are stakeholders in:
      • Contextualizing the landscape for learning opportunities.
      • Gathering and documenting requirements.
      • Building deliverables for software selection projects.
      • Managing vendors, especially managing the relationships with incumbent enterprise software providers.

    This research will help you:

    • Identify examples of how Gen AI applications could be leveraged for your organization’s core use cases.
    • Verify the extent of Gen AI functionality an incumbent enterprise provider has.
    • Validate accuracy of Gen AI language and architecture referenced in project deliverables.

    Insight Summary

    You cannot speedrun Gen AI selection and implementation.

    Organizations with (1) FTEs devoted to making Gen AI work (including developers and business intelligence analysts), (2) trustworthy and regularly updated data, and (3) AI governance are just now reaching PoC testing.

    Gen AI is not a software category – it is an umbrella concept.

    Gen AI platforms will be built on different foundational models, be trained in different ways, and provide varying modalities. Do not expect to compare Gen AI platforms to the same parameters in a vendor quadrant.

    Bad data is the tip of the iceberg for Gen AI risks.

    While Gen AI success will be heavily reliant on the quality of data it is fine-tuned on, there are independent risks organizations must prepare for: from Gen AI hallucinations and output reliability to infrastructure feasibility to handle high-volume events.

    Gen AI use may require changes to sales incentives.

    If you plan to use Gen AI in a commercial setting, review your sales team’s KPIs. They are rewarded for sales velocity; if they are the human-in-the-loop to check for hallucinations, you must change incentives to ensure quality management.

    Prepare for ongoing instability in the Gen AI market.

    If your organization is unsure about where to start with Gen AI, the secure route is to examine what your enterprise providers are offering. Use this as a learning platform to confidently navigate which specialized Gen AI provider will be viable for meeting your use cases.

    Brace for a potential return of on-premises infrastructure to power Gen AI.

    The market trend has been for organizations to move to cloud-based products. Yet, for Gen AI, effective data processing and fine-tuning may call for organizations to invest in on-premises infrastructure (such as more GPUs) to enable their Gen AI to function effectively.

    Info-Tech’s methodology for understanding the Gen AI marketspace

    Phase Steps

    1. Contextualize the Gen AI marketplace

    1. Define Gen AI and its components.
    2. Explore Gen AI trends.
    3. Begin deriving Gen AI initiatives that align with business capabilities.

    2. Prepare for and understand Gen AI platform offerings

    1. Review Gen AI selection best practices and requisites for effective procurement.
    2. Determine evaluative criteria for Gen AI solutions.
    3. Explore Gen AI offerings with enterprise and specialized providers.
    Phase Outcomes
    1. Achieve consensus on Gen AI scope and key Gen AI capabilities.
    2. Identify your readiness to leverage Gen AI applications.
    3. Hand off to Build Your Generative AI Roadmap to complete pre-requisites for selection.
    1. Determine whether deeper data and AI governance is required; if so, hand off to Create an Architecture for AI.
    2. Gain consensus on Gen AI evaluative criteria.
    3. Understand vendor viability.

    Guided Implementation

    Phase 1

    Phase 2
    • Call #1: Discover if Gen AI is right for your organization. Understand what a Gen AI platform is and discover the art of the possible.
    • Call #2: To take advantage of Gen AI, perform a business capabilities analysis to begin deriving Gen AI initiatives.
    • Call #3: Explore whether Gen AI initiatives can be achieved either with incumbent enterprise players or via procurement of specialized solutions.
    • Call #4: Evaluate vendors and perform final due diligence.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    The Gen AI market evaluation process should be broken into segments:

    1. Gen AI market education with this primer
    2. Structured approach to selection
    3. Evaluation and final due diligence

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful"

    Guided Implementation

    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

    Workshop

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting

    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks are used throughout all four options.

    Software selection engagement

    Five advisory calls over a five-week period to accelerate your selection process

    • Receive expert analyst guidance over five weeks (on average) to select and negotiate software.
    • Save money, align stakeholders, speed up the process, and make better decisions.
    • Use a repeatable, formal methodology to improve your application selection process.
    • Get better, faster results guaranteed, included in membership.
    Software selection process timeline. Week 1: Awareness - 1 hour call, Week 2: Education & Discovery - 1 hour call, Week 3: Evaluation - 1 hour call, Week 4: Selection - 1 hour call, Week 5: Negotiation & Configuration - 1 hour call.

    Click here to book your selection engagement.

    Software selection workshops

    40 hours of advisory assistance delivered online.

    Select better software, faster.

    • 40 hours of expert analyst guidance
    • Project and stakeholder management assistance
    • Save money, align stakeholders, speed up the process, and make better decisions
    • Better, faster results guaranteed; 25K standard engagement fee
    Software selection process timeline. Week 1: Awareness - 5 hours of Assistance, Week 2: Education & Discovery - 10 hours of assistance, Week 3: Evaluation - 10 hours of assistance, Week 4: Selection - 10 hours of assistance, Week 5: Negotiation & Configuration - 10 hours of assistance.

    Click here to book your workshop engagement.

    10 Secrets for Successful Disaster Recovery in the Cloud

    • Buy Link or Shortcode: {j2store}419|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: $12,096 Average $ Saved
    • member rating average days saved: 20 Average Days Saved
    • Parent Category Name: DR and Business Continuity
    • Parent Category Link: /business-continuity
    • The pay-per-use pricing structure of cloud services make it a cheaper DR option, but there are gotchas you need to avoid, ranging from unexpected licensing costs to potential security vulnerabilities.
    • You likely started on the path to cloud DR with consideration of cloud storage for offsite retention of backups. Systems recovery in the cloud can be a real value-add to using cloud as a backup target.
    • Your cloud-based DR environment has to be secure and compliant, but performance also has to be “good enough” to operate the business.
    • Location still matters, and selecting the DR site that optimizes latency tolerance and geo-redundancy can be difficult.

    Our Advice

    Critical Insight

    • Keep your systems dormant until disaster strikes. Prepare as much of your environment as possible without tapping into compute resources. Enjoy the low at-rest costs, and leverage the reliability of the cloud in your failover.
    • Avoid failure on the failback! Bringing up your systems in the cloud is a great temporary solution, but an expensive long-term strategy. Make sure you have a plan to get back on premises.
    • Leverage cloud DR as a start for cloud migration. Cloud DR provides a gateway for broader infrastructure lift and shift to cloud IaaS, but this should only be the first phase of a longer-term roadmap that ends in multi-service hybrid cloud.

    Impact and Result

    • Calculate the cost of your DR solution with a cloud vendor. Test your systems often to build out more accurate budgets and to define failover and failback action plans to increase confidence in your capabilities.
    • Define “good enough” performance by consulting with the business and setting correct expectations for the recovery state.
    • Dig deeper into the various flavors of cloud-based DR beyond backup and restore, including pilot light, warm standby, and multi-site recovery. Each of these has unique benefits and challenges when done in the cloud.

    10 Secrets for Successful Disaster Recovery in the Cloud Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out the 10 secrets for success in cloud-based DR deployment, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    [infographic]

    Data Protection Notice

    Tymans Group BV processes personal information in compliance with this privacy statement. For further information, questions or comments on our privacy policy, please contact Gert Taeymans at https://tymansgroup.com/gdpr-contact.

    Purposes of the processing

    Tymans Group BV collects and processes customers’ personal data for customer and order management (customer administration, order / delivery follow-up, invoicing, solvency follow-up, profiling and the sending of marketing and personalised advertising).

    Legal foundation for the processing

    Personal data is processed based on several provisions of Article 6.1.

    (a)  consent, which you can revoke at any time,

    (b) required for the implementation of an agreement between you and Tymans Group BV, eg. when you enter into a contract with us,

    (c)  required to satisfy a legal obligation

    (f)  (required for the protection of our legitimate interest in entrepreneurship)] of the General Data Protection Regulation. An actual data item may be subject to multiple provisions.

    Insofar as the processing of personal data takes place based on Article 6.1. a) (consent), customers always have the right to withdraw the given consent.

    Transfer to third parties

    If required to achieve the set purposes, your personal data will be shared with other companies within the European Economic Area, which are linked directly or indirectly with Gert Taeymans BV or with any other partner of Tymans Group BV

    Tymans Group BV guarantees that these recipients will take the necessary technical and organisational measures for the protection of personal data.

    Third party categories that are subject to this provision are:

        Accounting
        Hosting
        Software Engineering (when you order websites or custom development with us)
        Social Media (only as part of Social Media Marketing contracted services by you)

    Due to the ECJ striking down the  EU-US Privacy Shield agreement, this leaves us with a open gap. The resulting implications and actions to take are not yet clear. You must be aware that one can argue that any data transfer from the EU towards the US is now in breach of the law. Other argue that necessary transfers are still allowed, whithout however defining, as far as we know, what "necessary" actually means. This website runs on servers within the EU. We also closely follow the opinions by the scholars and our regulator.

    Retention period

    Personal data processed for customer management will be stored for the time necessary to satisfy legal requirements (in terms of bookkeeping, among others).

    Right to inspection, improvement, deletion, limitation, objection and transferability of personal data

    You have at all times the right to inspect your personal data and can have it improved should it be incorrect or incomplete, have it removed, limit its processing an object to the processing of their personal data based on Article 6.1 (f), including profiling based on said provisions. Any personal data however that is needed for the legal processing of your order cannot be removed after you placed an order, as we need to keep it for legal purposes.

    Furthermore, you are entitled to obtain a copy of your personal data and to have said personal data forwarded to another company.

    In order to exercise the aforementioned rights, you are requested to send an e-mail the following address: dataprivacy@tymansgroup.com.

    Direct marketing

    You are entitled to object free of charge to the processing of any processing of their personal data aimed at direct marketing.

    Complaint

    You have the right to file a complaint with the Belgian Privacy Protection Commission (35 Rue de la Presse, 1000 Brussels - contact@adp-gba.be - 02/ 274 48 00 or 02/ 274 48 35).

    Take the First Steps to Embrace Open-Source Software

    • Buy Link or Shortcode: {j2store}164|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Development
    • Parent Category Link: /development

    Your organization is looking to invest in new software or a tool to solve key business and IT problems. They see open source as a viable option given the advertised opportunities and the popularity of many open-source projects, but they have concerns:

    • Despite the longevity and broad adoption of open-source software, stakeholders are hesitant about its long-term viability and the costs of ongoing support.
    • A clear direction and strategy are needed to align the expected value of open source to your stakeholders’ priorities and gain the funding required to select, implement, and support open-source software.

    Our Advice

    Critical Insight

    • Position open source in the same light as commercial software. The continuous improvement and evolution of popular open-source software and communities have established a reputation for reliability in the industry.
    • Consider open source as another form of outsource development. Open source is externally developed software where the code is accessible and customizable. Code quality may not align to your organization’s standards, which can require extensive testing and optimization.
    • Treat open source as any internally developed solution. Configurations, integrations, customizations, and orchestrations of open-source software are often done at the code level. While some community support is provided, most of the heavy lifting is done by the applications team.

    Impact and Result

    • Outline the value you expect to gain. Discuss current business and IT priorities, use cases, and value opportunities to determine what to expect from open-source versus commercial software.
    • Define your open-source selection criteria. Clarify the driving factors in your evaluation of open-source and commercial software using your existing IT procurement practices as a starting point.
    • Assess the readiness of your team. Clarify the roles, processes, and tools needed for the implementation, use, and maintenance of open-source software.

    Take the First Steps to Embrace Open-Source Software Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Take the First Steps to Embrace Open-Source Software Storyboard – A guide to learn the fit, value, and considerations of open-source software.

    This research walks you through the misconceptions about open source, factors to consider in its selection, and initiatives to prepare your teams for its adoption.

    • Take the First Steps to Embrace Open-Source Software Storyboard

    2. Open-Source Readiness Assessment – A tool to help you evaluate your readiness to embrace open-source software in your environment.

    Use this tool to identify key gaps in the people, processes, and technologies needed to support open source in your organization. It also contains a canvas to facilitate discussions about expectations with your stakeholders and applications teams.

    • Open-Source Readiness Assessment
    [infographic]

    Further reading

    Take the First Steps to Embrace Open-Source Software

    Begin to understand what is required to embrace open-source software in your organization.

    Analyst Perspective

    With great empowerment comes great responsibilities.

    Open-source software promotes enticing technology and functional opportunities to any organization looking to modernize without the headaches of traditional licensing. Many organizations see the value of open source in its ability to foster innovation, be flexible to various use cases and system configurations, and give complete control to the teams who are using and managing it.

    However, open source is not free. While the software is freely and easily accessible, its use and sharing are bound by its licenses, and its implementation requires technical expertise and infrastructure investments. Your organization must be motivated and capable of taking on the various services traditionally provided and managed by the vendor.

    Photo of Andrew Kum-Seun

    Andrew Kum-Seun
    Research Director,
    Application Delivery and Application Management
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Your organization is looking to invest in new software or a tool to solve key business and IT problems. They see open source as a viable option because of the advertised opportunities and the popularity of many open-source projects.

    Despite the longevity and the broad adoption of open-source software, stakeholders are hesitant about its adoption, its long-term viability, and the costs of ongoing support.

    A clear direction and strategy is needed to align the expected value of open source to your stakeholders’ priorities and gain the funding required to select, implement, and support open-source software.

    Common Obstacles

    Your stakeholders’ fears, uncertainties, and doubts about open source may be driven by misinterpretation or outdated information. This hesitancy can persist despite some projects being active longer than their proprietary counterparts.

    Certain software features, support capabilities, and costs are commonly overlooked when selecting open-source software because they are often assumed in the licensing and service costs of commercial software.

    Open-source software is often technically complicated and requires specific skill sets and knowledge. Unfortunately, current software delivery capability gaps impede successful adoption and scaling of open-source software.

    Info-Tech’s Approach

    Outline the value you expect to gain. Discuss current business and IT priorities, use cases, and value opportunities to determine what to expect from open-source versus commercial software.

    Define your open-source selection criteria. Clarify the driving factors in your evaluation of open-source and commercial software using your existing IT procurement practices as a starting point.

    Assess the readiness of your team. Clarify the roles, processes, and tools needed for the implementation, use, and maintenance of open-source software.

    Insight Summary

    Overarching Info-Tech Insight

    Open source is as much about an investment in people as it is about technology. It empowers applications teams to take greater control over their technology and customize it as they see fit. However, teams need the time and funding to conduct the necessary training, management, and ongoing community engagement that open-source software and its licenses require.

    • Position open source in the same light as commercial software.
      The continuous improvement and evolution of popular open-source software and communities have established a trusting and reliable reputation in the industry. Open-source software quality and community support can rival similar vendor capabilities given the community’s maturity and contributions in the technology.
    • Consider open source another form of outsource development.
      Open source is externally developed software where the code is accessible and customizable. Code quality may not align to your organization’s standards, which can require extensive testing and optimization. A thorough analysis of change logs, code repositories, contributors, and the community is recommended – much to the same degree as one would do with prospective outsourcing partners.
    • Treat open source as any internally developed solution.
      Configurations, integrations, customizations, and orchestrations of open-source software are often done at the code level. While some community support is provided, most of the heavy lifting is done by the applications team. Teams must be properly resourced, upskilled, and equipped to meet this requirement. Otherwise, third-party partners are needed.

    What is open source?

    According to Synopsys, “Open source software (OSS) is software that is distributed with its source code, making it available for use, modification, and distribution with its original rights. … Programmers who have access to source code can change a program by adding to it, changing it, or fixing parts of it that aren’t working properly. OSS typically includes a license that allows programmers to modify the software to best fit their needs and control how the software can be distributed.”

    What are the popular use cases?

    1. Programming languages and frameworks
    2. Databases and data technologies
    3. Operating systems
    4. Git public repos
    5. Frameworks and tools for AI/ML/DL
    6. CI/CD tooling
    7. Cloud-related tools
    8. Security tools
    9. Container technology
    10. Networking

    Source: OpenLogic, 2022

    Common Attributes of All Open-Source Software

    • Publicly shared repository that anyone can access to use the solution and contribute changes to the design and functionality of the project.
    • A community that is an open forum to share ideas and solution enhancements, discuss project direction and vision, and seek support from peers.
    • Project governance that sets out guidelines, rules, and requirements to participate and contribute to the project.
    • Distribution license that defines the terms of how a solution can be used, assessed, modified, and distributed.

    Take the first steps to embrace open-source software

    Begin to understand what is required to embrace open-source software in your organization.

    A diagram of open-source community.

    State the Value of Open Source: Discuss current business and IT priorities, use cases, and value opportunities to determine what to expect from open-source versus commercial software.

    Select Your Open-Source Software: Clarify the driving factors in your evaluation of open-source and commercial software using your existing IT procurement practices as a starting point.

    Prepare for Open Source: Clarify the roles, processes, and tools needed for the implementation, use, and maintenance of open-source software.

    Step 1.1: State the Value of Open Source

    Diagram of step 1.1

    Activities

    1.1.1 Outline the value you expect to gain from open-source software

    This step involves the following participants:

    • Applications team
    • Product owner

    Outcomes of this step:

    • Value proposition for open source
    • Potential open-source use cases

    Use a canvas to frame your open-source evaluation

    A photo of open-source canvas

    This canvas is intended to provide a single pane of glass to start collecting your thoughts and framing your future conversations on open-source software selection and adoption.

    Record the results in the “Open-Source Canvas” tab in the Open-Source Readiness Assessment.

    Open source presents unique software and tooling opportunities

    Innovation

    Many leading-edge and bleeding-edge technologies are collaborated and innovated in open-source projects, especially in areas that are beyond the vision and scope of vendor products and priorities.

    Niche Solutions

    Open-source projects are focused. They are designed and built to solve specific business and technology problems.

    Flexible & Customizable

    All aspects of the open-source software are customizable, including source code and integrations. They can be used to extend, complement, or replace internally developed code. Licenses define how open-source code should be and must be used, productized, and modified.

    Brand & Recognition

    Open-source communities encourage contribution and collaboration among their members to add functionality and improve quality and adoption.

    Cost

    Open-source software is accessible to everyone, free of charge. Communities do not need be consulted prior to acquisition, but the software’s use, configurations, and modifications may be restricted by its license.

    However, myths continue to challenge adoption

    • Open source is less secure or poorer quality than proprietary solutions.
    • Open source is free from risk of intellectual property (IP) infringement.
    • Open source is cheaper than proprietary solutions.

    What are the top perceived barriers to using enterprise open source?

    • Concerns about the level of support
    • Compatibility concerns
    • Concerns about inherent security of the code
    • Lack of internal skills to manage and support it

    Source: Red Hat, 2022

    Service Management

    • Buy Link or Shortcode: {j2store}46|cart{/j2store}
    • Related Products: {j2store}46|crosssells{/j2store}
    • Parent Category Name: Service Planning and Architecture
    • Parent Category Link: /service-planning-and-architecture
    • byline: Implement service management in a way that makes sense.

    The challenge

    • We have good, holistic practices, but inconsistent adoption leads to chaotic service delivery and low customer satisfaction.
    • You may have designed your IT services with little structure, formalization, or standardization.
    • That makes the management of these services more difficult and also leads to low business satisfaction.

    Continue reading

    Position IT to Support and Be a Leader in Open Data Initiatives

    • Buy Link or Shortcode: {j2store}326|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • member rating average days saved: Read what our members are saying
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation
    • Open data programs are often seen as unimportant or not worth taking up space in the budget in local government.
    • Open data programs are typically owned by a single open data evangelist who works on it as a side-of-desk project.
    • Having a single resource spend a portion of their time on open data doesn’t allow the open data program to mature to the point that local governments are realizing benefits from it.
    • It is difficult to gain buy-in for open data as it is hard to track the benefits of an open data program.

    Our Advice

    Critical Insight

    • Local government can help push the world towards being more open, unlocking economic benefits for the wider economy.
    • Cities don’t know the solutions to all of their problems often they don’t know all of the problems they have. Release data as a platform to crowdsource solutions and engage your community.
    • Build your open data policies in collaboration with the community. It’s their data, let them shape the way it’s used!

    Impact and Result

    • Level-set expectations for your open data program. Every local government is different in terms of the benefits they can achieve with open data; ensure the business understands what is realistic to achieve.
    • Create a team of open data champions from departments outside of IT. Identify potential champions for the team and use this group to help gain greater business buy-in and gather feedback on the program’s direction.
    • Follow the open data maturity model in order to assess your current state, identify a target state, and assess capability gaps that need to be improved upon.
    • Use industry best practices to develop an open data policy and processes to help improve maturity of the open data program and reach your desired target state.
    • Identify metrics that you can use to track, and communicate the success of, the open data program.

    Position IT to Support and Be a Leader in Open Data Initiatives Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should develop your open data program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Set the foundation for the success of your open data program

    Identify your open data program's current state maturity, and gain buy-in from the business for the program.

    • Position IT to Support and Be a Leader in Open Data Initiatives – Phase 1: Set the Foundation for the Success of Your Open Data Program
    • Open Data Maturity Assessment
    • Open Data Program – IT Stakeholder Powermap Template
    • Open Data in Our City Stakeholder Presentation Template

    2. Grow the maturity of your open data program

    Identify a target state maturity and reach it through building a policy and processes and the use of metrics.

    • Position IT to Support and Be a Leader in Open Data Initiatives – Phase 2: Grow the Maturity of Your Open Data Program
    • Open Data Policy Template
    • Open Data Process Template
    • Open Data Process Descriptions Template
    • Open Data Process Visio Templates (Visio)
    • Open Data Process Visio Templates (PDF)
    • Open Data Metrics Template
    [infographic]

    Workshop: Position IT to Support and Be a Leader in Open Data Initiatives

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Define Business Drivers for Open Data Program

    The Purpose

    Ensure that the open data program is being driven out from the business in order to gain business support.

    Key Benefits Achieved

    Identify drivers for the open data program that are coming directly from the business.

    Activities

    1.1 Understand constraints for the open data program.

    1.2 Conduct interviews with the business to gain input on business drivers and level-set expectations.

    1.3 Develop list of business drivers for open data.

    Outputs

    Defined list of business drivers for the open data program

    2 Assess Current State and Define Target State of the Open Data Program

    The Purpose

    Understand the gaps between where your program currently is and where you want it to be.

    Key Benefits Achieved

    Identify top processes for improvement in order to bring the open data program to the desired target state maturity.

    Activities

    2.1 Perform current state maturity assessment.

    2.2 Define desired target state with business input.

    2.3 Highlight gaps between current and target state.

    Outputs

    Defined current state maturity

    Identified target state maturity

    List of top processes to improve in order to reach target state maturity

    3 Develop an Open Data Policy

    The Purpose

    Develop a draft open data policy that will give you a starting point when building your policy with the community.

    Key Benefits Achieved

    A draft open data policy will be developed that is based on best-practice standards.

    Activities

    3.1 Define the purpose of the open data policy.

    3.2 Establish principles for the open data program.

    3.3 Develop a rough governance outline.

    3.4 Create a draft open data policy document based on industry best-practice examples.

    Outputs

    Initial draft of open data policy

    4 Develop Open Processes and Identify Metrics

    The Purpose

    Build open data processes and identify metrics for the program in order to track benefits realization.

    Key Benefits Achieved

    Formalize processes to set in place to improve the maturity of the open data program.

    Identify metrics that can track the success of the open data program.

    Activities

    4.1 Develop the roles that will make up the open data program.

    4.2 Create processes for new dataset requests, updates of existing datasets, and the retiring of datasets.

    4.3 Identify metrics that will be used for measuring the success of the open data program.

    Outputs

    Initial draft of open data processes

    Established metrics for the open data program

    Implement Your Negotiation Strategy More Effectively

    • Buy Link or Shortcode: {j2store}225|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management
    • Forty-eight percent of CIOs believe their budgets are inadequate.
    • CIOs and IT departments are getting more involved with negotiations to reduce costs and risk.
    • Not all negotiators are created equal, and the gap between a skilled negotiator and an average negotiator is not always easy to identify objectively.
    • Skilled negotiators are in short supply.

    Our Advice

    Critical Insight

    • Preparation is critical for the success of your negotiation, but you cannot prepare for every eventuality.
    • Communication is the heart and soul of negotiations, but what is being “said” is only part of the picture.
    • Skilled negotiators separate themselves based on skillsets, and outcomes alone may not provide an accurate assessment of a negotiator.

    Impact and Result

    Addressing and managing critical negotiation elements helps:

    • Improve negotiation skills.
    • Implement your negotiation strategy more effectively.
    • Improve negotiation results.

    Implement Your Negotiation Strategy More Effectively Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should create and follow a scalable process for preparing to negotiate with vendors, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. During

    Throughout this phase, ten essential negotiation elements are identified and reviewed.

    • Implement Your Negotiation Strategy More Effectively – Phase 1: During
    • During Negotiations Tool
    [infographic]

    Workshop: Implement Your Negotiation Strategy More Effectively

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 12 Steps to Better Negotiation Preparation

    The Purpose

    Improve negotiation skills and outcomes.

    Understand how to use the Info-Tech During Negotiations Tool.

    Key Benefits Achieved

    A better understanding of the subtleties of the negotiation process and an identification of where the negotiation strategy can go awry.

    The During Negotiation Tool will be reviewed and configured for the customer’s environment (as applicable).

    Activities

    1.1 Manage six key items during the negotiation process.

    1.2 Set the right tone and environment for the negotiation.

    1.3 Focus on improving three categories of intangibles.

    1.4 Improve communication skills to improve negotiation skills.

    1.5 Customize your negotiation approach to interact with different personality traits and styles.

    1.6 Maximize the value of your discussions by focusing on seven components.

    1.7 Understand the value of impasses and deadlocks and how to work through them.

    1.8 Use concessions as part of your negotiation strategy.

    1.9 Identify and defeat common vendor negotiation ploys.

    1.10 Review progress and determine next steps.

    Outputs

    Sample negotiation ground rules

    Sample vendor negotiation ploys

    Sample discussion questions and evaluation matrix

    Modernize Communications and Collaboration Infrastructure

    • Buy Link or Shortcode: {j2store}306|cart{/j2store}
    • member rating overall impact: 9.4/10 Overall Impact
    • member rating average dollars saved: $68,332 Average $ Saved
    • member rating average days saved: 22 Average Days Saved
    • Parent Category Name: Voice & Video Management
    • Parent Category Link: /voice-video-management
    • Organizations are losing productivity from managing the limitations of yesterday’s technology. The business is changing and the current communications solution no longer adequately connects end users.
    • Old communications technology, including legacy telephony systems, disjointed messaging and communication or collaboration mediums, and unintuitive video conferencing, deteriorates the ability of users to work together in a productive manner.
    • You need a solution that meets budgetary requirements and improves internal and external communication, productivity, and the ability to work together.

    Our Advice

    Critical Insight

    • Project scope and assessment will take more time than you initially anticipate. Poorly defined technical requirements can result in failure to meet the needs of the business. Defining project scope and assessing the existing solution is 60% of project time. Being thorough here will make the difference moving forward.
    • Even when the project is about modernizing technology, it’s not really about the technology. The requirements of your people and the processes you want to maintain or reform should be the influential factors in your decisions on technology.
    • Gaining business buy-in can be difficult for projects that the business doesn’t equate with directly driving revenue. Ensure your IT team communicates with the business throughout the process and establishes business requirements. Framing conversations in a “business first, IT second” way is crucial to speaking in a language the business will understand.

    Impact and Result

    • Define a comprehensive set of requirements (across people, process, and technology) at the start of the project. Communication solutions are long-term commitments and mistakes in planning will be amplified during implementation.
    • Analyze the pros and cons of each deployment option and identify a communications solution that balances your budget and communications objectives and requirements.
    • Create an effective RFP by outlining your specific business and technical needs and goals.
    • Make the case for your communications infrastructure modernization project and be prepared to support it.

    Modernize Communications and Collaboration Infrastructure Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should modernize your communications and collaboration infrastructure, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Assess communications infrastructure

    Evaluate the infrastructure requirements and the ability to undergo modernization from legacy technology.

    • Modernize Communications and Collaboration Infrastructure – Phase 1: Assess Communications Infrastructure
    • Communications Infrastructure Roadmap Tool
    • Team Skills Inventory Tool
    • MACD Workflow Mapping Template - Visio
    • MACD Workflow Mapping Template - PDF

    2. Define the target state

    Build and document a formal set of business requirements using Info-Tech's pre-populated template after identifying stakeholders, aligning business and user needs, and evaluating deployment options.

    • Modernize Communications and Collaboration Infrastructure – Phase 2: Define the Target State
    • Stakeholder Engagement Workbook
    • Communications Infrastructure Stakeholder Focus Group Guide
    • IP Telephony and UC End-User Survey Questions
    • Enterprise Communication and Collaboration System Business Requirements Document
    • Communications TCO-ROI Comparison Calculator

    3. Advance the project

    Draft an RFP for a UC solution and gain project approval using Info-Tech’s executive presentation deck.

    • Modernize Communications and Collaboration Infrastructure – Phase 3: Advance the Project
    • Unified Communications Solution RFP Template
    • Modernize Communications Infrastructure Executive Presentation
    [infographic]

    Workshop: Modernize Communications and Collaboration Infrastructure

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Assess the Communications Infrastructure

    The Purpose

    Identify pain points.

    Build a skills inventory.

    Define and rationalize template configuration needs.

    Define standard service requests and map workflow.

    Discuss/examine site type(s) and existing technology.

    Determine network state and readiness.

    Key Benefits Achieved

    IT skills & process understanding.

    Documentation reflecting communications infrastructure.

    Reviewed network readiness.

    Completed current state analysis.

    Activities

    1.1 Build a skills inventory.

    1.2 Document move, add, change, delete (MACD) processes.

    1.3 List relevant communications and collaboration technologies.

    1.4 Review network readiness checklist.

    Outputs

    Clearly documented understanding of available skills

    Documented process maps

    Complete list of relevant communications and collaboration technologies

    Completed readiness checklist

    2 Learn and Evaluate Options to Define the Future

    The Purpose

    Hold focus group meeting.

    Define business needs and goals.

    Define solution options.

    Evaluate options.

    Discuss business value and readiness for each option.

    Key Benefits Achieved

    Completed value and readiness assessment.

    Current targets for service and deployment models.

    Activities

    2.1 Conduct internal focus group.

    2.2 Align business needs and goals.

    2.3 Evaluate deployment options.

    Outputs

    Understanding of user needs, wants, and satisfaction with current solution

    Assessment of business needs and goals

    Understanding of potential future-state solution options

    3 Identify and Close the Gaps

    The Purpose

    Identify gaps.

    Examine and evaluate ways to remedy gaps.

    Determine specific business requirements and introduce draft of business requirements document.

    Key Benefits Achieved

    Completed description of future state.

    Identification of gaps.

    Identification of key business requirements.

    Activities

    3.1 Identify gaps and brainstorm gap remedies.

    3.2 Complete business requirements document.

    Outputs

    Well-defined gaps and remedies

    List of specific business requirements

    4 Build the Roadmap

    The Purpose

    Introduce Unified Communications Solution RFP Template.

    Develop statement of work (SOW).

    Document technical requirements.

    Complete cost-benefit analysis.

    Key Benefits Achieved

    Unified Communications RFP.

    Documented technical requirements.

    Activities

    4.1 Draft RFP (SOW, tech requirements, etc.).

    4.2 Conduct cost-benefit analysis.

    Outputs

    Ready to release RFP

    Completed cost-benefit analysis

    Apply Design Thinking to Build Empathy With the Business

    • Buy Link or Shortcode: {j2store}89|cart{/j2store}
    • member rating overall impact: 8.5/10 Overall Impact
    • member rating average dollars saved: $20,772 Average $ Saved
    • member rating average days saved: 13 Average Days Saved
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation
    • Business satisfaction with IT is low.
    • IT and the business have independently evolving strategy, initiatives, and objectives.
    • IT often exceeds their predicted project costs and has difficulty meeting the business’ expectations of project quality and time-to-market.

    Our Advice

    Critical Insight

    • Business needs are unclear or ambiguous.
    • IT and the business do not know how to leverage each other’s talent and resources to meet their common goals.
    • Not enough steps are taken to fully understand and validate problems.
    • IT can’t pivot fast enough when the business’s needs change.

    Impact and Result

    Product, service, and process design should always start with an intimate understanding of what the business is trying to accomplish and why it is important.

    Apply Design Thinking to Build Empathy With the Business Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should apply experience design to partner with the business, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Research

    Identify goals and objectives for experience design, establish targeted stakeholders, and conduct discovery interviews.

    • Apply Design Thinking to Build Empathy With the Business – Phase 1: Research
    • Stakeholder Discovery Interview Template

    2. Map and iterate

    Create the journey map, design a research study to validate your hypotheses, and iterate and ideate around a refined, data-driven understanding of stakeholder problems.

    • Apply Design Thinking to Build Empathy With the Business – Phase 2: Map and Iterate
    • Journey Map Template
    • Research Study Log Tool
    [infographic]

    Workshop: Apply Design Thinking to Build Empathy With the Business

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Introduction to Journey Mapping

    The Purpose

    Understand the method and purpose of journey mapping.

    Key Benefits Achieved

    Initial understanding of the journey mapping process and the concept of end-user empathy.

    Activities

    1.1 Introduce team and discuss workshop motivations and goals.

    1.2 Discuss overview of journey mapping process.

    1.3 Perform journey mapping case study activity.

    Outputs

    Case Study Deliverables – Journey Map and Empathy Maps

    2 Persona Creation

    The Purpose

    Begin to understand the goals and motivations of your stakeholders using customer segmentation and an empathy mapping exercise.

    Key Benefits Achieved

    Understand the demographic and psychographic factors driving stakeholder behavior.

    Activities

    2.1 Discuss psychographic stakeholder segmentation.

    2.2 Create empathy maps for four segments.

    2.3 Generate problem statements.

    2.4 Identify target market.

    Outputs

    Stakeholder personas

    Target market of IT

    3 Interview Stakeholders and Start a Journey Map

    The Purpose

    Get first-hand knowledge of stakeholder needs and start to capture their perspective with a first-iteration journey map.

    Key Benefits Achieved

    Capture the process stakeholders use to solve problems and empathize with their perspectives, pains, and gains.

    Activities

    3.1 Review discovery interviewing techniques.

    3.2 Review and modify the discovery questionnaire

    3.3 Demonstrate stakeholder interview.

    3.4 Synthesize learnings and begin creating a journey map.

    Outputs

    Customized discovery interview template

    Results of discovery interviewing

    4 Complete the Journey Map and Create a Research Study

    The Purpose

    Hypothesize the stakeholder journey, identify assumptions, plan a research study to validate your understanding, and ideate around critical junctures in the journey.

    Key Benefits Achieved

    Understand the stakeholder journey and ideate solutions with the intention of improving their experience with IT.

    Activities

    4.1 Finish the journey map.

    4.2 Identify assumptions and create hypotheses.

    4.3 Discuss field research and hypothesis testing.

    4.4 Design the research study.

    4.5 Discuss concluding remarks and next steps.

    Outputs

    Completed journey map for one IT process, product, or service

    Research study design and action plan

    Prepare for the Upgrade to Windows 11

    • Buy Link or Shortcode: {j2store}166|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: End-User Computing Devices
    • Parent Category Link: /end-user-computing-devices
    • Windows 10 is going EOL in 2025.That is closer than you think.
    • Many of your endpoints are not eligible for the Windows 11 upgrade. You can’t afford to replace all your endpoints this year. How do you manage this Microsoft initiated catastrophe?
    • You want to stay close to the leading edge of technology and services, but how do you do that while keeping your spending in check and within budget?

    Our Advice

    Critical Insight

    Windows 11 is a step forward in security, which is one of the primary reasons for the release of the new operating system. Windows 11 comes with a list of hardware requirements that enable the use of tools and features that, when combined, will reduce malware infections.

    Impact and Result

    Windows 11 hardware requirements will result in devices that are not eligible for the upgrade. Companies will be left to spend money on replacement devices. Following the Info-Tech guidance will help clients properly budget for hardware replacements before Windows 10 is no longer supported by Microsoft. Eligible devices can be upgraded, but Info-Tech guidance can help clients properly plan the upgrade using the upgrade ring approach.

    Prepare for the Upgrade to Windows 11 Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Prepare for the Upgrade to Windows 11 Deck – A look into some of the pros and cons of Microsoft’s latest desktop operating system, along with guidance on moving forward with this inevitable upgrade.

    Discover the reason for the release of Windows 11, what you require to be eligible for the upgrade, what features were added or updated, and what features were removed. Our guidance will assist you with a planned and controlled rollout of the Windows 11 upgrade. We also provide guidance on how to approach a device refresh plan if some devices are not eligible for Windows 11. The upgrade is inevitable, but you have time, and you have options.

    • Prepare for the Upgrade to Windows 11 Storyboard

    2. What Are My Options If My Devices Cannot Upgrade to Windows 11? – Build a Windows 11 Device Replacement budget with our Hardware Asset Management Budgeting Tool.

    This tool will help you budget for a hardware asset refresh and to adjust the budget as necessary to accommodate any unexpected changes. The tool can easily be modified to assist in developing and justifying the budget for hardware assets for a Windows 11 project. Follow the instructions on each tab and feel free to play with the HAM budgeting tool to fit your needs.

    • HAM Budgeting Tool
    [infographic]

    Further reading

    Prepare for the Upgrade to Windows 11

    The upgrade is inevitable, but you have time, and you have options.

    Analyst Perspective

    Upgrading to Windows 11 is easy, and while it should be properly investigated and planned, it should absolutely be an activity you undertake.

    “You hear that Mr. Anderson? That is the sound of inevitability.” ("The Matrix Quotes" )

    The fictitious Agent Smith uttered those words to Keanu Reeves’ character, Neo, in The Matrix in 1999, and while Agent Smith was using them in a very sinister and figurative context, the words could just as easily be applied to the concept of upgrading to the Windows 11 operating system from Microsoft in 2022.

    There have been two common, recurring themes in the media since late 2019. One is the global pandemic and the other is cyber-related crime. Microsoft is not in a position to make an impact on a novel coronavirus, but it does have the global market reach to influence end-user technology and it appears that it has done just that. Windows 11 is a step forward in endpoint security and functionality. It also solidifies the foundation for future innovations in end-user operating systems and how they are delivered. Windows-as-a-Service (WAAS) is the way forward for Microsoft. Windows 10 is living on borrowed time, with a defined end of support date of October 14, 2025. Upgrading to Windows 11 is easy, and while it should be properly investigated and planned, it should absolutely be an activity you undertake.

    It is inevitable!

    P.J. Ryan

    Research Director, Infrastructure & Operations

    Info-Tech Research Group

    Executive Summary

    Your Challenge

    • Windows 10 is going EOL in 2025. That is closer than you think.
    • Many of your endpoints are not eligible for the Windows 11 upgrade. You can’t afford to replace all your endpoints this year. How do you manage this Microsoft-initiated catastrophe?
    • You want to stay close to the leading edge of technology and services, but how do you do that while keeping your spending in check and within budget?

    Common Obstacles

    • The difference between Windows 10 and Windows 11 is not clear. Windows 11 looks like Windows 10 with some minor changes, mostly cosmetic. Many online users don’t see the need. Why upgrade? What are the benefits?
    • The cost of upgrading devices just to be eligible for Windows 11 is high.
    • Your end users don’t like change. This is not going to go over well!

    Info-Tech's Approach

    • Spend wisely. Space out your endpoint replacements and upgrades over several years. You do not have to upgrade everything right away.
    • Be patient. Windows 11 contained some bugs when it was initially released. Microsoft fixed most of the issues through monthly quality updates, but you should ensure that you are comfortable with the current level of functionality before you upgrade.
    • Use the upgrade ring approach. Test your applications with a small group first, and then stage the rollout to increasingly larger groups over time.

    Info-Tech Insight

    There is a lot of talk about Windows 11, but this is only an operating system upgrade, and it is not a major one. Understand what is new, what is added, and what is missing. Check your devices to determine how many are eligible and ineligible. Many organizations will have to spend capital on endpoint upgrades. Solid asset management practices will help.

    Insight summary

    Windows 11 is a step forward in security, which is one of the primary reasons for the release of the new operating system.

    Windows 11 comes with a list of hardware requirements that enable the use of tools and features that, when combined, will reduce malware infections.

    The hardware requirements for Windows 11 enable security features such as password-less logon, disk encryption, increased startup protection with secure boot, and virtualization-based security.

    Many organizations will have to spend capital on endpoint upgrades.

    Microsoft now insists that modern hardware is required for Windows 11 for not only security but also for improved stability. That same hardware requirement will mean that many devices that are only three or four years old (as well as older ones) may not be eligible for Windows 11.

    Windows 11 is a virtualization challenge for some providers.

    The hardware requirements for physical devices are also required for virtual devices. The TPM module appears to be the biggest challenge. Oracle VirtualBox and Citrix Hypervisor as well as AWS and Google are unable to support Windows 11 virtual devices as of the time of writing.

    Windows 10 will be supported by Microsoft until October 2025.

    That will remove some of the pressure felt due to the ineligibility of many devices and the need to refresh them. Take your time and plan it out, keeping within budget constraints. Use the upgrade ring approach for systems that are eligible for the Windows 11 upgrade.

    New look and feel, and a center screen taskbar.

    Corners are rounded, some controls look a little different, but overall Windows 11 is not a dramatic shift from Windows 10. It is easier to navigate and find features. Oh, and yes, the taskbar (and start button) is shifted to the center of the screen, but you can move them back to the left if desired.

    The education industry gets extra attention with the release of Windows 11.

    Windows 11 comes with multiple subscription-based education offerings, but it also now includes a new lightweight SE edition that is intended for the K-8 age group. Microsoft also released a Windows 11 Education SE specific laptop, at a very attractive price point. Other manufacturers also offer Windows 11 SE focused devices.

    Why Windows 11?

    Windows 10 was supposed to be the final desktop OS from Microsoft, wasn’t it?

    Maybe. It depends who you ask.

    Jerry Nixon, a Microsoft developer evangelist, gained notoriety when he uttered these words while at a Microsoft presentation as part of Microsoft Ignite in 2015: “Right now we’re releasing Windows 10, and because Windows 10 is the last version of Windows, we’re all still working on Windows 10,” (Hachman). Microsoft never officially made that statement. Interestingly enough, it never denied the comments made by Jerry Nixon either.

    Perhaps Microsoft released a new operating system as a financial grab, a way to make significant revenue?

    Nope.

    Windows 11 is a free upgrade or is included with any new computer purchase.

    Market share challenges?

    Doubtful.

    It’s true that Microsoft's market share of desktop operating systems is dropping while Apple OS X and Google Chrome OS are rising.

    In fact, Microsoft has relinquished over 13% of the market share since 2012 and Apple has almost doubled its market share. BUT:

    Microsoft is still holding 75.12% of the market while Apple is in the number 2 spot with 14.93% (gs.statcounter.com).

    The market share is worth noting for Microsoft but it hardly warrants a new operating system.

    New look and feel?

    Unlikely

    New start button and taskbar orientation, new search window, rounded corners, new visual look on some controls like the volume bar, new startup sound, new Windows logo, – all minor changes. Updates could achieve the same result.

    Security?

    Likely the main reason.

    Windows 11 comes with a list of hardware requirements that enable the use of tools and features that, when combined, will reduce malware infections.

    The hardware requirements for Windows 11 enable security features such as password-less logon, disk encryption, increased startup protection with secure boot, and virtualization-based security.

    The features are available on all Windows 11 physical devices, due to the common hardware requirements.

    Windows 11 hardware-based security

    These hardware options and features were available in Windows 10 but not enforced. With Windows 11, they are no longer optional. Below is a description and explanation of the main features.

    Feature What it is How it works
    TPM 2.0 (Trusted Platform Module) Chip TPM is a chip on the motherboard of the computer. It is used to store encryption keys, certificates, and passwords. TPM does this securely with tamper-proof prevention. It can also generate encryption keys and it includes its own unique encryption key that cannot be altered (helpdeskgeek.com). You do not need to enter your password once you setup Windows Hello, so the password is no longer easy to capture and steal. It is set up on a device per device basis, meaning if you go to a different device to sign in, your Windows Hello authentication will not follow you and you must set up your Hello pin or facial recognition again on that particular device. TPM (Trusted Platform Module) can store the credentials used by Windows Hello and encrypt them on the module.
    Windows Hello Windows Hello is an alternative to using a password for authentication. Users can use a pin, a fingerprint, or facial recognition to authenticate.
    Device Encryption Device encryption is only on when your device is off. It scrambles the data on your disk to make it unreadable unless you have the key to unscramble it. If your endpoint is stolen, the contents of the hard drive will remain encrypted and cannot be accessed by anyone unless they can properly authenticate on the device and allow the system to unscramble the encrypted data.
    UEFI Secure Boot Capable UEFI is an acronym for Unified Extensible Firmware Interface. It is an interface between the operating system and the computer firmware. Secure Boot, as part of the firmware interface, ensures that only unchangeable and approved software and drivers are loaded at startup and not any malware that may have infiltrated the system (Lumunge). UEFI, with Secure Boot, references a database containing keys and signatures of drivers and runtime code that is approved as well as forbidden. It will not let the system boot up unless the signature of the driver or run-time code that is trying to execute is approved. This UEFI Secure boot recognition process continues until control is handed over to the operating system.
    Virtualization Based Security (VBS) and Hypervisor-Protected Code Integrity (HVCI) VBS is security based on virtualization capabilities. It uses the virtualization features of the Windows operating system, specifically the Hyper-V hypervisor, to create and isolate a small chunk of memory that is isolated from the operating system. HVCI checks the integrity of code for violations. The Code Integrity check happens in the isolated virtual area of memory protected by the hypervisor, hence the acronym HVCI (Hypervisor Protected Code Integrity) (Murtaza). In the secure, isolated region of memory created by VBS with the hypervisor, Windows will run checks on the integrity of the code that runs various processes. The isolation protects the stored item from tampering by malware and similar threats. If they run incident free, they are released to the operating system and can run in the standard memory space. If issues are detected, the code will not be released, nor will it run in the standard memory space of the operating system, and damage or compromise will be prevented.

    How do all the hardware-based security features work?

    This scenario explains how a standard boot up and login should happen.

    You turn on your computer. Secure Boot authorizes the processes and UEFI hands over control to the operating system. Windows Hello works with TPM and uses a pin to authenticate the user and the operating systems gives you access to the Windows environment.

    Now imagine the same process with various compromised scenarios.

    You turn on your computer. Secure Boot does not recognize the signature presented to it by the second process in the boot sequence. You will be presented with a “Secure Boot Violation” message and an option to reboot. Your computer remains protected.

    You boot up and get past the secure boot process and UEFI passes control over to the Windows 11 operating system. Windows Hello asks for your pin, but you cannot remember the pin and incorrectly enter it three times before admitting temporary defeat. Windows Hello did not find a matching pin on the TPM and will not let you proceed. You cannot log in but in the eyes of the operating system, it has prevented an unauthorized login attempt.

    You power up your computer, log in without issue, and go about your morning routine of checking email, etc. You are not aware that malware has infiltrated your system and modified a page in system memory to run code and access the operating system kernel. VBS and HVCI check the integrity of that code and detect that it is malicious. The code remains isolated and prevented from running, protecting your system.

    TPM, Hello, UEFI with Secure Boot, VBS and HVCI all work together like a well-oiled machine.

    “Microsoft's rationale for Windows 11's strict official support requirements – including Secure Boot, a TPM 2.0 module, and virtualization support – has always been centered on security rather than raw performance.” – Andrew Cunningham, arstechnica.com

    “Windows 11 raises the bar for security by requiring hardware that can enable protections like Windows Hello, Device Encryption, virtualization-based security (VBS), hypervisor-protected code integrity (HVCI), and Secure Boot. These features in combination have been shown to reduce malware by 60% on tested devices.” – Steven J. Vaughan-Nichols, Computerworld

    Can any device upgrade to Windows 11?

    In addition to the security-related hardware requirements listed previously, which may exclude some devices from Windows 11 eligibility, Windows 11 also has a minimum requirement for other hardware components.

    Windows 7 and Windows 10 were publicized as being backward compatible and almost any hardware would be able to run those operating systems. That changed with Windows 11. Microsoft now insists that modern hardware is required for Windows 11 for not only security but also improved stability.

    Software Requirement

    You must be running Windows 10 version 2004 or greater to be eligible for a Windows 11 upgrade (“Windows 11 Requirements”).

    Complete hardware requirements for Windows 11

    • 1 GHz (or faster) compatible 64-bit processor with two or more cores
    • 4 GB RAM
    • 64 GB or more of storage space
    • Compatible with DirectX 12 or later with WDDM 2.0 driver
      • DirectX connects the hardware in your computer with Windows. It allows software to display graphics using the video card or play audio, as long as that software is DirectX compatible. Windows 11 requires version 12 (“What are DirectX 12 compatible graphics”).
      • WDDM is an acronym for Windows Display Driver Model. WDDM is the architecture for the graphics driver for Windows (“Windows Display Driver Model”).
      • Version 2.0 of WDDM is required for Windows 11.
    • 720p display greater than 9" diagonally with 8 bits per color channel
    • UEFI Secure Boot capable
    • TPM 2.0 chip

      • (“Windows 11 Requirements”)

    Windows 11 may challenge your virtual environment

    When Windows 11 was initially released, some IT administrators experienced issues when trying to install or upgrade to Windows 11 in the virtual world.

    The Challenge

    The issues appeared to be centered around the Windows 11 hardware requirements, which must be detected by the Windows 11 pre-install check before the operating system will install.

    The TPM 2.0 chip requirement was indeed a challenge and not offered as a configuration option with Citrix Hypervisor, the free VMware Workstation Player or Oracle VM VirtualBox when Windows 11 was released in October 2021, although it is on the roadmap for Oracle and Citrix Hypervisor. VMware provides alternative products to the free Workstation Player that do support a virtual TPM. Oracle and Citrix reported that the feature would be available in the future and Windows 11 would work on their platforms.

    Short-Term Solutions

    VMware and Microsoft users can add a vTPM hardware type when configuring a virtual Windows 11 machine. Microsoft Azure does offer Windows 11 as an option as a virtual desktop. Citrix Desktop-As-A-Service (DAAS) will connect to Azure, AWS, or Google Cloud and is only limited by the features of the hosting cloud service provider.

    Additional Insight

    According to Microsoft, any VM running Windows 11 must meet the following requirements (“Virtual Machine Support”):

    • It must be a generation 2 VM, and upgrading a generation 1 VM to Windows 11 (in-place) is not possible
    • 64 GB of storage or greater
    • Secure Boot capable with the virtual TPM enabled
    • 4 GB of memory or greater
    • 2 or more virtual processors
    • The CPU of the physical computer that is hosting the VM must meet the Windows 11 (“Windows Processor Requirements”)

    What’s new or updated in Windows 11?

    The following two slides highlight some of the new and updated features in Windows 11.

    Security

    The most important change with Windows 11 is what you cannot see – the security. Windows 11 adds requirements and controls to make the user and device more secure, as described in previous slides.

    Taskbar

    The most prominent change in relation to the look and feel of Windows 11 is the shifting of the taskbar (and Start button) to the center of the screen. Some users may find this more convenient but if you do not and prefer the taskbar and start button back on the left of your screen, you can change it in taskbar settings.

    Updated Apps

    Paint, Photos, Notepad, Media Player, Mail, and other standard Windows apps have been updated with a new look and in some cases minor enhancements.

    User Interface

    The first change users will notice after logging in to Windows 11 is the new user interface – the look and feel. You may not notice the additional colors added to the Windows palette, but you may have thought that the startup sound was different, and the logo also looks different. You would be correct. Other look-and-feel items that changed include the rounded corners on windows, slightly different icons, new wallpapers, and controls for volume and brightness are now a slide bar. File explorer and the settings app also have a new look.

    Microsoft Teams

    Microsoft Teams is now installed on the taskbar by default. Note that this is for a personal Microsoft account only. Teams for Work or School will have to be installed separately if you are using a work or school account.

    What’s new or updated in Windows 11?

    Snap Layouts

    Snap layouts have been enhanced and snap group functionality has been added. This will allow you to quickly snap one window to the side of the screen and open other Windows in the other side. This feature can be accessed by dragging the window you wish to snap to the left or right edge of the screen. The window should then automatically resize to occupy that half of the screen and allow you to select other Windows that are already open to occupy the remaining space on the screen. You can also hover your mouse over the maximize button in the upper right-hand corner of the window. A small screen with multiple snap layouts will appear for your selection. Multiple snapped Windows can be saved as a “Snap Group” that will open together if one of the group windows are snapped in the future.

    Widgets

    Widgets are expanding. Microsoft started the re-introduction of widgets in Windows 10, specifically focusing on the weather. Widgets now include other services such as news, sports, stock prices, and others.

    Android Apps

    Android apps can now run in Windows 11. You will have to use the Amazon store to access and install Android apps, but if it is available in the Amazon store, you can install it on Windows 11.

    Docking

    Docking has improved with Windows 11. Windows knows when you are docked and will minimize apps when you undock so they are not lost. They will appear automatically when you dock again.

    This is not intended to be an inclusive list but does cover some of the more prominent features.

    What’s missing from Windows 11?

    The following features are no longer found in Windows 11:

    • Backward compatibility
      • The introduction of the hardware requirements for Windows 11 removed the backward compatibility (from a hardware perspective) that made the transition from previous versions of Windows to their successor less of a hardware concern. If a computer could run Windows 7, then it could also run Windows 10. That does not automatically mean it can also run Windows 11.
    • Internet Explorer
      • Internet Explorer is no longer installed by default in Windows 11. Microsoft Edge is now the default browser for Windows. Other browsers can also be installed if preferred.
    • Tablet mode
      • Windows 11 does not have a "tablet" mode, but the operating system will maximize the active window and add more space between icons to make selecting them easier if the 2-in-1 hardware detects that you wish to use the device as a tablet (keyboard detached or device opened up beyond 180 degrees, etc.).
    • Semi-annual updates
      • It may take six months or more to realize that semi-annual feature updates are missing. Microsoft moved to an annual feature update schema but continued with monthly quality updates with Windows 11.
    • Specific apps
      • Several applications have been removed (but can be manually added from the Microsoft Store by the user). They include:
        • OneNote for Windows 10
        • 3D Viewer
        • Paint 3D
        • Skype
    • Cortana (by default)
      • Cortana is missing from Windows 11. It is installed but not enabled by default. Users can turn it on if desired.

    Microsoft included a complete list of features that have been removed or deprecated with Windows 11, which can be found here Windows 11 Specs and System Requirements.

    Windows 11 editions

    • Windows 11 is offered in several editions:
      • Windows 11 Home
      • Windows 11 Pro
      • Windows 11 Pro for Workstations
      • Windows 11 Enterprise Windows 11 for Education
      • Windows 11 SE for Education
    • Windows 11 hardware requirements and security features are common throughout all editions.
    • The new look and feel along with all the features mentioned previously are common to all editions as well.
    • Windows Home
      • Standard offering for home users
    • Pro versus Pro for Workstations
      • Windows 11 Pro and Pro for Workstations are both well suited for the business environment with available features such as support for Active Directory or Azure Active Directory, Windows Autopilot, OneDrive for Business, etc.
      • Windows Pro for Workstations is designed for increased demands on the hardware with the higher memory limits (2 TB vs. 6 TB) and processor count (2 CPU vs. 4 CPU).
      • Windows Pro for Workstations also features Resilient File System, Persistent Memory, and SMB Direct. Neither of these features are available in the Windows 11 Pro edition.
      • Windows 11 Pro and Pro for Workstations are both very business focused, although Pro may also be a common choice for non-business users (Home and Education).
    • Enterprise Offerings
      • Enterprise licenses are subscription based and are part of the Microsoft 365 suite of offerings.
      • Windows 11 Enterprise is Windows 11 Pro with some additional addons and functionality in areas such as device management, collaboration, and security services.
      • The level of the Microsoft 365 Enterprise subscription (E3 or E5) would dictate the additional features and functionality, such as the complete Microsoft Defender for Endpoint suite or the Microsoft phone system and Audio Conferencing, which are only available with the E5 subscription.

    Windows 11 Education Editions

    With the release of a laptop targeted specifically at the education market, Microsoft must be taking notice of the Google Chrome educational market penetration, especially with headlines like these.

    “40 Million Chromebooks in Use in Education” (Thurrott)

    “The Unprecedented Growth of the Chromebook Education Market Share” (Carklin)

    “Chromebooks Gain Market Share as Education Goes Online” (Hruska)

    “Chromebooks Gain Share of Education Market Despite Shortages” (Mandaro)

    “Chromebook sales skyrocketed in Q3 2020 with online education fueling demand” (Duke)

    • Education licenses are subscription based and are part of the Microsoft 365 suite of offerings. Educational pricing is one benefit of the Microsoft 365 Education model.
    • Windows 11 Education is Windows 11 Pro with some additional addons and functionality similar to the Enterprise offerings for Windows 11 in areas such as device management, collaboration, and security services. Windows 11 Education also adds some education specific settings such as Classroom Tools, which allow institutions to add new students and their devices to their own environment with fewer issues, and includes OneNote Class Notebook, Set Up School PCs app, and Take a Test app.
    • The level of the Microsoft 365 Education subscription (A3 or A5) would dictate the additional features and functionality, such as the complete Microsoft Defender for Endpoint suite or the Microsoft phone system and Audio Conferencing, which are only available with the A5 subscription.
    • Windows 11 SE for Education:
      • A cloud-first edition of Windows 11 specifically designed for the K-8 education market.
      • Windows 11 SE is a light version of Windows 11 that is designed to run on entry-level devices with better performance and security on that hardware.
      • Windows 11 SE requires Intune for Education and only IT admins can install applications.
    • Microsoft and others have come out with Windows SE specific devices at a low price point.
      • The Microsoft Surface Laptop SE comes pre-loaded with Windows 11 SE and can be purchased for US$249.00.
      • Dell, Asus, Acer, Lenovo, and others also offer Windows 11 SE specific devices (“Devices for Education”).

    Initial Reactions

    Below you can find some actual initial reactions to Windows 11.

    Initial reactions are mixed, as is to be expected with any new release of an operating system. The look and feel is new, but it is not a huge departure from the Windows 10 look and feel. Some new features are well received such as the snap feature.

    The shift of the taskbar (and start button) is the most popular topic of discussion online when it comes to Windows 11 reactions. Some love it and some do not. The best part about the shift of the taskbar is that you can adjust it in settings and move it back to its original location.

    The best thing about reactions is that they garner attention, and thanks in part to all the online reactions and comments, Microsoft is continually improving Windows 11 through quality updates and annual feature releases.

    “My 91-year-old Mum has found it easy!” Binns, Paul ITRG

    “It mostly looks quite nice and runs well.” Jmbpiano, Reddit user

    “It makes me feel more like a Mac user.” Chang, Ben Info-Tech

    “At its core, Windows 11 appears to be just Windows 10 with a fresh coat of paint splashed all over it.” Rouse, Rick RicksDailyTips.com

    “Love that I can snap between different page orientations.” Roberts, Jeremy Info-Tech

    “I finally feel like Microsoft is back on track again.” Jawed, Usama Neowin

    “A few of the things that seemed like issues at first have either turned out not to be or have been fixed with patches.” Jmbpiano, Reddit user

    “The new interface is genuinely intuitive, well-designed, and colorful.” House, Brett AnandTech

    “No issues. Have it out on about 50 stations.” Sandrews1313, Reddit User

    “The most striking change is to the Start menu.” Grabham, Dan pocket-lint.com

    How do I upgrade to Windows 11?

    The process is very similar to applying updates in Windows 10.

    • Windows 11 is offered as an upgrade through the standard Windows 10 update procedure. Windows Update will notify you when the Windows 11 upgrade is ready (assuming your device is eligible for Windows 11).
      • Allow the update (upgrade in this case) to proceed, reboot, and your endpoint will come back to life with Windows 11 installed and ready for you.
    • A fresh install can be delivered by downloading the required Windows 11 installation media from the Microsoft Software Download site for Windows 11.
    • Business users can control the timing and schedule of the Windows 11 rollout to corporate endpoints using Microsoft solutions such as WSUS, Configuration Manager, Intune and Endpoint Manager, or by using other endpoint management solutions.
    • WSUS and Configuration Manager will have to sync the product category for Windows 11 to manage the deployment.
    • Windows Update for Business policies will have to use the target version capability rather than using the feature update referrals alone.
    • Organizations using Intune and a Microsoft 365 E3 license will be able to use the Feature Update Deployments page to select Windows 11.
    • Other modern endpoint management solutions may also allow for a controlled deployment.

    Info-Tech Insight

    The upgrade itself may be a simple process but be prepared for the end-user reactions that will follow. Some will love it but others will despise it. It is not an optional upgrade in the long run, so everyone will have to learn to accept it.

    When can I upgrade to Windows 11?

    You can upgrade right now BUT there is no need to rush. Windows 11 was released in October 2021 but that doesn’t mean you have to upgrade everyone right away. Plan this out.

    • Build deployment rings into your Windows 11 upgrade approach: This approach, also referred to as Canary Releases or deployment rings, allows you to ensure that IT can support users if there's a major problem with the upgrade. Instead of disrupting all end users, you are only disrupting a portion of end users.
      • Deploy the initial update to your test environment.
      • After testing is successful or changes have been made, deploy Windows 11 to your pilot group of users.
      • After the pilot group gives you the thumbs up, deploy to the rest of production in phases. Phases are sometimes by office/location, sometimes by department, sometimes by persona (i.e. defer people that don't handle updates well), and usually by a combination of these factors.
      • Increase the size of each ring as you progress.
    • Always back up your data before any upgrade.

    Deployment Ring Example

    Pilot Ring - Individuals from all departments - 10 users

    Ring #1 - Dev, Finance - 20 Users

    Ring #2 - Research - 100 Users

    Ring #3 - Sales, IT, Marketing - 500 Users

    Upgrade your eligible devices and users to Windows 11

    Build Windows 11 Deployment Rings

    Instructions:

    1. Identify who will be in the pilot group. Use individuals instead of user groups.
    2. Identify how many standard rings you need. This number will be based on the total number of employees per office.
    3. Map groups to rings. Define which user groups will be in each ring.
    4. Allow some time to elapse between upgrades. Allow the first group to work with Windows 11 and identify any potential issues that may arise before upgrading the next group.
    5. Track and communicate. Record all information into a spreadsheet like the one on the right. This will aid in communication and tracking.
    Ring Department or Group Total Users Delay Time Before Next Group
    Pilot Ring Individuals from all departments 10 Three weeks
    Ring 1 Dev Finance 20 Two weeks
    Ring 2 Research 100 One week
    Ring 3 Sales, IT Marketing 500 N/A

    What are my options if my devices cannot upgrade to Windows 11?

    Don’t rush out to replace all the ineligible endpoint devices. You have some time to plan this out. Windows 10 will be available and supported by Microsoft until October 2025.

    Use asset management strategies and budget techniques in your Windows 11 upgrade approach:

    • Start with current inventory and determine which devices will not be eligible for upgrade to Windows 11.
    • Prioritize the devices for replacement, taking device age, the role of the user the device supports, and delivery times for remote users into consideration.
    • Take this opportunity to review overall device offerings and end-user compute strategy. This will help decide which devices to offer going forward while improving end-user satisfaction.
    • Determine the cost for replacement devices:
      • Compare vendor offerings using an RFP process.
    • Use the hardware asset management planning spreadsheet on the next slide to budget for the replacements over the coming months leading up to October 2025.

    Leverage Info-Tech research to improve your end-user computing strategy and hardware asset management processes:

    New to End User Computing Strategies? Start with Modernize and Transform Your End-User Computing Strategy.

    New to IT asset management? Use Info-Tech’s Implement Hardware Asset Management blueprint.

    Use Info-Tech’s HAM Budgeting Tool to plan your hardware asset budget

    Build a Windows 11 Device Replacement Budget

    The link below will open up a hardware asset management (HAM) budgeting tool. This tool can easily be modified to assist in developing and justifying the budget for hardware assets for the Windows 11 project. The tool will allow you to budget for hardware asset refresh and to adjust the budget as needed to accommodate any changes. Follow the instructions on each tab to complete the tool.

    A sample of a possible Windows 11 budgeting spreadsheet is shown on the right, but feel free to play with the HAM budgeting tool to fit your needs.

    HAM Budgeting Tool

    Windows 11 Replacement Schedule
    2022 2023 2024 2025
    Department Total to replace Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Left to allocate
    Finance 120 20 20 20 10 10 20 20 0
    HR 28 15 13 0
    IT 30 15 15 0
    Research 58 8 15 5 20 5 5 0
    Planning 80 10 15 15 10 15 15 0
    Other 160 5 30 5 15 15 30 30 30 0
    Totals 476 35 38 35 35 35 35 38 35 50 35 35 35 35 0

    Related Info-Tech Research

    Modernize and Transform Your End-User Computing Strategy

    This project helps support the workforce of the future by answering the following questions: What types of computing devices, provisioning models, and operating systems should be offered to end users? How will IT support devices? What are the policies and governance surrounding how devices are used? What actions are we taking and when? How do end-user devices support larger corporate priorities and strategies?

    Implement Hardware Asset Management

    This project will help you analyze the current state of your HAM program, define assets that will need to be managed, and build and involve the ITAM team from the beginning to help embed the change. It will also help you define standard policies, processes, and procedures for each stage of the hardware asset lifecycle, from procurement through to disposal.

    Bibliography

    aczechowski, et al. “Windows 11 Requirements.” Microsoft, 3 June 2022. Accessed 13 June 2022.

    Binns, Paul. Personal interview. 07 June 2022.

    Butler, Sydney. “What Is Trusted Platform Module (TPM) and How Does It Work?” Help Desk Geek, 5 August 2021. Accessed 18 May 2022.

    Carklin, Nicolette. “The Unprecedented Growth of the Chromebook Education Market Share.” Parallels International GmbH, 26 October 2021. Accessed 19 May 2022.

    Chang, Ben. Personal interview. 26 May 2022.

    Cunningham, Andrew. “Why Windows 11 has such strict hardware requirements, according to Microsoft.” Ars Technica, 27 August 2021. Accessed 19 May 2022.

    Dealnd-Han, et al. “Windows Processor Requirements.” Microsoft, 9 May 2022. Accessed 18 May 2022.

    “Desktop Operating Systems Market Share Worldwide.” Statcounter Globalstats, June 2021–June 2022. Accessed 17 May 2022.

    “Devices for education.” Microsoft, 2022. Accessed 13 June 2022.

    Duke, Kent. “Chromebook sales skyrocketed in Q3 2020 with online education fueling demand.” Android Police, 16 November 2020. Accessed 18 May 2022.

    Grabham, Dan. “Windows 11 first impressions: Our initial thoughts on using Microsoft's new OS.” Pocket-Lint, 24 June 2021. Accessed 3 June 2022.

    Hachman, Mark. “Why is there a Windows 11 if Windows 10 is the last Windows?” PCWorld, 18 June 2021. Accessed 17 May 2022.

    Howse, Brett. “What to Expect with Windows 11: A Day One Hands-On.” Anandtech, 16 November 2020. Accessed 3 June 2022.

    Hruska, Joel. “Chromebooks Gain Market Share as Education Goes Online.” Extremetech, 26 October 2020. Accessed 19 May 2022.

    Jawed, Usama. “I am finally excited about Windows 11 again.” Neowin, 26 February 2022. Accessed 3 June 2022.

    Jmbpiano. “Windows 11 - What are our initial thoughts and feelings?” Reddit, 22 November 2021. Accessed 3 June 2022.

    Lumunge, Erick. “UEFI and Legacy boot.” OpenGenus, n.d. Accessed 18 May 2022.

    Bibliography

    Mandaro, Laura. “Chromebooks Gain Share of Education Market Despite Shortages.” The Information, 9 September 2020. Accessed 19 May 2022.

    Murtaza, Fawad. “What Is Virtualization Based Security in Windows?” Valnet Inc, 24 October 2021. Accessed 17 May 2022.

    Roberts, Jeremy. Personal interview. 27 May 2022.

    Rouse, Rick. “My initial thoughts about Windows 11 (likes and dislikes).” RicksDailyTips.com, 5 September 2021. Accessed 3 June 2022.

    Sandrews1313. “Windows 11 - What are our initial thoughts and feelings?” Reddit, 22 November 2021. Accessed 3 June 2022.

    “The Matrix Quotes." Quotes.net, n.d. Accessed 18 May 2022.

    Thurrott, Paul.” Google: 40 Million Chromebooks in Use in Education.” Thurrott, 21 January 2020. Accessed 18 May 2022.

    Vaughan-Nichols, Steven J. “The real reason for Windows 11.” Computerworld, 6 July 2021, Accessed 19 May 2022.

    “Virtual Machine Support.” Microsoft,3 June 2022. Accessed 13 June 2022.

    “What are DirectX 12 compatible graphics and WDDM 2.x.” Wisecleaner, 20 August 2021. Accessed 19 May 2022.

    “Windows 11 Specs and System Requirements.” Microsoft, 2022. Accessed 13 June 2022.

    “Windows Display Driver Model.” MiniTool, n.d. Accessed 13 June 2022.

    IT Management and Policies

    • Buy Link or Shortcode: {j2store}23|cart{/j2store}
    • Related Products: {j2store}23|crosssells{/j2store}
    • InfoTech Academy Title: IT management and policies videos
    • InfoTech Academy Excerpt: More videos are available once you join. Contact us for more information.
    • Teaser Video: Visit Website
    • Teaser Video Title: Policies Academy Overview
    • member rating overall impact: 9.5/10
    • member rating average dollars saved: $23101
    • member rating average days saved: 11
    • Parent Category Name: Strategy and Governance
    • InfotechAcademy-Executivebrief: Visit Website
    • Parent Category Link: /strategy-and-governance
    • byline: Review and improve on your IT Policy Library.
    Create policies that matter most to your organization.

    Management, policy, policies

    Hire or Develop a World-Class CISO

    • Buy Link or Shortcode: {j2store}243|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Security Strategy & Budgeting
    • Parent Category Link: /security-strategy-and-budgeting
    • It is difficult to find a “unicorn”: a candidate who is already fully developed in all areas.
    • The role of the CISO has changed so much in the past three years, it is unclear what competencies are most important.
    • Current CISOs need to scope out areas of future development.

    Our Advice

    Critical Insight

    The new security leader must be strategic, striking a balance between being tactical and taking a proactive security stance. They must incorporate security into business practices from day one and enable secure adoption of new technologies and business practices.

    Impact and Result

    • Clarify the competencies that are important to your organizational needs and use them to find a candidate with those specific strengths.
    • If you are a current CISO, complete a self-assessment and identify your high-priority competency gaps so you can actively work to develop those areas.
    • Create an actionable plan to develop the CISO’s capabilities and regularly reassess these items to ensure constant improvement.

    Hire or Develop a World-Class CISO Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Hire of Develop a World-Class CISO Deck – A step-by-step guide on finding or developing the CISO that best fits your organization.

    Use this blueprint to hire or develop a world-class Chief Information Security Officer (CISO) with the competencies that suit your specific organizational needs. Once you have identified the right candidate, create a plan to develop your CISO.

    • Hire or Develop a World-Class CISO – Phases 1-4

    2. CISO Core Competency Evaluation Tool – Determine which competencies your organization needs and which competencies your CISO needs to work on.

    This tool will help you determine which competencies are a priority for your organizational needs and which competencies your CISO needs to develop.

    • CISO Core Competency Evaluation Tool

    3. CISO Stakeholder Power Map Template – Visualize stakeholder and CISO relationships.

    Use this template to identify stakeholders who are key to your security initiatives and to understand your relationships with them.

    • CISO Stakeholder Power Map Template

    4. CISO Stakeholder Management Strategy Template – Develop a strategy to improve stakeholder and CISO relationships.

    Create a strategy to cultivate your stakeholder relationships and manage each relationship in the most effective way.

    • CISO Stakeholder Management Strategy Template

    5. CISO Development Plan Template – Develop a plan to support a world-class CISO.

    This tool will help you create and implement a plan to remediate competency gaps.

    • CISO Development Plan Template

    Infographic

    Further reading

    Hire or Develop a World-Class CISO

    Find a strategic and security-focused champion for your business.

    Analyst Perspective

    Create a plan to become the security leader of tomorrow

    The days are gone when the security leader can stay at a desk and watch the perimeter. The rapidly increasing sophistication of technology, and of attackers, has changed the landscape so that a successful information security program must be elastic, nimble, and tailored to the organization’s specific needs.

    The Chief Information Security Officer (CISO) is tasked with leading this modern security program, and this individual must truly be a Chief Officer, with a finger on the pulses of the business and security processes at the same time. The modern, strategic CISO must be a master of all trades.

    A world-class CISO is a business enabler who finds creative ways for the business to take on innovative processes that provide a competitive advantage and, most importantly, to do so securely.

    Cameron Smith, Research Lead, Security and Privacy

    Cameron Smith
    Research Lead, Security & Privacy
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    • CEOs/CXOs are looking to hire or develop a senior security leader and aren’t sure where to start.
    • Conversely, security practitioners are looking to upgrade their skill set and are equally stuck in terms of what an appropriate starting point is.
    • Organizations are looking to optimize their security plans and move from a tactical position to a more strategic one.

    Common Obstacles

    • It is difficult to find a “unicorn”: a candidate who is already fully developed in all areas.
    • The role of the CISO has changed so much in the past three years, it is unclear what competencies are most important.
    • You are a current CISO and need to scope out your areas of future development.

    Info-Tech’s Approach

    • Clarify the competencies that are important to your organizational needs and use them to find a candidate with those specific strengths.
    • If you are a current CISO, complete a self-assessment and identify your high-priority competency gaps so you can actively work to develop those areas.
    • Create an actionable plan to develop the CISO’s capabilities and regularly reassess these items to ensure constant improvement.

    Info-Tech Insight
    The new security leader must be strategic, striking a balance between being tactical and taking a proactive security stance. They must incorporate security into business practices from day one and enable secure adoption of new technologies and business practices.

    Your challenge

    This Info-Tech blueprint will help you hire and develop a strategic CISO

    • Security without strategy is a hacker’s paradise.
    • The outdated model of information security is tactical, where security acts as a watchdog and responds.
    • The new security leader must be strategic, striking a balance between being tactical and taking a proactive security stance. They must incorporate security into business practices from day one and enable secure adoption of new technologies and business practices.

    Around one in five organizations don’t have an individual with the sole responsibility for security1

    1 Navisite

    Info-Tech Insight
    Assigning security responsibilities to departments other than security can lead to conflicts of interest.

    Common obstacles

    It can be difficult to find the right CISO for your organization

    • The smaller the organization, the less likely it will have a CISO or equivalent position.
    • Because there is a shortage of qualified candidates, qualified CISOs can demand high salaries and many CISO positions will go unfilled.
    • It is easier for larger companies to attract top CISO talent, as they generally have more resources available.

    Source: Navisite

    Only 36% of small businesses have a CISO (or equivalent position).

    48% of mid-sized businesses have a CISO.

    90% of large organizations have a CISO.

    Source: Navisite

    Strategic versus tactical

    CISOs should provide leadership based on a strategic vision 1

    Strategic CISO Tactical CISO

    Proactive

    Focus is on protecting hyperdistributed business processes and data

    Elastic, flexible, and nimble

    Engaged in business design decisions

    Speaks the language of the audience (e.g. business, financial, technical)

    Reactive

    Focus is on protecting current state

    Perimeter and IT-centric approach

    Communicates with technical jargon

    1 Journal of Computer Science and Information Technology

    Info-Tech has identified three key behaviors of the world-class CISO

    To determine what is required from tomorrow’s security leader, Info-Tech examined the core behaviors that make a world-class CISO. These are the three areas that a CISO engages with and excels in.

    Later in this blueprint, we will review the competencies and skills that are required for your CISO to perform these behaviors at a high level.

    Align

    Aligning security enablement with business requirements

    Enable

    Enabling a culture of risk management

    Manage

    Managing talent and change

    Info-Tech Insight
    Through these three overarching behaviors, you can enable a security culture that is aligned to the business and make security elastic, flexible, and nimble to maintain the business processes.

    Info-Tech’s approach

    Understand what your organization needs in a CISO: Consider the core competencies of a CISO. Assess: Assess candidates' core competencies and the CISO's stakeholder relationships. Plan improvements: Identify resources to close competency gaps and an approach to improve stakeholder relationships. Executive development: Decide next steps to support your CISO moving forward and regularly reassess to measure progress.

    Info-Tech’s methodology to Develop or Hire a World-Class CISO

    1. Launch 2. Assess 3. Plan 4. Execute
    Phase Steps
    1. Understand the core competencies
    2. Measure security and business satisfaction and alignment
    1. Assess stakeholder relationships
    2. Assess core competencies
    1. Identify resources to address your CISO’s competency gaps
    2. Plan an approach to improve stakeholder relationships
    1. Decide next actions and support your CISO moving forward
    2. Regularly reassess to measure development and progress
    Phase Outcomes

    At the end of this phase, you will have:

    • Determined the current gaps in satisfaction and business alignment for your IT security program.
    • Identified the desired qualities in a security leader, specific to your current organizational needs.

    At the end of this phase, you will have:

    • Used the core competencies to help identify the ideal candidate.
    • Identified areas for development in your new or existing CISO.
    • Determined stakeholder relationships to cultivate.

    At the end of this phase, you will have:

    • Created a high-level plan to address any deficiencies.
    • Improved stakeholder relations.

    At the end of this phase, you will have:

    • Created an action-based development plan, including relevant metrics, due dates, and identified stakeholders. This plan is the beginning, not the end. Continually reassessing your organizational needs and revisiting this blueprint’s method will ensure ongoing development.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    CISO Core Competency Evaluation Tool

    Assess the competency levels of a current or prospective CISO and identify areas for improvement.

    Stakeholder Power Map Template

    Visualize the importance of various stakeholders and their concerns.

    Stakeholder Management Strategy Template

    Document a plan to manage stakeholders and track actions.

    Key deliverable:

    CISO Development Plan Template

    The CISO Development Plan Template is used to map specific activities and time frames for competency development to address gaps and achieve your goal.

    Strategic competencies will benefit the organization and the CISO

    Career development should not be seen as an individual effort. By understanding the personal core competencies that Info-Tech has identified, the individual wins by developing relevant new skills and the organization wins because the CISO provides increased value.

    Organizational Benefits Individual Benefits
    • Increased alignment between security and business objectives
    • Development of information security that is elastic, nimble, and flexible for the business
    • Reduction in wasted efforts and resources, and improvement in efficiency of security and the organization as a whole
    • True synergy between security and business stakeholders, where the goals of both groups are being met
    • Increased opportunity as you become a trusted partner within your organization
    • Improved relationships with peers and stakeholders
    • Less resistance and more support for security initiatives
    • More involvement and a stronger role for security at all levels of the organization

    Measured value of a world-class CISO

    Organizations with a CISO saw an average of $145,000 less in data breach costs.1

    However, we aren’t talking about hiring just any CISO. This blueprint seeks to develop your CISO’s competencies and reach a new level of effectiveness.

    Organizations invest a median of around $375,000 annually in their CISO.2 The CISO would have to be only 4% more effective to represent $15,000 more value from this position. This would offset the cost of an Info-Tech workshop, and this conservative estimate pales in comparison to the tangible and intangible savings as shown below.

    Your specific benefits will depend on many factors, but the value of protecting your reputation, adopting new and secure revenue opportunities, and preventing breaches cannot be overstated. There is a reason that investment in information security is on the rise: Organizations are realizing that the payoff is immense and the effort is worthwhile.

    Tangible cost savings from having a world-class CISO Intangible cost savings from having a world-class CISO
    • Cost savings from incident reduction.
    • Cost savings achieved through optimizing information security investments, resulting in savings from previously misdiagnosed issues.
    • Cost savings from ensuring that dollars spent on security initiatives support business strategy.
    • More opportunities to create new business processes through greater alignment between security and business.
    • Improved reputation and brand equity achieved through a proper evaluation of the organization’s security posture.
    • Continuous improvement achieved through a good security assessment and measurement strategy.
    • Ability to plan for the future since less security time will be spent firefighting and more time will be spent engaged with key stakeholders.

    1 IBM Security
    2 Heidrick & Struggles International, Inc.

    Case Study

    In the middle of difficulty lies opportunity

    SOURCE
    Kyle Kennedy
    CISO, CyberSN.com

    Challenge
    The security program identified vulnerabilities at the database layer that needed to be addressed.

    The decision was made to move to a new vendor. There were multiple options, but the best option in the CISO’s opinion was a substantially more expensive service that provided more robust protection and more control features.

    The CISO faced the challenge of convincing the board to make a financial investment in his IT security initiative to implement this new software.

    Solution
    The CISO knew he needed to express this challenge (and his solution!) in a way that was meaningful for the executive stakeholders.

    He identified that the business has $100 million in revenue that would move through this data stream. This new software would help to ensure the security of all these transactions, which they would lose in the event of a breach.

    Furthermore, the CISO identified new business plans in the planning stage that could be protected under this initiative.

    Results
    The CISO was able to gain support for and implement the new database platform, which was able to protect current assets more securely than before. Also, the CISO allowed new revenue streams to be created securely.

    This approach is the opposite of the cautionary tales that make news headlines, where new revenue streams are created before systems are put in place to secure them.

    This proactive approach is the core of the world-class CISO.

    Info-Tech offers various levels of support to best suit your needs

    Guided Implementation

    What does a typical GI on this topic look like?

    Launch Assess Plan Execute

    Call #1: Review and discuss CISO core competencies.

    Call #2: Discuss Security Business Satisfaction and Alignment diagnostic results.

    Call #3: Discuss the CISO Stakeholder Power Map Template and the importance of relationships.

    Call #4: Discuss the CISO Core Competency Evaluation Tool.

    Call #5: Discuss results of the CISO Core Competency Evaluation and identify resources to close gaps.

    Call #6: Review organizational structure and key stakeholder relationships.

    Call #7: Discuss and create your CISO development plan and track your development

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is 6 to 10 calls over the course of 3 to 6 months.

    Phase 1

    Launch

    Phase 1
    1.1 Understand Core Competencies
    1.2 Measure Security and Business Satisfaction and Alignment

    Phase 2
    2.1 Assess Stakeholder Relationships
    2.2 Assess the Core Competencies

    Phase 3
    3.1 Identify Resources to Address Competency Gaps
    3.2 Plan Approach to Improve Stakeholder Relationships

    Phase 4
    4.1 Decide Next Actions and Support Your CISO Moving Forward
    4.2 Regularly Reassess to Measure Development and Progress

    This phase will walk you through the following activities:

    • Review and understand the core competencies of a world-class CISO.
    • Launch your diagnostic survey.
    • Evaluate current business satisfaction with IT security.
    • Determine the competencies that are valuable to your IT security program’s needs.

    Hire or Develop a World-Class CISO

    Case study

    Mark Lester
    InfoSec Manager, SC Ports Authority

    An organization hires a new Information Security Manager into a static and well-established IT department.

    Situation: The organization acknowledges the need for improved information security, but there is no framework for the Security Manager to make successful changes.

    Challenges Next Steps
    • The Security Manager is an outsider in a company with well-established habits and protocols. He is tasked with revamping the security strategy to create unified threat management.
    • Initial proposals for information security improvements are rejected by executives. It is a challenge to implement changes or gain support for new initiatives.
    • The Security Manager will engage with individuals in the organization to learn about the culture and what is important to them.
    • He will assess existing misalignments in the business so that he can target problems causing real pains to individuals.

    Follow this case study throughout the deck to see this organization’s results

    Step 1.1

    Understand the Core Competencies of a World-Class CISO

    Activities

    Review core competencies the security leader must develop to become a strategic business partner

    This step involves the following participants:

    • CEO or other executive seeking to hire/develop a CISO

    or

    • Current CISO seeking to upgrade capabilities

    Outcomes of this step
    Analysis and understanding of the eight strategic CISO competencies required to become a business partner

    Launch

    Core competencies

    Info-Tech has identified eight core competencies affecting the CISO’s progression to becoming a strategic business partner.

    Business Acumen
    A CISO must focus primarily on the needs of the business.

    Leadership
    A CISO must be a security leader and not simply a practitioner.

    Communication
    A CISO must have executive communication skills

    Technical Knowledge
    A CISO must have a broad technical understanding.

    Innovative Problem Solving
    A good CISO doesn’t just say “no,” but rather finds creative ways to say “yes.”

    Vendor Management
    Vendor and financial management skills are critical to becoming a strategic CISO.

    Change Management
    A CISO improves security processes by being an agent of change for the organization.

    Collaboration
    A CISO must be able to use alliances and partnerships strategically.

    1.1 Understand the core competencies a CISO must focus on to become a strategic business partner

    < 1 hour

    Over the next few slides, review each world-class CISO core competency. In Step 1.2, you will determine which competencies are a priority for your organization.

    CISO Competencies Description
    Business Acumen

    A CISO must focus primarily on the needs of the business and how the business works, then determine how to align IT security initiatives to support business initiatives. This includes:

    • Contributing to business growth with an understanding of the industry, core functions, products, services, customers, and competitors.
    • Understanding the business’ strategic direction and allowing it to securely capitalize on opportunities.
    • Understanding the key drivers of business performance and the use of sound business practice.
    Leadership

    A CISO must be a security leader, and not simply a practitioner. This requires:

    • Developing a holistic view of security, risk, and compliance for the organization.
    • Fostering a culture of risk management.
    • Choosing a strong team. Having innovative and reliable employees who do quality work is a critical component of an effective department.
      • This aspect involves identifying talent, engaging your staff, and managing their time and abilities.

    1.1 Understand the core competencies (continued)

    CISO Competencies Description
    Communication

    Many CISOs believe that using technical jargon impresses their business stakeholders – in fact, it only makes business stakeholders become confused and disinterested. A CISO must have executive communication skills. This involves:

    • Clearly communicating with business leaders in meaningful language (i.e. business, financial, social) that they understand by breaking down the complexities of IT security into simple and relatable concepts.
    • Not using acronyms or technological speak. Easy-to-understand translations will go a long way.
    • Strong public speaking and presentation abilities.
    Technical Knowledge

    A CISO must have a broad technical understanding of IT security to oversee a successful security program. This includes:

    • Understanding key security and general IT technologies and processes.
    • Assembling a complementary team, because no individual can have deep knowledge in all areas.
    • Maintaining continuing education to stay on top of emerging technologies and threats.

    1.1 Understand the core competencies (continued)

    CISO Competencies Description
    Innovative Problem Solving

    A good CISO doesn’t just say “no,” but rather finds creative ways to say “yes.” This can include:

    • Taking an active role in seizing opportunities created by emerging technologies.
    • Facilitating the secure implementation of new, innovative revenue models.
    • Developing solutions for complex business problems that require creativity and ingenuity.
    • Using information and technology to drive value around the customer experience.
    Vendor Management

    With the growing use of “anything as a service,” negotiation, vendor, and financial management skills are critical to becoming a strategic CISO.

    • The CISO must be able to evaluate service offerings and secure favorable contracts with the right provider. It is about extracting the maximum value from vendors for the dollars you are spending.
    • Vendor products must be aligned with future business plans to create maximum ongoing value.
    • The CISO must develop financial management skills. This includes the ability to calculate total cost of ownership, return on investment, and project spending over multiyear business plans.

    1.1 Understand the core competencies (continued)

    CISO Competencies Description
    Change Management

    A world-class CISO improves security processes by being an agent of change for the organization. This involves:

    • Leading, guiding, and motivating teams to adopt a responsible risk management culture.
    • Communicating important and complex ideas in a persuasive way.
    • Demonstrating an ability to change themselves and taking the initiative in adopting more efficient behaviors.
    • Handling unplanned change, such as unforeseen attacks or personnel changes, in a professional and proactive manner.
    Collaboration

    A CISO must be able to use alliances and partnerships strategically to benefit both the business and themselves. This includes:

    • Identifying formal and informal networks and constructive relationships to enable security development.
    • Leveraging stakeholders to influence positive outcomes for the organization.
    • Getting out of the IT or IT security sphere and engaging relationships in diverse areas of the organization.

    Step 1.2

    Evaluate satisfaction and alignment between the business and IT security

    Activities

    • Conduct the Information Security Business Satisfaction and Alignment diagnostic
    • Use your results as input into the CISO Core Competency Evaluation Tool

    This step involves the following participants:

    • CEO or other executive seeking to hire/develop a CISO

    or

    • Current CISO seeking to upgrade capabilities

    Outcomes of this step
    Determine current gaps in satisfaction and alignment between information security and your organization.

    If seeking to hire/develop a CISO: Your diagnostic results will help develop a profile of the ideal CISO candidate to use as a hiring and interview guide.

    If developing a current CISO, use your diagnostic results to identify existing competency gaps and target them for improvement.

    For the CISO seeking to upgrade capabilities: Use the core competencies guide to self-assess and identify competencies that require improvement.

    Launch

    1.2 Get started by conducting Info-Tech’s Information Security Business Satisfaction and Alignment diagnostic

    Suggested Time: One week for distribution, completion, and collection of surveys
    One-hour follow-up with an Info-Tech analyst

    The primary goal of IT security is to protect the organization from threats. This does not simply mean bolting everything down, but it means enabling business processes securely. To do this effectively requires alignment between IT security and the overall business.

    • Once you have completed the diagnostic, call Info-Tech to review your results with one of our analysts.
    • The results from this assessment will provide insights to inform your entries in the CISO Core Competency Evaluation Tool.

    Call an analyst to review your results and provide you with recommendations.

    Info-Tech Insight
    Focus on the high-priority competencies for your organization. You may find a candidate with perfect 10s across the board, but a more pragmatic strategy is to find someone with strengths that align with your needs. If there are other areas of weakness, then target those areas for development.

    1.2 Use Info-Tech’s CISO Core Competency Evaluation Tool to understand your organizational needs

    After completing the Info-Tech diagnostic, use the CISO Core Competency Evaluation Tool to determine which CISO competencies are a priority for your organization.

    • Your diagnostic results will indicate where your information security program is aligned well or poorly with your business.
    • For example, the diagnostic may show significant misalignment between information security and executives over the level of external compliance. The CISO behavior that would contribute to solving this is aligning security enablement with business requirements.
      • This misalignment may be due to a misunderstanding by either party. The competencies that will contribute to resolving this are communication, technical knowledge, and business acumen.
      • This mapping method is what will be used to determine which competencies are most important for your needs at the present moment.

    Download the CISO Core Competency Evaluation Tool

    1.2 Use Info-Tech’s CISO Core Competency Evaluation Tool to understand your organizational needs

    After completing the Info-Tech diagnostic, use the CISO Core Competency Evaluation Tool to determine which CISO competencies are a priority for your organization.

    1. Starting on Tab 2: CISO Core Competencies, use your understanding of each competency from section 1.1 along with the definitions described in the tool.
      • For each competency, assign a degree of importance using the drop-down menu in the second column from the right.
      • Importance ratings will range from not at all important at the low end to critically important at the high end.
      • Your importance score will be influenced by several factors, including:
        • The current alignment of your information security department.
        • Your organizational security posture.
        • The size and structure of your organization.
        • The existing skills and maturity within your information security department.

    Download the CISO Core Competency Evaluation Tool

    1.2 Use Info-Tech’s CISO Core Competency Evaluation Tool to understand your organizational needs

    After completing the Info-Tech diagnostic, use the CISO Core Competency Evaluation Tool to determine which CISO competencies are a priority for your organization.

    1. Still on Tab 2. CISO Core Competencies, you will now assign a current level of effectiveness for each competency.
      • This will range from foundational at a low level of effectiveness up to capable, then inspirational, and at the highest rating, transformational.
      • Again, this rating will be very specific to your organization, depending on your structure and your current employees.
      • Fundamentally, these scores will reflect what you want to improve in the area of information security. This is not an absolute scale, and it will be influenced by what skills you want to support your goals and direction as an organization.

    Download the CISO Core Competency Evaluation Tool

    Phase 2

    Assess

    Phase 1
    1.1 Understand Core Competencies
    1.2 Measure Security and Business Satisfaction and Alignment

    Phase 2
    2.1 Assess Stakeholder Relationships
    2.2 Assess the Core Competencies

    Phase 3
    3.2 Plan Approach to Improve Stakeholder Relationships

    Phase 4
    4.1 Decide Next Actions and Support Your CISO Moving Forward
    4.2 Regularly Reassess to Measure Development and Progress

    This phase will walk you through the following activities:

    • Use the CISO Core Competency Evaluation Tool to create and implement an interview guide.
    • Assess and analyze the core competencies of your prospective CISOs. Or, if you are a current CISO, use the CISO Core Competency Evaluation Tool as a self-analysis and identify areas for personal development.
    • Evaluate the influence, impact, and support of key executive business stakeholders using the CISO Stakeholder Power Map Template.

    Hire or Develop a World-Class CISO

    Case study

    Mark Lester
    InfoSec Manager, SC Ports Authority

    The new Security Manager engages with employees to learn the culture.

    Outcome: Understand what is important to individuals in order to create effective collaboration. People will engage with a project if they can relate it to something they value.

    Actions Next Steps
    • The Security Manager determines that he must use low-cost small wins to integrate with the organizational culture and create trust and buy-in and investment will follow.
    • The Security Manager starts a monthly newsletter to get traction across the organization, create awareness of his mandate to improve information security, and establish himself as a trustworthy partner.
    • The Security Manager will identify specific ways to engage and change the culture.
    • Create a persuasive case for investing in information security based on what resonates with the organization.

    Follow this case study throughout the deck to see this organization’s results

    Step 2.1

    Identify key stakeholders for the CISO and assess current relationships

    Activities

    Evaluate the power, impact, and support of key stakeholders

    This step involves the following participants:

    • CEO or other executive seeking to hire/develop a CISO

    or

    • Current CISO seeking to upgrade capabilities

    Outcomes of this step

    • Power map of executive business stakeholders
    • Evaluation of each stakeholder in terms of influence, impact, and current level of support

    Assess

    Identify key stakeholders who own business processes that intersect with security processes

    Info-Tech Insight
    Most organizations don’t exist for the sole purpose of doing information security. For example, if your organization is in the business of selling pencils, then information security is in business to enable the selling of pencils. All the security in the world is meaningless if it doesn’t enable your primary business processes. The CISO must always remember the fundamental goals of the business.

    The above insight has two implications:

    1. The CISO needs to understand the key business processes and who owns them, because these are the people they will need to collaborate with. Like any C-level, the CISO should be one of the most knowledgeable people in the organization regarding business processes.
    2. Each of these stakeholders stands to win or lose depending on the performance of their process, and they can act to either block or enable your progress.
      • To work effectively with these stakeholders, you must learn what is important to them, and pose your initiatives so that you both benefit.

    When people are not receptive to the CISO, it’s usually because the CISO has not been part of the discussion when plans were being made. This is the heart of proactivity.

    You need to be involved from the start … from the earliest part of planning.

    The job is not to come in late and say “No” ... the job is to be involved early and find creative and intelligent ways to say “Yes.”

    The CISO needs to be the enabling security asset that drives business.

    – Elliot Lewis, CEO at Keyavi Data

    Evaluate the importance of business stakeholders and the support necessary from them

    The CISO Stakeholder Power Map Template is meant to provide a visualization of the CISO’s relationships within the organization. This should be a living document that can be updated throughout the year as relationships develop and the structure of an organization changes.

    At a glance, this tool should show:

    • How influential each stakeholder is within the company.
    • How supportive they currently are of the CISO’s initiatives.
    • How strongly each person is impacted by IT security activities.

    Once this tool has been created, it provides a good reference as the CISO works to develop lagging relationships. It shows the landscape of influence and impact within the organization, which may help to guide the CISO’s strategy in the future.

    Evaluate the importance of business stakeholders and the support necessary from them

    Download the CISO Stakeholder Power Map Template

    Evaluate the importance of business stakeholders and the support necessary from them

    1. Identify key stakeholders.
      1. Focus on owners of important business processes.
    2. Evaluate and map each stakeholder in terms of:
      1. Influence (up/down)
      2. Support (left/right)
      3. Impact (size of circle)
      4. Involvement (color of circle)
    3. Decide whether the level of support from each stakeholder needs to change to facilitate success.

    Evaluate the importance of business stakeholders and the support necessary from them

    Info-Tech Insight
    Some stakeholders must work closely with your incoming CISO. It is worth consideration to include these individuals in the interview process to ensure you will have partners that can work well together. This small piece of involvement early on can save a lot of headache in the future.

    Where can you find your desired CISO?

    Once you know which competencies are a priority in your new CISO, the next step is to decide where to start looking. This person may already exist in your company.

    Internal

    Take some time to review your current top information security employees or managers. It may be immediately clear that certain people will or will not be suitable for the CISO role. For those that have potential, proceed to Step 2.2 to map their competencies.

    Recruitment

    If you do not have any current employees that will fit your new CISO profile, or you have other reasons for wanting to bring in an outside individual, you can begin the recruitment process. This could start by posting the position for applications or by identifying and targeting specific candidates.

    Ready to start looking for your ideal candidate? You can use Info-Tech’s Chief Information Security Officer job description template.

    Use the CISO job description template

    Alternatives to hiring a CISO

    Small organizations are less able to muster the resources required to find and retain a CISO,

    Technical Counselor Seat

    In addition to having access to our research and consulting services, you can acquire a Technical Counselor Seat from our Security & Risk practice, where one of our senior analysts would serve with you on a retainer. You may find that this option saves you the expense of having to hire a new CISO altogether.

    Virtual CISO

    A virtual CISO, or vCISO, is essentially a “CISO as a service.” A vCISO provides an organization with an experienced individual that can, on a part-time basis, lead the organization’s security program through policy and strategy development.

    Why would an organization consider a vCISO?

    • A vCISO can provide services that are flexible, technical, and strategic and that are based on the specific requirements of the organization.
    • They can provide a small organization with program maturation within the organization’s resources.
    • They can typically offer depth of experience beyond what a small business could afford if it were to pursue a full-time CISO.

    Source: InfoSec Insights by Sectigo Store

    Why would an organization not consider a vCISO?

    • The vCISO’s attention is divided among their other clients.
    • They won’t feel like a member of your organization.
    • They won’t have a deep understanding of your systems and processes.

    Source: Georgia State University

    Step 2.2

    Assess CISO candidates and evaluate their current competency

    Activities

    Assess CISO candidates in terms of desired core competencies

    or

    Self-assess your personal core competencies

    This step involves the following participants:

    • CEO or other executive seeking to hire/develop a CISO

    or

    • Current CISO seeking to upgrade capabilities

    and

    • Any key stakeholders or collaborators you choose to include in the assessment process

    Outcomes of this step

    • You have assessed your requirements for a CISO candidate.
    • The process of hiring is under way, and you have decided whether to hire a CISO, develop a CISO, or consider a Counselor Seat as another option.

    Assess

    2.2 Use Info-Tech’s CISO Core Competency Evaluation Tool to assess your CISO candidate

    Use Info-Tech’s CISO Core Competency Evaluation Tool to assess your CISO candidate

    Download the CISO Core Competency Evaluation Tool

    Info-Tech Insight
    The most important competencies should be your focus. Unless you are lucky enough to find a candidate that is perfect across the board, you will see some areas that are not ideal. Don’t forget the importance you assigned to each competency. If a candidate is ideal in the most critical areas, you may not mind that some development is needed in a less important area.

    2.2 Use Info-Tech’s CISO Core Competency Evaluation Tool to evaluate your candidates

    After deciding the importance of and requirements for each competency in Phase 1, assess your CISO candidates.

    Your first pass on this tool will be to look at internal candidates. This is the develop a CISO option.

    1. In the previous phase, you rated the Importance and Current Effectiveness for each competency in Tab 2. CISO Core Competencies. In this step, use Tab 3. Gap Analysis to enter a Minimum Level and a Desired Level for each competency. Keep in mind that it may be unrealistic to expect a candidate to be fully developed in all aspects.
    2. Next, enter a rating for your candidate of interest for each of the eight competencies.
    3. This scorecard will generate an overall suitability score for the candidate. The color of the output (from red to green) indicates the suitability, and the intensity of the color indicates the importance you assigned to that competency.

    Download the CISO Core Competency Evaluation Tool

    2.2 Use Info-Tech’s CISO Core Competency Evaluation Tool to evaluate your candidates

    • If the internal search does not identify a suitable candidate, you will want to expand your search.
    • Repeat the scoring process for external candidates until you find your new CISO.
    • You may want to skip your external search altogether and instead contact Info-Tech for more information on our Counselor Seat options.

    Download the CISO Core Competency Evaluation Tool

    Phase 3

    Plan

    Phase 1
    1.1 Understand Core Competencies
    1.2 Measure Security and Business Satisfaction and Alignment

    Phase 2
    2.1 Assess Stakeholder Relationships
    2.2 Assess the Core Competencies

    Phase 3
    3.1 Identify Resources to Address Competency Gaps
    3.2 Plan Approach to Improve Stakeholder Relationships

    Phase 4
    4.1 Decide Next Actions and Support Your CISO Moving Forward
    4.2 Regularly Reassess to Measure Development and Progress

    This phase will walk you through the following activities:

    • Create a plan to develop your competency gaps.
    • Construct and consider your organizational model.
    • Create plan to cultivate key stakeholder relationships.

    Hire or Develop a World-Class CISO

    Case study

    Mark Lester
    InfoSec Manager, SC Ports Authority

    The new Security Manager changes the security culture by understanding what is meaningful to employees.

    Outcome: Engage with people on their terms. The CISO must speak the audience’s language and express security terms in a way that is meaningful to the audience.

    Actions Next Steps
    • The Security Manager identifies recent events where ransomware and social engineering attacks were successful in penetrating the organization.
    • He uses his newsletter to create organization-wide discussion on this topic.
    • This very personal example makes employees more receptive to the Security Manager’s message, enabling the culture of risk management.
    • The Security Manager will leverage his success in improving the information security culture and awareness to gain support for future initiatives.

    Follow this case study throughout the deck to see this organization’s results

    Step 3.1

    Identify resources for your CISO to remediate competency gaps

    Activities

    Create a plan to remediate competency gaps

    This step involves the following participants:

    • CEO or other executive seeking to hire/develop a CISO
    • The newly hired CISO

    or

    • Current CISO seeking to upgrade capabilities

    Outcomes of this step

    • Identification of core competency deficiencies
    • A plan to close the gaps

    Plan

    3.1 Close competency gaps with Info-Tech’s Cybersecurity Workforce Development Training

    Resources to close competency gaps

    Info-Tech’s Cybersecurity Workforce Training develops critical cybersecurity skills missing within your team and organization. The leadership track provides the same deep coverage of technical knowledge as the analyst track but adds hands-on support and has a focus on strategic business alignment, program management, and governance.

    The program builds critical skills through:

    • Standardized curriculum with flexible projects tailored to business needs
    • Realistic cyber range scenarios
    • Ready-to-deploy security deliverables
    • Real assurance of skill development

    Info-Tech Insight
    Investing in a current employee that has the potential to be a world-class CISO may take less time, effort, and money than finding a unicorn.

    Learn more on the Cybersecurity Workforce Development webpage

    3.1 Identify resources for your CISO to remediate competency gaps

    < 2 hours

    CISO Competencies Description
    Business Acumen

    Info-Tech Workshops & Blueprints

    Actions/Activities

    • Take a business acumen course: Acumen Learning, What the CEO Wants You to Know: Building Business Acumen.
    • Meet with business stakeholders. Ask them to take you through the strategic plan for their department and then identify opportunities where security can provide support to help drive their initiatives.
    • Shadow another C-level executive. Understand how they manage their business unit and demonstrate an eagerness to learn.
    • Pursue an MBA or take a business development course.

    3.1 Identify resources for your CISO to remediate competency gaps (continued)

    < 2 hours

    CISO Competencies Description
    Leadership

    Info-Tech Training and Blueprints

    Action/Activities

    • Communicate your vision for security to your team. You will gain buy-in from your employees by including them in the creation of your program, and they will be instrumental to your success.

    Info-Tech Insight
    Surround yourself with great people. Insecure leaders surround themselves with mediocre employees that aren’t perceived as a threat. Great leaders are supported by great teams, but you must choose that great team first.

    3.1 Identify resources for your CISO to remediate competency gaps (continued)

    < 2 hours

    CISO Competencies Description
    Communication

    Info-Tech Workshops & Blueprints

    Build and Deliver an Optimized IT Update Presentation: Show IT’s value and relevance by dropping the technical jargon and speaking to the business in their terms.

    Master Your Security Incident Response Communications Program: Learn how to talk to your stakeholders about what’s going on when things go wrong.

    Develop a Security Awareness and Training Program That Empowers End Users: Your weakest link is between the keyboard and the chair, so use engaging communication to create positive behavior change.

    Actions/Activities

    Learn to communicate in the language of your audience (whether business, finance, or social), and frame security solutions in terms that are meaningful to your listener.

    Technical Knowledge

    Actions/Activities

    • In many cases, the CISO is progressing from a strong technical background, so this area is likely a strength already.
    • However, as the need for executive skills are being recognized, many organizations are opting to hire a business or operations professional as a CISO. In this case, various Info-Tech blueprints across all our silos (e.g. Security, Infrastructure, CIO, Apps) will provide great value in understanding best practices and integrating technical skills with the business processes.
    • Pursue an information security leadership certification: GIAC, (ISC)², and ISACA are a few of the many organizations that offer certification programs.

    3.1 Identify resources for your CISO to remediate competency gaps (continued)

    < 2 hours

    CISO Competencies Description
    Innovative Problem Solving

    Info-Tech Workshops & Blueprints

    Actions/Activities

    Vendor Management

    Info-Tech Blueprints & Resources

    Actions/Activities

    3.1 Identify resources for your CISO to remediate competency gaps (continued)

    < 2 hours

    CISO Competencies Description
    Change Management

    Info-Tech Blueprints

    Actions/Activities

    • Start with an easy-win project to create trust and support for your initiatives.
    Collaboration

    Info-Tech Blueprints

    Actions/Activities

    • Get out of your office. Have lunch with people from all areas of the business. Understanding the goals and the pains of employees throughout your organization will help you to design effective initiatives and cultivate support.
    • Be clear and honest about your goals. If people know what you are trying to do, then it is much easier for them to work with you on it. Being ambiguous or secretive creates confusion and distrust.

    3.1 Create the CISO’s personal development plan

    • Use Info-Tech’s CISO Development Plan Template to document key initiatives that will close previously identified competency gaps.
    • The CISO Development Plan Template is used to map specific actions and time frames for competency development, with the goal of addressing competency gaps and helping you become a world-class CISO. This template can be used to document:
      • Core competency gaps
      • Security process gaps
      • Security technology gaps
      • Any other career/development goals
    • If you have a coach or mentor, you should share your plan and report progress to that person. Alternatively, call Info-Tech to speak with an executive advisor for support and advice.
      • Toll-Free: 1-888-670-8889

    What you will need to complete this exercise

    • CISO Core Competency Evaluation Tool results
    • Information Security Business Satisfaction and Alignment diagnostic results
    • Insights gathered from business stakeholder interviews

    Step 3.2

    Plan an approach to improve your relationships

    Activities

    • Review engagement strategies for different stakeholder types
    • Create a stakeholder relationship development plan

    This step involves the following participants:

    • CEO or other executive seeking to hire/develop a CISO
    • The newly hired CISO

    or

    • Current CISO seeking to upgrade capabilities

    Outcomes of this step

    • Stakeholder relationship strategy deliverable

    Plan

    Where should the CISO sit?

    Where the CISO sits in the organization can have a big impact on the security program.

    • Organizations with CISOs in the C-suite have a fewer security incidents.1
    • Organizations with CISOs in the C-suite generally have better IT ability.1
    • An organization whose CISO reports to the CIO risks conflict of interest.1
    • 51% of CISOs believe their effectiveness can be hampered by reporting lines.2
    • Only half of CISOs feel like they are in a position to succeed.2

    A formalized security organizational structure assigns and defines the roles and responsibilities of different members around security. Use Info-Tech’s blueprint Implement a Security Governance and Management Program to determine the best structure for your organization.

    Who the CISO reports to, by percentage of organizations3

    Who the CISO reports to, by percentage of organizations

    Download the Implement a Security Governance and Management Program blueprint

    1. Journal of Computer Science and Information
    2. Proofpoint
    3. Heidrick & Struggles International, Inc

    3.2 Make a plan to manage your key stakeholders

    Managing stakeholders requires engagement, communication, and relationship management. To effectively collaborate and gain support for your initiatives, you will need to build relationships with your stakeholders. Take some time to review the stakeholder engagement strategies for different stakeholder types.

    Influence Mediators
    (Satisfy)         		Key Players
    (Engage)
    Spectators
    (Monitor)     		Noisemakers
    (Inform)
    Support for you

    When building relationships, I find that what people care about most is getting their job done. We need to help them do this in the most secure way possible.

    I don’t want to be the “No” guy, I want to enable the business. I want to find to secure options and say, “Here is how we can do this.”

    – James Miller, Information Security Director, Xavier University

    Download the CISO Stakeholder Management Strategy Template

    Key players – Engage

    Goal Action
    Get key players to help champion your initiative and turn your detractors into supporters. Actively involve key players to take ownership.
    Keep It Positive Maintain a Close Relationship
    • Use their positive support to further your objectives and act as your foundation of support.
    • Key players can help you build consensus among other stakeholders.
    • Get supporters to be vocal in your town halls.
    • Ask them to talk to other stakeholders over whom they have influence.
    • Get some quick wins early to gain and maintain stakeholder support and help convert them to your cause.
    • Use their influence and support to help persuade blockers to see your point of view.
    • Collaborate closely. Key players are tuned in to information streams that are important. Their advice can keep you informed and save you from being blindsided.
    • Keep them happy. By definition, these individuals have a stake in your plans and can be affected positively or negatively. Going out of your way to maintain relationships can be well worth the effort.

    Info-Tech Insight
    Listen to your key players. They understand what is important to other business stakeholders, and they can provide valuable insight to guide your future strategy.

    Mediators – Satisfy

    Goal Action
    Turn mediators into key players Increase their support level.
    Keep It Positive Maintain a Close Relationship
    • Make stakeholders part of the conversation by consulting them for input on planning and strategy.
    • Sample phrases:
      • “I’ve heard you have experience in this area. Do you have time to answer a few questions?”
      • “I’m making some decisions and I would value your thoughts. Can I get your perspective on this?”
    • Enhance their commitment by being inclusive. Encourage their support whenever possible.
    • Make them feel acknowledged and solicit feedback.
    • Listen to blockers with an open mind to understand their point of view. They may have valuable insight.
    • Approach stakeholders on their individual playing fields.
      • They want to know that you understand their business perspective.
    • Stubborn mediators might never support you. If consulting doesn’t work, keep them informed of important decision-making points and give them the opportunity to be involved if they choose to be.

    Info-Tech Insight
    Don’t dictate to stakeholders. Make them feel like valued contributors by including them in development and decision making. You don’t have to incorporate all their input, but it is essential that they feel respected and heard.

    Noisemakers – Inform

    Goal Action
    Have noisemakers spread the word to increase their influence. Encourage noisemakers to influence key stakeholders.
    Keep It Positive Maintain a Close Relationship
    • Identify noisemakers who have strong relationships with key stakeholders and focus on them.
      • These individuals may not have decision-making power, but their opinions and advice may help to sway a decision in your favor.
    • Look for opportunities to increase their influence over others.
    • Put effort into maintaining the positive relationship so that it doesn’t dwindle.
    • You already have this group’s support, but don’t take it for granted.
    • Be proactive, pre-emptive, and transparent.
    • Address issues or bad news early and be careful not to exaggerate their significance.
    • Use one-on-one meetings to give them an opportunity to express challenges in a private setting.
    • Show individuals in this group that you are a problem-solver:
      • “The implementation was great, but we discovered problems afterward. Here is what we’re doing about it.”

    Spectators – Monitor

    Goal Action
    Keep spectators content and avoid turning them into detractors. Keep them well informed.
    Keep It Positive Maintain a Close Relationship
    • A hands-on approach is not required with this group.
    • Keep them informed with regular, high-altitude communications and updates.
    • Use positive, exciting announcements to increase their interest in your initiatives.
    • Select a good venue for generating excitement and assessing the mood of spectators.
    • Spectators may become either supporters or blockers. Monitor them closely and keep in touch with them to stop these individuals from becoming blockers.
    • Listen to questions from spectators carefully. View any engagement as an opportunity to increase participation from this group and generate a positive shift in interest.

    3.2 Create the CISO’s stakeholder management strategy

    Develop a strategy to manage key stakeholders in order to drive your personal development plan initiatives.

    • The purpose of the CISO Stakeholder Management Strategy Template is to document the results of the power mapping exercise, create a plan to proactively manage stakeholders, and track the actions taken.
    • Use this in concert with Info-Tech’s CISO Stakeholder Power Map Template to help visualize the importance of key stakeholders to your personal development. You will document:
      • Stakeholder role and type.
      • Current relationship with the stakeholder.
      • Level of power/influence and degree of impact.
      • Current and desired level of support.
      • Initiatives that require the stakeholder’s engagement.
      • Actions to be taken – along with the status and results.

    What you will need to complete this exercise

    • Completed CISO Stakeholder Power Map
    • Security Business Satisfaction and Alignment Diagnostic results

    Download the CISO Stakeholder Management Strategy Template

    Phase 4

    Execute

    Phase 1
    1.1 Understand Core Competencies
    1.2 Measure Security and Business Satisfaction and Alignment

    Phase 2
    2.1 Assess Stakeholder Relationships
    2.2 Assess the Core Competencies

    Phase 3
    3.1 Identify Resources to Address Competency Gaps
    3.2 Plan Approach to Improve Stakeholder Relationships

    Phase 4
    4.1 Decide Next Actions and Support Your CISO Moving Forward
    4.2 Regularly Reassess to Measure Development and Progress

    This phase will walk you through the following activities:

    • Populate the CISO Development Plan Template with appropriate targets and due dates.
    • Set review and reassess dates.
    • Review due dates with CISO.

    Hire or Develop a World-Class CISO

    Case study

    Mark Lester
    InfoSec Manager, SC Ports Authority

    The new Security Manager leverages successful cultural change to gain support for new security investments.

    Outcome: Integrating with the business on a small level and building on small successes will lead to bigger wins and bigger change.

    Actions Next Steps
    • By fostering positive relationships throughout the organization, the Security Manager has improved the security culture and established himself as a trusted partner.
    • In an organization that had seen very little change in years, he has used well developed change management, business acumen, leadership, communication, collaboration, and innovative problem-solving competencies to affect his initiatives.
    • He can now return to the board with a great deal more leverage in seeking support for security investments.
    • The Security Manager will leverage his success in improving the information security culture and awareness to gain support for future initiatives.

    Step 4.1

    Decide next actions and support your CISO moving forward

    Activities

    • Complete the Info-Tech CISO Development Plan Template
    • Create a stakeholder relationship development plan

    This step involves the following participants:

    • CEO or other executive seeking to hire/develop a CISO
    • The newly hired CISO

    or

    • Current CISO seeking to upgrade capabilities

    Outcomes of this step

    Next actions for each of your development initiatives

    Execute

    Establish a set of first actions to set your plan into motion

    The CISO Development Plan Template provides a simple but powerful way to focus on what really matters to execute your plan.

    • By this point, the CISO is working on the personal competency development while simultaneously overseeing improvements across the security program, managing stakeholders, and seeking new business initiatives to engage with. This can be a lot to juggle effectively.
    • Disparate initiatives like these can hinder progress by creating confusion.
    • By distilling your plan down to Subject > Action > Outcome, you immediately restore focus and turn your plans into actionable items.
    • The outcome is most valuable when it is measurable. This makes progress (or lack of it) very easy to track and assess, so choose a meaningful metric.
    Item to Develop
    (competency/process/tech)
    First Action Toward Development
    Desired Outcome, Including a Measurable Indicator

    Download the CISO Development Plan Template

    4.1 Create a CISO development plan to keep all your objectives in one place

    Use Info-Tech’s CISO Development Plan Template to create a quick and simple yet powerful tool that you can refer to and update throughout your personal and professional development initiatives. As instructed in the template, you will document the following:

    Your Item to Develop The Next Action Required The Target Outcome
    This could be a CISO competency, a security process item, a security technology item, or an important relationship (or something else that is a priority). This could be as simple as “schedule lunch with a stakeholder” or “email Info-Tech to schedule a Guided Implementation call.” This part of the tool is meant to be continually updated as you progress through your projects. The strength of this approach is that it focuses your project into simple actionable steps that are easily achieved, rather than looking too far down the road and seeing an overwhelming task ahead. This will be something measurable like “reduce spending by 10%” or “have informal meeting with leaders from each department.”

    Info-Tech Insight
    A good plan doesn’t require anything that is outside of your control. Good measurable outcomes are behavior based rather than state based.
    “Increase the budget by 10%” is a bad goal because it is ultimately reliant on someone else and can be derailed by an unsupportive executive. A better goal is “reduce spending by 10%.” This is something more within the CISO’s control and is thus a better performance indicator and a more achievable goal.

    4.1 Create a CISO development plan to keep all your objectives in one place

    Below you will find sample content to populate your CISO Development Plan Template. Using this template will guide your CISO in achieving the goals identified here.

    The template itself is a metric for assessing the development of the CISO. The number of targets achieved by the due date will help to quantify the CISO’s progress.

    You may also want to include improvements to the organization’s security program as part of the CISO development plan.

    Area for Development Item for Development Next Action Required Key Stakeholders/ Owners Target Outcome Due Date Completed
    Core Competencies:
    Communication     		Executive
    communication     		Take economics course to learn business language Course completed [Insert date] [Y/N]
    Core Competencies:
    Communication     		Improve stakeholder
    relationships     		Email Bryce from finance to arrange lunch Improved relationship with finance department [Insert date] [Y/N]
    Technology Maturity: Security Prevention Identity and access management (IAM) system Call Info-Tech to arrange call on IAM solutions 90% of employees entered into IAM system [Insert date] [Y/N]
    Process Maturity: Response & Recovery Disaster recovery Read Info-Tech blueprint on disaster recovery Disaster recovery and backup policies in place [Insert date] [Y/N]

    Check out the First 100 Days as CISO blueprint for guidance on bringing improvements to the security program

    4.1 Use your action plan to track development progress and inform stakeholders

    • As you progress toward your goals, continually update the CISO development plan. It is meant to be a living document.
    • The Next Action Required should be updated regularly as you make progress so you can quickly jump in and take meaningful actions without having to reassess your position every time you open the plan. This is a simple but very powerful method.
    • To view your initiatives in customizable ways, you can use the drop-down menu on any column header to sort your initiatives (i.e. by due date, completed status, area for development). This allows you to quickly and easily see a variety of perspectives on your progress and enables you to bring upcoming or incomplete projects right to the top.
    Area for Development Item for Development Next Action Required Key Stakeholders/ Owners Target Outcome Due Date Completed
    Core Competencies:
    Communication     		Executive
    communication     		Take economics course to learn business language Course completed [Insert date] [Y/N]
    Core Competencies:
    Communication     		Improve stakeholder
    relationships     		Email Bryce from finance to arrange lunch Improved relationship with finance department [Insert date] [Y/N]
    Technology Maturity: Security Prevention Identity and access management (IAM) system Call Info-Tech to arrange call on IAM solutions 90% of employees entered into IAM system [Insert date] [Y/N]
    Process Maturity: Response & Recovery Disaster recovery Read Info-Tech blueprint on disaster recovery Disaster recovery and backup policies in place [Insert date] [Y/N]

    Step 4.2

    Regularly reassess to track development and progress

    Activities

    Create a calendar event for you and your CISO, including which items you will reassess and when

    This step involves the following participants:

    • CEO or other executive seeking to hire/develop a CISO
    • The newly hired CISO

    or

    • Current CISO seeking to upgrade capabilities

    Outcomes of this step

    Scheduled reassessment of the CISO’s competencies

    Execute

    4.2 Regularly evaluate your CISO’s progress

    < 1 day

    As previously mentioned, your CISO development plan is meant to be a living document. Your CISO will use this as a companion tool throughout project implementation, but periodically it will be necessary to re-evaluate the entire program to assess your progress and ensure that your actions are still in alignment with personal and organizational goals.

    Info-Tech recommends performing the following assessments quarterly or twice yearly with the help of our executive advisors (either over the phone or onsite).

    1. Sit down and re-evaluate your CISO core competencies using the CISO Core Competency Evaluation Tool.
    2. Analyze your relationships using the CISO Stakeholder Power Map Template.
    3. Compare all of these against your previous results to see what areas you have strengthened and decide if you need to focus on a different area now.
    4. Consider your CISO Development Plan Template and decide whether you have achieved your desired outcomes. If not, why?
    5. Schedule your next reassessment, then create a new plan for the upcoming quarter and get started.
    Materials
    • Laptop
    • CISO Development Plan Template
    Participants
    • CISO
    • Hiring executive (possibly)
    Output
    • Complete CISO and security program development plan

    Summary of Accomplishment

    Knowledge Gained

    • Understanding of the competencies contributing to a successful CISO
    • Strategic approach to integrate the CISO into the organization
    • View of various CISO functions from a variety of business and executive perspectives, rather than just a security view

    Process Optimized

    • Hiring of the CISO
    • Assessment and development of stakeholder relationships for the CISO
    • Broad planning for CISO development

    Deliverables Completed

    • IT Security Business Satisfaction and Alignment Diagnostic
    • CISO Core Competency Evaluation Tool
    • CISO Stakeholder Power Map Template
    • CISO Stakeholder Management Strategy Template
    • CISO Development Plan Template

    If you would like additional support, have our analysts guide you through an Info-Tech workshop or Guided Implementation

    Contact your account representative for more information

    workshop@infotech.com
    1-888-670-8889

    Related Info-Tech Research

    Build an Information Security Strategy
    Your security strategy should not be based on trying to blindly follow best practices but on a holistic risk-based assessment that is risk aware and aligns with your business context.

    The First 100 Days as CISO
    Every CISO needs to follow Info-Tech’s five-step approach to truly succeed in their new position. The meaning and expectations of a CISO role will differ from organization to organization and person to person, but the approach to the new position will be relatively the same.

    Implement a Security Governance and Management Program
    Business and security goals should be the same. Businesses cannot operate without security, and security's goal is to enable safe business operations.

    Research Contributors

    • Mark Lester, Information Security Manager, South Carolina State Ports Authority
    • Kyle Kennedy, CISO, CyberSN.com
    • James Miller, Information Security Director, Xavier University
    • Elliot Lewis, Vice President Security & Risk, Info-Tech Research Group
    • Andrew Maroun, Enterprise Security Lead, State of California
    • Brian Bobo, VP Enterprise Security, Schneider National
    • Candy Alexander, GRC Security Consultant, Towerall Inc.
    • Chad Fulgham, Chairman, PerCredo
    • Ian Parker, Head of Corporate Systems Information Security Risk and Compliance, Fujitsu EMEIA
    • Diane Kelly, Information Security Manager, Colorado State Judicial Branch
    • Jeffrey Gardiner, CISO, Western University
    • Joey LaCour, VP & Chief Security, Colonial Savings
    • Karla Thomas, Director IT Global Security, Tower Automotive
    • Kevin Warner, Security and Compliance Officer, Bridge Healthcare Providers
    • Lisa Davis, CEO, Vicinage
    • Luis Brown, Information Security & Compliance Officer, Central New Mexico Community College
    • Peter Clay, CISO, Qlik
    • Robert Banniza, Senior Director IT Center Security, AMSURG
    • Tim Tyndall, Systems Architect, Oregon State

    Bibliography

    Dicker, William. "An Examination of the Role of vCISO in SMBs: An Information Security Governance Exploration." Dissertation, Georgia State University, May 2, 2021. Accessed 30 Sep. 2022.

    Heidrick & Struggles. "2022 Global Chief Information Security Officer (CISO) Survey" Heidrick & Struggles International, Inc. September 6, 2022. Accessed 30 Sep. 2022.

    IBM Security. "Cost of a Data Breach Report 2022" IBM. August 1, 2022. Accessed 9 Nov. 2022.

    Mehta, Medha. "What Is a vCISO? Are vCISO Services Worth It?" Infosec Insights by Sectigo, June 23, 2021. Accessed Nov 22. 2022.

    Milica, Lucia. “Proofpoint 2022 Voice of the CISO Report” Proofpoint. May 2022. Accessed 6 Oct. 2022.

    Navisite. "The State of Cybersecurity Leadership and Readiness" Navisite. November 9, 2021. Accessed 9 Nov. 2022.

    Shayo, Conrad, and Frank Lin. “An Exploration of the Evolving Reporting Organizational Structure for the Chief Information Security Officer (CISO) Function” Journal of Computer Science and Information Technology, vol. 7, no. 1, June 2019. Accessed 28 Sep. 2022.

    Create a Customized Big Data Architecture and Implementation Plan

    • Buy Link or Shortcode: {j2store}388|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • member rating average days saved: Read what our members are saying
    • Parent Category Name: Data Management
    • Parent Category Link: /data-management
    • Big data architecture is different from traditional data for several key reasons, including:
      • Big data architecture starts with the data itself, taking a bottom-up approach. Decisions about data influence decisions about components that use data.
      • Big data introduces new data sources such as social media content and streaming data.
      • The enterprise data warehouse (EDW) becomes a source for big data.
      • Master data management (MDM) is used as an index to content in big data about the people, places, and things the organization cares about.
      • The variety of big data and unstructured data requires a new type of persistence.
    • Many data architects have no experience with big data and feel overwhelmed by the number of options available to them (including vendor options, storage options, etc.). They often have little to no comfort with new big data management technologies.
    • If organizations do not architect for big data, there are a couple of main risks:
      • The existing data architecture is unable to handle big data, which will eventually result in a failure that could compromise the entire data environment.
      • Solutions will be selected in an ad hoc manner, which can cause incompatibility issues down the road.

    Our Advice

    Critical Insight

    • Before beginning to make technology decisions regarding the big data architecture, make sure a strategy is in place to document architecture principles and guidelines, the organization’s big data business pattern, and high-level functional and quality of service requirements.
    • The big data business pattern can be used to determine what data sources should be used in your architecture, which will then dictate the data integration capabilities required. By documenting current technologies, and determining what technologies are required, you can uncover gaps to be addressed in an implementation plan.
    • Once you have identified and filled technology gaps, perform an architectural walkthrough to pull decisions and gaps together and provide a fuller picture. After the architectural walkthrough, fill in any uncovered gaps. A proof-of-technology project can be started as soon as you have evaluation copies (or OSS) products and at least one person who understands the technology.

    Impact and Result

    • Save time and energy trying to fix incompatibilities between technology and data.
    • Allow the Data Architect to respond to big data requests from the business more quickly.
    • Provide the organization with valuable insights through the analytics and visualization technologies that are integrated with the other building blocks.

    Create a Customized Big Data Architecture and Implementation Plan Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Recognize the importance of big data architecture

    Big data is centered on the volume, variety, velocity, veracity, and value of data. Achieve a data architecture that can support big data.

    • Storyboard: Create a Customized Big Data Architecture and Implementation Plan

    2. Define architectural principles and guidelines while taking into consideration maturity

    Understand the importance of a big data architecture strategy. Assess big data maturity to assist with creation of your architectural principles.

    • Big Data Maturity Assessment Tool
    • Big Data Architecture Principles & Guidelines Template

    3. Build the big data architecture

    Come to accurate big data architecture decisions.

    • Big Data Architecture Decision Making Tool

    4. Determine common services needs

    What are common services?

    5. Plan a big data architecture implementation

    Gain business satisfaction with big data requests. Determine what steps need to be taken to achieve your big data architecture.

    • Big Data Architecture Initiative Definition Tool
    • Big Data Architecture Initiative Planning Tool

    Infographic

    Workshop: Create a Customized Big Data Architecture and Implementation Plan

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Recognize the Importance of Big Data Architecture

    The Purpose

    Set expectations for the workshop.

    Recognize the importance of doing big data architecture when dealing with big data.

    Key Benefits Achieved

    Big data defined.

    Understanding of why big data architecture is necessary.

    Activities

    1.1 Define the corporate strategy.

    1.2 Define big data and what it means to the organization.

    1.3 Understand why doing big data architecture is necessary.

    1.4 Examine Info-Tech’s Big Data Reference Architecture.

    Outputs

    Defined Corporate Strategy

    Defined Big Data

    Reference Architecture

    2 Design a Big Data Architecture Strategy

    The Purpose

    Identification of architectural principles and guidelines to assist with decisions.

    Identification of big data business pattern to choose required data sources.

    Definition of high-level functional and quality of service requirements to adhere architecture to.

    Key Benefits Achieved

    Key Architectural Principles and Guidelines defined.

    Big data business pattern determined.

    High-level requirements documented.

    Activities

    2.1 Discuss how maturity will influence architectural principles.

    2.2 Determine which solution type is best suited to the organization.

    2.3 Define the business pattern driving big data.

    2.4 Define high-level requirements.

    Outputs

    Architectural Principles & Guidelines

    Big Data Business Pattern

    High-Level Functional and Quality of Service Requirements Exercise

    3 Build a Big Data Architecture

    The Purpose

    Establishment of existing and required data sources to uncover any gaps.

    Identification of necessary data integration requirements to uncover gaps.

    Determination of the best suited data persistence model to the organization’s needs.

    Key Benefits Achieved

    Defined gaps for Data Sources

    Defined gaps for Data Integration capabilities

    Optimal Data Persistence technology determined

    Activities

    3.1 Establish required data sources.

    3.2 Determine data integration requirements.

    3.3 Learn which data persistence model is best suited.

    3.4 Discuss analytics requirements.

    Outputs

    Data Sources Exercise

    Data Integration Exercise

    Data Persistence Decision Making Tool

    4 Plan a Big Data Architecture Implementation

    The Purpose

    Identification of common service needs and how they differ for big data.

    Performance of an architectural walkthrough to test decisions made.

    Group gaps to form initiatives to develop an Initiative Roadmap.

    Key Benefits Achieved

    Common service needs identified.

    Architectural walkthrough completed.

    Initiative Roadmap completed.

    Activities

    4.1 Identify common service needs.

    4.2 Conduct an architectural walkthrough.

    4.3 Group gaps together into initiatives.

    4.4 Document initiatives on an initiative roadmap.

    Outputs

    Architectural Walkthrough

    Initiative Roadmap

    Maximize the Benefits from Enterprise Applications with a Center of Excellence

    • Buy Link or Shortcode: {j2store}367|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: $129,465 Average $ Saved
    • member rating average days saved: 12 Average Days Saved
    • Parent Category Name: Optimization
    • Parent Category Link: /optimization
    • Processes pertaining to managing the application are inconsistent and do not drive excellence.
    • There is a lack of interdepartmental collaboration between different teams pertaining to the application.
    • There are no formalized roles and responsibilities for governance and support around enterprise applications.

    Our Advice

    Critical Insight

    • Scale the Center of Excellence (CoE) based on business needs. There is flexibility in how extensively the CoE methodology is applied and rigidity in how consistently it should be used.
    • The CoE is a refinery. It takes raw inputs from the business and produces an enhanced product, removing waste and isolating it from re-entering day-to-day operations.
    • Excellence is about people as much as it is about process. Documented best practices should include competencies, key resources, and identified champions to advocate the CoE practice.

    Impact and Result

    • Formalize roles and responsibilities for all application initiatives.
    • Develop a standard process of governance and oversight surrounding the application.
    • Develop a comprehensive support network that consists of IT, the business, and external stakeholders to address issues and problem areas surrounding the application.

    Maximize the Benefits from Enterprise Applications with a Center of Excellence Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should establish a Center of Excellence for your enterprise application, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Create a vision for the CoE

    Understand the importance of developing an enterprise application CoE, define its scope, and identify key stakeholders.

    • Maximize the Benefits from Enterprise Applications with a Center of Excellence – Phase 1: Create a Vision for the Center of Excellence
    • Enterprise Application Center of Excellence Project Charter

    2. Design the CoE future state

    Gather high-level requirements to determine the ideal future state.

    • Maximize the Benefits from Enterprise Applications with a Center of Excellence – Phase 2: Design the Center of Excellence Future State
    • Center of Excellence Refinery Model Template

    3. Develop a CoE roadmap

    Assess the required capabilities to reach the ideal state CoE.

    • Maximize the Benefits from Enterprise Applications with a Center of Excellence – Phase 3: Develop a Center of Excellence Roadmap
    • Center of Excellence Exceptions Report
    • Track and Measure Benefits Tool
    • Enterprise Application Center of Excellence Stakeholder Presentation Template
    [infographic]

    Workshop: Maximize the Benefits from Enterprise Applications with a Center of Excellence

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Create a Vision for the CoE

    The Purpose

    Understand the importance of developing a CoE for enterprise applications.

    Determine how to best align the CoE mandate with business objectives.

    Complete a CoE project charter to gain buy-in, build a project team, and track project success. 

    Key Benefits Achieved

    Key stakeholders identified.

    Project team created with defined roles and responsibilities.

    Project charter finalized to gain buy-in.

    Activities

    1.1 Evaluate business needs and priorities.

    1.2 Identify key stakeholders and the project team.

    1.3 Align CoE with business priorities.

    1.4 Map current state CoE.

    Outputs

    Project vision

    Defined roles and responsibilities

    Strategic alignment of CoE and the business

    CoE current state schematic

    2 Design the CoE Future State

    The Purpose

    Gain a thorough understanding of pains related to the lack of application governance.

    Identify and recycle existing CoE practices.

    Visualize the CoE enhancement process.

    Visualize your ideal state CoE. 

    Key Benefits Achieved

    Requirements to strengthen the case for the enterprise application CoE.

    CoE value-add refinery.

    Future potential of the CoE.

    Activities

    2.1 Gather requirements.

    2.2 Map the CoE enhancement process.

    2.3 Sketch future state CoE.

    Outputs

    Classified pains, opportunities, and existing practices

    CoE refinery model

    Future state CoE sketch

    3 Develop a CoE Roadmap

    The Purpose

    Assess required capabilities and resourcing.

    List and prioritize CoE initiatives.

    Track and monitor CoE performance. 

    Key Benefits Achieved

    Next steps for the enterprise application CoE.

    CoE resourcing plan.

    CoE benefits realization tracking.

    Activities

    3.1 Build CoE capabilities.

    3.2 Identify risks and mitigation efforts.

    3.3 Prioritize and track CoE initiatives.

    3.4 Finalize stakeholder presentation.

    Outputs

    CoE potential capabilities

    Risk management plan

    CoE initiatives roadmap

    CoE stakeholder presentation

    Build a Security Compliance Program

    • Buy Link or Shortcode: {j2store}257|cart{/j2store}
    • member rating overall impact: 9.6/10 Overall Impact
    • member rating average dollars saved: $23,879 Average $ Saved
    • member rating average days saved: 15 Average Days Saved
    • Parent Category Name: Governance, Risk & Compliance
    • Parent Category Link: /governance-risk-compliance
    • Most organizations spend between 25 and 40 percent of their security budget on compliance-related activities.
    • Despite this growing investment in compliance, only 28% of organizations believe that government regulations help them improve cybersecurity.
    • The cost of complying with cybersecurity and data protection requirements has risen to the point where 58% of companies see compliance costs as barriers to entering new markets.
    • However, recent reports suggest that while the costs of complying are higher, the costs of non-compliance are almost three times greater.

    Our Advice

    Critical Insight

    • Test once, attest many. Having a control framework allows you to satisfy multiple compliance requirements by testing a single control.
    • Choose your own conformance adventure. Conformance levels allow your organization to make informed business decisions on how compliance resources will be allocated.
    • Put the horse before the cart. Take charge of your audit costs by preparing test scripts and evidence repositories in advance.

    Impact and Result

    • Reduce complexity within the control environment by using a single framework to align multiple compliance regimes.
    • Provide senior management with a structured framework for making business decisions on allocating costs and efforts related to cybersecurity and data protection compliance obligations.
    • Reduces costs and efforts related to managing IT audits through planning and preparation.
    • This blueprint can help you comply with NIST, ISO, CMMC, SOC2, PCI, CIS, and other cybersecurity and data protection requirements.

    Build a Security Compliance Program Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should manage your security compliance obligations, review Info-Tech’s methodology, and understand the ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    Infographic

    Workshop: Build a Security Compliance Program

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Establish the Program

    The Purpose

    Establish the security compliance management program.

    Key Benefits Achieved

    Reviewing and adopting an information security control framework.

    Understanding and establishing roles and responsibilities for security compliance management.

    Identifying and scoping operational environments for applicable compliance obligations.

    Activities

    1.1 Review the business context.

    1.2 Review the Info-Tech security control framework.

    1.3 Establish roles and responsibilities.

    1.4 Define operational environments.

    Outputs

    RACI matrix

    Environments list and definitions

    2 Identify Obligations

    The Purpose

    Identify security and data protection compliance obligations.

    Key Benefits Achieved

    Identifying the security compliance obligations that apply to your organization.

    Documenting obligations and obtaining direction from management on conformance levels.

    Mapping compliance obligation requirements into your control framework.

    Activities

    2.1 Identify relevant security and data protection compliance obligations.

    2.2 Develop conformance level recommendations.

    2.3 Map compliance obligations into control framework.

    2.4 Develop process for operationalizing identification activities.

    Outputs

    List of compliance obligations

    Completed Conformance Level Approval forms

    (Optional) Mapped compliance obligation

    (Optional) Identification process diagram

    3 Implement Compliance Strategy

    The Purpose

    Understand how to build a compliance strategy.

    Key Benefits Achieved

    Updating security policies and other control design documents to reflect required controls.

    Aligning your compliance obligations with your information security strategy.

    Activities

    3.1 Review state of information security policies.

    3.2 Recommend updates to policies to address control requirements.

    3.3 Review information security strategy.

    3.4 Identify alignment points between compliance obligations and information security strategy.

    3.5 Develop compliance exception process and forms.

    Outputs

    Recommendations and plan for updates to information security policies

    Compliance exception forms

    4 Track and Report

    The Purpose

    Track the status of your compliance program.

    Key Benefits Achieved

    Tracking the status of your compliance obligations.

    Managing exceptions to compliance requirements.

    Reporting on the compliance management program to senior stakeholders.

    Activities

    4.1 Define process and forms for self-attestation.

    4.2 Develop audit test scripts for selected controls.

    4.3 Review process and entity control types.

    4.4 Develop self-assessment process.

    4.5 Integrate compliance management with risk register.

    4.6 Develop metrics and reporting process.

    Outputs

    Self-attestation forms

    Completed test scripts for selected controls

    Self-assessment process

    Reporting process

    Recommended metrics

    Responsibly Resume IT Operations in the Office

    • Buy Link or Shortcode: {j2store}423|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: DR and Business Continuity
    • Parent Category Link: /business-continuity

    Having shifted operations almost overnight to a remote work environment, and with the crisis management phase of the COVID-19 pandemic winding down, IT leaders and organizations are faced with the following issues:

    • A reduced degree of control with respect to the organization’s assets.
    • Increased presence of unapproved workaround methods, including applications and devices not secured by the organization.
    • Pressure to resume operations at pre-pandemic cadence while still operating in recovery mode.
    • An anticipated game plan for restarting the organization’s project activities.

    Our Advice

    Critical Insight

    An organization’s shift back toward the pre-pandemic state cannot be carried out in isolation. Things have changed. Budgets, resource availability, priorities, etc., will not be the same as they were in early March. Organizations must ensure that all departments work collaboratively to support office repatriation. IT must quickly identify the must-dos to allow safe return to the office, while prioritizing tasks relating to the repopulation of employees, technical assets, and operational workloads via an informed and streamlined roadmap.

    As employees return to the office, PMO and portfolio leaders must sift through unclear requirements and come up with a game plan to resume project activities mid-pandemic. You need to develop an approach, and fast.

    Impact and Result

    Responsibly resume IT operations in the office:

    • Evaluate risk tolerance
    • Prepare to repatriate people to the office
    • Prepare to repatriate assets to the office
    • Prepare to repatriate workloads to the office
    • Prioritize your tasks and build your roadmap

    Quickly restart the engine of your PPM:

    • Restarting the engine of the project portfolio won’t be as simple as turning a key and hitting the gas. The right path forward will differ for every project portfolio practice.
    • Therefore, in this publication we put forth a multi-pass approach that PMO and portfolio managers can follow depending on their unique situations and needs.
    • Each approach is accompanied by a checklist and recommendations for next steps to get you on right path fast.

    Responsibly Resume IT Operations in the Office Research & Tools

    Start here – read the Executive Brief

    As the post-pandemic landscape begins to take shape, ensure that IT can effectively prepare and support your employees as they move back to the office.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Evaluate your new risk tolerance

    Identify the new risk landscape and risk tolerance for your organization post-pandemic. Determine how this may impact the second wave of pandemic transition tasks.

    • Responsibly Resume IT Operations in the Office – Phase 1: Evaluate Your New Risk Tolerance
    • Resume Operations Information Security Pressure Analysis Tool

    2. Repatriate people to the office

    Prepare to return your employees to the office. Ensure that IT takes into account the health and safety of employees, while creating an efficient and sustainable working environment

    • Responsibly Resume IT Operations in the Office – Phase 2: Repatriate People to the Office
    • Mid-Pandemic IT Prioritization Tool

    3. Repatriate assets to the office

    Prepare the organization's assets for return to the office. Ensure that IT takes into account the off-license purchases and new additions to the hardware family that took place during the pandemic response and facilitates a secure reintegration to the workplace.

    • Responsibly Resume IT Operations in the Office – Phase 3: Repatriate Assets to the Office

    4. Repatriate workloads to the office

    Prepare and position IT to support workloads in order to streamline office reintegration. This may include leveraging pre-existing solutions in different ways and providing additional workstreams to support employee processes.

    • Responsibly Resume IT Operations in the Office – Phase 4: Repatriate Workloads to the Office

    5. Prioritize your tasks and build the roadmap

    Once you've identified IT's supporting tasks, it's time to prioritize. This phase walks through the activity of prioritizing based on cost/effort, alignment to business, and security risk reduction weightings. The result is an operational action plan for resuming office life.

    • Responsibly Resume IT Operations in the Office – Phase 5: Prioritize Your Tasks and Build the Roadmap

    6. Restart the engine of your project portfolio

    Restarting the engine of the project portfolio mid-pandemic won’t be as simple as turning a key and hitting the gas. Use this concise research to find the right path forward for your organization.

    • Restart the Engine of Your Project Portfolio
    [infographic]

    Select a Sourcing Partner for Your Development Team

    • Buy Link or Shortcode: {j2store}508|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Application Development
    • Parent Category Link: /application-development
    • You have identified that a change to your sourcing strategy is required, based on market and company factors.
    • You are ready to select a new sourcing partner to drive innovation, time to market, increased quality, and improved financial performance.
    • Taking on a new partner is a significant investment and risk, and you must get it right the first time.
    • You need to make a change now to prevent losing clients and falling further behind your performance targets and your market.

    Our Advice

    Critical Insight

    Selecting a sourcing partner is a function of matching complex factors to your own firm. It is not a simple RFP exercise; it requires significant introspection, proactive planning, and in-depth investigation of potential partners to choose the right fit.

    Impact and Result

    Choosing the right sourcing partner is a four-step process:

    1. Assess your companies' skills and processes in the key areas of risk to sourcing initiatives.
    2. Based on the current situation, define a profile for the matching sourcing partner.
    3. Seek matching partners from the market, either in terms of vendor partners or in terms of sourcing locations.
    4. Based on the choice of partner, build a plan to implement the partnership, define metrics to measure success, and a process to monitor.

    Select a Sourcing Partner for Your Development Team Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Select a Sourcing Partner for Your Development Team Storyboard – Use this presentation to select a partner to best fit your sourcing needs and deliver long-term value.

    This project helps select a partner for sourcing of your development team so that you can realize the benefits from changing your sourcing strategy.

    • Select a Sourcing Partner for Your Development Team Storyboard

    2. Select a Sourcing Partner for Your Development Team Presentation Template – Use this template to build a presentation to detail your decision on a sourcing partner for your development team.

    This presentation template is designed to capture the results from the exercises within the storyboard and allow users to build a presentation to leadership showing how selection was done.

    • Select a Sourcing Partner for Your Development Team Presentation Template

    3. Select a Sourcing Partner for Your Development Team Presentation Example – Use this as a completed example of the template.

    This presentation template portrays what the completed template looks like by showing sample data in all tables. It allows members to see how each exercise leads to the final selection of a partner.

    • Select a Sourcing Partner for Your Development Team Example Template
    [infographic]

    Further reading

    Select a Sourcing Partner for Your Application Development Team

    Choose the right partner to enable your firm to maximize the value realized from your sourcing strategy.

    Analyst Perspective

    Selecting the right partner for your sourcing needs is no longer a cost-based exercise. Driving long-term value comes from selecting the partner who best matches your firm on a wide swath of factors and fits your needs like a glove.

    Sourcing in the past dealt with a different kind of conversation involving two key questions:

    Where will the work be done?

    How much will it cost?

    How people think about sourcing has changed significantly. People are focused on gaining a partner, and not just a vendor to execute a single transaction. They will add skills your team lacks, and an ability to adapt to your changing needs, all while ensuring you operate within any constraints based on your business.

    Selecting a sourcing partner is a matching exercise that requires you to look deep into yourself, understand key factors about your firm, and then seek the partner who best meets your profile.

    The image contains a picture of Dr. Suneel Ghei.

    Dr. Suneel Ghei
    Principal Research Director, Application Development
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Common Obstacles

    Info-Tech’s Approach
    • You have identified that a change to your sourcing strategy is required based on market and company factors.
    • You are ready to select a new sourcing partner to drive innovation, time to market, increased quality, and improve financial performance.
    • Taking on a new partner is a significant investment and risk, and you must get it right the first time.
    • You need to make a change now to avoid falling further behind your performance targets and your market, and losing clients.

    Almost half of all sourcing initiatives do not realize the projected savings, and the biggest reason is the choice of partner.

    The market for Application Development partners has become more diverse, increasing choice and the risk of making a costly mistake by choosing the wrong partner.

    Firms struggle with how best to support the sourcing partner and allocate resources with the right skills to maximize success, increasing the cost and time to implement, and limiting benefits.

    Making the wrong choice means inferior products, and higher costs and losing both clients and reputation.
    • Choosing the right sourcing partner is a four-step process:
    1. Assess your company's skills and processes in the key areas of risk to sourcing initiatives.
    2. Based on the current situation, define a profile for the matching sourcing partner.
    3. Seek matching partners from the market, either in terms of vendor partners or in terms of sourcing locations.
    4. Based on your choice of partner, build a plan to implement the partnership, and define metrics to measure success and a process to monitor.

    Info-Tech Insight

    Successfully selecting a sourcing partner is not a simple RFP exercise to choose the lowest cost. It is a complex process of introspection, detailed examination of partners and locations, and matching the fit. It requires you to seek a partner that is the Yin to your Yang, and failure is not an option.

    You need a new source for development resources

    You are facing immediate challenges that require a new approach to development resourcing.

    • Your firm is under fire; you are facing pressures financially from clients and your competitors.
    • Your pace of innovation and talent sourcing is too slow and too limiting.
    • Your competition is moving faster and your clients are considering their options.
    • Revenues and costs of development are trending in the wrong direction.
    • You need to act now to avoid spiraling further.

    Given how critical our applications are to the business and our clients, there is no room for error in choosing our partner.

    A study of 121 firms outsourcing various processes found that 50% of those surveyed saw no gains from the outsourcing arrangement, so it is critical to make the right choice the first time.

    Source: Zhang et al

    Big challenges await you on the journey

    The road to improving sourcing has many potholes.

    • In a study of 121 firms who moved development offshore, almost 50% of all outsourcing and offshoring initiatives do not achieve the desired results.
    • In another study focused on large corporations, it was shown that 70% of respondents saw negative outcomes from offshoring development.
    • Globalization of IT Services and the ability to work from anywhere have contributed to a significant increase in the number of development firms to choose from.
    • Choosing and implementing a new partner is costly, and the cost of choosing the wrong partner and then trying to correct your course is significant in dollars and reputation:
      • Costs to find a new partner and transition
      • Lost revenue due to product issues
      • Loss of brand and reputation due to poor choice
    • The wrong choice can also cost you in terms of your own resources, increasing the risk of losing more knowledge and skills.

    A survey of 25 large corporate firms that outsourced development offshore found that 70% of them had negative outcomes.

    (Source: University of Oregon Applied Information Management, 2019)

    Info-Tech’s approach

    Selecting the right partner is a matching exercise.

    Selecting the right partner is a complex exercise with many factors

    1. Look inward. Assess your culture, your skills, and your needs.
    • Market
    • People
    • Culture
    • Technical aspects
  • Create a profile for the perfect partner to fit your firm.
    • Sourcing Strategy
    • Priorities
    • Profile
  • Find the partner that best fits your needs
    • Define RFx
    • Target Partners
    • Evaluate
  • Implement the partner and put in metrics and process to manage.
    • Contract Partner
    • Develop Goals
    • Create Process and Metrics

    The Info-Tech difference:

    1. Assess your own organization’s characteristics and capabilities in four key areas.
    2. Based on these characteristics and the sourcing strategy you are seeking to implement, build a profile for your perfect partner.
    3. Define an RFx and assessment matrix to survey the market and select the best partner.
    4. Implement the partner with process and controls to manage the relationship, built collaboratively and in place day 1.

    Insight summary

    Overarching insight

    Successfully selecting a sourcing partner is not a simple RFP exercise to choose the lowest cost. It is a complex process of introspection, detailed examination of partners and locations, and matching the fit. It requires you to seek a partner that is the Yin to your Yang, and failure is not an option.

    Phase 1 insight

    Fitting each of these pieces to the right partner is key to building a long-term relationship of value.

    Selecting a partner requires you to look at your firm in depth from a business, technical, and organizational culture perspective.

    Phase 2 insight

    The factors we have defined serve to build us a profile for the ideal partner to engage in sourcing our development team. This profile will lead us to be able to define our RFP / RFI and assess respondents.

    Phase 3/4 insight

    Implement the relationship the same way you want it to work, as one team. Work together on contract mechanism, shared goals, metrics, and performance measurement. By making this transparent you hasten the development of a joint team, which will lead to long-term success.

    Tactical insight

    Ensure you assess not just where you are but where you are going, in choosing a partner. For example, you must consider future markets you might enter when choosing the right sourcing, or outsourcing location to maintain compliance.

    Tactical insight

    Sourcing is not a replacement for your full team. Skills must be maintained in house as well, so the partner must be willing to work with the in-house team to share knowledge and collaborate on deliverables.

    Addressing the myth – Single country offshoring or outsourcing

    Research shows that a multi-country approach has a higher chance of success.

    • Research shows that firms trying their own captive development centers fail 20% of the time. ( Journal of Information Technology, 2008)
    • Further, the overall cost of ownership for an offshore center has shown to be significantly higher than the cost of outsourcing, as the offshore center requires more internal management and leadership.
    • Research shows that offshoring requires the offshore location to also house business team members to allow key relationships to be built and ensure more access to expertise. (Arxiv, 2021)
    • Given the specificity of employment laws, cultural differences, and leadership needs, it is very beneficial to have a Corporate HR presence in countries where an offshore center is being set up. (Arxiv, 2021)
    • Lastly, given the changing climate on security, geopolitical changes, and economic factors, our research with service providers and corporate clients shows a need to have more diversity in provider location than a single center can provide.

    Info-Tech Insight

    Long-term success of sourcing requires more than a development center. It requires a location that houses business and HR staff to enable the new development team to learn and succeed.

    Addressing the myth – Outsourcing is a simple RFP for skills and lowest cost

    Success in outsourcing is an exercise in finding a match based on complex factors.

    • In the past, outsourcing was a simple RFP exercise to find the cheapest country with the skills.
    • Our research shows this is no longer true; the decision is now more complex.
    • Competition has driven costs higher, while time business integration and security constraints have served to limit the markets available.
    • Company culture fit is key to the ability to work as one team, which research shows is a key element in delivery of long-term value. (University of Oregon, 2019).
    • These are some of the many factors that need to be considered as you choose your outsourcing partner.
    • The right decision is to find the vendor that best matches the current state of your culture, meets your market constraints, and will allow for best integration to your team – it's not about cheapest or pure skills. (IEEE Access, 2020)

    Info-Tech Insight

    Finding the right outsourcing vendor is an exercise in knowing yourself and then finding the best match to align with your key traits. It's not just costs and skills, but the partner who best matches with your ability to mitigate the risks of outsourcing.

    Phase 1

    Look inward to gain insight on key factors

    Introspection

    1.1 Assess your market factors

    1.2 Determine your people factors

    1.3 Review your current culture

    1.4 Document your technical factors

    Profiling

    2.1 Recall your sourcing strategy

    2.2 Prioritize your company factors

    2.3 Create target profile

    Partner selection

    3.1 Review your RFx

    3.2 Identify target vendors

    3.3 Evaluate vendor

    responses

    Implementation

    4.1 Engage partner to choose contract mechanism

    4.2 Engage partner team to define goals

    4.3 Choose your success

    metrics

    This phase will walk you through assessing and documenting the key driving factors about your firm and the current situation.

    By defining these factors, you will be able to apply this information in the matching process to select the best fit in a partner.

    This phase involves the following participants:

    Line of Business leaders

    Technology leaders

    Key criteria to assess your firm

    Research shows firms must assess themselves in different areas.

    Market factors

    • Who are your clients and your competitors, and what legal constraints do you face?

    People / Process factors

    • What employee skills are you seeking, what is your maturity in product management and stakeholder engagement, and what languages are spoken most predominantly?

    Cultural factors

    • What is your culture around communications, collaboration, change management, and conflict resolution?

    Technical factors

    • What is your current / future technical platform, and what is the maturity of your applications?

    Info-Tech Best Practice

    When assessing these areas, consider where you are today and where you want to go tomorrow, as choosing a partner is a long-term endeavor.

    Step 1.1

    Assess your market factors

    Activities

    1.1.1 Review your client list and future projections to determine your market factors.

    1.1.2 Review your competitive analysis to determine your competitive factors

    This step involves the following participants:

    Business leaders

    Product Owners

    Technology leaders

    Outcomes of this step

    Details of key market factors that will drive the selection of the right partner.

    Market factors

    The Market has a lot to say about the best match for your application development partner.

    Research in the space has defined key market-based factors that are critical when selecting a partner.

    1. Market sectors you service or plan to service – This is critical, as many market sectors have constraints on where their data can be accessed or stored. These restrictions also change over time, so they must be consistently reviewed.
    • E.g. Canadian government data must be stored and only accessed in Canada.
    • E.g. US Government contracts require service providers to avoid certain countries.
  • Your competitors – Your competitors can often seize on differences and turn them to differentiators; for example, offshoring to certain countries can be played up as a risk by a competitor who does all their work in a particular country.
  • Your clients – Research shows that clients can have very distinct views on services being performed in certain countries due to perceived risk, culture, and geopolitical factors. Understanding the views of major clients on globalization of services is a key factor in maintaining client satisfaction.

    • Info-Tech Insight

    Understanding your current and future market factors ensure that your business can not only be successful with the chosen partner today, but also in the future.

    1.1.1 Assess your market factors

    30 min

    Market factors

    1. Group your current client list into three categories:
      1. Those that have no restrictions on data security, privacy or location.
      2. Those that ask for assurances on data security, privacy and location.
      3. Those clients who have compliance restrictions related to data security, privacy, and location.
    2. Categorize future markets into the same three categories.
    3. Based on revenue projections, estimate the revenue from each category as a percentage of your total revenue.

    Download the Select a Sourcing Partner Presentation Template

    Input Output
    • Current client list
    • Future market plans
    • Competitive analysis
    • Completion of the Market Factors chart in the Select a Sourcing Partner for Your Development Team template
    Materials Participants
    • Select a Sourcing Partner for Your Development Team Presentation template
    • Technology leaders
    • Product owners
    • Line of business leaders
    • Finance leaders

    Assess your market factors

    Market and sector

    Market share and constraints

    Market category

    Sector – Public, private or both

    Market share of category

    Key areas of concern

    Not constrained by data privacy, security or location

    Private

    50%

    Require assurances on data security, privacy or location

    Public

    		45%

    Data access

    Have constraints that preclude choices related to data security, privacy and location

    Public

    		5%

    Data residency

    1.1.2 Review your competitive factors

    30 min

    Competitive factors

    1. List your largest competitors.
    2. Document their sourcing strategies for their development team – are they all onshore or nearshore? Do they outsource?
    3. Based on this, identify competitive threats based on changing sourcing strategies.

    Download the Select a Sourcing Partner Presentation Template

    Input Output
    • Current client list
    • Future market plans
    • Competitive analysis
    • Completion of the Market Factors chart in the Select a Sourcing Partner for Your Development Team template
    Materials Participants
    • Select a Sourcing Partner for Your Development Team Presentation template
    • Technology leaders
    • Product owners
    • Line of business leaders
    • Finance leaders

    Review your competitive factors

    Competitors

    Competitor sourcing strategy

    Competitive threats

    Competitor

    Where is the market?

    Is this onshore / near shore / offshore?

    Data residency

    How could competitors take advantage of a change in our sourcing strategy?

    Competitor X

    Canada / US

    All work done in house and onshore

    Kept in Canada / US

    If we source offshore, we will face a Made in Canada / US threat

    Step 1.2

    Consider your people-related factors

    Activities

    1.2.1 Define your people factors

    1.2.2 Assess your process factors

    This step involves the following participants:

    Technical leaders

    Outcomes of this step

    Details of key people factors that will drive the selection of the right partner.

    People / process factors

    People and process have a large hand in the success or failure of a partner relationship.

    • Alignment of people and process are critical to the success of the partner relationship over the long term.
    • In research on outsourcing / offshoring, Rahman et al identified ten factors that directly impact success or failure in offshoring or outsourcing of development.
    • Key among them are the following:
      • Employee skills
      • Project management
      • Maturity of process concerning product and client management
      • Language barrier

    Info-Tech Insight

    People are a critical resource in any sourcing strategy. Making sure the people and the processes will mesh seamlessly is how to ensure success.

    1.2.1 Define your people factors

    30 min

    Skills Inventory

    1. List skills needed in the development team to service current needs.
    2. Based on future innovation and product direction, add skills you foresee needing in the next 12-24 months. Where do you see a new technology platform (e.g. move from .NET to Java) or innovation (addition of Mobile)?
    3. List current skills present in the team.
    4. Identify skills gaps.

    Download the Select a Sourcing Partner Presentation Template

    InputOutput
    • Product plans for current and future products
    • Technology platform plans for current products
    • Future innovation plans
    • People- and process-related factors that influence sourcing decisions
    MaterialsParticipants
    • Select a Sourcing Partner for Your Development Team Presentation template
    • Technology leaders
    • Product owners
    • Solution architects

    Assess your people - Skills inventory

    Skills required

    Strategic value

    Skills present

    Skill you are seeking

    Required today or in the future

    Rate the skill level required in this area

    Is this a strategic focus for the firm for future targets?

    Is this skill present in the team today?

    Rate current skill level (H/M/L)

    Java Development

    Future

    High

    Yes

    No

    Low

    .Net Development

    Today

    Med

    No

    		 Yes

    High

    1.2.2 Assess your process factors

    30 min

    Process factors

    1. Do you have a defined product ownership practice?
    2. How mature is the product ownership for the product you are seeking to change sourcing for (H/M/L)?
    3. Do you have project management principles and governance in place for software releases?
    4. What is the relative maturity / skill in the areas you are seeking sourcing for (H/M/L)?

    Download the Select a Sourcing Partner Presentation Template

    InputOutput
    • Product plans for current and future products
    • Technology platform plans for current products
    • Future innovation plans
    • People- and process-related factors that influence sourcing decisions
    MaterialsParticipants
    • Select a Sourcing Partner for Your Development Team Presentation template
    • Technology leaders
    • Product owners
    • Solution architects

    Assess your process factors

    Product ownership

    Project management

    Product where sourcing is being changed

    Product ownership in place?

    Skills / maturity rating (H/M/L)

    Project management / governance in place for software releases

    Rate current maturity / skill level (H/M/L)

    ABC

    Yes

    High

    Yes

    High

    SQW

    No

    Low

    Yes

    		High

    Step 1.3

    Review your current culture

    Activities

    1.3.1 Assess your communications factors

    1.3.2 Assess your conflict resolution factors

    This step involves the following participants:

    Technical leaders

    Product owners

    Project managers

    Outcomes of this step

    Details of key culture factors that will drive the selection of the right partner.

    Cultural factors

    Organization culture fit is a driver of collaboration between the teams, which drives success.

    • In their study of country attractiveness for sourcing development, Kotlarsky and Oshri point to the ability of the client and their sourcing partner to work as one team as a key to success.
    • This requires synergies in many cultural factors to avoid costly miscommunications and misinterpretations that damage collaboration.
    • Key factors in achieving this are:
      • Communications methodology and frequency; managing and communicating to the teams as one team vs two, and communicating at all levels, vs top down.
      • Managing the team as one integrated team, with collaboration enabled between all resources, rather than the more adversarial client vs partner approach.
      • Conflict resolution strategies must align so all members of the extended team work together to resolve conflict vs the traditional “Blame the Contractors”.
      • Strong change management is required to keep all team members aligned.

    Info-Tech Insight

    Synergy of culture is what enables a good partner selection to become a long-term relationship of value.

    1.3.1 Assess your communications factors

    30 min

    1. List all the methods you use to communicate with your development team – face to face, email, conference call, written.
    2. For each form of communication confirm frequency, medium, and audience (team vs one-on-one)
    3. Confirm if these communications take into account External vs Internal resources and different time zones, languages, and cultures.
    4. Is your development team broken up into teams by function, by location, by skill, etc., or do you operate as one team?

    Download the Select a Sourcing Partner Presentation Template

    Input Output
    • Communication process with existing development team
    • Examples of how external staff have been integrated into the process
    • Examples of conflicts and how they were resolved
    • Documentation of key cultural characteristics that need to be part of provider profiling
    Materials Participants
    • Select a Sourcing Partner for Your Development Team Presentation template
    • Technology leaders
    • Product owners
    • Project managers

    Assess your communications strategy

    Communications

    Type

    Frequency

    Audience

    One communication or one per audience?

    Level of two-way dialogue

    Face-to-face team meetings

    Weekly

    All developers

    One

    High

    Daily standup

    Daily

    Per team

    One per audience

    Low

    1.3.2 Assess your conflict resolution factors

    30 min

    1. How does your organization handle the following types of conflict? Rate from 1-5, with 1 being hierarchical and 5 being openly collaborative.
      1. Developers on a team disagree.
      2. Development team disagrees with manager.
      3. Development team disagrees with product owner.
      4. Development team disagrees with line of business.
    2. Rate each conflict resolution strategy based on effectiveness.
    3. Confirm if this type of strategy is used for internal and external resources, or internal only.

    Download the Select a Sourcing Partner Presentation Template

    InputOutput
    • Communication process with existing development team
    • Examples of how external staff have been integrated into the process
    • Examples of conflicts and how they were resolved
    • Documentation of key cultural characteristics that need to be part of provider profiling
    MaterialsParticipants
    • Select a Sourcing Partner for Your Development Team Presentation template
    • Technology leaders
    • Product owners
    • Project managers

    Assess your conflict resolution strategy

    Conflict

    Resolution strategy

    Effectiveness

    Audience

    Conflict type

    Rate the resolution strategy from hierarchical to collaborative (1-5)

    How effective is this method of resolution from 1-5?

    Is this strategy used for external parties as well as internal?

    Developer to product owner

    		44

    Yes

    Developer to manager

    		12

    Yes

    Step 1.4

    Document your technical factors

    Activities

    1.4.1 Document your product / platform factors

    1.4.2 Document your environment details

    This step involves the following participants:

    Technical leaders

    Product owners

    Outcomes of this step

    Details of key technical factors that will drive the selection of the right partner.

    Technical factors

    Technical factors are still the foundation for a Development sourcing relationship.

    • While there are many organizational factors to consider, the matching of technological factors is still the root on which the sourcing relationship is built; the end goal is to build better software.
    • Key technical Items that need to be aligned based on the research are:
      • Technical infrastructure
      • Development environments
      • Development methodology and tools
      • Deployment methodology and tools
      • Lack of/poor-quality technical documentation
    • Most RFPs focus purely on skills, but without alignment on the above items, work becomes impossible to move forward quickly, limiting the chances of success.

    Info-Tech Insight

    Technical factors are the glue that enables teams to function together. Ensuring that they are fully integrated is what enables team integration; seams in that integration represent failure points.

    1.4.1 Document your product / platform factors

    30 mins

    1. How many environments does each software release go through from the start of development through release to production?
    2. What is the infrastructure and development platform?

    Download the Select a Sourcing Partner Presentation Template

    InputOutput
    • Development process
    • Deployment process
    • Operations process
    • IT security policies
    • Documentation of key technical characteristics that need to be part of provider profiling
    MaterialsParticipants
    • Select a Sourcing Partner for Your Development Team Presentation template
    • Development leaders
    • Deployment team leaders
    • Infrastructure leaders
    • IT operations leaders
    • Product owners
    • Project managers

    Document your product / platform

    Product / Platform

    Product you are seeking a sourcing solution for

    What is the current infrastructure platform?

    How many environments does the product pass through?

    What is the current development toolset?

    ABC

    Windows

    Dev – QA – Preprod - Prod

    .Net / Visual Studio

    1.4.2 Document your environment details

    30 min

    For each environment detail the following:

    1. Environment on premises or in cloud
    2. Access allowed to external parties
    3. Production data present and unmasked
    4. Deployment process: automated or manual
    5. Tools used for automated deployment
    6. Can the environment be restored to last known state automatically?
    7. Does documentation exist on the environment, processes and procedures?

    Download the Select a Sourcing Partner Presentation Template

    InputOutput
    • Development process
    • Deployment process
    • Operations process
    • IT security policies
    • Documentation of key technical characteristics that need to be part of provider profiling
    MaterialsParticipants
    • Select a Sourcing Partner for Your Development Team Presentation template
    • Development leaders
    • Deployment team leaders
    • Infrastructure leaders
    • IT operations leaders
    • Product owners
    • Project managers

    Document Your Environment Details

    Environment

    Location

    Access

    Deployment

    Data

    Name of Environment

    Is the environment on premises or in the cloud (which cloud)?

    Is external access allowed?

    Is deployment automated or manual?

    Tool used for deployment

    Is reset automated?

    Does the environment contain unmasked production data?

    Dev

    Cloud

    Yes

    Automated

    Azure DevOps

    Yes

    No

    QA

    Cloud

    Yes

    Automated

    Azure DevOps

    Yes

    No

    Preprod

    On Premises

    No

    Manual

    N/A

    No

    Yes

    Phase 2

    Introspection

    1.1 Assess your market factors

    1.2 Determine your people factors

    1.3 Review your current culture

    1.4 Document your technical factors

    Profiling

    2.1 Recall your sourcing strategy

    2.2 Prioritize your company factors

    2.3 Create target profile

    Partner selection

    3.1 Review your RFx

    3.2 Identify target vendors

    3.3 Evaluate vendor

    responses

    Implementation

    4.1 Engage partner to choose contract mechanism

    4.2 Engage partner team to define goals

    4.3 Choose your success

    metrics

    This phase will help you to build a profile of the partner you should target in your search for a sourcing partner.

    This phase involves the following participants:

    Technology leaders

    Procurement leaders

    Product owners

    Project managers

    Build a profile for the right partner

    • Finding the perfect partner is a puzzle to solve, an exercise between the firm and the partners.
    • It is necessary to be able to prioritize and to identify opportunities where you can adapt to create a fit.
    • You must also bring forward the sourcing model you are seeking and prioritize factors based on that; for example, if you are seeking a nearshore partner, language may be less of a factor.

    Review factors based on sourcing choice

    Different factors are more important depending on whether you are insourcing or outsourcing.

    Key risks for insourcing

    • Alignment on communication strategy and method
    • Ability to align culturally
    • Need for face-to-face relationship building
    • Need for coaching skills

    Key risks for outsourcing

    • Giving control to the vendor
    • Legal and regulatory issues
    • Lack of knowledge at the vendor
    • Language and cultural fit

    Assessing your firm's position

    • The model you derived from the Sourcing Strategy research will inform the prioritization of factors for matching partners.

    Info-Tech Insight

    To find the best location for insourcing, or the best vendor for outsourcing, you need to identify your firm's positions on key risk areas.

    Step 2.1

    Recall your sourcing strategy

    Activities

    2.1.1 Define the key factors in your sourcing strategy

    This step involves the following participants:

    Technology Leaders

    Outcomes of this step

    Documentation of the Sourcing Strategy you arrived at in the Define a Sourcing Strategy exercises

    Choosing the right model

    The image contains a screenshot of the legend that will be used down below. The legend contains circles, from the left there is a empty circle, a one quarter filled circle, half filled circle, three-quarter filled circle , and a fully filled in circle.

    Determinant

    Key Questions to Ask

    Onshore

    Nearshore

    Offshore

    Outsource role(s)

    Outsource team

    Outsource product(s)

    Business dependence

    How much do you rely on business resources during the development cycle?

    		 The image contains a screenshot of the filled in whole circle to demonstrate high. The image contains a screenshot of the three-quarter filled circle to demonstrate medium high. The image contains a screenshot of the one-quarter filled circle to demonstrate medium low. The image contains a screenshot of the half filled circle to demonstrate medium. The image contains a screenshot of the one-quarter filled circle to demonstrate medium low. The image contains a screenshot of the empty circle to demonstrate low.

    Absorptive capacity

    How successful has the organization been at bringing outside knowledge back into the firm?

    		 The image contains a screenshot of the empty circle to demonstrate low. The image contains a screenshot of the one-quarter filled circle to demonstrate medium low. The image contains a screenshot of the one-quarter filled circle to demonstrate medium low. The image contains a screenshot of the half filled circle to demonstrate medium. The image contains a screenshot of the one-quarter filled circle to demonstrate medium low. The image contains a screenshot of the filled in whole circle to demonstrate high.

    Integration complexity

    How many integrations are required for the product to function – fewer than 5, 5-10, or more than 10?

    		 The image contains a screenshot of the filled in whole circle to demonstrate high. The image contains a screenshot of the three-quarter filled circle to demonstrate medium high. The image contains a screenshot of the three-quarter filled circle to demonstrate medium high. The image contains a screenshot of the half filled circle to demonstrate medium. The image contains a screenshot of the one-quarter filled circle to demonstrate medium low. The image contains a screenshot of the empty circle to demonstrate low.

    Product ownership

    Do you have full-time product owners in place for the products? Do product owners have control of their roadmaps?

    		 The image contains a screenshot of the one-quarter filled circle to demonstrate medium low. The image contains a screenshot of the half filled circle to demonstrate medium. The image contains a screenshot of the three-quarter filled circle to demonstrate medium high. The image contains a screenshot of the half filled circle to demonstrate medium. The image contains a screenshot of the filled in whole circle to demonstrate high. The image contains a screenshot of the filled in whole circle to demonstrate high.

    Organization culture fit

    What are your organization’s communication and conflict resolution strategies? Is your organization geographically dispersed?

    		 The image contains a screenshot of the one-quarter filled circle to demonstrate medium low. The image contains a screenshot of the one-quarter filled circle to demonstrate medium low. The image contains a screenshot of the three-quarter filled circle to demonstrate medium high. The image contains a screenshot of the one-quarter filled circle to demonstrate medium low. The image contains a screenshot of the three-quarter filled circle to demonstrate medium high. The image contains a screenshot of the filled in whole circle to demonstrate high.

    Vendor mgmt skills

    What is your skill level in vendor management? How old are your longest-standing vendor relationships?

    		 The image contains a screenshot of the empty circle to demonstrate low. The image contains a screenshot of the one-quarter filled circle to demonstrate medium low. The image contains a screenshot of the one-quarter filled circle to demonstrate medium low. The image contains a screenshot of the half filled circle to demonstrate medium. The image contains a screenshot of the three-quarter filled circle to demonstrate medium high. The image contains a screenshot of the filled in whole circle to demonstrate high.

    2.1.1 Define the key factors in your sourcing strategy

    30 min

    For each product you are seeking a sourcing strategy for, document the following:

    1. Product or team name.
    2. Sourcing strategy based on Define a Sourcing Strategy.
    3. The primary drivers that led to this selection – Business Dependence, Absorptive Capacity, Integration Complexity, Product Ownership, Culture or Vendor Management.
    4. The reasoning for the selection based on that factor – e.g. we chose nearshoring based on high business dependence by our development team.

    Download the Select a Sourcing Partner Presentation Template

    Input Output
    • Sourcing Strategy from Define a Sourcing Strategy for your Development Team
    • Reasoning that drove the sourcing strategy selection
    Materials Participants
    • Select a Sourcing Partner for Your Development Team Presentation template
    • Technology leadership

    Define sourcing strategy factors

    Sourcing strategy

    Factors that led to selection

    Product you are seeking a sourcing solution for

    Strategy defined

    Key factors that led to that choice

    Reasoning

    ABC

    Outsourcing - Offshore

    • Product ownership
    • Business integration
    • Product maturity
    • Technical environment

    Mature product ownership and low requirement for direct business involvement.

    Mature product with lower environments in cloud.

    Step 2.2

    Prioritize your company factors

    Activities

    2.2.1 Prioritize the factors from your sourcing strategy and confirm if mitigation or adaptation are possible.

    This step involves the following participants:

    IT Leadership team

    Outcomes of this step

    Prioritized list of key factors

    2.2.1 Prioritize your sourcing strategy factors

    30 min

    1. For each of the factors listed in exercise 2.1, prioritize them by importance to the firm.
    2. For each factor, please confirm if there is room to drive change internally to overcome the lack of a match – for example, if the culture being changed in language and conflict resolution is an option, then say Yes for that factor.

    Download the Select a Sourcing Partner Presentation Template

    InputOutput
    • Sourcing Strategy factors from 2.1
    • Prioritized list of sourcing strategy factors
    MaterialsParticipants
    • Select a Sourcing Partner for Your Development Team Presentation template
    • Technology leaders

    Sourcing strategy factors and priority

    Sourcing strategy

    Factors that led to selection

    Priority of factor in decision

    Change possible

    Product you are seeking a sourcing solution for

    Strategy defined

    Key factors that led to your choice

    Reasoning

    Priority of factor 1-x

    Is there an opportunity to adapt this factor to a partner?

    ABC

    Outsourcing - offshore

    • Product ownership
    • Business integration
    • Product maturity
    • Technical environment

    Mature product ownership

    Low requirement for direct business involvement

    Mature product with lower environments in cloud

    2

    1

    3

    N

    N

    Y

    Step 2.3

    Create target profile

    Activities

    2.3.1 Profile your best fit

    This step involves the following participants:

    IT Leadership team

    Outcomes of this step

    Profile of the target partner

    Profiling your best fit

    Creating a target profile will help you determine which partners should be included in the process.

    Given the complexity of all the factors and trying to find the best fit from a multitude of partners, Info-Tech recommends forming a target profile for your best fit of partner.

    This profile provides a detailed assessment matrix to use to review potential partners.

    Profile should be created based on priority; "must haves" are high priority, while properties that have mitigation opportunities are optional or lower priority.

    Criteria

    Priority

    Some US Govt contracts – data and staff in NATO

    		 1

    Windows environment – Azure DEVOPS

    		2

    Clients in FS

    		 3

    Agile SDLC

    		 4

    Collaborative communication and conflict resolution

    		 5

    Mature product management

    		 6

    Languages English and Spanish

    		 7

    Partner Profile

    • Teams in NATO and non-NATO countries
    • Windows skills with Azure
    • Financial Services experience
    • Utilize Agile and willing to plug into our teams
    • Used to collaborating with clients in one team environment
    • One centre in Latin / South America

    Info-Tech Insight

    The factors we have defined serve to build us a profile for the ideal partner to engage in sourcing our development team. This profile will lead us to be able to define our RFP / RFI and assess respondents.

    Case study: Cognizant is partnering with clients on product development

    INDUSTRY: Technology Services

    SOURCE: Interview with Jay MacIsaac, Cognizant

    Cognizant is driving quality solutions for clients

    • Strives to be primarily an industry-aligned organization that delivers multiple service lines in multiple geographies.
    • Seeks to carefully consider client culture to create one team.
    • Value proposition is a consultative approach bringing thought leadership and mutually adding value to the relationship vs the more traditional order taker development partner
    • Wants to share in solution development to facilitate shared successes. Geographic alignment drives knowledge of the client and their challenges, not just about time zone and supportability.
    • Offers one of the largest offshore capabilities in the world, supported by local and nearshore resources to drive local knowledge.
    • Realizes today’s clients don’t typically want a black box, they are sophisticated and want transparency around the process and solution, to have a partner.
    • Understands that clients do want to know where the work is being delivered from and how it's being delivered, and want to help manage expectations and overall risk.

    Synergy with Info-Tech’s approach

    • Best relationship comes when teams operate as one.
    • Clients are seeking value, not a development black box.
    • Clients want to have a partner they can engage with, not just an order taker.
    • Goal is a one-team culture with shared goals and delivering business value.
    • Ideal is a partner that will add to their thinking, not echo it.

    Results of this approach

    • Cognizant is continuing to deliver double-digit growth and continues to strive for top quartile performance.
    • Growth in the client base has seen the company grow to over 340,000 associates worldwide.

    Case study: Cabot Technology Solutions uses industry knowledge to drive successful partnerships

    INDUSTRY: Technology Services

    SOURCE: Interview with Shibu Basheer, Cabot Technology Solutions

    Cabot Technology Solutions findings

    • Cabot Technology Solutions looks to partner with clients and deliver expertise and value, not just application development.
      • Focus on building deep knowledge in their chosen vertical, Healthcare.
      • Focus on partnering with clients in this space who are seeking a partner to provide industry knowledge and use this to propel them forward.
      • Look to work with clients seeking a one team philosophy.
      • Avoid clients looking for a cheap provider.
    • Recognizing the initial apprehension to India as a location, they have built a practice in Ontario that serves as a bridge for their offshore team.
    • Cabot overcame initial views and built trust, while integrating the India team in parallel.

    Synergy with Info-Tech approach

    • Preference is partners, not a client/vendor relationship.
    • Single country model is set aside in favor of mix of near and offshore.
    • Culture is a one team approach, not the more adversarial order-taker approach.
    • Goal is to build long-term relationships of value, not task management.

    Results of this approach

    • Cabot is a recognized as a top software development company in many markets across the USA.
    • Cabot continues to drive growth and build referenceable client relationships across North America.

    2.3.1 Profile your best fit

    30 min

    1. Document the list of skills you are seeking from the People Factors – Skills Inventory in Section 1.2 – these represent the skills you are seeking in a partner.
    2. Document the culture you are looking for in a partner with respect to communications and conflict resolution in the culture section of the requirements – this comes from Section 1.3.
    3. Confirm the type of partner you are seeking – nearshore, offshore, or outsourcing based on the sourcing strategy priorities in Section 2.2.
    4. Confirm constraints that the partner must work under based on constraints from your market and competitor factors in Section 1.1.
    5. Confirm your technical requirements in terms of environments, tools, and processes that the vendor must align to from Section 1.4.

    Download the Select a Sourcing Partner Presentation Template

    Input Output

    All exercises done in Steps 11-1.4 and 2.1-2.2

    Profile of a target partner to drive the RFx Criteria
    Materials Participants

    Select a Sourcing Partner for Your Development Team Presentation template

    Development leaders

    Deployment team leaders

    Infrastructure leaders

    IT operations leaders

    Product owners

    Project managers

    RFP skills requirement

    People skills required

    Product ownership

    Project management

    Skill

    Skill level required

    Tools / platform requirement

    Details of product management methodology and skills

    Details of firm's project management methodology

    .NET

    Medium

    Windows

    Highly mature, high skill

    Highly mature, high skill

    Java

    High

    Windows

    Low

    High

    RFx cultural characteristics

    Communication strategy

    Conflict resolution

    Organization / management

    Communication mediums supported

    Frequency of meetings expected

    Conflict resolutions strategies used at the firm

    Management methodology

    Face to face

    Weekly

    Collaborative

    Online

    Daily

    Hierarchical with manager

    Hierarchical

    RFx market constraints

    Constraints

    Partner proposal

    Constraint type

    Restrictions

    Market size required for

    Reasoning

    Data residency

    Data must stay in Canada for Canadian Gov't clients

    5% Canada public sector

    Competitive

    Offshoring dev means competition can take advantage

    95% Clients

    Need strategy to show data and leadership in NA, but delivering more innovation at lower cost by going offshore

    RFx technical requirements

    Technical environments

    Infrastructure

    Alignment of SDLC

    Tools required for development team

    Access control software required

    Infrastructure location

    Number of environments from development to production

    .Net Visual Studio

    Microsoft

    Azure

    		 4

    RFx scope of services

    Work being sourced

    Team sizing

    Work being sourced

    Skill level required

    Average size of release

    Releases per year

    Java development of new product

    High

    3-month development

    		6

    .NET staff augmentation

    Medium

    ½-month development

    		12

    Phase 3

    Choose the partner that will best enable you to move forward as one integrated team.

    Introspection

    1.1 Assess your market factors

    1.2 Determine your people factors

    1.3 Review your current culture

    1.4 Document your technical factors

    Profiling

    2.1 Recall your sourcing strategy

    2.2 Prioritize your company factors

    2.3 Create target profile

    Partner selection

    3.1 Review your RFx

    3.2 Identify target vendors

    3.3 Evaluate vendor

    responses

    Implementation

    4.1 Engage partner to choose contract mechanism

    4.2 Engage partner team to define goals

    4.3 Choose your success

    metrics

    For more details on Partner Selection, please refer to our research blueprint entitled Select an ERP Partner

    This phase will help you define your RFx for your provider search

    This phase involves the following participants:

    Vendor Management Team

    IT Leadership

    Finance Team

    Finding the right fit should always come before rates to determine value

    The right fit

    Determined in previous activities

    Negotiating will eventually bring the two together

    Value

    Rates

    Determined by skill and location

    Statement of Work (SOW) quality

    A quality SOW is the result of a quality RFI/RFP (RFx).

    The process up to now has been gathering the materials needed to build a quality RFx. Take this opportunity to review the outputs of the preceding activities to ensure that:

    • All the right stake holders have been engaged.
    • The requirements are complete.

    Info-Tech’s RFP Review as a Service looks for key items to ensure your RFx will generate quality responses and SOWs.

    • Is it well-structured with a consistent use of fonts and bullets?
    • Is it laid out in sections that are easily identifiable and progress from high-level to more detailed information?
    • Can a vendor quickly identify the ten (or fewer) things that are most important to you?

    The image contains a screenshot of the Request for Proposal Review as a Service.

    Step 3.1

    Review your RFx

    Activities

    3.1.1 Select your RFx template

    3.1.2 Finalize your RFx

    3.1.3 Weight each evaluation criteria

    This step involves the following participants:

    • Project team
    • Evaluation team
    • Vendor management team
    • CIO

    Outcomes of this step

    • Completed RFx

    Info-Tech’s RFI/RFP process

    Info-Tech has well-established vendor management templates and practices

    • Identify Need
    • Define Business Requirements
    • Gain Business Authorization
    • Perform RFI/RFP
    • Negotiate Agreement
    • Purchase Goods and Services
    • Assess and Measure Performance

    Info-Tech Best Practice

    You’ll want to customize templates for your organization, but we strongly suggest that you take whatever you feel best meets your needs from both the long- and short-form RFPs presented in this blueprint.

    The secret to managing an RFP is to make it manageable. And the secret to making an RFP manageable is to treat it like any other aspect of business – by developing a process. With a process in place, you are better able to handle whatever comes your way, because you know the steps you need to follow to produce a top-notch RFP.

    Your RFP process should be tailored to fit the needs and specifics of your organization and IT.

    Info-Tech Insight

    Create a better RFP process using Info-Tech’s well-established templates and methodology.

    Create a Better RFP Process

    In a hurry? Consider an enhanced RFI instead of an RFP.

    While many organizations rarely use RFIs, they can be an effective tool in the vendor manager’s toolbox when used at the right time in the right way. RFIs can be deployed in competitive targeted negotiations. An enhanced RFI (ERFI) is a two-stage strategy that speeds up the typical RFP process. The first stage is like an RFI on steroids, and the second stage is targeted competitive negotiation.

    Stage 1:

    Create an RFI with all the customary components. Next, add a few additional RFP-like requirements (e.g. operational and technical requirements). Make sure you include a request for budgetary pricing and provide any significant features and functionality requirements so that the vendors have enough information to propose solutions. In addition, allow the vendors to ask questions through your single point of coordination and share answers with all the vendors. Finally, notify the vendors that you will not be doing an RFP – this is it!

    Stage 2:

    Review the vendors’ proposals and select the best two. Negotiate with both vendors and then make your decision.

    The ERFI shortens the typical RFP process, maintains leverage for your organization, and works great with low- to medium-spend items (however your organization defines them). You’ll get clarification on vendors’ competencies and capabilities, obtain a fair market price, and meet your internal clients’ aggressive timelines while still taking steps to protect your organization.

    RFI Template

    The image contains a screenshot of the RFI Template.

    Use this template to create your RFI baseline template. Be sure to modify and configure the template to your organization’s specifications.

    Request for Information Template

    Long-Form RFP Template

    Configure Info-Tech’s Long-Form RFP Template for major initiatives

    The image contains a screenshot of the long-form RFP Template.

    A long-form or major RFP is an excellent tool for more complex and complicated requirements. This example is for a baseline RFP.

    It starts with best-in-class RFP terms and conditions that are essential to maintaining your control throughout the RFP process. The specific requirements for the business, functional, technical, and pricing areas should be included in the exhibits at the end of the template. That makes it easier to tailor the RFP for each deal, since you and your team can quickly identify specific areas that need modification. Grouping the exhibits together also makes it convenient for both your team to review, and the vendors to respond.

    You can use this sample RFP as the basis for your template RFP, taking it all as is or picking and choosing the sections that best meet the mission and objectives of the RFP and your organization.

    Source: Info-Tech’s The Art of Creating a Quality RFP

    Short-Form RFP Template

    Configure Info-Tech’s Short-Form RFP Template for minor or smaller initiatives

    The image contains a screenshot of the Short-Form RFP Template.

    This example is for a less complex RFP that has relatively basic requirements and perhaps a small window in which the vendors can respond. As with the long-form RFP, exhibits are placed at the end of the RFP, an arrangement that saves time for both your team and the vendors. Of course, the short-form RFP contains fewer specific instructions, guidelines, and rules for vendors’ proposal submissions.

    We find that short-form RFPs are a good choice when you need to use something more than a request for quote (RFQ) but less than an RFP running 20 or more pages. It’s ideal, for example, when you want to send an RFP to only one vendor or to acquire items such as office supplies, contingent labor, or commodity items that require significant vendor's risk assessment.

    Source: The Art of Creating a Quality RFP

    3.1.1 Select your RFx template

    1-3 hours

    1. As a group, download the RFx templates from the previous three slides.
    2. Review your RFx process as a group. Be sure to include the vendor management team.
    3. Be sure to consider organization-specific procurement guidelines. These can be included. The objective here is to find the template that is the best fit. We will finalize the template in the next activity.
    4. Determine the best template for this project.
    Input Output
    • RFx templates
    • The RFx template that will be used for this project
    Materials Participants
    • Info-Tech’s Enhanced RFI Template, Long-Form RFP Template, and Short-Form RFP Template
    • Vendor management team
    • Project team
    • Project manager

    Finalize your RFx

    Key insights

    Leverage the power of the RFP

    • Too often RFPs fail to achieve their intended purposes, and your organization feels the effects of a poorly created RFP for many years.
    • If you are faced with a single source vendor, you can perform an RFP to one to create the competitive leverage.

    Make the response and evaluation process easier

    • Being strategic in your wording and formatting makes it easier on both parties – easier for the vendors to submit meaningful proposals, and easier for customer teams to evaluate.
    • Create a level playing field to encourage competition. Without multiple proposals, your options are limited and your chances for a successful project plummet.

    Maximize the competition

    • Leverage a pre-proposal conference to resolve vendor questions and to ensure all vendors receive the same answers to all questions. No vendor should have an information advantage.

    Do’s

    • Leverage your team’s knowledge.
    • Document and explain your RFP process to stakeholders and vendors.
    • Include contract terms in your RFP.
    • Measure and manage performance after contract award.
    • Seek feedback from the RFP team on your process and improve it as necessary.

    Don'ts

    • Reveal your budget.
    • Do an RFP in a vacuum.
    • Send an RFP to a vendor your team is not willing to award the business to.
    • Hold separate conversations with candidate vendors during your RFP process.
    • Skimp on the requirements definition to speed the process.
    • Tell the vendor they are selected before negotiating.

    3.1.2 Finalize your RFx

    1-3 hours

    1. As a group, review the selected RFI or RFP template.
    2. This is YOUR document. Modify it to suit the needs of the organization and even add sections from the other RFP templates that are relevant to your project.
    3. Use the Supplementary RFx Material as a guide.
    4. Add the content created in Steps 1 and 2.
    5. Add any organization-specific clauses or requirements.
    6. Have the project team review and comment on the RFP.
    7. Optional: Use Info-Tech’s RFP Review Concierge Service.

    Download the RFx Vendor Evaluation Tool

    Download the Supplementary RFx Material

    InputOutput
    • RFx template
    • Organizational specific guidelines
    • Materials from Steps 1 and 2
    • Supplementary RFx Material
    • Finalized RFx
    MaterialsParticipants
    • Electronic RFP document for editing
    • Vendor management team
    • Project team
    • Project manager

    3.1.2 Bring it all together

    Supplementary RFx Material

    		 The image contains a screenshot of Supplementary RFx Material.

    Review the sample content to get a feel for how to incorporate the results of the activities you have worked through into the RFx template.

    RFx Templates

    Use one of our templates to build a ready-for-distribution implementation partner RFx tailored to the unique success factors of your implementation.

    Exercises in Steps 1 and 2

    		 The image contains a screenshot of Exercises in Steps 1 and 2

    Use the material gathered during each activity to inform and populate the implementation partner requirements that are specific for your organization and project.

    		 The image contains a screenshot of the Long Form RFx template.The image contains a screenshot of the Short Form RFx template.

    3.1.3 Weight each evaluation criteria

    1-3 hours

    1. As a group, review the selected RFI or RFP template.
    2. This is your document. Modify it to suit the needs of the organization and even add sections from the other RFP templates that are relevant to your project.
    3. Use the Supplementary RFx Material as a guide.
    4. Utilize the content defined in Steps 1 and 2.
    5. Add any organization-specific clauses or requirements.
    6. Have the project team review and comment on the RFP.
    7. Optional: Use Info-Tech’s RFP Review Concierge Service.

    Download the Supplementary RFx Material

    InputOutput

    RFx Vendor Evaluation Tool

    Exercises from Steps 1 and 2

    • Weighted scoring tool to evaluate responses
    MaterialsParticipants
    • RFx Vendor Evaluation Tool
    • Supplementary RFx Material
    • Vendor management team
    • Project team
    • Project manager

    3.1.3 Apply weight to each evaluation criteria

    Use this tool to weight each critical success factor based on results of the activities within the vendor selection workbook for later scoring results.

    The image contains a screenshot of the RFx Vendor Evaluation Tool.

    Download the RFx Vendor Evaluation Tool

    Step 3.2

    Identify target vendors

    Activities

    3.2.1 Identify target vendors

    3.2.2 Define your RFx timeline

    This step involves the following participants:

    • Project team
    • Vendor management team

    Outcomes of this step

    • Targeted vendor list
    • Initial RFx timeline

    3.2.1 Identify target vendors

    1-3 hours

    1. Based on the profile defined in Step 2.3, research potential partners that fit the profile, starting with those you may have used in the past. From this, build your initial list of vendors to target with your RFx.
    2. Break into smaller groups (or continue as a single group if it is already small) and review each shortlisted vendor to see if they will likely respond to the RFx.
    Input Output
    • Websites
    • Peers
    • Advisory groups
    • A shortlist of vendors to target with your RFx
    Materials Participants
    • RFx Vendor Evaluation Tool
    • CIO
    • Vendor management team
    • Project team
    • Evaluation team

    Download the RFx Vendor Evaluation Tool

    Define your RFx timeline

    Provider RFx timelines need to be clearly defined to keep the project and participants on track. These projects and processes can be long. Set yourself up for success by identifying the time frames clearly and communicating them to participants.

    1. Current
    • Concurrent ERP product selection
    • RFx preparation
    • Release of RFX
  • Near-term
    • Responses received
    • Scoring responses
    • Shortlisting providers
    • Provider interviews
    • Provider selection
    • Provider contract negotiations
    • Contract with provider
  • Future
    • Initiation of knowledge transfer
    • Joint development period
    • Cutover to provider team

    89% of roadmap views have at least some representation of time. (Roadmunk, n.d.)

    Info-Tech Insight

    The true value of time horizons is in dividing your timeline and applying different standards and rules, which allows you to speak to different audiences and achieve different communication objectives.

    3.2.2 Define your RFx timeline

    1-3 hours

    1. As a group identify an appropriate timeline for your RFP process. Info-Tech recommends no less than three months from RFx release to contract signing.

      Keep in mind that you need to allow for time to engage the team and perform some level of knowledge transfer, and to seed the team with internal resources for the initial period.
    2. Leave enough time for vendor responses, interviews, and reference checks.
    3. Once the timeline is finalized, document it and communicate it to the organization.

    Download the RFx Vendor Evaluation Tool

    Input Output
    • RFx template
    • Provider RFx timeline
    Materials Participants
    • RFx Vendor Evaluation Tool
    • Vendor management team
    • Project team
    • Project manager

    Define your RFx timeline

    The image contains a screenshot of an example of an RFx timeline.

    Step 3.3

    Evaluate vendor responses

    Activities

    3.3.1 Evaluate responses

    This step involves the following participants:

    • Evaluation team

    Outcomes of this step

    • Vendor submission scores

    3.3.1 Evaluate responses

    1-3 hours

    1. Use the RFx Vendor Evaluation Tool to collect and record the evaluation team's scores for each vendor's response to your RFx.
    2. Then record and compare each team member's scores to rank the vendors' responses.
    3. The higher the score, the closer the fit.

    Download the RFx Vendor Evaluation Tool

    InputOutput
    • Vendor responses
    • Vendor presentations
    • Vendor scores
    MaterialsParticipants
    • RFx Vendor Evaluation Tool
    • Evaluation team

    3.3.1 Score vendor results

    Use the RFx Vendor Evaluation Tool to score the vendors' responses to your RFx using the weighted scale from Activity 3.1.3.

    The image contains a screenshot of the RFx Vendor Evaluation Tool.

    Download the RFx Vendor Evaluation Tool

    Phase 4

    Measuring the new relationship

    Introspection

    1.1 Assess your market factors

    1.2 Determine your people factors

    1.3 Review your current culture

    1.4 Document your technical factors

    Profiling

    2.1 Recall your sourcing strategy

    2.2 Prioritize your company factors

    2.3 Create target profile

    Partner selection

    3.1 Review your RFx

    3.2 Identify target vendors

    3.3 Evaluate vendor

    responses

    Implementation

    4.1 Engage partner to choose contract mechanism

    4.2 Engage partner team to define goals

    4.3 Choose your success

    metrics

    This phase will allow you to define the relationship with your newly chosen partner, including choosing the right contract mechanism, defining shared goals for the relationship, and selecting the metrics and processes to measure performance.

    This phase involves the following participants:

    IT leadership

    Procurement team

    Product owners

    Project managers

    Implementing the Partner

    Implementing the new partner is an exercise in collaboration

    • Successfully implementing your new partner is an exercise in working together
    1. Define a contract mechanism that is appropriate for the relationship, but is not meant as punitive, contract-based management – this sets you up for failure.
    2. Engage with your team and your partner as one team to build shared, measurable goals
    3. Work with the team to define the metrics and processes by which progress against these goals will be measured
  • Goals, metrics and process should be transparent to the team so all can see how their performance ties to success
  • Make sure to take time to celebrate successes with the whole team as one

    • Info-Tech Insight

    Implement the relationship the same way you want it to work: as one team. Work together on contract mechanism, shared goals, metrics, and performance measurement. This transparency and collaboration will build a one team view, leading to long-term success.

    Step 4.1

    Engage partner to choose contract mechanism

    Activities

    4.1.1 Confirm your contract mechanism

    This step involves the following participants:

    IT leadership

    Procurement team

    Vendor team

    Outcomes of this step

    Contract between the vendor and the firm for the services

    Negotiate agreement

    Evaluate your RFP responses to see if they are complete and if the vendor followed your instructions.

    Then:

    Plan negotiation(s) with one or more vendors based on your questions and opportunities identified during evaluation.

    Select finalist(s).

    Apply selection criteria.

    Resolve vendors' exceptions.

    Negotiate before you select your vendor:

    Negotiating with two or more vendors will maintain your competitive leverage while decreasing the time it takes to negotiate the deal.

    Perform legal reviews as necessary.

    Use sound competitive negotiations principles.

    Info-Tech Insight

    Be certain to include any commitments made in the RFP, presentations, and proposals in the agreement, as the standard for an underperforming vendor.

    Info-Tech Insight

    Providing contract terms in an RFP can dramatically reduce time for this step by understanding the vendor’s initial contractual position for negotiation.

    Leverage ITRG's negotiation process research for additional information

    For more details on this process please see our research Drive Successful Sourcing Outcomes with a Robust RFP Process

    4.1.1 Confirm your contract mechanism

    30 min

    1. Does the firm have prior experience with this type of sourcing arrangement?
    2. Does the firm have an existing services agreement with the selected partner?
    3. What contract mechanisms have been used in the past for these types of arrangements?
    4. What mechanism was proposed by the partner in their RFP response?

    Download the Select a Sourcing Partner Presentation Template

    Input Output
    • Past sourcing agreements from Procurement
    • Proposed agreement from partner
    • Agreed upon contract mechanism
    Materials Participants
    • Select a Sourcing Partner for Your Development Team Presentation template
    • Technology leaders
    • Vendor management group
    • Partner leaders

    Choose the appropriate contract method

    Work being sourced

    Partner proposal

    Agreed-upon mechanism

    Work being sourced

    Vendor management experience with type

    Partner proposed contract method

    Agreed-upon contract method

    Java development team to build new product

    Similar work done with fixed price with another vendor

    Time and materials per scrum team

    Time and materials per scrum team to avoid vendor conflicts inherent in fixed price which limit innovation

    Step 4.2

    Engage partner team to define shared goals

    Activities

    4.2.1 Define your shared goals

    This step involves the following participants:

    IT leadership

    Vendor leadership

    Outcomes of this step

    Shared goals for the team

    Define success and shared goals

    Work together to define how you will measure yourselves.

    One team

    • Treating the new center and the existing team as one team is critical to long-term success.
    • Having a plan that allows for teams to meet frequently face-to-face "get to know you" and "stay connected" sessions will help the team gel.

    Shared goals

    • New group must share common goals and measurements.

    Common understanding

    • New team must have a common understanding and culture on key facets such as:
      • Measurement of quality
      • Openness to feedback and knowledge sharing
      • Culture of collaboration
      • Issue and Risk Management

    4.2.1 Define your shared goals

    30 min

    1. List each item in the scope of work for the sourcing arrangement – e.g. development of product XXX.
    2. For each scope item, detail the benefit expected by the firm – e.g. development cost expected to drop by 10% per year, or customer satisfaction improvement.
    3. For each benefit define how you will measure success – e.g. track cost of development for the development team assigned, or track Customer Satisfaction Survey results.
    4. For each measure, define a target for this year – e.g. 10% decrease over last year's cost, or customer satisfaction improvement from 6 to 7.

    Download the Select a Sourcing Partner Presentation Template

    InputOutput
    • Services being procured from RFx
    • Benefits expected from the sourcing strategy
    • Baseline scores for measurements
    • Shared goals agreed upon between team and partner
    MaterialsParticipants
    • Select a Sourcing Partner for Your Development Team Presentation template
    • Technology leaders
    • Partner leaders

    Define goals collaboratively

    Role and benefit

    Goals and objectives

    Role / work being sourced

    Benefit expected

    Measure of success

    Year over year targets

    Java development team to build new product

    New product to replace aging legacy

    Launch of new product

    Agree on launch schedule and MVP for each release / roadmap

    Step 4.3

    Choose your success metrics

    Activities

    4,3.1 Define metrics and process to monitor

    This step involves the following participants:

    IT leadership

    Product owners

    Project managers

    Vendor leaders

    Outcomes of this step

    Metrics and process to measure performance

    4.3.1 Define metrics and process to monitor

    30 min

    1. For each goal defined and measure of success, break down the measure into quantifiable, measurable factors – e.g. Development cost is defined as all the costs tracked to the project including development, deployment, project management, etc.
    2. For each factor choose the metric that can be reported on – e.g. project actuals.
    3. For each metric define the report and reporting frequency – e.g. monthly project actuals from project manager.

    Download the Select a Sourcing Partner Presentation Template

    InputOutput
    • Development process
    • Deployment process
    • Operations process
    • IT Security policies
    • Documentation of key technical characteristics that need to be part of provider profiling
    MaterialsParticipants
    • Select a Sourcing Partner for Your Development Team Presentation template
    • Development leaders
    • Deployment team leaders
    • Infrastructure leaders
    • IT operations leaders
    • Product owners
    • Project managers

    Agreed-upon metrics

    Goal

    Metrics and process

    Agreed-upon goal

    Year 1 target

    Metric to measure success

    Measurement mechanism

    Deliver roadmap of releases

    3 releases – MVP in roadmap

    Features and stories delivered

    Measure delivery of stories from Jira

    Research Contributor

    The image contains a picture of Alaisdar Graham.

    Alaisdar Graham

    Executive Counsellor

    Info-Tech Research Group

    During Alaisdar’s 35-year career in information and operational technology, Alaisdar has been CIO for public sector organizations and private sector companies. He has been an entrepreneur with his own consultancy and a founder or business advisor with four cyber-security start-ups, Alaisdar has developed experience across a broad range of industries within a number of different countries and become known for his ability to drive business benefits and improvements through the use of technology.

    Alaisdar has worked with CXO-level executives across different businesses. Whether undertaking a digital transformation, building and improving IT functions across your span of control, or helping you create and execute an integrated technology strategy, Alaisdar can provide insight while introducing you to Info-Tech Research Group’s experts. Alaisdar’s experience with organizational turn- around, governance, project, program and portfolio management, change management, risk and security will support your organization’s success.

    Research Contributor

    The image contains a picture of Richard Nachazel.

    Richard Nachazel

    Executive Counsellor

    Info-Tech Research Group

    • Richard has more than 40 years working in various Fortune 500 organizations. His specialties are collaborating with business and IT executives and senior stakeholders to define strategic goals and transform operational protocols, standards, and methodologies. He has established a reputation at multiple large companies for taking charge of critical, high-profile enterprise projects in jeopardy of failure and turning them around. Colleagues and peers recognize his ability to organize enterprise efforts, build, develop, and motivate teams, and deliver outstanding outcomes.
    • Richard has worked as a Global CISO & Head of IT Governance for a Swiss Insurance company, Richard developed and led a comprehensive Cyber-Security Framework that provided leadership and oversight of the cyber-security program. Additionally, he was responsible for their IT Governance Risk & Compliance Operation and the information data security compliance in a complex global environment. Richard’s experience with organizational turn around, governance, risk, and controls, and security supports technology delivery integration with business success. Richard’s ability to engage executive and senior management decision makers and champion vision will prove beneficial to your organization.

    Research Contributor

    The image contains a picture of Craig Broussard.

    Craig Broussard

    Executive Counsellor

    Info-Tech Research Group

    • Craig has over 35 years of IT experience including software development, enterprise system management, infrastructure, and cyber security operations. Over the last 20 years, his focus has been on infrastructure and security along with IT service management. He’s been an accomplished speaker and panelist at industry trade events over the past decade.
    • Craig has served as Global Infrastructure Director for NCH Corporation, VP of Information Technology at ATOS, and earlier in his career as the Global Head of Data Center Services at Nokia Siemens Networks. Craig also worked for MicroSolutions (a Mark Cuban Company). Additionally, Craig received formal consulting training while working for IBM Global Services.
    • Craig’s deep experience across many aspects of IT from Governance through Delivery makes him an ideal partner for Info-Tech members.

    Bibliography

    Offshore, Onshore or Hybrid–Choosing the Best IT Outsourcing Model. (n.d.).
    Offshore Dedicated Development Team – A Compelling Hiring Guide. (n.d.).
    The Three Non-Negotiables Of IT Offshoring. (n.d.). Forbes.
    Top Ten Countries For Offshoring. Forbes, 2004.
    Nearshoring in Europe: Choose the Best Country for IT Outsourcing - The World Financial Review. (n.d.).
    Select an Offshore Jurisdiction. The Best Countries for Business in 2021-2022! | InternationalWealth.info. (n.d.).
    How to Find the Best Country to Set Up an Offshore Company. (n.d.). biz30.
    Akbar, M. A., Alsanad, A., Mahmood, S., & Alothaim, A. (2021). Prioritization-based taxonomy of global software development challenges: A FAHP based analysis. IEEE Access, 9, 37961–37974
    Ali, S. (2018). Practices in Software Outsourcing Partnership: Systematic Literature Review Protocol with Analysis. Journal of Computers, (February), 839–861
    Baird Georgia, A. (2007). MISQ Research Curation on Health Information Technology 2. Progression of Health IT Research in MIS Quarterly. MIS Quarterly, 2007(June), 1–14.
    Akbar, M. A., Alsanad, A., Mahmood, S., & Alothaim, A. (2021). Prioritization-based taxonomy of global software development challenges: A FAHP based analysis. IEEE Access, 9, 37961–37974
    Ali, S. (2018). Practices in Software Outsourcing Partnership: Systematic Literature Review Protocol with Analysis. Journal of Computers, (February), 839–861
    Baird Georgia, A. (2007). MISQ Research Curation on Health Information Technology 2. Progression of Health IT Research in MIS Quarterly. MIS Quarterly, 2007(June), 1–14.
    Carmel, E., & Abbott, P. (2006). Configurations of global software development: offshore versus nearshore. … on Global Software Development for the Practitioner, 3–7.
    Hanafizadeh, P., & Zare Ravasan, A. (2018). A model for selecting IT outsourcing strategy: the case of e-banking channels. Journal of Global Information Technology Management, 21(2), 111–138.
    Ishizaka, A., Bhattacharya, A., Gunasekaran, A., Dekkers, R., & Pereira, V. (2019). Outsourcing and offshoring decision making. International Journal of Production Research, 57(13), 4187–4193.
    Jeong, J. J. (2021). Success in IT offshoring: Does it depend on the location or the company? Arxiv.
    Joanna Minkiewicz, J. E. (2009). Deakin Research Online Online. 2007, Interrelationships between Innovation and Market Orientation in SMEs, Management Research News, Vol. 30, No. 12, Pp. 878-891., 30(12), 878–891.

    Bibliography

    King, W. R., & Torkzadeh, G. (2016). Special Issue Information Systems Offshoring : Research Status and Issues. MIS Quarterly, 32(2), 205–225.
    Kotlarsky, J., & Oshri, I. (2008). Country attractiveness for offshoring and offshore outsourcing: Additional considerations. Journal of Information Technology, 23(4), 228–231.
    Lehdonvirta, V., Kässi, O., Hjorth, I., Barnard, H., & Graham, M. (2019). The Global Platform Economy: A New Offshoring Institution Enabling Emerging-Economy Microproviders. Journal of Management, 45(2), 567–599.
    Mahajan, A. (2018). Risks and Benefits of Using Single Supplier in Software Development. Oulu University of Applied Sciences. Retrieved from
    Murberg, D. (2019). IT Offshore Outsourcing: Best Practices for U.S.-Based Companies. University of Oregon Applied Information Management, 1277(800), 824–2714.
    Nassimbeni, G., Sartor, M., & Dus, D. (2012). Security risks in service offshoring and outsourcing. Industrial Management and Data Systems, 112(3), 405–440.
    Olson, G. M., & Olson, J. S. (2000). Distance matters. Human-Computer Interaction, 15(2–3), 139–178.
    Pilkova, A., & Holienka, M. (2018). Home-Based Business in Visegrad Countries: Gem Perspective. Innovation Management, Entrepreneurship and Sustainability 2018 Proceedings of the 6th International Conference.
    Rahman, H. U., Raza, M., Afsar, P., Alharbi, A., Ahmad, S., & Alyami, H. (2021). Multi-criteria decision making model for application maintenance offshoring using analytic hierarchy process. Applied Sciences (Switzerland), 11(18).
    Rahman, H. U., Raza, M., Afsar, P., Khan, H. U., & Nazir, S. (2020). Analyzing factors that influence offshore outsourcing decision of application maintenance. IEEE Access, 8, 183913–183926.
    Roadmunk. What is a product roadmap? Roadmunk, n.d. Accessed 12 Oct. 2021.
    Rottman, J. W., & Lacity, M. C. (2006). Proven practices for effectively offshoring IT work. MIT Sloan Management Review.
    Smite, D., Moe, N. B., Krekling, T., & Stray, V. (2019). Offshore Outsourcing Costs: Known or Still Hidden? Proceedings - 2019 ACM/IEEE 14th International Conference on Global Software Engineering, ICGSE 2019, 40–47.
    Welsum, D. Van, & Reif, X. (2005). Potential Offshoring: Evidence from Selected OECD Countries. Brookings Trade Forum, 2005(1), 165–194.
    Zhang, Y., Liu, S., Tan, J., Jiang, G., & Zhu, Q. (2018). Effects of risks on the performance of business process outsourcing projects: The moderating roles of knowledge management capabilities. International Journal of Project Management, 36(4), 627–639.

    Evolve Your Business Through Innovation

    • Buy Link or Shortcode: {j2store}330|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation
    • Innovation teams are tasked with the responsibility of ensuring that their organizations are in the best position to succeed while the world is in a period of turmoil, chaos, and uncertainty.
    • CIOs have been expected to help the organization transition to remote work and collaboration instantaneously.
    • CEOs are under pressure to redesign, and in some cases reinvent, their business model to cope with and compete in a new normal.

    Our Advice

    Critical Insight

    It is easy to get swept up during a crisis and cling to past notions of normal. Unfortunately, there is no controlling the fact that things have changed fundamentally, and it is now incumbent upon you to help your organization adapt and evolve. Treat this as an opportunity because that is precisely what this is.

    Impact and Result

    There are some lessons we can learn from innovators who have succeeded through past crises and from those who are succeeding now.

    There are a number of tactics an innovation team can employ to help their business evolve during this time:

    1. Double down on digital transformation (DX)
    2. Establish a foresight capability
    3. Become a platform for good

    Evolve Your Business Through Innovation Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Evolve your business through innovation

    Download our guide to learn what you can do to evolve your business and innovate your way through uncertainty.

    • Evolve Your Business Through Innovation Storyboard
    [infographic]

    Build a More Effective Brand Architecture

    • Buy Link or Shortcode: {j2store}571|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Marketing Solutions
    • Parent Category Link: /marketing-solutions

    Neglecting to maintain the brand architecture can have the following consequences:

    • Inconsistent branding across product lines, services, and marketing communications.
    • Employee confusion regarding product lines, services, and brand structure.
    • Difficulties in launching new products or services or integrating acquired brands.
    • Poor customer experience in navigating the website or understanding the offerings.
    • Inability to differentiate from competitors.
    • Weak brand equity and a lack of brand loyalty.

    Our Advice

    Critical Insight

    Brand architecture is the way a company organizes and manages its portfolio of brands to achieve strategic goals. It encompasses the relationships between brands, from sub-brands to endorsed brands to independent brands, and how they interact with each other and with the master brand. With a clear brand architecture, businesses can optimize their portfolio, enhance their competitive position, and achieve sustainable growth and success in the long run.

    Impact and Result

    Establishing and upholding a well-defined brand architecture is critical to achieve:

    • Easy recognition and visibility
    • Consistent branding
    • Operational efficiency
    • Customer loyalty
    • Ability to easily adapt to changes
    • Competitive differentiation
    • Distinctive brand image
    • Business success

    Build a More Effective Brand Architecture Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build a More Effective Brand Architecture Storyboard – Develop a brand architecture that supports your business goals, clarifies your brand portfolio, and enhances your overall brand equity.

    We recommend a two-step approach that involves defining or reimagining the brand architecture. This means choosing the right strategy by analyzing the current brand portfolio, identifying the core brand elements, and determining and developing the structure that fits with the brand and business goals. A well-thought-out brand architecture also facilitates the integration of new brands and new product launches.

    • Build a More Effective Brand Architecture Storyboard

    2. Brand Architecture Strategy Template – The brand architecture template is a tool for creating a coherent brand identity.

    Create a brand identity that helps you launch new products and services, prepare for acquisitions, and modify your brand strategy. Allocate resources more effectively and identify new opportunities for growth. A brand architecture can provide insights into how different brands fit together and contribute to the overall brand strategy.

    • Brand Architecture Strategy Template

    Infographic

    Workshop: Build a More Effective Brand Architecture

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Brand Mind Mapping

    The Purpose

    The brand mind mapping workshop is an exercise that helps with visualizing brand architecture and improving coherence and effectiveness in brand portfolio management.

    Key Benefits Achieved

    This exercise can help businesses:

    Allocate their resources more effectively.

    Identify new opportunities for growth.

    Gain a competitive advantage in their market.

    Activities

    1.1 Brand Mind Mapping

    Outputs

    Visual representation of the brand architecture and its various components

    Further reading

    Build a More Effective Brand Architecture

    Strategically optimize your portfolio to increase brand recognition and value.

    Analyst perspective

    Brand Architecture

    Nathalie Vezina, Marketing Research Director, SoftwareReviews Advisory

    Nathalie Vezina
    Marketing Research Director
    SoftwareReviews Advisory

    This blueprint highlights common brand issues faced by companies, such as inconsistencies in branding and sub-branding due to absent or inadequate planning and documentation or non-compliance with the brand architecture. It emphasizes the importance of aligning or modifying the company's brand strategy with the existing architecture to create a consistent brand when launching new products, services, or divisions or preparing for acquisitions.

    Changing the brand architecture can be challenging, as it often requires significant resources, time, and effort. Additionally, there may be resistance from stakeholders who have become attached to the existing brand architecture and may not see the value in making changes. However, it's important for companies to address suboptimal brand architecture to ensure consistency and clarity in brand messaging and support business growth and success.

    This blueprint guides brand leaders on building and updating their brand architecture for optimal clarity, consistency, adaptability, and efficiency.

    Executive summary

    Your Challenge Common Obstacles SoftwareReviews’ Approach
    A company's brand architecture can help brand managers build a stronger brand that supports the company's goals and increases brand value. Failing to maintain the brand architecture can have the following consequences:
    • Inconsistent branding across product lines, services, and marketing communications
    • Employee confusion regarding product lines, services, and brand structure.
    • Difficulties in launching new products or services or integrating acquired brands.
    • Poor customer experience in navigating the website or understanding the offerings.
    • Inability to differentiate from competitors.
    • Weak brand equity and a lack of brand loyalty.
    		 Establishing and maintaining a clear brand architecture can pose significant issues for brand leaders. Despite these obstacles, defining the brand architecture can yield substantial benefits for businesses. Common constraints are:
    • Lack of knowledge on the subject, resulting in difficulties securing buy-in from stakeholders.
    • Siloed teams and competing priorities.
    • Limited resources and time constraints.
    • Resistance to change from employees or customers.
    • Inconsistent execution and adherence to brand guidelines.
    • Lack of communication and coordination when acquiring new brands.
    		 With focused and effective efforts and guidance, brand leaders can define or reimagine their brand architecture. Developing and maintaining a clear and consistent brand architecture involves:
    • Defining the brand architecture strategy.
    • Analyzing the current brand portfolio and identifying the core brand elements.
    • Determining and developing the proper brand structure.
    • Updating brand guidelines and messaging.
    • Rolling out the brand architecture across touchpoints and assets.
    • Facilitating the integration of new brands.
    • Monitoring and adjusting the architecture as needed for relevance to business goals.

    "[B]rand architecture is like a blueprint for a house...the foundation that holds all the pieces together, making sure everything fits and works seamlessly."
    Source: Verge Marketing

    The basics of brand architecture

    The significance of brand hierarchy organization

    Brand architecture is the hierarchical organization and its interrelationships. This includes shaping the brand strategy and structuring the company's product and service portfolio.

    A well-designed brand architecture helps buyers navigate a company's product offerings and creates a strong brand image and loyalty.

    A company's brand architecture typically includes three levels:

    • Master or parent brand
    • Sub-brands
    • Endorsed brands

    Choosing the right architecture depends on business strategy, products and services, and target audience. It should be reviewed periodically as the brand evolves, new products and services are launched, or new brands are acquired.

    "A brand architecture is the logical, strategic, and relational structure for your brands, or put another way, it is the entity's 'family tree' of brands, sub-brands, and named products."
    Source: Branding Strategy Insider

    Enhancing a company's brand hierarchy for better business outcomes

    Maximize brand strategy with a well-defined and managed brand architecture.

    Align brand architecture with business goals
    A well-defined brand architecture aligned with business objectives contributes to building brand recognition, facilitating brand extension, and streamlining brand portfolio management. In addition, it improves marketing effectiveness and customer experience.
    With a clear and consistent brand architecture, companies can strengthen their brand equity, increase awareness and loyalty, and grow in their competitive environment.

    Effectively engage with the desired buyers
    A clear and consistent brand architecture enables companies to align their brand identity and value proposition with the needs and preferences of their target audience, resulting in increased customer loyalty and satisfaction.
    Establishing a unique market position and reinforcing brand messaging and positioning allows companies to create a more personalized and engaging customer experience, driving business growth.

    Maintain a competitive edge
    An effective brand architecture allows companies to differentiate themselves from their competitors by establishing their unique position in the market. It also provides a structured framework for introducing new products or services under the same brand, leveraging the existing one.
    By aligning their brand architecture with their business objectives, companies can achieve sustainable growth and outperform their competitors in the marketplace.

    "A well-defined brand architecture provides clarity and consistency in how a brand is perceived by its audience. It helps to create a logical framework that aligns with a brand's overall vision and objectives."
    Source: LinkedIn

    Pitfalls of neglecting brand guidelines

    Identifying the negative effects on business and brand value.

    Deficient brand architecture can manifest in various ways.

    Here are some common symptoms:

    • Lack of clarity around the brand's personality and values
    • Inconsistent messaging and branding
    • Inability to differentiate from competitors
    • Weak brand identity
    • Confusion among customers and employees
    • Difficulty launching new products/services or integrating acquired brands
    • Lack of recognition and trust from consumers, leading to potential negative impacts on the bottom line

    Brand architecture helps to ensure that your company's brands are aligned with your business goals and objectives, and that they work together to create a cohesive and consistent brand image.

    The most common obstacles in developing and maintaining a clear brand architecture

    Establishing and maintaining a clear brand architecture requires the commitment of the entire organization and a collaborative effort.

    Lack of stakeholder buy-in > Resistance to change

    Siloed teams > Inconsistent execution

    Limited resources > Lack of education and communication

    Types of brand architectures

    Different approaches to structuring brand hierarchy

    Brand architecture is a framework that encompasses three distinct levels, each comprising a different type of branding strategy.

    Types of brand architectures

    Examples of types of brand architectures

    Well-known brands with different brand and sub-brands structures

    Examples of types of brand architectures

    Pros and cons of each architecture types

    Different approaches to organizing a brand portfolio

    The brand architecture impacts the cohesiveness, effectiveness, and market reach. Defining or redefining organization changes is crucial for company performance.

    Branded House Endorsed Brands House of Brands
    Other Designations
    • "Monolithic brands"
    • "Sub-brands"
    • "Freestanding brands"
    Description
    • Single brand name for all products/services
    • Creates a unique and powerful image that can easily be identified
    • The master brand name endorses a range of products/services marketed under different sub-brands
    • Decentralized brands
    • Can target diverse markets with separate brand names for each product/service
    Marketing & Comms
    • Highly efficient
    • Eliminates split branding efforts by product/service
    • Product differentiation and tailoring messages to specific customer segments are limited
    • Each brand has its unique identity
    • Benefit from the support and resources of the master brand
    • Allows for unique branding and messaging per products/services for specific customer segments
    • Can experiment with different offerings and strategies
    Impact on Sales
    • Good cross-selling opportunities by leveraging a strong brand name
    • Benefit from the master brand's credibility, building customer trust and increasing sales
    • Tailored marketing to specific segments can increase market share and profitability
    • Creates competitive advantage and builds loyalty
    Cost Effectiveness
    • Cost-effective
    • No separate branding efforts per product/service
    • Lack of economy of scale
    • Fragmentation of resources and duplication of effort
    • Lack of economy of scale
    • Fragmentation of resources and duplication of effort
    Reputation and Image
    • More control over the brand image, messages, and perception, leading to strong recognition
    • Increased vulnerability to negative events can damage the entire brand, products/services offered
    • Mitigated risk, protecting the master brand's reputation and financial performance
    • Negative events with one brand can damage the master and other brands, causing a loss of credibility
    • Reduced risk, safeguarding the master brand's reputation and financial performance
    • Each brand builds its own equity, enhancing the company's financial performance and value
    Consistency
    • Ensures consistency with the company's brand image, values, and messaging
    • Helps build trust and loyalty
    • Inconsistent branding and messaging can cause confusion and misunderstandings
    • Unclear link between master/endorsed brands
    • Reduces trust and brand loyalty
    • Difficult to establish a clear and consistent corporate identity
    • Can reduce overall brand recognition and loyalty

    Brand naming decision tree

    Create a naming process for brand alignment and resonance with the target audience

    To ensure a chosen name is effective and legally/ethically sound, consider the ease of pronunciation/spelling, the availability for registration of brand/domain name, any negative connotations/associations in any language/culture, and potential legal/ethical issues.

    Brand naming decision tree

    To ensure a chosen name is effective and legally/ethically sound, consider the ease of pronunciation/spelling, the availability for registration of brand/domain name, any negative connotations/associations in any language/culture, and potential legal/ethical issues.

    Advantages of defining brand architecture

    Maximize your brand potential with a clear architecture strategy.

    Clear offering

    Adaptability

    Consistent branding

    Competitive differentiation

    Operational efficiency

    Strong brand identity

    Customer loyalty

    Business success

    "Responding to external influences, all brands must adapt and change over time. A clear system can aid in managing the process, ensuring that necessary changes are implemented effectively and efficiently."
    Source: The Branding Journal

    SoftwareReviews' brand architecture creation methodology

    Develop and Implement a Robust Brand Architecture

    Phase Steps

    		 Step 1 Research and Analysis
    1.1 Define brand architecture strategy
    1.2 Brand audit
    1.3 Identify brand core elements

    Step 2 Development and Implementation
    2.1 Determine brand hierarchy
    2.2 Develop or update brand guidelines
    2.3 Roll out brand architecture
    Phase Outcomes
    • Brand current performance is assessed
    • Issues are highlighted and can be addressed
    • Brand structure is developed and implemented across touchpoints and assets
    • Adjustments are made on an ongoing basis for consistency and relevance to business goals

    Insight summary

    Brand Architecture: Organize and manage your portfolio of brands
    Brand architecture is the way a company organizes and manages its portfolio of brands to achieve strategic goals. It encompasses the relationships between brands, from sub-brands to endorsed brands to independent brands, and how they interact with each other and with the master brand. With a clear brand architecture, businesses can optimize their portfolio, enhance their competitive position, and achieve sustainable growth and success in the long run.

    Aligning brand architecture to business strategy
    Effective brand architecture aligns with the company's business strategy, marketing objectives, and customer needs. It provides clarity and coherence to the brand portfolio, helps customers navigate product offerings, and maximizes overall equity of the brand.

    Choosing between three types of brand architecture
    A company's choice of brand architecture depends on factors like product range, target markets, and strategic objectives. Each approach, Branded House, Endorsed, or House of Brands, has its own pros and cons, and the proper option relies on the company's goals, resources, and constraints.

    A logical brand hierarchy for more clarity
    The order of importance of brands in the portfolio, including the relationships between the master and sub-brands, and the positioning of each in the market is fundamental. A clear and logical hierarchy helps customers understand the value proposition of each brand and reduces confusion.

    A win-win approach
    Clear brand architecture can help customers easily navigate and understand the product offering, reinforce the brand identity and values, and improve customer loyalty and retention. Additionally, it can help companies optimize their marketing strategies, streamline their product development and production processes, and maximize their revenue and profitability.

    Brand architecture, an ongoing process
    Brand architecture is not a one-time decision but an ongoing process that requires regular review and adjustment. As business conditions change, companies may need to revise their brand portfolio, brand hierarchy, or brand extension and acquisition strategies to remain competitive and meet customer needs.

    Brand architecture creation tools

    This blueprint comes with tools to help you develop your brand architecture.

    Brand Architecture Toolkit

    This kit includes a Brand Architecture Mini-Audit, a Brand Architecture template, and templates for Brand Matrix, Ecosystem, and Development Strategy.

    Use this kit to develop a strong brand architecture that aligns with your business goals, clarifies your brand portfolio, and enhances overall brand equity.

    Brand Architecture Toolkit

    Brand Architecture

    Develop a robust brand architecture that supports your business goals, clarifies your brand portfolio, and enhances your overall brand equity.

    "A brand architecture is the logical, strategic, and relational structure for your brands, or put another way, it is the entity's 'family tree' of brands, sub-brands, and named products."
    Source: Branding Strategy Insider

    Consequences of Neglected Brand Guidelines

    When a company neglects its brand architecture and guidelines, it can result in a number of negative consequences, such as:

    • Lack of clarity around the brand's personality and values
    • Inconsistent messaging and branding
    • Inability to differentiate from competitors
    • Weak brand identity
    • Confusion among customers and employees
    • Difficulty launching new products/services or integrating acquired brands
    • Lack of recognition and trust from consumers, leading to potential negative impacts on the bottom line.

    Benefits of SoftwareReviews' Methodology

    By following SoftwareReviews' methodology to develop and maintain a brand architecture, businesses can:

    • Establish a unique market position and stand out from competitors
    • Ensure that marketing efforts are focused and effective
    • Create personalized and engaging customer experiences
    • Reinforce messaging and positioning
    • Increase customer loyalty and satisfaction
    • Build brand recognition and awareness

    Marq, formerly Lucidpress, surveyed over 400 brand management experts and found that "if the brand was consistent, revenue would increase by 10-20%."

    Methodology for Defining Brand Architecture

    Who benefits from this research?

    This research is designed for:

    • Organizations that value their brand and want to ensure that it is communicated effectively and consistently across all touchpoints.
    • Business owners, marketers, brand managers, creative teams, and anyone involved in the development and implementation of brand strategy.

    This research will also assist:

    • Sales and customer experience teams
    • Channel partners
    • Buyers

    This research will help you:

    • Establish a unique market position and stand out from competitors.
    • Create a more personalized and engaging customer experience.
    • Ensure that marketing efforts are focused and effective.
    • Reinforce brand messaging and positioning.

    This research will help them:

    • Increase customer loyalty and satisfaction
    • Build brand recognition and awareness
    • Drive business growth and profitability.

    SoftwareReviews offers various levels of support to best suit your needs

    DIY Toolkit
    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."     		Guided Implementation
    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."    		 Workshop
    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."    		 Consulting
    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."
    Included Within Advisory Membership Optional Add-Ons

    Guided Implementation

    What does a typical GI on this topic look like?

    Research & Analysis
    Call #1: Discuss brand architecture strategy (define objectives, scope and stakeholders). Call #3: Identify core brand components and ensure they align with the brand strategy. Call #5: Develop or update brand guidelines. Optional Calls:
    • Brand Diagnostic
    • Brand Strategy and Tactics
    • Brand Voice Guidelines
    • Asset Creation and Management
    • Brand Messaging
    Call #2: Conduct a brand audit. Call #4: Define and document the brand hierarchy. Call #6: Roll out the brand architecture and monitoring.

    A Guided Implementation (GI) is a series of calls with a SoftwareReviews Marketing Analyst to help implement our best practices in your organization.

    Your engagement managers will work with you to schedule analyst calls.

    Brand Mind Mapping Workshop Overview

    Total duration: 3-4 hours

    Activities
    Visually map out the different elements of your brand portfolio, including corporate brands, sub-brands, product brands, and their relationships with each other.

    The workshop also aims to explore additional elements, such as brand expansions, acquisitions, and extensions, and brand attributes and positioning.

    Deliverables
    Get a mind map that represents the brand architecture and its various components, which can be used to evaluate and improve the overall coherence and effectiveness of the brand portfolio. The mind map can also provide insights into how different brands fit together and contribute to the overall brand strategy.

    Participants

    • Business owners
    • Head of Branding and anyone involved with the brand strategy

    Tools

    • Brand Architecture Template, slides 7 and 8

    Brand Mind Mapping

    Contact your account representative for more information
    workshops@infotech.com | 1-888-670-8889

    Get started!

    Develop a brand architecture that supports your business goals, clarifies your brand portfolio, and enhances your overall brand equity.

    Develop and Implement a Robust Brand Architecture

    Step 1 Research and Analysis
    1.1 Define architecture strategy
    1.2 Perform brand audit
    1.3 Identify brand core elements

    Step 2 Development and Implementation
    2.1 Determine brand hierarchy
    2.2 Develop or update brand guidelines
    2.3 Roll out brand architecture

    Phase Outcome

    • Brand current performance is assessed
    • Issues are highlighted and can be addressed
    • Brand structure is developed and implemented across touchpoints and assets
    • Adjustments made on an ongoing basis for consistency and relevance to business goals

    Develop and implement a robust brand architecture

    Steps 1.1, 1.2 & 1.3 Define architecture strategy, audit brand, and identify core elements.

    Total duration: 2.5-4.5 hours

    Objective
    Define brand objectives (hierarchy, acquired brand inclusion, product distinction), scope, and stakeholders. Analyze the brand portfolio to identify gaps or inconsistencies. Identify brand components (name, logo, tagline, personality) and align them with the brand and business strategy.

    Output
    By completing these steps, you will assess your current brand portfolio and evaluate its consistency and alignment with the overall brand strategy.

    Participants

    • Business owners
    • Head of Branding and anyone involved with the brand strategy

    Tools

    • Diagnose Brand Health to Improve Business Growth Blueprint (optional)
    • Brand Awareness Strategy Template (optional)

    1.1 Define Brand Architecture Strategy
    (60-120 min.)

    Define

    Define brand objectives (hierarchy, inclusion of an acquired brand, product distinction), scope, and stakeholders.

    1.2 Conduct Brand Audit
    (30-60 min.)

    Assess

    Assess the state of your brand architecture using the "Brand architecture mini-audit checklist," slide 9 of the Brand Architecture Strategy Template. Check the boxes that correspond to the state of your brand architecture. Those left unchecked represent areas for improvement.

    For a more in-depth analysis of your brand performance, follow the instructions and use the tools provided in the Diagnose Brand Health to Improve Business Growth blueprint (optional).

    1.3 Identify Core Brand Elements
    (60-90 min.)

    Identify

    Define brand components (name, logo, tagline, personality). Align usage with strategy. You can develop your brand strategy, if not already existing, using the Brand Awareness Strategy Template (optional).

    Tip!

    Continuously monitor and adjust your brand architecture - it's not static and should evolve over time. You can also adapt your brand strategy as needed to stay relevant and competitive.

    Develop and implement a robust brand architecture

    Steps 2.1. 2.2 & 2.3 Develop brand hierarchy, guidelines, and rollout architecture.

    Total duration: 3.5-5.5 hours

    Objective
    Define your brand structure and clarify the role and market position of each. Create concise brand expression guidelines, implement them across all touchpoints and assets, and adjust as needed to stay aligned with your business goals.

    Output
    This exercise will help you establish and apply your brand structure, with a plan for ongoing updates and adjustments to maintain consistency and relevance.

    Participants

    • Business owners
    • Head of Branding and anyone involved with the brand strategy

    Tools

    • Brand Architecture Template
    • Brand Voice Guidelines
    • Brand Messaging Template
    • Asset Creation and Management List Template

    2.1 Determine Brand Hierarchy
    (30-60 min.)

    Analyze & Document

    In the Brand Architecture Strategy Template, complete the brand matrix, ecosystem, development strategy matrix, mind mapping, and architecture, to develop a strong brand architecture that aligns with your business goals and clarifies your brand portfolio and market position.

    2.2 Develop/Update Brand Guidelines
    (120-180 min.)

    Develop/Update

    Develop (or update existing) clear, concise, and actionable brand expression guidelines using the Brand Voice Guidelines and Brand Messaging Template.

    2.2 Rollout Brand Architecture
    Preparation (60-90 min.)

    Create & Implement

    Use the Asset Creation and Management List Template to implement brand architecture across touchpoints and assets.

    Monitor and Adjust

    Use slide 8, "Brand Strategy Development Matrix," of the Brand Architecture Strategy Template to identify potential and future brand development strategies to build or enhance your brand based on your current brand positioning and business goals. Monitor, and adjust as needed, for relevance to the brand and business strategy.

    Tip!

    Make your brand architecture clear and simple for your target audience, employees, and stakeholders. This will avoid confusion and help your audience understand your brand structure.

    Prioritizing clarity and simplicity will communicate your brand's value proposition effectively and create a strong brand that resonates with your audience and supports your business goals.

    Related SoftwareReviews research

    Diagnose Brand Health to Improve Business Growth

    Have a significant and well-targeted impact on business success and growth by knowing how your brand performs, identifying areas of improvement, and making data-driven decisions to fix them.

    • Increase brand awareness and equity.
    • Build trust and improve customer retention and loyalty.
    • Achieve higher and faster growth.

    Accelerate Business Growth and Valuation by Building Brand Awareness

    Successfully build awareness and help the business grow. Stand out from the competition and continue to grow in a sustainable way.

    • Get a clear understanding of the buyer's needs and your key differentiator.
    • Achieve strategy alignment and readiness.
    • Create and manage assets.

    Bibliography

    "Brand Architecture: Definition, Types, Strategies, and Examples." The Branding Journal, 2022.

    "Brand Architecture: What It Is and How to Build Your Brand's Framework." HubSpot, 2021.

    "Brand Architecture Framework." Verge Marketing, 2021.

    "Brand consistency-the competitive advantage and how to achieve it." Marq/Lucidpress, 2021.

    "Building brands for growth: A fresh perspective." McKinsey & Company. Accessed on 31 March 2023.

    Daye, Derrick. "Brand Architecture Strategy Guide." Branding Strategy Insider, The Blake Project, 13 May 2021.

    Todoran, Adrian. "Choosing the Perfect Brand Architecture Strategy for Your Business." LinkedIn, 2023.

    Optimize the Service Desk With a Shift-Left Strategy

    • Buy Link or Shortcode: {j2store}478|cart{/j2store}
    • member rating overall impact: 9.4/10 Overall Impact
    • member rating average dollars saved: $21,171 Average $ Saved
    • member rating average days saved: 11 Average Days Saved
    • Parent Category Name: Service Desk
    • Parent Category Link: /service-desk
    • Tier 2 and 3 specialists lose time and resources working on tickets instead of more complex projects.
    • The service desk finds themselves resolving the same incidents over and over, wasting manual work on tasks that could be automated.
    • Employees expect modern, consumer-like experiences when they need help; they want to access information and resources from wherever they are and have the tools to solve their problems themselves without waiting for help.

    Our Advice

    Critical Insight

    • It can be difficult to overcome the mindset that difficult functions need to be escalated. Shift left involves a cultural change to the way the service desk works, and overcoming objections and getting buy-in up front is critical.
    • Many organizations have built a great knowledgebase but fail to see the value of it over time as it becomes overburdened with overlapping and out-of-date information. Knowledge capture, updating, and review must be embedded into your processes if you want to keep the knowledgebase useful.
    • Similarly, the self-service portal is often deployed out of the box with little input from end users and fails to deliver its intended benefits. The portal needs to be designed from the end user’s point of view with the goal of self-resolution if it will serve its purpose of deflecting tickets.

    Impact and Result

    • Embrace a shift-left strategy by moving repeatable service desk tasks and requests into lower-cost delivery channels such as self-help tools and automation.
    • Shift work from Tier 2 and 3 support to Tier 1 through good knowledge management practices that empower the first level of support with documented solutions to recurring issues and free up more specialized resources for project work and higher value tasks.
    • Shift knowledge from the service desk to the end user by enabling them to find their own solutions. A well-designed and implemented self-service portal will result in fewer logged tickets to the service desk and empowered, satisfied end users.
    • Shift away manual repetitive work through the use of AI and automation.
    • Successfully shifting this work left can reduce time to resolve, decrease support costs, and increase end-user satisfaction.

    Optimize the Service Desk With a Shift-Left Strategy Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to understand why a shift-left strategy can help to optimize your service desk, review Info-Tech's methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Prepare to shift left

    Assess whether you’re ready to optimize the service desk with a shift-left strategy, get buy-in for the initiative, and define metrics to measure success.

    • Optimize the Service Desk With a Shift-Left Strategy – Phase 1: Prepare to Shift Left
    • Shift-Left Prerequisites Assessment
    • Shift-Left Strategy
    • Shift-Left Stakeholder Buy-In Presentation

    2. Design shift-left model

    Build strategy and identify specific opportunities to shift service support left to Level 1 through knowledge sharing and other methods, to the end-user through self-service, and to automation and AI.

    • Optimize the Service Desk With a Shift-Left Strategy – Phase 2: Design Shift Left Model
    • Shift-Left Action Plan
    • Knowledge Management Workflows (Visio)
    • Knowledge Management Workflows (PDF)
    • Self-Service Portal Checklist
    • Self-Service Resolution Workflow (Visio)
    • Self-Service Resolution Workflow (PDF)

    3. Implement and communicate

    Identify, track, and implement specific shift-left opportunities and document a communications plan to increase adoption.

    • Optimize the Service Desk With a Shift-Left Strategy – Phase 3: Implement & Communicate
    • Incident Management Workflow (Visio)
    • Incident Management Workflow (PDF)
    [infographic]

    Workshop: Optimize the Service Desk With a Shift-Left Strategy

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Prepare to Shift Left

    The Purpose

    Define how shift left would apply in your organization, get buy-in for the initiative, and define metrics to measure success.

    Key Benefits Achieved

    Defined scope and objectives for the shift-left initiative

    Buy-in for the program

    Metrics to keep the project on track and evaluate success

    Activities

    1.1 Review current service desk structure

    1.2 Discuss challenges

    1.3 Review shift-left model and discuss how it would apply in your organization

    1.4 Complete the Shift-Left Prerequisites Assessment

    1.5 Complete a RACI chart for the project

    1.6 Define and document objectives

    1.7 Review the stakeholder buy-in presentation

    1.8 Document critical success factors

    1.9 Define KPIs and metrics

    Outputs

    Shift-left scope

    Completed shift-left prerequisites assessment

    RACI chart

    Defined objectives

    Stakeholder buy-in presentation

    Critical success factors

    Metrics to measure success

    2 Plan to Shift to Level 1

    The Purpose

    Build strategy and identify specific opportunities to shift service support left to Level 1 through knowledge sharing and other methods.

    Key Benefits Achieved

    Identified initiatives to shift work to Level 1

    Documented knowledge management process workflows and strategy

    Activities

    2.1 Identify barriers to Level 1 resolution

    2.2 Discuss knowledgebase challenges and areas for improvement

    2.3 Optimize KB input process

    2.4 Optimize KB usage process

    2.5 Optimize KB review process

    2.6 Discuss and document KCS strategy and roles

    2.7 Document knowledge success metrics

    2.8 Brainstorm additional methods of increasing FLR

    Outputs

    KB input workflow

    KB usage workflow

    KB review workflow

    KCS strategy and roles

    Knowledge management metrics

    Identified opportunities to shift to Level 1

    3 Plan to Shift to End User and Automation

    The Purpose

    Build strategy and identify specific opportunities to shift service support left to the end user through self-service and to automation and AI.

    Key Benefits Achieved

    Identified initiatives to shift work to self-service and automation

    Evaluation of self-service portal and identified opportunities for improvement

    Activities

    3.1 Review existing self-service portal and discuss vision

    3.2 Identify opportunities to improve portal accessibility, UI, and features

    3.3 Evaluate the user-facing knowledgebase

    3.4 Optimize the ticket intake form

    3.5 Document plan to improve, communicate, and evaluate portal

    3.6 Map the user experience with a workflow

    3.7 Document your AI strategy

    3.8 Identify candidates for automation

    Outputs

    Identified opportunities to improve portal

    Improvements to knowledgebase

    Improved ticket intake form

    Strategy to communicate and measure success of portal

    Self-service resolution workflow

    Strategy to apply AI and automation

    Identified opportunities to shift tasks to automation

    4 Build Implementation and Communication Plan

    The Purpose

    Build an action plan to implement shift left, including a communications strategy.

    Key Benefits Achieved

    Action plan to track and implement shift-left opportunities

    Communications plan to increase adoption

    Activities

    4.1 Examine process workflows for shift-left opportunities

    4.2 Document shift-left-specific responsibilities for each role

    4.3 Identify and track shift-left opportunities in the action plan

    4.4 Brainstorm objections and responses

    4.5 Document communications plan

    Outputs

    Incident management workflow with shift-left opportunities

    Shift left responsibilities for key roles

    Shift-left action plan

    Objection handling responses

    Communications plan

    Sustain and Grow the Maturity of Innovation in Your Enterprise

    • Buy Link or Shortcode: {j2store}91|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation
    • Customers are not waiting – they are insisting on change now. The recent litany of business failures and the ongoing demand for improved services means that “not in my backyard” will mean no backyard.
    • Positive innovation is about achieving tomorrow’s success today, where everyone is a leader and ideas and people can flourish – in every sector.

    Our Advice

    Critical Insight

    • Many innovation programs are not delivering value at a time when change is constant and is impacting both public and private sector organizations.
    • Organizations are not well-positioned in terms of leadership skills to advance their innovation programs.
    • Unlock your innovation potential by looking at your innovation projects on both a macro and micro level.
    • Innovation capacity is directly linked with creativity; allow your employees' creativity to flourish using Info-Tech’s positive innovation techniques.
    • Innovations need to be re-harvested each year in order to maximize your return on investment.

    Impact and Result

    • From an opportunity perspective, create an effective innovation program that spawns more innovations, realizes benefits from existing assets not fully being leveraged, and lays the groundwork for enhanced products and services.
    • This complementary toolkit and method (to existing blueprints/research) guides you to assess the “aspiration level” of innovations and the innovation program, assess the resources/capabilities that an entity has to date employed in its innovation program, and position IT for success to achieve the strategic objectives of the enterprise.

    Sustain and Grow the Maturity of Innovation in Your Enterprise Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should formalize processes to improve your innovation program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Scope and define

    Understand your current innovation capabilities and create a mandate for the future of your innovation program.

    • Sustain and Grow the Maturity of Innovation in Your Enterprise – Phase 1: Scope and Define
    • Innovation Program Mandate and Terms of Reference Template
    • Innovation Program Overview Presentation Template
    • Innovation Assessment Tool

    2. Assess and aspire

    Assess opportunities for your innovation program on a personnel and project level, and provide direction on how to improve along these dimensions.

    • Sustain and Grow the Maturity of Innovation in Your Enterprise – Phase 2: Assess and Aspire
    • Appreciative Inquiry Questionnaire

    3. Implement and inspire

    Formalize the innovation improvements you identified earlier in the blueprint by mapping them to your IT strategy.

    • Sustain and Grow the Maturity of Innovation in Your Enterprise – Phase 3: Implement and Inspire
    • Innovation Planning Tool
    [infographic]

    Workshop: Sustain and Grow the Maturity of Innovation in Your Enterprise

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Pre-Work

    The Purpose

    Gather data that will be analyzed in the workshop.

    Key Benefits Achieved

    Information gathered with which analysis can be performed.

    Activities

    1.1 Do an inventory of innovations/prototypes underway.

    1.2 High-level overview of all existing project charters, and documentation of innovation program.

    1.3 Poll working group or key stakeholders in regards to scope of innovation program.

    Outputs

    Up-to-date inventory of innovations/prototypes

    Document review of innovation program and its results to date

    Draft scope of the innovation program and understanding of the timelines

    2 Scope and Define

    The Purpose

    Scope the innovation program and gain buy-in from major stakeholders.

    Key Benefits Achieved

    Buy-in from IT steering committee for innovation program improvements.

    Activities

    2.1 Establish or re-affirm values for the program.

    2.2 Run an initial assessment of the organization’s innovation potential (macro level).

    2.3 Set/reaffirm scope and budget for the program.

    2.4 Define or refine goals and outcomes for the program.

    2.5 Confirm/re-confirm risk tolerance of organization.

    2.6 Update/document innovation program.

    2.7 Create presentation to gain support from the IT steering committee.

    Outputs

    Innovation program and terms of reference

    Presentation on organization innovation program for IT steering committee

    3 Assess and Aspire

    The Purpose

    Analyze the current performance of the innovation program and identify areas for improvement.

    Key Benefits Achieved

    Identify actionable items that can be undertaken in order to improve the performance of the innovation program.

    Activities

    3.1 Assess your level of innovation per innovation project (micro level).

    3.2 Update the risk tolerance level of the program.

    3.3 Determine if your blend of innovation projects is ideal.

    3.4 Re-prioritize your innovation projects (if needed).

    3.5 Plan update to IT steering committee.

    3.6 Assess positive innovation assessment of team.

    3.7 Opportunity analysis of innovation program and team.

    Outputs

    Positive innovation assessment

    Re-prioritized innovation projects

    Updated presentation for IT steering committee

    4 Implement and Inspire

    The Purpose

    Formalize the innovation program by tying it into the IT strategy.

    Key Benefits Achieved

    A formalized innovation program that is closely tied to the IT strategy.

    Activities

    4.1 Update business context in terms of impact on IT implications.

    4.2 Update IT strategy in terms of impact and benefits of innovation program.

    4.3 Update/create innovation program implementation plan.

    4.4 Plan update for IT steering committee.

    Outputs

    Updated business context

    Updated IT strategy

    Innovation implementation plan, including roadmap

    Updated presentation given to IT steering committee

    Requirements Gathering

    • Buy Link or Shortcode: {j2store}49|cart{/j2store}
    • Related Products: {j2store}49|crosssells{/j2store}
    • member rating overall impact: 9.5/10
    • member rating average dollars saved: $33,901
    • member rating average days saved: 23
    • Parent Category Name: Project Portfolio Management and Projects
    • Parent Category Link: /ppm-and-projects
    • byline: Back to basics: before you build, know what they want.

    The challenge

    • The number reason projects fail because from the outset, what people wanted was not clear.
    • Without proper due diligence, IT will deliver projects that fail to meet business expectations and fail to provide business value.
    • If you failed to accurately capture the needs and desires, your projects are set up for costly rework. That will hurt your business's financial performance and result in damage to your relationship with your business partners.
    • Even with requirements gathering processes in place, your business analysts may not have the required competencies to execute them.

    Our advice

    Insight

    • You need to gather requirements with your organizations' end-state in mind. That requires IT and business alignment.
    • You would be good to create a set of standard operating procedures around requirements gathering. But many companies fail to do so.
    • Bring standardization and conformity to your requirements gathering processes via a centralized center of excellence. That brings cohesion and uniformity to your practice.
    • It is critical that your business analysts have the necessary competencies to execute your processes and that they ask the right questions.

    Impact and results 

    • Better requirements analysis will result in shorter cycle timed and reduced project rework and overhead.
    • You will enjoy better relationships with your business partners, greater stakeholder satisfaction, and gradually a better standing of IT.
    • Most importantly, the applications and systems you deliver will contain all must-haves and some nice-to-haves. Your minimal viable deliverable will start to create business value immediately.

    The roadmap

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    Get started.

    Read our executive brief to understand why you should invest in optimizing requirements gathering in your company. We show you how we can support you.

    Build the target state

    Fully understand the target needs of the requirements gathering process.

    • Build a Strong Approach to Business Requirements Gathering – Phase 1: Build the Target State for the Requirements Gathering Process (ppt)
    • Requirements Gathering SOP and BA Playbook (doc)
    • Requirements Gathering Maturity Assessment (xls)
    • Project Level Selection Tool (xls)
    • Business Requirements Analyst (doc)
    • Requirements Gathering Communication Tracking Template (xls)

    Develop best practices to gather business requirements

    • Build a Strong Approach to Business Requirements Gathering – Phase 2: Define the Elicitation Process (ppt)
    • Business Requirements Document Template (xls)
    • Scrum Documentation Template (doc)

    Analyze and validate requirements

    Standardize your frameworks for analysis and validation of the business requirements

    • Build a Strong Approach to Business Requirements Gathering – Phase 3: Analyze and Validate Requirements (ppt)
    • Requirements Gathering Documentation Tool (xls)
    • Requirements Gathering Testing Checklist (doc)

    Build your requirements gathering governance action plan

    Formalize governance.

    • Build a Strong Approach to Business Requirements Gathering – Phase 4: Create a Requirements Governance Action Plan (ppt)
    • Requirements Traceability Matrix (xls)

     

     

    Build an IT Risk Management Program

    • Buy Link or Shortcode: {j2store}192|cart{/j2store}
    • member rating overall impact: 8.3/10 Overall Impact
    • member rating average dollars saved: $31,532 Average $ Saved
    • member rating average days saved: 17 Average Days Saved
    • Parent Category Name: IT Governance, Risk & Compliance
    • Parent Category Link: /it-governance-risk-and-compliance
    • Risk is unavoidable. Without a formal program to manage IT risk, you may be unaware of your severest IT risks.
    • The business could be making decisions that are not informed by risk.
    • Reacting to risks AFTER they occur can be costly and crippling, yet it is one of the most common tactics used by IT departments.

    Our Advice

    Critical Insight

    • IT risk is business risk. Every IT risk has business implications. Create an IT risk management program that shares accountability with the business.

    Impact and Result

    • Transform your ad hoc IT risk management processes into a formalized, ongoing program, and increase risk management success.
    • Take a proactive stance against IT threats and vulnerabilities by identifying and assessing IT’s greatest risks before they occur.
    • Involve key stakeholders including the business senior management team to gain buy-in and to focus on IT risks most critical to the organization.

    Build an IT Risk Management Program Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build an IT Risk Management Program – A holistic approach to managing IT risks within your organization and involving key business stakeholders.

    Gain business buy-in to understanding the key IT risks that could negatively impact the organization and create an IT risk management program to properly identify, assess, respond, monitor, and report on those risks.

    • Build an IT Risk Management Program – Phases 1-3

    2. Risk Management Program Manual – A single source of truth for the risk management program to exist and be updated to reflect changes.

    Leverage this Risk Management Program Manual to ensure that the decisions around how IT risks will be governed and managed can be documented in a single source accessible by those involved.

    • Risk Management Program Manual

    3. Risk Register & Risk Costing Tool – A set of tools to document identified risk events. Assess each risk event and consider the appropriate response based on your organization’s threshold for risk.

    Engage these tools in your organization if you do not currently have a GRC tool to document risk events as they relate to the IT function. Consider the best risk response to high severity risk events to ensure all possible situations are considered.

    • Risk Register Tool
    • Risk Costing Tool

    4. Risk Event Action Plan and Risk Report – A template to document the chosen risk responses and ensure accountable owners agree on selected response method.

    Establish clear guidelines and responses to risk events that will leave your organization vulnerable to unwanted threats. Ensure risk owners have agreed to the risk responses and are willing to take accountability for that response.

    • Risk Event Action Plan
    • Risk Report

    Infographic

    Workshop: Build an IT Risk Management Program

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Review IT Risk Fundamentals and Governance

    The Purpose

    To assess current risk management maturity, develop goals, and establish IT risk governance.

    Key Benefits Achieved

    Identified obstacles to effective IT risk management.

    Established attainable goals to increase maturity.

    Clearly laid out risk management accountabilities and responsibilities for IT and business stakeholders.

    Activities

    1.1 Assess current program maturity

    1.2 Complete RACI chart

    1.3 Create the IT risk council

    1.4 Identify and engage key stakeholders

    1.5 Add organization-specific risk scenarios

    1.6 Identify risk events

    Outputs

    Maturity Assessment

    Risk Management Program Manual

    Risk Register

    2 Identify IT Risks

    The Purpose

    Identify and assess all IT risks.

    Key Benefits Achieved

    Created a comprehensive list of all IT risk events.

    Risk events prioritized according to risk severity – as defined by the business.

    Activities

    2.1 Identify risk events (continued)

    2.2 Augment risk event list using COBIT 5 processes

    2.3 Determine the threshold for (un)acceptable risk

    2.4 Create impact and probability scales

    2.5 Select a technique to measure reputational cost

    2.6 Conduct risk severity level assessment

    Outputs

    Finalized List of IT Risk Events

    Risk Register

    Risk Management Program Manual

    3 Identify IT Risks (continued)

    The Purpose

    Prioritize risks, establish monitoring responsibilities, and develop risk responses for top risks.

    Key Benefits Achieved

    Risk monitoring responsibilities are established.

    Risk response strategies have been identified for all key risks.

    Activities

    3.1 Conduct risk severity level assessment

    3.2 Document the proximity of the risk event

    3.3 Conduct expected cost assessment

    3.4 Develop key risk indicators (KRIs) and escalation protocols

    3.5 Root cause analysis

    3.6 Identify and assess risk responses

    Outputs

    Risk Register

    Risk Management Program Manual

    Risk Event Action Plans

    4 Monitor, Report, and Respond to IT Risk

    The Purpose

    Assess and select risk responses for top risks and effectively communicate recommendations and priorities to the business.

    Key Benefits Achieved

    Thorough analysis has been conducted on the value and effectiveness of risk responses for high severity risk events.

    Authoritative risk response recommendations can be made to senior leadership.

    A finalized Risk Management Program Manual is ready for distribution to key stakeholders.

    Activities

    4.1 Identify and assess risk responses

    4.2 Risk response cost-benefit analysis

    4.3 Create multi-year cost projections

    4.4 Review techniques for embedding risk management in IT

    4.5 Finalize the Risk Report and Risk Management Program Manual

    4.6 Transfer ownership of risk responses to project managers

    Outputs

    Risk Report

    Risk Management Program Manual

    Further reading

    Build an IT Risk Management Program

    Mitigate the IT risks that could negatively impact your organization.

    Table of Contents

    3 Executive Brief

    4 Analyst Perspective

    5 Executive Summary

    19 Phase 1: Review IT Risk Fundamentals & Governance

    43 Phase 2: Identify and Assess IT Risk

    74 Phase 3: Monitor, Communicate, and Respond to IT Risk

    102 Appendix

    108 Bibliography

    Build an IT Risk Management Program

    Mitigate the IT risks that could negatively impact your organization.

    EXECUTIVE BRIEF

    Analyst Perspective

    Siloed risks are risky business for any enterprise.

    Photo of Valence Howden, Principal Research Director, CIO Practice.
    Valence Howden
    Principal Research Director, CIO Practice    		 Photo of Brittany Lutes, Senior Research Analyst, CIO Practice.
    Brittany Lutes
    Senior Research Analyst, CIO Practice

    Risk is an inherent part of life but not very well understood or executed within organizations. This has led to risk being avoided or, when it’s implemented, being performed in isolated siloes with inconsistencies in understanding of impact and terminology.

    Looking at risk in an integrated way within an organization drives a truer sense of the thresholds and levels of risks an organization is facing – making it easier to manage and leverage risk while reducing risks associated with different mitigation responses to the same risk events.

    This opens the door to using risk information – not only to prevent negative impacts but as a strategic differentiator in decision making. It helps you know which risks are worth taking, driving strong positive outcomes for your organization.

    Executive Summary

    Your Challenge

    IT has several challenges when it comes to addressing risk management:

    • Risk is unavoidable. Without a formal program to manage IT risk, you may be unaware of your severest IT risks.
    • The business could be making decisions that are not informed by risk.
    • Reacting to risks after they occur can be costly and crippling, yet it is one of the most common tactics used by IT departments.

    Common Obstacles

    Many IT organizations realize these obstacles:

    • IT risks and business risks are often addressed separately, causing inconsistencies in the approach.
    • Security risk receives such a high profile that it often eclipses other important IT risks, leaving the organization vulnerable.
    • Failing to include the business in IT risk management leaves IT leaders too accountable; the business must have accountability as well.

    Info-Tech’s Approach

    • Transform your ad hoc IT risk management processes into a formalized, ongoing program and increase risk management success.
    • Take a proactive stance against IT threats and vulnerabilities by identifying and assessing IT’s greatest risks before they occur.
    • Involve key stakeholders, including the business senior management team, to gain buy-in and to focus on the IT risks most critical to the organization.

    Info-Tech Insight

    IT risk is business risk. Every IT risk has business implications. Create an IT risk management program that shares accountability with the business.

    Ad hoc approaches to managing risk fail because…

    If you are like the majority of IT departments, you do not have a consistent and comprehensive strategy for managing IT risk.

    1. Ad hoc risk management is reactionary.
    2. Ad hoc risk management is often focused only on IT security.
    3. Ad hoc risk management lacks alignment with business objectives.

    The results:

    • Increased business risk exposure caused by a lack of understanding of the impact of IT risks on the business.
    • Increased IT non-compliance, resulting in costly settlements and fines.
    • IT audit failure.
    • Ineffective management of risk caused by poor risk information and wrong risk response decisions.
    • Increased unnecessary and avoidable IT failures and fixes.

    58% of organizations still lack a systematic and robust method to actually report on risks (Source: AICPA, 2021)

    Data is an invaluable asset – ensure it’s protected

    Case Studies

    Logo for Cognyte.

    Cognyte, a vendor hired to be a cybersecurity analytics company, had over five billion records exposed in Spring 2021. The data was compromised for four days, providing attackers with plenty of opportunities to obtain personally identifying information. (SecureBlink., 2021 & Security Magazine, 2021)

    Logo for Facebook.

    Facebook, the world’s largest social media giant, had over 533 million Facebook users’ personal data breached when data sets were able to be cross-listed with one another. (Business Insider, 2021 & Security Magazine, 2021)

    Logo for MGM Resorts.

    In 2020, over 10.6 million customers experienced some sort of data being accessible, with 1,300 having serious personally identifying information breached. (The New York Times, 2020)

    Risk management is a business enabler

    Formalize risk management to increase your likelihood of success.

    By identifying areas of risk exposure and creating solutions proactively, obstacles can be removed or circumvented before they become a real problem.

    A certain amount of risk is healthy and can stimulate innovation:

    • A formal risk management strategy doesn’t mean trying to mitigate every possible risk; it means exposing the organization to the right amount of risk.
    • Taking a formal risk management approach allows an organization to thoughtfully choose which risks it is willing to accept.
    • Organizations with high risk management maturity will vault themselves ahead of the competition because they will be aware of which risks to prepare for, which risks to ignore, and which risks to take.

    Only 12% of organizations are using risk as a strategic tool most or all of the time (Source: AICPA, 2021)

    IT risk is enterprise risk

    Accountability for IT risks and the decisions made to address them should be shared between IT and the business.

    Multiple types of risk, 'Finance', 'IT', 'People', and 'Digital', funneling into 'ENTERPRISE RISKS'. IT risks have a direct and often aggregated impact on enterprise risks and opportunities in the same way other business risks can. This relationship must be understood and addressed through integrated risk management to ensure a consistent approach to risk.

    Follow the steps of this blueprint to build or optimize your IT risk management program

    Cycle of 'Goverance' beginning with '1. Identify', '2. Assess', '3. Respond', '4. Monitor', '5. Report'.

    Start Here

    		 PHASE 1
    Review IT Risk Fundamentals and Governance
    		 PHASE 2
    Identify and Assess IT Risk
    		 PHASE 3
    Monitor, Report, and Respond to IT Risk

    1.1

    Review IT Risk Management Fundamentals

    1.2

    Establish a Risk Governance Framework

    2.1

    Identify IT Risks

    2.2

    Assess and Prioritize IT Risks

    3.1

    Monitor IT Risks and Develop Risk Responses

    3.2

    Report IT Risk Priorities

    Integrate Risk and Use It to Your Advantage

    Accelerate and optimize your organization by leveraging meaningful risk data to make intelligent enterprise risk decisions.

    Risk management is more than checking an audit box or demonstrating project due diligence.

    Risk Drivers
    • Audit & compliance
    • Preserve value & avoid loss
    • Previous risk impact driver
    • Major transformation
    • Strategic opportunities
    		 Arrow pointing right. Only 7% of organizations are in a “leading” or “aspirational” level of risk maturity. (OECD, 2021) 63% of organizations struggle when it comes to defining their appetite toward strategy related risks. (“Global Risk Management Survey,” Deloitte, 2021) Late adopters of risk management were 70% more likely to use instinct over data or facts to inform an efficient process. (Clear Risk, 2020) 55% of organizations have little to no training on ERM to properly implement such practices. (AICPA, NC State Poole College of Management, 2021)
    1. Assess Enterprise Risk Maturity 3. Build a Risk Management Program Plan 4. Establish Risk Management Processes 5. Implement a Risk Management Program
    2. Determine Authority with Governance
    Unfortunately, less than 50% of those in risk focused roles are also in a governance role where they have the authority to provide risk oversight. (Governance Institute of Australia, 2020)
    IT can improve the maturity of the organization’s risk governance and help identify risk owners who have authority and accountability.

    Governance and related decision making is optimized with integrated and aligned risk data.

    		 List of 'Integrated Risk Maturity Categories': '1. Context & Strategic Direction', '2. Risk Culture and Authority', '3. Risk Management Process', and '4. Risk Program Optimization'. The five types of a risk in 'Enterprise Risk Management (ERM)': 'IT', 'Security', 'Digital', 'Vendor/TPRM', and 'Other'.

    ERM incorporates the different types of risk, including IT, security, digital, vendor, and other risk types.

    The program plan is meant to consider all the major risk types in a unified approach.

    		 The 'Risk Process' cycle starting with '1. Identify', '2. Assess', '3. Respond', '4. Monitor', '5. Report', and back to the beginning. Implementation of an integrated risk management program requires ongoing access to risk data by those with decision making authority who can take action.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Key deliverable:

    Risk Management Program Manual

    Use the tools and activities in each phase of the blueprint to create a comprehensive, customized program manual for the ongoing management of IT risk.

    Sample of the key deliverable, Risk Manangement Program Fund.    		 Integrated Risk Maturity Assessment

    Assess the organization's current maturity and readiness for integrated risk management (IRM).

    		 Sample of the Integrated Risk Maturity Assessment blueprint. Centralized Risk Register

    The repository for all the risks that have been identified within your environment.

    		 Sample of the Centralized Risk Register blueprint.
    Risk Costing Tool

    A potential cost-benefit analysis of possible risk responses to determine a good method to move forward.

    		 Sample of the Risk Costing Tool blueprint. Risk Report & Risk Event Action Plan

    A method to report risk severity and hold risk owners accountable for chosen method of responding.

    		 Samples of the Risk Report & Risk Event Action Plan blueprints.

    Benefit from industry-leading best practices

    As a part of our research process, we used the COSO, ISO 31000, and COBIT 2019 frameworks. Contextualizing IT risk management within these frameworks ensured that our project-focused approach is grounded in industry-leading best practices for managing IT risk.

    Logo for COSO.

    COSO’s Enterprise Risk Management — Integrating with Strategy and Performance addresses the evolution of enterprise risk management and the need for organizations to improve their approach to managing risk to meet the demands of an evolving business environment. (COSO)

    Logo for ISO.

    ISO 31000
    Risk Management can help organizations increase the likelihood of achieving objectives, improve the identification of opportunities and threats, and effectively allocate and use resources for risk treatment. (ISO 31000)

    Logo for COBIT.

    COBIT 2019’s IT functions were used to develop and refine our Ten IT Risk Categories used in our top-down risk identification methodology. (COBIT 2019)

    Abandon ad hoc risk management

    A strong risk management foundation is valuable when building your IT risk management program.

    This research covers the following IT risk fundamentals:

    • Benefits of formalized risk management
    • Key terms and definitions
    • Risk management within ERM
    • Risk management independent of ERM
    • Four key principles of IT risk management
    • Importance of a risk management program manual
    • Importance of buy-in and support from the business

    Drivers of Formalized Risk Management:
    Drivers External to IT
    External Audit Internal Audit
    Mandated by ERM
    Occurrence of Risk Event
    Demonstrating IT’s value to the business Proactive initiative
    Emerging IT risk awareness
    Grassroots Drivers

    Blueprint benefits

    IT Benefits

    • Increased on-time, in-scope, and on-budget completion of IT projects.
    • Meet the business’ service requirements.
    • Improved satisfaction with IT by senior leadership and business units.
    • Fewer resources wasted on fire-fighting.
    • Improved availability, integrity, and confidentiality of sensitive data.
    • More efficient use of resources.
    • Greater ability to respond to evolving threats.

    Business Benefits

    • Reduced operational surprises or failures.
    • Improved IT flexibility when responding to risk events and market fluctuations.
    • Reduced budget uncertainty.
    • Improved ability to make decisions when developing long-term strategies.
    • Improved stakeholder and shareholder confidence.
    • Achieved compliance with external regulations.
    • Competitive advantage over organizations with immature risk management practices.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting
    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is 6 to 8 calls over the course of 3 to 6 months.

    What does a typical GI on this topic look like?

      Phase 1

    • Call #1: Assess current risk maturity and organizational buy-in.
    • Call #2: Establish an IT risk council and determine IT risk management program goals.

      • Phase 2

    • Call #3: Identify the risk categories used to organize risk events.
    • Call #4: Identify the threshold for risk the organization can withstand.

      • Phase 3

    • Call #5: Create a method to assess risk event severity.
    • Call #6: Establish a method to monitor priority risks and consider possible risk responses.
    • Call #7: Communicate risk priorities to the business and implement risk management plan.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Day 1 Day 2 Day 3 Day 4 Day 5
    Activities
    Review IT Risk Fundamentals and Governance

    1.1 Assess current program maturity

    1.2 Complete RACI chart

    1.3 Create the IT risk council

    1.4 Identify and engage key stakeholders

    1.5 Add organization-specific risk scenarios

    1.6 Identify risk events
    Identify IT Risks

    2.1 Identify risk events (continued)

    2.2 Augment risk event list using COBIT5 processes

    2.3 Determine the threshold for (un)acceptable risk

    2.4 Create impact and probability scales

    2.5 Select a technique to measure reputational cost

    2.6 Conduct risk severity level assessment
    Assess IT Risks

    3.1 Conduct risk severity level assessment

    3.2 Document the proximity of the risk event

    3.3 Conduct expected cost assessment

    3.4 Develop key risk indicators (KRIs) and escalation protocols

    3.5 Perform root cause analysis

    3.6 Identify and assess risk responses
    Monitor, Report, and Respond to IT Risk

    4.1 Identify and assess risk responses

    4.2 Risk response cost-benefit analysis

    4.3 Create multi-year cost projections

    4.4 Review techniques for embedding risk management in IT

    4.5 Finalize the Risk Report and Risk Management Program Manual

    4.6 Transfer ownership of risk responses to project managers
    Next Steps and Wrap-Up (offsite)

    5.1 Complete in-progress deliverables from previous four days

    5.2 Set up review time for workshop deliverables and to discuss next steps
    Outcomes
    1. Maturity Assessment
    2. Risk Management Program Manual
    1. Finalized List of IT Risk Events
    2. Risk Register
    3. Risk Management Program Manual
    1. Risk Register
    2. Risk Event Action Plans
    3. Risk Management Program Manual
    1. Risk Report
    2. Risk Management Program Manual
    1. Workshop Report
    2. Risk Management Program Manual

    Build an IT Risk Management Program

    Phase 1

    Review IT Risk Fundamentals and Governance

    Phase 1

    • 1.1 Review IT Risk Management Fundamentals
    • 1.2 Establish a Risk Governance Framework
      •

    Phase 2

    • 2.1 Identify IT Risks
    • 2.2 Assess and Prioritize IT Risks

    Phase 3

    • 3.1 Develop Risk Responses and Monitor IT Risks
    • 3.2 Report IT Risk Priorities

    This phase will walk you through the following activities:

    • Gain buy-in from senior leadership
    • Assess current program maturity
    • Identify obstacles and pain points
    • Determine the risk culture of the organization
    • Develop risk management goals
    • Develop SMART project metrics
    • Create the IT risk council
    • Complete a RACI chart

    This phase involves the following participants:

    • IT executive leadership
    • Business executive leadership

    Step 1.1

    Review IT Risk Management Fundamentals

    Activities
    • 1.1.1 Gain buy-in from senior leadership
    • 1.1.2 Assess current program maturity

    This step involves the following participants:

    • IT executive leadership
    • Business executive leadership

    Outcomes of this step

    • Reviewed key IT principles and terminology
    • Gained understanding of the relationship between IT risk management and ERM
    • Introduced to Info-Tech’s IT Risk Management Framework
    • Obtained the support of senior leadership
    Step 1.1 Step 1.2

    Effective IT risk management is possible with or without ERM

    Whether or not your organization has ERM, integrating your IT risk management program with the business is possible.

    Most IT departments find themselves in one of these two organizational frameworks for managing IT risk:

    Core Responsibilities With an ERM Without an ERM
    • Risk Decision-Making Authority
    • Final Accountability
    		 Senior Leadership Team Senior Leadership Team
    • Risk Governance
    • Risk Prioritization & Communication
    		 ERM IT Risk Management
    • Risk Identification
    • Risk Assessment
    • Risk Monitoring
    		 IT Risk Management
    Pro: IT’s risk management responsibilities are defined (assessment schedules, escalation and reporting procedures).
    Con: IT may lack autonomy to implement IT risk management best practices.    		 Pro: IT is free to create its own IT risk council and develop customized processes that serve its unique needs.
    Con: Lack of clear reporting procedures and mechanisms to share accountability with the business.

    Info-Tech’s IT risk management framework walks you through each step to achieve risk readiness

    IT Risk Management Framework

    Risk Governance
    • Optimize Risk Management Processes
    • Assess Risk Maturity
    • Measure the Success of the Program
    		 A cycle surrounds the words 'Business Objectives', referring to the surrounding lists. On the top half is 'Communication', and the bottom is 'Monitoring'. Risk Identification
    • Engage Stakeholder Participation
    • Use Risk Identification Frameworks
    • Compile IT-Related Risks
    Risk Response
    • Establish Monitoring Responsibilities
    • Perform Cost-Benefit Analysis
    • Report Risk Response Actions
    		 Risk Assessment
    • Establish Thresholds for Unacceptable Risk
    • Calculate Expected Cost
    • Determine Risk Severity & Prioritize IT Risks

    Effective IT risk management benefits

    Obtain the support of the senior leadership team or IT steering committee by communicating how IT risk impacts their priorities.

    Risk management benefits To engage the business...
    IT is compliant with external laws and regulations. Identify the industry or legal legislation and regulations your organization abides by.
    IT provides support for business compliance. Find relevant business compliance issues, and relate compliance failures to cost.
    IT regularly communicates costs, benefits, and risks to the business. Acknowledge the number of times IT and the business miscommunicate critical information.
    Information and processing infrastructure are very secure. Point to past security breaches or potential vulnerabilities in your systems.
    IT services are usually delivered in line with business requirements. Bring up IT services that the business was unsatisfied with. Explain that their inputs in identifying risks are correlated with project quality.
    IT related business risks are managed very well. Make it clear that with no risk tracking process, business processes become exposed and tend to slow down.
    IT projects are completed on time and within budget. Point out late or over-budget projects due to the occurrence of unforeseen risks.

    1.1.1 Gain buy-in from senior leadership

    1-4 hours

    Input: List of IT personnel and business stakeholders

    Output: Buy-in from senior leadership for an IT risk management program

    Materials: Risk Management Program Manual

    Participants: IT executive leadership, Business executive leadership

    The resource demands of IT risk management will vary from organization to organization. Here are typical requirements:

    • Occasional participation of key IT personnel and select business stakeholders in IT risk council meetings (e.g. once every two weeks).
    • Periodic risk assessments (e.g. 4 days, twice a year).
    • IT personnel must take on risk monitoring responsibilities (e.g. 1-4 hours per week).
    • Record the results in the Program Manual sections 3.3, 3.4 and 3.5.

    Record the results in the Risk Management Program Manual.

    Integrated Risk Maturity Assessment

    The purpose of the Integrated Risk Maturity Assessment is to assess the organization's current maturity and readiness for integrated risk management (IRM)

    Frequently and continually assessing your organization’s maturity toward integrated risk ensures the right risk management program can be adopted by your organization.

    Integrated Risk Maturity Assessment
    A simple tool to understand if your organization is ready to embrace integrated risk management by measuring maturity across four key categories: Context & Strategic Direction, Risk Culture & Authority, Risk Management Process, and Risk Program Optimization.    		 Sample of the Integrated Risk Maturity Assessment deliverable.

    Use the results from this integrated risk maturity assessment to determine the type of risk management program that can and should be adopted by your organizations.

    Some organizations will need to remain siloed and focused on IT risk management only, while others will be able to integrate risk-related information to start enabling automatic controls that respond to this data.

    1.1.2 Assess current program maturity

    1-4 hours

    Input: List of IT personnel and business stakeholders

    Output: Maturity scores across four key risk categories

    Materials: Integrated Risk Maturity Assessment Tool

    Participants: IT executive leadership, Business executive leadership

    This assessment is intended for frequent use; process completeness should be re-evaluated on a regular basis.

    How to Use This Assessment:

    1. Download the Integrated Risk Management Maturity Assessment Tool.
    2. Tab 2, "Data Entry:" This is a qualitative assessment of your integrated risk management process and is organized by the categories of integrated risk maturity. You will be asked to rate the extent to which you are executing the activities required to successfully complete each phase of the assessment. Use the drop-down menus provided to select the appropriate level of execution for each activity listed.
    3. Tab 3, "Results:" This tab will display your rate of IRM completeness/maturity. You will receive a score for each category as well as an overall score. The results will be displayed numerically, by percentage, and graphically.

    Record the results in the Integrated Risk Maturity Assessment.

    Integrated Risk Maturity Categories

    		 Semi-circle with colored points indicating four categories.

    1

    		Context & Strategic Direction Understanding of the organization’s main objectives and how risk can support or enhance those objectives.

    2

    		Risk Culture and Authority Examine if risk-based decisions are being made by those with the right level of authority and if the organization’s risk appetite is embedded in the culture.

    3

    		Risk Management Process Determine if the current process to identify, assess, respond to, monitor, and report on risks is benefitting the organization.

    4

    		Risk Program Optimization Consider opportunities where risk-related data is being gathered, reported, and used to make informed decisions across the enterprise.

    Step 1.2

    Establish a Risk Governance Framework

    Activities
    • 1.2.1 Identify pain points/obstacles and opportunities
    • 1.2.2 Determine the risk culture of the organization
    • 1.2.3 Develop risk management goals
    • 1.2.4 Develop SMART project metrics
    • 1.2.5 Create the IT risk council
    • 1.2.6 Complete a RACI chart

    This step involves the following participants:

    • IT executive leadership
    • Business executive leadership

    Outcomes of this step

    • Developed goals for the risk management program
    • Established the IT risk council
    • Assigned accountability and responsibility for risk management processes

    Review IT Risk Fundamentals and Governance

    Step 1.1 Step 1.2

    Create an IT risk governance framework that integrates with the business

    Follow these best practices to make sure your requirements are solid:

    1. Self-assess your current approach to IT risk management.
    2. Identify organizational obstacles and set attainable risk management goals.
    3. Track the effectiveness and success of the program using SMART risk management metrics.
    4. Establish an IT risk council tasked with managing IT risk.
    5. Set clear risk management accountabilities and responsibilities for IT and business stakeholders.

    Key metrics for your IT risk governance framework

    Challenges:
    • Key stakeholders are left out or consulted once risks have already occurred.
    • Failure to employ consistent risk identification methodologies results in omitted and unknown risks.
    • Risk assessments do not reflect organizational priorities and may not align with thresholds for acceptable risk.
    • Risk assessment occurs sporadically or only after a major risk event has already occurred.
    		 Key metrics:
    • Number of risk management processes done ad hoc.
    • Frequency that IT risk appears as an agenda item at IT steering committee meetings.
    • Percentage of IT employees whose performance evaluations reflect risk management objectives.
    • Percentage of IT risk council members who are trained in risk management activities.
    • Number of open positions in the IT risk council.
    • Cost of risk management program operations per year.

    Info-Tech Insight

    Metrics provide the foundation for determining the success of your IT risk management program and ensure ongoing funding to support appropriate risk responses.

    IT risk management success factors

    Support and sponsorship from senior leadership

    IT risk management has more success when initiated by a member of the senior leadership team or the board, rather than emerging from IT as a grassroots initiative.

    Sponsorship increases the likelihood that risk management is prioritized and receives the necessary resources and attention. It also ensures that IT risk accountability is assumed by senior leadership.

    		 Risk culture and awareness

    A risk-aware organizational culture embraces new policies and processes that reflect a proactive approach to risk.

    An organization with a risk-aware culture is better equipped to facilitate communication vertically within the organization.

    Risk awareness can be embedded by revising job descriptions and performance assessments to reflect IT risk management responsibilities.

    		 Organization size

    Smaller organizations can often institute a mature risk management program much more quickly than larger organizations.

    It is common for key personnel within smaller organizations to be responsible for multiple roles associated with risk management, making it easier to integrate IT and business risk management.

    Larger organizations may find it more difficult to integrate a more complex and dispersed network of individuals responsible for various risk management responsibilities.

    1.2.1 Identify obstacles and pain points

    1-4 hours

    Input: Integrated Risk Maturity Assessment

    Output: Obstacles and pain points identified

    Materials: IT Risk Management Success Factors

    Participants: IT executive leadership, Business executive leadership

    Anticipate potential challenges and “blind spots” by determining which success factors are missing from your current situation.

    Instructions:

    1. List the potential obstacles and missing success factors that you must overcome to effectively manage IT risk and build a risk management program.
    2. Consider some opportunities that could be leveraged to increase the success of this program.
    3. Use this list in Activity 1.2.3 to develop program goals.

    Risk Management

    Replace the example pain points and opportunities with real scenarios in your organization.

    Pain Points/Obstacles
    • Lack of leadership buy-in
    • Skills and understanding around risk management within IT
    • Skills and understanding around risk management within the organization
    • Lack of a defined risk management posture
    		 Opportunities
    • Changes in regulations related to risk
    • Organization moving toward an integrated risk management program
    • Ability to leverage lessons learned from similar companies
    • Strong process management and adherence to policies by employees in the organization

    1.2.2 Determine the risk culture of your organization

    1-3 hours

    Determine how your organization fits the criteria listed below. Descriptions and examples do not have to match your organization perfectly.

    Risk Tolerant
    • You have no compliance requirements.
    • You have no sensitive data.
    • Customers do not expect you to have strong security controls.
    • Revenue generation and innovative products take priority and risk is acceptable.
    • The organization does not have remote locations.
    • It is likely that your organization does not operate within the following industries:
      • Finance
      • Health care
      • Telecom
      • Government
      • Research
      • Education
    		 Moderate
    • You have some compliance requirements, e.g.:
      • HIPAA
      • PIPEDA
    • You have sensitive data, and are required to retain records.
    • Customers expect strong security controls.
    • Information security is visible to senior leadership.
    • The organization has some remote locations.
    • Your organization most likely operates within the following industries:
      • Government
      • Research
      • Education
    		 Risk Averse
    • You have multiple, strict compliance and/or regulatory requirements.
    • You house sensitive data, such as medical records.
    • Customers expect your organization to maintain strong and current security controls.
    • Information security is highly visible to senior management and public investors.
    • The organization has multiple remote locations.
    • Your organization operates within the following industries:
      • Finance
      • Healthcare
      • Telecom

    Be aware of the organization’s attitude towards risk

    Risk culture is an organization’s attitude towards taking risks. This attitude manifests itself in two ways:

    One element of risk culture is what levels of risk the organization is willing to accept to pursue its objectives and what levels of risk are deemed unacceptable. This is often called risk appetite.
    Risk tolerant

    Risk-tolerant organizations embrace the potential of accelerating growth and the attainment of business objectives by taking calculated risks.

    		 Risk averse

    Risk-averse organizations prefer consistent, gradual growth and goal attainment by embracing a more cautious stance toward risk.
    The other component of risk culture is the degree to which risk factors into decision making.
    Risk conscious

    Risk-conscious organizations place a high priority on being aware of all risks impacting business objectives, regardless of whether they choose to accept or respond to those risks.

    		 Unaware

    Organizations that are largely unaware of the impact of risk generally believe there are few major risks impacting business objectives and choose to invest resources elsewhere.

    Info-Tech Insight

    Organizations typically fall in the middle of these spectrums. While risk culture will vary depending on the industry and maturity of the organization, a culture with a balanced risk appetite that is extremely risk conscious is able to make creative, dynamic decisions with reasonable limits placed on risk-related decision making.

    1.2.3 Develop goals for the IT risk management program

    1-4 hours

    Input: Integrated Risk Maturity Assessment, Risk Culture, Pain Points and Opportunities

    Output: Goals for the IT risk management program

    Materials: Risk Management Program Manual

    Participants: IT executive leadership, Business executive leadership

    Translate your maturity assessment and knowledge about organizational risk culture, potential obstacles, and success factors to develop goals for your IT risk management program.

    Instructions:

    1. In the Risk Management Program Manual, revise, replace, or add to the high-level goals provided in section 2.4.
    2. Make sure that you have three to five high-level goals that reflect the current and targeted maturity of IT risk management processes.
    3. Integrate potential obstacles, pain points, and insights from the organization’s risk culture.

    Record the results in the Risk Management Program Manual.

    1.2.4 Develop SMART project metrics

    1-3 hours

    Create metrics for measuring the success of the IT risk management program.

    Ensure that all success metrics are SMART Instructions
    1. Document a list of appropriate metrics to assess the success of the IT risk management program on a whiteboard.
    2. Use the sample metrics listed in the table on the next slide as a starting point.
    3. Fill in the chart to indicate the:
      1. Name of the success metric
      2. Method for measuring success
      3. Baseline measurement
      4. Target measurement
      5. Actual measurements at various points throughout the process of improving the risk management program
      6. A deadline for each metric to meet the target measurement
    Strong Make sure the objective is clear and detailed.
    Measurable Objectives are measurable if there are specific metrics assigned to measure success. Metrics should be objective.
    Actionable Objectives become actionable when specific initiatives designed to achieve the objective are identified.
    Realistic Objectives must be achievable given your current resources or known available resources.
    Time-Bound An objective without a timeline can be put off indefinitely. Furthermore, measuring success is challenging without a timeline.

    1.2.4 Develop SMART project metrics (continued)

    1-3 hours

    Attach metrics to your goals to gauge the success of the IT risk management program.

    Replace the example metrics with accurate KPIs or metrics for your organization.

    Sample Metrics
    Name Method Baseline Target Deadline Checkpoint 1 Checkpoint 2 Final
    Number of risks identified (per year) Risk register 0 100 Dec. 31
    Number of business units represented (risk identification) Meeting minutes 0 5 Dec. 31
    Frequency of risk assessment Assessments recorded in risk management program manual 0 2 per year Year 2
    Percentage of identified risk events that undergo expected cost assessment Ratio of risks assessed in the risk costing tool to risks assessed in the risk register 0 20% Dec. 31
    Number of top risks without an identified risk response Risk register 5 0 March 1
    Cost of risk management program operations per year Meeting frequency and duration, multiplied by the cost of participation $2,000 $5,000 Dec. 31

    Create the IT risk committee (ITRC)

    Responsibilities of the ITRC:
    1. Formalize risk management processes.
    2. Identify and review major risks throughout the IT department.
    3. Recommend an appropriate risk appetite or level of exposure.
    4. Review the assessment of the impact and likelihood of identified risks.
    5. Review the prioritized list of risks.
    6. Create a mitigation plan to minimize risk likelihood and impact.
    7. Review and communicate overall risk impact and risk management success.
    8. Assign risk ownership responsibilities of key risks to ensure key risks are monitored and risk responses are effectively implemented.
    9. Address any concerns in regards to the risk management program, including, but not limited to, reviewing their risk management duties and resourcing.
    10. Communicate risk reports to senior management annually.
    11. Make any alterations to the committee roster and the individuals’ responsibilities as needed and document changes.
    		 Must be on the ITRC:
    • CIO
    • CRO (if applicable)
    • Senior Directors
    • Security Officer
    • Head of Operations

    Must be on the ITRC:

    • CFO
    • Senior representation from every business unit impacted by IT risk

    1.2.5 Create the IT risk council

    1-4 hours

    Input: List of IT personnel and business stakeholders

    Output: Goals for the IT risk management program

    Materials: Risk Management Program Manual

    Participants: CIO, CRO (if applicable), Senior Directors, Head of Operations

    Identify the essential individuals from both the IT department and the business to create a permanent committee that meets regularly and carries out IT risk management activities.

    Instructions:

    1. Review sections 3.1 (Mandate) and 3.2 (Agenda and Responsibilities) of the IT Risk Committee Charter, located in the Risk Management Program Manual. Make any necessary revisions.
    2. In section 3.3, document how frequently the council is scheduled to meet.
    3. In section 3.4, document members of the IT risk council.
    4. Obtain sign-off for the IT risk council from the CIO or another member of the senior leadership team in section 3.5 of the manual.

    Record the results in the Risk Management Program Manual.

    1.2.6 Complete RACI chart

    1-3 hours

    A RACI diagram is a useful visualization that identifies redundancies and ensures that every role, project, or task has an accountable party.

    RACI is an acronym made up of four participatory roles: Instructions
    1. Use the template provided on the following slide, and add key stakeholders who do not appear and are relevant for your organization.
    2. For each activity, assign each stakeholder a letter.
    3. There must be an accountable party for each activity (every activity must have an “A”).
    4. For activities that do not apply to a particular stakeholder, leave the space blank.
    5. Once the chart is complete, copy/paste it into section 4.1 of the Risk Management Program Manual.
    Responsible Stakeholders who undertake the activity.
    Accountable Stakeholders who are held responsible for failure or take credit for success.
    Consulted Stakeholders whose opinions are sought.
    Informed Stakeholders who receive updates.

    1.2.6 Complete RACI chart (continued)

    1-3 hours

    Assign risk management accountabilities and responsibilities to key stakeholders:

    Stakeholder Coordination Risk Identification Risk Thresholds Risk Assessment Identify Responses Cost-Benefit Analysis Monitoring Risk Decision Making
    ITRC A R I R R R A C
    ERM C I C I I I I C
    CIO I A A A A A I R
    CRO I R C I R
    CFO I R C I R
    CEO I R C I A
    Business Units I C C C
    IT I I I I I I R C
    PMO C C C
    Legend: Responsible Accountable Consulted Informed

    Build an IT Risk Management Program

    Phase 2

    Identify and Assess IT Risk

    Phase 1

    • 1.1 Review IT Risk Management Fundamentals
    • 1.2 Establish a Risk Governance Framework

    Phase 2

    • 2.1 Identify IT Risks
    • 2.2 Assess and Prioritize IT Risks
      •

    Phase 3

    • 3.1 Develop Risk Responses and Monitor IT Risks
    • 3.2 Report IT Risk Priorities

    This phase will walk you through the following activities:

    • Add organization-specific risk scenarios
    • Identify risk events
    • Augment risk event list using COBIT 2019 processes
    • Conduct a PESTLE analysis
    • Determine the threshold for (un)acceptable risk
    • Create a financial impact assessment scale
    • Select a technique to measure reputational cost
    • Create a likelihood scale
    • Assess risk severity level
    • Assess expected cost

    This phase involves the following participants:

    • IT risk council
    • Relevant business stakeholders
    • Representation from senior management team
    • Business Risk Owners

    Step 2.1

    Identify IT Risks

    Activities
    • 2.1.1 Add organization-specific risk scenarios
    • 2.1.2 Identify risk events
    • 2.1.3 Augment risk event list using COBIT 19 processes
    • 2.1.4 Conduct a PESTLE analysis

    This step involves the following participants:

    • IT executive leadership
    • IT Risk Council
    • Business executive leadership
    • Business risk owners

    Outcomes of this step

    • Participation of key stakeholders
    • Comprehensive list of IT risk events
    Identify and Assess IT Risk
    Step 2.1 Step 2.2

    Get to know what you don’t know

    1. Engage the right stakeholders in risk identification.
    2. Employ Info-Tech’s top-down approach to risk identification.
    3. Augment your risk event list using alternative frameworks.
    		 Key metrics:
    • Total risks identified
    • New risks identified
    • Frequency of updates to the Risk Register Tool
    • Number of realized risk events not identified in the Risk Register Tool
    • Level of business participation in enterprise IT risk identification
      • Number of business units represented
      • Number of meetings attended in person
      • Number of risk reports received

    Info-Tech Insight

    What you don’t know CAN hurt you. How do you identify IT-related threats and vulnerabilities that you are not already aware of? Now that you have created a strong risk governance framework that formalizes risk management within IT and connects it to the enterprise, follow the steps outlined in this section to reveal all of IT’s risks.

    Engage key stakeholders

    Ensure that all key risks are identified by engaging key business stakeholders.

    Benefits of obtaining business involvement during the risk identification stage:
    • You will identify risk events you had not considered or you weren’t aware of.
    • You will identify risks more accurately.
    • Risk identification is an opportunity to raise awareness of IT risk management early in the process.

    Executive Participation:

    • CIO participation is integral when building a comprehensive register of risk events impacting IT.
    • CIOs and IT directors possess a holistic view of all of IT’s functions.
    • CIOs and IT directors are uniquely placed to identify how IT affects other business units and the attainment of business objectives. If applicable, CRO and CTO participation is also critical.

    Prioritizing and Selecting Stakeholders

    1. Reliance on IT services and technologies to achieve business objectives.
    2. Relationship with IT, and willingness to engage in risk management activities.
    3. Unique perspectives, skills, and experiences that IT may not possess.

    Info-Tech Insight

    While IT personnel are better equipped to identify IT risk than anyone, IT does not always have an accurate view of the business’ exposure to IT risk. Strive to maintain a 3 to 1 ratio of IT to non-IT personnel involved in the process.

    Enable IT to target risk holistically

    Take a top-down approach to risk identification to guide brainstorming

    Info-Tech’s risk categories are consistent with a risk identification method called Risk Prompting.

    A risk prompt list is a list that categorizes risks into types or areas. The n10 risk categories encapsulate the services, activities, responsibilities, and functions of most IT departments. Use these categories and the example risk scenarios provided as prompts to guide brainstorming and organize risks.

    Risk Category: High-level groupings that describe risk pertaining to major IT functions. See the following slide for all ten of Info-Tech’s IT risk categories. Risk Scenario: An abstract profile representing common risk groups that are more specific than risk categories. Typically, organizations are able to identify two to five scenarios for each category. Risk Event: Specific threats and vulnerabilities that fall under a particular risk scenario. Organizations are able to identify anywhere between 1 and 20 events for each scenario. See the Appendix of the Risk Management Program Manual for a list of risk event examples.

    Risk Category

    Risk Scenario

    Risk Event
    Compliance Regulatory compliance Being fined for not complying/being aware of a new regulation.
    Externally originated attack Phishing attack on the organization.
    Operational Technology evaluation & selection Partnering with a vendor that is not in compliance with a key regulation.
    Capacity planning Not having sufficient resources to support a DRP.
    Third-Party Risk Vendor management Vendor performance requirements are improperly defined.
    Vendor selection Vendors are improperly selected to meet the defined use case.

    2.1.1 Add organization-specific risk scenarios

    1-3 hours

    Review Info-Tech’s ten IT risk categories and add risk scenarios to the examples provided.

    IT Reputational
    • Negative PR
    • Consumers writing negative reviews
    • Employees writing negative reviews
    		 IT Financial
    • Stock prices drop
    • Value of the organization is reduced
    		 IT Strategic
    • Organization prioritizes innovation but remains focused on operational
    • Unable to access data to support strategic initiative
    		 Operational
    • Enterprise architecture
    • Technology evaluation and selection
    • Capacity planning
    • Operational errors
    		 Availability
    • Power outage
    • Increased data workload
    • Single source of truth
    • Lacking knowledge transfer processes for critical tasks
    Performance
    • Network failure
    • Service levels not being met
    • Capacity overload
    		 Compliance
    • Regulatory compliance
    • Standards compliance
    • Audit compliance
    		Security
    • Malware
    • Internally originated attack
    		 Third Party
    • Vendor selection
    • Vendor management
    • Contract termination
    		 Digital
    • No back-up process if automation fails

    2.1.2 Identify risk events

    1-4 hours

    Input: IT risk categories

    Output: Risk events identified and categorized

    Materials: Risk Register Tool

    Participants: IT risk council, Relevant business stakeholders, Representation from senior management team, Business risk owners, CRO (if applicable)

    Use Info-Tech’s IT risk categories and scenarios to brainstorm a comprehensive list of IT-related threats and vulnerabilities impacting your organization.

    Instructions:

    1. Document risk events in the Risk Register Tool.
    2. List risk scenarios (organized by risk category) in the Risk Events/Threats column.
    3. Disseminate the list to key stakeholders who were unable to participate and solicit their feedback.
      • Consult the RACI chart located in section 4.1 of the Risk Management Program Manual.
    4. Attack one scenario at a time, exhausting all realistic risk events for that grouping before moving onto the next scenario. Each scenario should take approximately 45-60 minutes.

    Tip: If disagreement arises regarding whether a specific risk event is relevant to the organization or not and it cannot be resolved quickly, include it in the list. The applicability of these risks will become apparent during the assessment process.

    Record the results in the Risk Register Tool.

    2.1.3 Augment the risk event list using COBIT 2019 processes (Optional)

    1-3 hours

    Other industry-leading frameworks provide alternative ways of conceptualizing the functions and responsibilities of IT and may help you uncover additional risk events.

    1. Managed IT Management Framework
    2. Managed Strategy
    3. Managed Enterprise Architecture
    4. Managed Innovation
    5. Managed Portfolio
    6. Managed Budget and Costs
    7. Managed Human Resources
    8. Managed Relationships
    9. Managed Service Agreements
    10. Managed Vendors
    11. Managed Quality
    12. Managed Risk
    13. Managed Security
    14. Managed Data
    15. Managed Programs
    16. Managed Requirements Definition
    17. Managed Solutions Identification and Build
    18. Managed Availability and Capacity
    19. Managed Organizational Change Enablement
    20. Managed IT Changes
    1. Managed IT Change Acceptance and Transitioning
    2. Managed Knowledge
    3. Managed Assets
    4. Managed Configuration
    5. Managed Projects
    6. Managed Operations
    7. Managed Service Requests and Incidents
    8. Managed Problems
    9. Managed Continuity
    10. Managed Security Services
    11. Managed Business Process Controls
    12. Managed Performance and Conformance Monitoring
    13. Managed System of Internal Control
    14. Managed Compliance with External Requirements
    15. Managed Assurance
    16. Ensured Governance Framework Setting and Maintenance
    17. Ensured Benefits Delivery
    18. Ensured Risk Optimization
    19. Ensured Resource Optimization
    20. Ensured Stakeholder Engagement

    Instructions:

    1. Review COBIT 2019’s 40 IT processes and identify additional risk events.
    2. Match risk events to the corresponding risk category and scenario and add them to the Risk Register Tool.

    2.1.4 Finalize your risk register by conducting a PESTLE analysis (Optional)

    1-3 hours

    Explore alternative identification techniques to incorporate external factors and avoid “groupthink.”

    Consider the External Environment – PESTLE Analysis

    Despite efforts to encourage equal participation in the risk identification process, key risks may not have been shared in previous exercises.

    Conduct a PESTLE analysis as a final safety net to ensure that all key risk events have been identified.

    		 Avoid “Groupthink” – Nominal Group Technique

    The Nominal Group Technique uses the silent generation of ideas and an enforced “safe” period of time where ideas are shared but not discussed to encourage judgement-free idea generation.

    • Ideas are generated silently and independently.
    • Ideas are then shared and documented; however, discussion is delayed until all of the group’s ideas have been recorded.
    • Idea generation can occur before the meeting and be kept anonymous.

    Note: Employing either of these techniques will lengthen an already time-consuming process. Only consider these techniques if you have concerns regarding the homogeneity of the ideas being generated or if select individuals are dominating the exercise.
    List the following factors influencing the risk event:
    • Political factors
    • Economic factors
    • Social factors
    • Technological factors
    • Legal factors
    • Environmental factors
    		 'PESTLE Analysis' presented as a wheel with the acronym's meanings surrounding the title. 'Political Factors', 'Economic Factors', 'Social Factors', 'Technological Factors', 'Legal Factors', and 'Environmental Factors'.

    Step 2.2

    Assess and Prioritize IT Risks

    Activities
    • 2.2.1 Determine the threshold for (un)acceptable risk
    • 2.2.2 Create a financial impact assessment scale
    • 2.2.3 Select a technique to measure reputational cost
    • 2.2.4 Create a likelihood scale
    • 2.2.5 Risk severity level assessment
    • 2.2.6 Expected cost assessment

    This step involves the following participants:

    • IT risk council
    • Relevant business stakeholders
    • Representation from senior management team
    • Business risk owners

    Outcomes of this step

    • Business-approved thresholds for unacceptable risk
    • Completed Risk Register Tool with risks prioritized according to severity
    • Expected cost calculations for high-priority risks

    Identify and Assess IT Risk

    Step 2.1 Step 2.2

    Reveal the organization’s greatest IT threats and vulnerabilities

    1. Establish business-approved risk thresholds for acceptable and unacceptable risk.
    2. Conduct a streamlined assessment of all risks to separate acceptable and unacceptable risks.
    3. Perform a deeper, cost-based assessment of prioritized risks.
    		 Key metrics:
    • Frequency of IT risk assessments
      • (Annually, bi-annually, etc.)
    • Assessment accuracy
      • Percentage of risk assessments that are substantiated by later occurrences or testing
      • Ratio of cumulative actual costs to expected costs
    • Assessment consistency
      • Percentage of risk assessments that are substantiated by third-party audit
    • Assessment rigor
      • Percentage of identified risk events that undergo first-level assessment (severity scores)
      • Percentage of identified risk events that undergo second-level assessment (expected cost)
    • Stakeholder oversight and participation
      • Level of executive participation in IT risk assessment (attend in person, receive report, etc.)
      • Number of business stakeholder reviews per risk assessment

    Info-Tech Insight

    Risk is money. It’s impossible to make intelligent decisions about risks without knowing what their financial impact will be.

    Review risk assessment fundamentals

    Risk assessment provides you with the raw materials to conduct an informed cost-benefit analysis and make robust risk response decisions.

    In this section, you will be prioritizing your IT risks according to their risk severity, which is a reflection of their expected cost.

    Calculating risk severity

    How much you expect a risk event to cost if it were to occur:

    Likelihood of Risk Impact

    e.g. $250,000 or “High”

    X

    		 Calibrated by how likely the risk is to occur:

    Likelihood of Risk Occurrence

    e.g. 10% or “Low”

    =

    		 Produces a dollar value or “severity level” for comparing risks:

    Risk Severity

    e.g. $25,000 or “Medium”    		 Which must be evaluated against thresholds for acceptable risk and the cost of risk responses.

    Risk Tolerance
    Risk Response
    CBA
    Cost-benefit analysis

    Maintain the engagement of key stakeholders in the risk assessment process

    1

    Engage the Business During Assessment Process

    Asking business stakeholders to make significant contributions to the assessment exercise may be unrealistic (particularly for members of the senior leadership team, other than the CIO).

    Ensure that they work with you to finalize thresholds for acceptable or unacceptable risk.

    2

    Verify the Risk Impact and Assessment

    If IT has ranked risk events appropriately, the business will be more likely to offer their input. Share impact and likelihood values for key risks to see if they agree with the calculated risk severity scores.

    3

    Identify Where the Business Focuses Attention

    While verifying, pay attention to the risk events that the business stresses as key risks. Keep these risks in mind when prioritizing risk responses as they are more likely to receive funding.

    Try to communicate the assessments of these risk events in terms of expected cost to attract the attention of business leaders.

    Info-Tech Insight

    If business executives still won’t provide the necessary information to update your initial risk assessments, IT should approach business unit leaders and lower-level management. Lean on strong relationships forged over time between IT and business managers or supervisors to obtain any additional information.

    Info-Tech recommends a two-level approach to risk assessment

    Review the two levels of risk assessment offered in this blueprint.

    Risk severity level assessment (mandatory)

    1

    		Information

    Number of risks: Assess all risk events identified in Phase 1.
    Units of measurement: Use customized likelihood and impact “levels.”
    Time required: One to five minutes per risk event.

    		Assess Likelihood

    Negligible
    Low
    Moderate
    High
    Very High

    X

    		Assess Likelihood

    Negligible
    Low
    Moderate
    High
    Very High

    =

    		Output


    Risk Security Level:

    Moderate

    Example of a risk severity level assessment chart.
    Chart risk events according to risk severity as this allows you to organize and prioritize IT risks.

    Assess all of your identified risk events with a risk severity-level assessment.

    • By creating a likelihood and impact assessment scale divided into three to nine “levels” (sometimes referred to as “buckets”), you can evaluate every risk event quickly while being confident that risks are being assessed accurately.
    • In the following activities, you will create likelihood and impact scales that align with your organizational risk appetite and tolerance.
    • Severity-level assessment is a “first pass” of your risk list, revealing your organization’s most severe IT risks, which can be assessed in greater detail by incorporating expected cost into your evaluation.

    Info-Tech recommends a two-level approach to risk assessment (continued)

    Expected cost assessment (optional)

    2

    		Information

    Number of risks: Only assess high-priority risks revealed by severity-level assessment.
    Units of measurement: Use actual likelihood values (%) and impact costs ($).
    Time required: 10-20 minutes per risk event.

    		Assess Likelihood

    15%

    Moderate

    X

    		Assess Likelihood

    $100,000

    High

    =

    		Output


    Expected Cost:

    $15,000

    Expected cost is useful for conducting cost-benefit analysis and comparing IT risks to non-IT risks and other budget priorities for the business.

    Conduct expected cost assessments for IT’s greatest risks.

    For risk events warranting further analysis, translate risk severity levels into hard expected-cost numbers.

    Why conduct expected cost assessments?
    • Expected cost represents how much you would expect to pay in an average year for each risk event.
    • Communicate risk priorities to the business in language they can understand.
    • While risk severity levels are useful for comparing one IT risk to another, expected cost data allows the business to compare IT risks to non-IT risks that may not use the same scales.
    		 Why is expected cost assessment optional?
    • Determining robust likelihood values and precise impact estimates can be challenging and time consuming.
    • Some risk events may require extensive data gathering and industry analysis.

    Implement and leverage a centralized risk register

    The purpose of the risk register is to act as the repository for all the risks that have been identified within your environment.

    Use this tool to:

    1. Collect and maintain a repository for all IT risk events impacting the organization and relevant information for each risk.
      • Capture all relevant IT risk information in one location.
      • Organize risk identification and assessment information for transparent risk management, stakeholder review, and/or internal audit.
    2. Calculate risk severity scores to prioritize risk events and determine which risks require a risk response.
      • Separate acceptable and unacceptable risks (as determined by the business).
      • Rank risks based on severity levels.
    3. Assess risk responses and calculate residual risk.
      • Evaluate the effect that proposed risk response actions will have on top risk events and quantify residual risk magnitude.
      • This step will be completed in section 3.1

    2.2.1 Determine the threshold for (un)acceptable risk

    1-4 hours

    Input: Risk events, Risk appetite

    Output: Threshold for risk identified

    Materials: Risk Register Tool, Risk Management Program Manual

    Participants: IT risk council, Relevant business stakeholders, Representation from senior management team, Business risk owner

    Instructions:

    There are times when the business needs to know about IT risks with high expected costs.

    1. Create an expected cost threshold that defines what constitutes an acceptable and unacceptable risk for the organization. This figure should be a concrete dollar value. In the next exercises, you will build risk impact and likelihood scales with this value in mind, ensuring that “high” or “extreme” risks are immediately communicated to senior leadership.
    2. Do not consider IT budget restrictions when developing this number. The acceptable risk threshold should reflect the business’ tolerance/appetite for risk.

    This threshold is typically based on the organization’s ability to absorb financial losses, and its tolerance/appetite towards risk.

    If your organization has ERM, adopt the existing acceptability threshold.

    Record this threshold in section 5.3 of the Risk Management Program Manual

    2.2.2 Create a financial impact assessment scale

    1-4 hours

    Input: Risk events, Risk threshold

    Output: Financial impact scale created

    Materials: Risk Register Tool, Risk Management Program Manual

    Participants: IT risk council, Relevant business stakeholders, Representation from senior management team, Business risk owner

    Instructions:

    1. Create a scale to assess the financial impact of risk events.
      • Typically, risk impacts are assessed on a scale of 1-5; however, some organizations may prefer to assess risks using 3, 4, 7, or 9-point scales.
    2. Ensure that the unacceptable risk threshold is reflected in the scale.
      • In the example provided, the unacceptable risk threshold ($100,000) is represented as “High” on the impact scale.
    3. Attach labels to each point on the scale. Effective labels will easily distinguish between risks on either side of the unacceptable risk threshold.

    Record the risk impact scale in section 5.3 of the Risk Management Program Manual

    Convert project overruns and service outages into costs

    Use the tables below to quickly convert impacts typically measured in units of time to financial cost. Replace the values in the table with those that reflect your own costs.

    • While project overruns and service outages may have intangible impacts beyond the unexpected costs stemming from paying employees and lost revenue (such as adding complexity to project management and undermining the business’ confidence in IT), these measurements will provide adequate impact estimations for risk assessment.
    • Remember, complex risk events can be analyzed further with an expected cost assessment.
    Project Overruns Scale for the use of cost assessment with dollar amounts associated with impact levels. '$250,000 - Extreme', '$100,000 - High', '$60,000 - Moderate', '$35,000 - Low', '$10,000 - Negligible'.

    Project

    Time (days)

    20 days

    Number of employees

    8

    Average cost per employee (per day)

    $300

    Estimated cost

    $48,000
    Service Outages

    Service

    Time (hours)

    4 hours

    Lost revenue (per hour)

    $10,000

    Estimated cost

    $40,000

    Impact scale

    Low

    2.2.3 Select a technique to measure reputational cost (1 of 3)

    1-3 hours

    Realized risk events may have profound reputational costs that do not immediately impact your bottom line.

    Reputational cost can take several forms, including the internal and external perception of:
    1. Brand likeability
    2. Product quality
    3. Leadership capability
    4. Social responsibility

    Based on your industry and the nature of the risk, select one of the three techniques described in this section to incorporate reputational costs into your risk assessment.

    		 Technique #1 – Use financial indicators:

    For-profit companies typically experience reputational loss as a gradual decline in the strength of their brand, exclusion from industry groups, or lost revenue.

    If possible, use these measures to put a price on reputational loss:

    • Lost revenue attributable to reputation loss
    • Loss of market share attributable to reputation loss
    • Drops in share price attributable to reputation loss (for public companies)

    Match this dollar value to the corresponding level on the impact scale created in Activity 2.2.2.

    • If you are not able to effectively translate all reputational costs into financial costs, proceed to techniques 2 and 3 on the following slides.

    2.2.3 Select a technique to measure reputational cost (2 of 3)

    1-3 hours
    It is common for public sector or not-for-profit organizations to have difficulty putting a price tag on intangible reputational costs.
    • For example, a government organization may be unable to directly quantify the cost of losing the confidence and/or support of the public.
    • A helpful technique is to reframe how reputation is assigned value.
    		 Technique #2 – Calculate the value of avoiding reputational cost:
    1. Imagine that the particular risk event you are assessing has occurred. Describe the resulting reputational cost using qualitative language.

    For example:

    A data breach, which caused the unsanctioned disclosure of 2,000 client files, has inflicted high reputational costs on the organization. These have impacted the organization in the following ways:

    • Loss of organizational trust in IT
    • IT’s reputation as a value provider to the organization is tarnished
    • Loss of client trust in the organization
    • Potential for a public reprimand of the organization by the government to restore public trust
  • Then, determine (hypothetically) how much money the organization would be willing to spend to prevent the reputational cost from being incurred.
  • Match this dollar value to the corresponding level on the impact scale created in Activity 2.2.2.
    		•

    2.2.3 Select a technique to measure reputational cost (3 of 3)

    1-3 hours

    If you feel that the other techniques have not reflected reputational impacts in the overall severity level of the risk, create a parallel scale that roughly matches your financial impact scale.

    Technique #3 – Create a parallel scale for reputational impact:

    Visibility is a useful metric for measuring reputational impact. Visibility measures how widely knowledge of the risk event has spread and how negatively the organization is perceived. Visibility has two main dimensions:

    • Internal vs. External
    • Low Amplification vs. High Amplification

      • Internal/External: The further outside of the organization that the risk event is visible, the higher the reputational impact.
      Low/High Amplification: The greater the ability of the actor to communicate and amplify the occurrence of a risk event, the higher the reputational impact.
      After establishing a scale for reputational impact, test whether it reflects the severity of the financial impact levels in the financial impact scale.

    • For example, if the media learns about a recent data breach, does that feel like a $100,000 loss?
    		 Example:
    Scale for the use of cost assessment of reputational impact with dimension combinations associated with impact levels. 'External, High Amp, (regulators, lawsuits) - Extreme', 'Internal, High Amp, (CEO) - Low', 'Internal, Low Amp (IT) - Negligible'.

    2.2.4 Create a likelihood scale

    1-3 hours

    Instructions:
    1. Create a scale to assess the likelihood that a risk event will occur over a given period of time.
      • Info-Tech recommends assessing the likelihood that the risk event will occur over a period of one year (the IT risk council should be reassessing the risk event no less than once per year).
    2. Ensure that the likelihood scale contains the same number of levels as the financial impact scale (3, 4, 5, 7, or 9).
    3. The example provided is likely to satisfy most IT departments; however, you may customize the distribution of likelihood values to reflect the organization’s aversion towards uncertainty.
      • For example, an extremely risk-averse organization may consider any risk event with a likelihood greater than 20% to have a “High” likelihood of occurrence.
    4. Attach the same labels used for the financial impact scale (Low, Moderate, High, etc.)

    Record the risk impact scale in section 5.3 of the Risk Management Program Manual

    		 Scale to assess the likelihood that a risk event will occur. '80-99% - Extreme', '60-79% - High', '40-59% - Moderate' '20-39% - Low', '1-19% - Negligible'.

    Info-Tech Insight

    Note: Info-Tech endorses the use of likelihood values (1-99%) rather than frequency (3 times per year) as a measurement.
    For an explanation of why likelihood values lead to more precise and robust risk assessment, see the Appendix.

    2.2.5 Risk severity level assessment

    6-10 hours

    Input: Risk events identified

    Output: Assessed the likelihood of occurrence and impact for all identified risk events

    Materials: Risk Register Tool

    Participants: IT risk council, Relevant business stakeholders, Representation from senior management team, Business risk owner

    Instructions:

    1. Document the “Risk Category” and “Existing Controls.” in the Risk Register Tool.
      • (See the slide following this activity for tips on identifying existing controls.)
    2. Assign each risk event a likelihood and impact level.
      • Remember, you are assessing the impact that a risk event will have on the organization as a whole, not just on IT.
    3. When assigning a financial impact level to a risk event, factor in the likely number of instances that the event will occur within the time frame for which you are assessing (usually one year).
      • For risk events like third-party service outages that typically occur a few times each year, assign them an impact level that reflects the likelihood of financial impact the risk event will have over the entire year.
      • E.g. If your organization is likely to experience two major service outages next year and each outage costs the organization approximately $15,000, the total financial impact is $30,000.

    Record results in the Risk Register Tool

    2.2.5 Risk severity level assessment (continued)

    Instructions (continued):
    1. Assign a risk owner to non-negligible risk events.
      • For organizations that practice ongoing risk management and frequently reassess their risk portfolio (minimum once per year), risk ownership does not need to be assigned to “Negligible” or low-level risks.
      • View the following slides for advice on how to select a risk owner and information on their responsibilities.
    2. As you input the first few likelihood and impact values, compare them to one another to ensure consistency and accuracy:
      • Is a service outage really twice as impactful as our primary software provider going out of business?
      • Is a data breach far more likely than a ›1 hour web-services outage?
    		 Tips for Selecting Likelihood Values:

    Does ~10% sound right?

    Test a likelihood estimate by assessing the truth of the following statements:

    • The risk event will likely occur once in the next ten years (if the environment remains nearly identical).
    • If ten organizations existed that were nearly identical to our own, it is likely that one out of ten would experience the risk event this year.

    Screenshot of a risk severity level assessment.

    Identify current risk controls

    Consider how IT is already addressing key risks.

    Types of current risk control

    Tactical controls

    Apply to individual risks only.

    Example: A tactical control for backup/replication failure is faster WAN lines.

    		 Tactical risk control Strategic controls

    Apply to multiple risks.

    Example: A strategic control for backup/replication failure is implementing formal DR plans.

    		 Strategic risk control
    Risk event Risk event Risk event

    Screenshot of the column headings on the risk severity level assessment with 'Current Controls' highlighted.
    Consider both tactical and strategic controls already in place when filling out risk event information in the Risk Register Tool.

    Info-Tech Insight

    Identifying existing risk controls (past risk responses) provides a clear picture of the measures already in place to avoid, mitigate, or transfer key risks. This reveals opportunities to improve existing risk controls, or where new strategies are needed, to reduce risk severity levels below business thresholds.

    Assign a risk owner for each risk event

    Designate a member of the IT risk council to be responsible for each risk event.

    Selecting the Appropriate Risk Owner

    Use the following considerations to determine the best owner for each risk:

    • The risk owner should be familiar with the process, project, or IT function related to the risk event.
    • The risk owner should have access to the necessary data to monitor and measure the severity of the risk event.
    • The risk owner’s performance assessment should reflect their ability to demonstrate the ongoing management of their assigned risk events.

    Screenshot of the column headings on the risk severity level assessment with 'Risk Owner' highlighted.

    		 Risk Owner Responsibilities

    Risk ownership means that an individual is responsible for the following activities:

    • Monitoring the threat or vulnerability for changes in the likelihood of occurrence and/or likely impact.
    • Monitoring changes in the market and external environment that may alter the severity of the risk event.
    • Monitoring changes of closely related risks with interdependencies.
    • Developing and using key risk indicators (KRIs) to measure changes in risk severity.
    • Regularly reporting changes in risk severity to the IT risk council.
    • If necessary, escalating the risk event to other IT risk council personnel or senior management for reassessment.
    • Monitoring risk severity levels for risk events after a risk response has been implemented.

    Use Info-Tech’s Risk Costing Tool to calculate the expected cost of IT’s high-priority risks (optional)

    Sample of the Risk Costing Tool.

    Use this tool to:

    1. Conduct a deeper analysis of severe risks.
      • Determine specific likelihood and financial impact values to communicate the severity of the risk in the Expected Cost tab.
      • Identify the maximum financial impact that the risk event may inflict.
    2. Assess the effectiveness of multiple risk responses for each risk event.
      • Determine how proposed risk events will change the likelihood of occurrence and financial impact of the risk event.
    3. Incorporate risk proximity into your cost-benefit analysis of risk responses.
      • Illustrate how spending decisions will impact the expected cost of the risk event over time.

    2.2.6 Expected cost assessment (optional)

    Assign likelihood and financial impact values to high-priority risks.

    Select risks with these characteristics:

    Strongly consider conducting an expected cost assessment for risk events that meet one or more of the following criteria.

    The risk:

    • Has been assigned to the highest risk severity level.
    • Has exposed the organization previously and had severe implications.
    • Exceeds the organization’s threshold for financial impact.
    • Involves an IT function that is highly visible to the business.
    • Will likely require risk response actions that will exceed current IT budgetary constraints.
    • Is conducive to expected cost assessment:
      • There is general consensus on likelihood estimates.
      • There is general consensus on financial impact estimates.
      • Historical data exists to support estimates.
    		 Determine which risks require a deeper assessment:

    Info-Tech recommends conducting a second-level assessment for 5-15% of your IT risk register.

    Communicating the expected cost of high-priority risks significantly increases awareness of IT risks by the business.

    Communicating risks to the business using their language also increases the likelihood that risk responses will receive the necessary support and investment


    Record the list of risk events requiring second-level assessment in the Risk Costing Tool.

    • Transfer the likelihood and impact levels for each event into the Risk Costing Tool using data from the Risk Register Tool.

    2.2.6 Expected cost assessment (continued)

    Assign likelihood and financial impact values to high-priority risks.

    Instructions:
    1. Go through the list of prioritized risks in the Risk Costing Tool one by one. Indicate the likelihood and impact level (from the Risk Register Tool) for the risk event being assessed.
    2. Record likelihood values (1-99%) and impact values ($) from participants.
      • Only record values from individuals that indicate they are fairly confident with their estimates.
      • Keep likelihood estimates to values that are multiples of five.
    3. Estimate and record the maximum impact that the risk event could inflict.
      • See Appendix III for information on how the possibility of high-impact scenarios may influence your decision making.
    4. Discuss the estimates provided. Eliminate outliers and retracted estimates.
      • If you are unable to achieve consensus, take the average of the values provided.
    5. If you are having difficulty arriving at a likelihood or impact value, select the median value of the level assigned to the risk during the risk severity level assessment.
      • E.g. Risk event assigned to likelihood level “Moderate” (20-39%). Select a likelihood value of 30%.

    Screenshot of the column headings on the risk severity level assessment with 'Optional Inherent Likelihood Parameters' and 'Optional Inherent Impact Parameters' highlighted.

    		 Who should participate?
    • Depending on the size of your IT risk council, you may want to consider conducting this exercise in a smaller group.
    • Ideally, you should try to find the right balance between ensuring that the necessary experience and knowledge is in the room while insulating the exercise from outlier opinions, noise, and distractions.

    Evaluate likelihood and impact

    Refine your risk assessment process by developing more accurate measurements of likelihood and impact.

    Intersubjective likelihood

    The goal of the expected cost assessment is to develop robust intersubjective estimates of likelihood and financial impact.

    By aggregating a number of expert opinions of what they deem to be the “correct” value, you will arrive at a collectively determined value that better reflects reality than an individual opinion.

    Example: The Delphi Method

    The Delphi Method is a common technique to produce a judgement that is representative of the collective opinion of a group.

    • Participants are sent a series of sequential questionnaires (typically by email).
    • The first questionnaire asks them what the likelihood, likely impact, and expected cost is for a specific risk event.
    • Data from the questionnaire is compiled and then communicated in a subsequent questionnaire, which encourages participants to restate or revise their estimates given the group’s judgements.
    • With each successive questionnaire, responses will typically converge around a single intersubjective value.
    		Justifying Your Estimates:

    When asked to explain the numbers you arrived at during the risk assessment, pointing to an assessment methodology gives greater credibility to your estimates.

    • Assign one individual to take notes during the assessment exercise.
    • Have them document the main rationale behind each value and the level of consensus.

    Info-Tech Insight

    The underlying assumption behind intersubjective forecasting is that group judgements are more accurate than individual judgements. However, this may not be the case at all.

    Sometimes, a single expert opinion is more valuable than many uninformed opinions. Defining whose opinion is valuable and whose is not is an unpleasant exercise; therefore, selecting the right personnel to participate in the exercise is crucially important.

    Build an IT Risk Management Program

    Phase 3

    Monitor, Respond, and Report on IT Risk

    Phase 1

    • 1.1 Review IT Risk Management Fundamentals
    • 1.2 Establish a Risk Governance Framework

    Phase 2

    • 2.1 Identify IT Risks
    • 2.2 Assess and Prioritize IT Risks

    Phase 3

    • 3.1 Develop Risk Responses and Monitor IT Risks
    • 3.2 Report IT Risk Priorities
      •

    This phase will walk you through the following activities:

    • Develop key risk indicators (KRIs) and escalation protocols
    • Establish the reporting schedule
    • Identify and assess risk responses
    • Analyze risk response cost-benefit
    • Create multi-year cost projections
    • Obtain executive approval for risk action plans
    • Socialize the Risk Report
    • Transfer ownership of risk responses to project managers
    • Finalize the Risk Management Program Manual

    This phase involves the following participants:

    • IT risk council
    • Relevant business stakeholders
    • Representation from senior management team
    • Risk business owner

    Step 3.1

    Monitor IT Risks and Develop Risk Responses

    Activities
    • 3.1.1 Develop key risk indicators (KRIs) and escalation protocols
    • 3.1.2 Establish the reporting schedule
    • 3.1.3 Identify and assess risk responses
    • 3.1.4 Risk response cost-benefit analysis
    • 3.1.5 Create multi-year cost projections

    This step involves the following participants:

    • IT risk council
    • Relevant business stakeholders
    • Representation from senior management team
    • Business risk owner

    Outcomes of this step

    • Completed risk event action plans
    • Risk responses identified and assessed for top risks
    • Risk response selected for top risks

    Monitor, Respond, and Report on IT Risk

    Step 3.1 Step 3.2

    Use Info-Tech’s Risk Event Action Plan to manage high-priority risks

    Manage risks in between risk assessments and create a paper trail for key risks that exceed the unacceptable risk threshold. Use a new form for every high-priority risk that requires tracking.

    Risk Event Action Plan Sample of the Risk Event Action Plan deliverable.

    Obtaining sign-off from the senior leadership team or from the ERM office is an important step of the risk management process. The Risk Event Action Plan ensures that high-priority risks are closely monitored and that changes in risk severity are detected and reported.

    Clear documentation is a way to ensure that critical information is shared with management so that they can make informed risk decisions. These reports should be succinct yet comprehensive; depending on time and resources, it is good practice to fill out this form and obtain sign-off for the majority of IT risks.

    3.1.1 Develop key risk indicators (KRIs) and escalation protocols

    The risk owner should be held accountable for monitoring their assigned risks but may delegate responsibility for these tasks.

    Instructions:
    1. Design key risk indicators (KRIs) for risks that measure changes in their severity and document them in the Risk Event Action Plan.
      • See the following slide for examples.
    2. Clearly document the risk owner and the individual(s) carrying out risk monitoring activities (delegates) in the Risk Event Action Plan.

    Note: Examples of KRIs can be found on the following slide.

    		 What are KRIs?
    • KRIs should be observable metrics that alert the IT risk council and management when risk severity exceeds acceptable risk thresholds.
    • KRIs should serve as tripwires or early-warning indicators that trigger further actions to be taken on the risk.
    • Further actions may include:
      • Escalation to the risk owner (if delegated) or to a member of the senior leadership team.
      • Reporting to the IT risk council or IT steering committee.
      • Reassessment.
      • Updating the risk monitoring schedule.

    Document KRIs, escalation thresholds, and escalation protocols for each risk in a Risk Event Action Plan.

    Developing KRIs for success

    Visualization of KRI development, from the 'Risk Event' to the 'Intermediate Steps' with 'KRI Measurements' to the image of a growing seed.

    Examples of KRIs

    • Number of resources who quit or were fired who had access to critical data
    • Number of risk mitigation initiatives unfunded
    • Changes in time horizon of mitigation implementation
    • Number of employees who did not report phishing attempts
    • Amount of time required to get critical operations access to necessary data
    • Number of days it takes to implement a new regulation or compliance control

    3.1.2 Establish the reporting schedule

    For each risk event, document how frequently the risk owner must report to the IT risk council in the Risk Event Action Plan.

    • A clear reporting schedule enforces accountability for each risk event, ensuring that risk owners are fulfilling their monitoring responsibilities.
    • The ongoing discussion of risks between assessment cycles also increases overall awareness of how IT risks are not static but constantly evolving.
    Reporting Risk Event
    Weekly reports to ITRC Risk event severity represented as a thermometer with levels 'Extreme', 'High', 'Moderate', 'Low', and 'Negligible'.
    Bi-weekly reports to ITRC
    Monthly reports to ITRC
    Report to ITRC only if KRI thresholds triggered
    No reports; reassessed bi-annually

    Use Info-Tech’s tools to identify, analyze, and select risk responses

    1

    (Mandatory)    		Tool

    Screenshot of the Risk Register Tool.

    Risk Register Tool

    		Information
    • Develop risk responses for all risk events pre-populated on the “2. Risk Register” sheet of the Risk Register Tool.
    • Document the root cause of the risk (Activity 3.1.3) and other contributing factors (Activity 3.1.4).
    • Identify risk responses (Activity 3.1.5).
    • Predict the effectiveness of the risk response, if implemented, by estimating the residual likelihood and impact of the risk (Activity 3.1.5).
    • The tool will calculate the residual severity of the risk after applying the risk response.

    2

    (Optional)    		Tool

    Screenshot of the Risk Costing Tool.

    Risk Costing Tool

    		Information
    • Continue your second-level risk analysis for top risks for which you calculated expected cost in section 2.2.
    • Activity 3.1.5:
      • Identify between one and four risk response options for each risk.
      • Develop precise values for residual likelihood and impact.
      • Compare expected cost of the risk event to expected residual cost.
      • Select the risk response to recommend to senior leadership and document it in the Risk Register Tool.

    Determine the root cause of IT risks

    Root cause analysis

    Use the “Five Whys” methodology to identify the root cause and contributing/exacerbating factors for each risk event.

    Diagnosing the root cause of a risk as well as the environmental factors that increase its potential impact and likelihood of occurring allow you to identify more effective risk responses.

    Risk responses that only address the symptoms of the risk are less likely to succeed than responses that address the core issue.

    Concentric circles with 'Root Cause' at the center, 'Contributing Factors' around it, and 'Symptoms' on the outer circle.

    		 Example of 'The Five Whys Methodology', tracing symptoms to their root cause. In 'Symptoms' we see 'Risk Event: Network outage', Why? 'Network congestion', Why? Then on to 'Contributing Factors' the answer is 'Inadequate bandwidth for latency-sensitive applications', Why? 'Increased business use of latency-sensitive applications', Why? And finally to the 'Root Cause', 'Business units rely on 'real-time' data gathered from latency-sensitive applications', Why?

    Identify factors that contribute to the severity of the risk

    Environmental factors interact with the root cause to increase the likelihood or impact of the risk event.

    What factors matter?

    Identify relevant actors and assets that amplify or diminish the severity of the risk.

    Actors

    • Internal (business units)
    • External (vendor, regulator, market, competitor, hostile actor)

    Assets/Resources

    • Infrastructure
    • Applications
    • Processes
    • Information/data
    • Personnel
    • Reputation
    • Operations
    		 Develop risk responses that target contributing factors.
    Root cause:
    Business units rely on “real-time” data gathered from latency-sensitive applications

    Actors: Enterprise App users (Finance, Product Development, Product Management)

    Asset/resource: Applications, network

    Risk response:
    Decrease the use of latency-sensitive applications.

    X

    Decreasing the use of key apps contradicts business objectives.

    		 Contributing factors:
    Unreliable router software

    Actors: Network provider, router vendor, router software vendor, IT department

    Asset/resource: Network, router, router software

    Risk response:
    Replace the vendor that provides routers and router software.

    Replacing the vendor would reduce network outages at a relatively low cost.

    		 Symptoms:
    Network outage

    Actors: All business units, network provider

    Asset/resource: Network, business operations, employee productivity

    Risk response:
    Replace legacy systems.

    X

    Replacing legacy systems would be too costly.

    3.1.3 Identify and assess risk responses

    Instructions:
    Complete the following steps for each risk event.
    1. Identify a risk response action that will help reduce the likelihood of occurrence or the impact if the event were to occur.
      • Indicate the type of risk response (avoidance, mitigation, transfer, acceptance, or no risk exists).
    2. Assign each risk response action a residual likelihood level and a residual impact level.
      • This is the same step performed in Activity 2.2.6, when initial likelihood and impact levels were determined; however, now you are estimating the likelihood and impact of the risk event after the risk response action has been implemented successfully.
      • The Risk Register Tool will generate a residual risk severity level for each risk event.
    3. Identify the potential Risk Action Owner (Project Manager) if the response is selected and turned into an IT project, and document this in the Risk Register Tool.
    		 Document the following in the Risk Event Action Plan for each risk event:
      • Risk response actions
      • Residual likelihood and impact levels
      • Residual risk severity level
    • Review the following slides about the four types of risk response to help complete the activity.
      1. Avoidance
      2. Mitigation
      3. Transfer
      4. Acceptance

    Record the results in the Risk Event Action Plan.

    Take actions to avoid the risk entirely

    Risk Avoidance

    • Risk avoidance involves taking evasive maneuvers to avoid the risk event.
    • Risk avoidance targets risk likelihood, decreasing the likelihood of the risk event occurring.
    • Since risk avoidance measures are fairly drastic, the likelihood is often reduced to negligible levels.
    • However, risk avoidance response actions often sacrifice potential benefits to eliminate the possibility of the risk entirely.
    • Typically, risk avoidance measures should only be taken for risk events with extremely high severity and when the severity (expected cost) of the risk event exceeds the cost (benefits sacrificed) of avoiding the risk.

    Example

    Risk event: Information security vulnerability from third-party cloud services provider.

    • Risk avoidance action: Store all data in-house.
    • Benefits sacrificed: Cost savings, storage flexibility, etc.
    		 Stock photo of a person hikiing along a damp, foggy, valley path.

    Pursue projects that reduce the likelihood or impact of the risk event

    Risk Mitigation

    • Risk mitigation actions are risk responses that reduce the likelihood and impact of the risk event.
    • Risk mitigation actions can be to either implement new controls or enhance existing ones.
    Example 1

    Most risk responses will reduce both the likelihood of the risk event occurring and its potential impact.

    Example

    Mitigation: Purchase and implement enterprise mobility management (EMM) software with remote wipe capability.

    • EMM reduces the likelihood that sensitive data is accessed by a nefarious actor.
    • The remote-wipe capability reduces the impact by closing the window that sensitive data can be accessed from.
    		 Example 2

    However, some risk responses will have a greater effect on decreasing the likelihood of a risk event with little effect on decreasing impact.

    Example

    Mitigation: Create policies that restrict which personnel can access sensitive data on mobile devices.

    • This mitigation decreases the number of corporate phones that have access to (or are storing) sensitive data, thereby decreasing the likelihood that a device is compromised.
    		 Example 3

    Others will reduce the potential impact without decreasing its likelihood of occurring.

    Example

    Mitigation: Use robust encryption for all sensitive data.

    • Corporate-issued mobile phones are just as likely to fall into the hands of nefarious actors, but the financial impact they can inflict on the organization is greatly reduced.

    Pursue projects that reduce the likelihood or impact of the risk event (continued)

    Use the following IT functions to guide your selection of risk mitigation actions:

    Process Improvement

    Key processes that would most directly improve the risk profile:

    • Change Management
    • Project Management
    • Vendor Management
    		 Infrastructure Management
    • Disaster Recovery Plan/Business Continuity Plan
    • Redundancy and Resilience
    • Preventative Maintenance
    • Physical Environment Security
    Personnel
    • Greater staff depth in key areas
    • Increased discipline around documentation
    • Knowledge Management
    • Training
    		 Rationalization and Simplification

    This is a foundational activity, as complexity is a major source of risk:

    • Application Rationalization – reducing the number of applications
    • Data Management – reducing the volume and locations of data

    Transfer risks to a third party

    Risk transfer: the exchange of uncertain future costs for fixed present costs.

    Insurance

    The most common form of risk transfer is the purchase of insurance.

    • The uncertain future cost of an IT risk event can be transferred to an insurance company who assumes the risk in exchange for insurance premiums.
    • The most common form of IT-relevant insurance is cyberinsurance.

    Not all risks can be insured. Insurable risks typically possess the following five characteristics:

    1. The loss must be accidental (the risk event cannot be insured if it could have been avoided by taking reasonable actions).
    2. The insured cannot profit from the occurrence of the risk event.
    3. The loss must be able to be measured in monetary terms.
    4. The organization must have an insurable interest (it must be the party that incurs the loss).
    5. An insurance company must offer insurance against that risk.
    		 Other Forms of Risk Transfer

    Other forms of risk transfer include:

    • Self-insurance
      • Appropriate funds can be set aside in advance to address the financial impact of a risk event should it occur.
    • Warranties
    • Contractual transfer
      • The financial impact of a risk event can be transferred to a third party through clauses agreed to in a contract.
      • For example, a vendor can be contractually obligated to assume all costs resulting from failing to secure the organization’s data.

      • Example email addressing fields of an IT Risk Transfer to an insurance company.

    Accept risks that fall below established thresholds

    Risk Acceptance

    Accepting a risk means tolerating the expected cost of a risk event. It is a conscious and deliberate decision to retain the threat.

    You may choose to accept a risk event for one of the following three reasons:

    1. The risk severity (expected cost) of the risk event falls below acceptability thresholds and does not justify an investment in a risk avoidance, mitigation, or transfer measure.
    2. The risk severity (expected cost) exceeds acceptability thresholds but all effective risk avoidance, mitigation, and transfer measures are ineffective or prohibitively expensive.
    3. The risk severity (expected cost) exceeds acceptability thresholds but there are no feasible risk avoidance, mitigation, and transfer measures to be implemented.

    Info-Tech Insight

    Constant monitoring and the assignment of responsibility and accountability for accepted risk events is crucial for effective management of these risks. No IT risk should be accepted without detailed documentation outlining the reasoning behind that decision and evidence of approval by senior management.

    3.1.4 Risk response cost-benefit analysis (optional)

    The purpose of a cost-benefit analysis (CBA) is to guide financial decision making.

    This helps IT make risk-conscious investment decisions that fall within the IT budget and helps the organization make sound budgetary decisions for risk response projects that cannot be addressed by IT’s existing budget.

    Instructions:
    1. Reopen the Risk Costing Tool. For each risk that you conducted an expected cost assessment in section 2.2 for, find the Excel sheet that corresponds to the risk number (e.g. R001).
    2. Identify between one and four risk response options for the risk event and document them in the Risk Costing Tool.
      • The “Risk Response 1” field will be automatically populated with expected cost data for a scenario where no action was taken (risk acceptance). This will serve as a baseline for comparing alternative responses.
      • For the following steps, go through the risk responses one by one.
    3. Estimate the first-year cost for the risk response.
      • This cost should reflect initial capital expenditures and first-year operating expenditures.
    		 Screenshot of the Risk Response cost-benefit-analysis from the Risk Costing Tool with 'Capital Expenditures' and 'Operating Expenditures' highlighted.

    Record the results in the Risk Costing Tool.

    3.1.4 Risk response cost-benefit analysis (continued)

    The purpose of a cost-benefit analysis (CBA) is to guide financial decision making.

    Instructions:

    1. Estimate residual risk likelihood and financial impact for Year 1 with the risk response in place.
      • Rather than estimating the likelihood level (low, medium, high), determine a precise likelihood value of the risk event occurring once the response has been implemented.
      • Estimate the dollar value of financial impacts if the risk event were to occur with the risk response in place.
        • Screenshot of the Risk Response cost-benefit-analysis from the Risk Costing Tool with figured for 'Financial Impact' and 'Probability' highlighted. The tool will calculate the expected residual cost of the risk event: (Financial Impact x Likelihood) - Costs = Expected Residual Cost
    2. Select the highest value risk response and document it in the Risk Register Tool.
    3. Document your analysis and recommendations in the Risk Event Action Plan.

    Note: See Activity 3.1.5 to build multi-year cost projections for risk responses.

    3.1.5 Create multi-year cost projections (optional)

    Select between risk response options by projecting their costs and benefits over multiple years.

    • It can be difficult to choose between risk response options that require different payment schedules. A risk response project with costs spread out over more than one year (e.g. incremental upgrades to an IT system) may be more advantageous than a project with costs concentrated up front that may cost less in the long run (e.g. replacing the system).
    • However, the impact that risk response projects have on reducing risk severity is not necessarily static. For example, an expensive project like replacing a system may drastically reduce the risk severity of a system failure. Whereas, incremental system upgrades may only marginally reduce risk severity in the short term but reach similar levels as a full system replacement in a few years.
    Instructions:

    Calculate expected cost for multiple years using the Risk Costing Tool for:

    • Risk events that are subject to change in severity over time.
    • Risk responses that reduce the severity of the risk gradually.
    • Risk responses that cannot be implemented immediately.

    Copy and paste the graphs into the Risk Report and the Risk Event Action Plan for the risk event.

    		Sample charts on the cost of risk responses from the Risk Costing Tool.

    Record the results in the Risk Costing Tool.

    Step 3.2

    Report IT Risk Priorities

    Activities
    • 3.2.1 Obtain executive approval for risk action plans
    • 3.2.2 Socialize the Risk Report
    • 3.2.3 Transfer ownership of risk responses to project managers
    • 3.2.4 Finalize the Risk Management Program Manual

    This step involves the following participants:

    • IT risk council
    • Relevant business stakeholders
    • Representation from senior management team

    Outcomes of this step

    • Obtained approval for risk action plans
    • Communicated IT’s risk recommendations to senior leadership
    • Embedded risk management into day-to-day IT operations

    Monitor, Respond, and Report on IT Risk

    Step 3.1 Step 3.2

    Effectively deliver IT risk expertise to the business

    Communicate IT risk management in two directions:

    1. Up to senior leadership (and ERM if applicable)
    2. Down to IT employees (embedding risk awareness)

      3. Visualization of communicating Up to 'Senior Leadership' and Down to 'IT Personnel'.

    		 Create a strong paper trail and obtain sign-off for the ITRC’s recommendations.

    Now that you have collected all of the necessary raw data, you must communicate your insights and recommendations effectively.

    A fundamental task of risk management is communicating risk information to senior management. It is your responsibility to enable them to make informed risk decisions. This can be considered upward communication.

    The two primary goals of upward communication are:

    1. Transferring accountability for high-priority IT risks to the ERM or to senior leadership.
    2. Obtaining funds for risk response projects recommended by the ITRC.

    Good risk management also has a trickle-down effect impacting all of IT. This can be considered downward communication.

    The two primary goals of downward communication are:

    1. Fostering a risk-aware IT culture.
    2. Ensuring that the IT risk management program maintains momentum and runs effectively.

    3.2.1 Obtain executive approval for risk action plans

    Best Practices and Key Benefits

    Best practice is for all acceptable risks to also be signed-off by senior leadership. However, for ITRCs that brainstorm 100+ risks, this may not be possible. If this is the case, prioritize accepted risks that were assessed to be closest to the organization’s thresholds.

    By receiving a stamp of approval for each key risk from senior management, you ensure that:

    1. The organization is aware of important IT risks that may impact business objectives.
    2. The organization supports the risk assessment conducted by the ITRC.
    3. The organization supports the plan of action and monitoring responsibilities proposed by the ITRC.
    4. If a risk event were to occur, the organization holds ultimate accountability.
    		 Sample of the Risk Event Action Plan template.

    Task:
    All IT risks that were flagged for exceeding the organization’s severity thresholds must obtain sign-off by the CIO or another member of the senior leadership team.

    • In the assessment phase, you evaluated risks using severity thresholds approved by the business and determined whether or not they justified a risk response.
    • Whether your recommendation was to accept the risk or to analyze possible risk responses, the business should be made aware of most IT risks.

    3.2.2 Socialize the risk report

    Create a succinct, impactful document that summarizes the outcomes of risk assessment and highlights the IT risk council’s top recommendations to the senior leadership team.

    The Risk Report contains:
    • An executive summary page highlighting the main takeaways for senior management:
      • A short summary of results from the most recent risk assessment
      • Dashboard
      • A list of top 10 risks ordered from most severe to least
    • Subsequent individual risk analyses (1 to 10)
      • Detailed risk assessment data
      • Risk responses
      • Risk response analysis
      • Multi-year cost projection (see the following slide)
      • Dashboard
      • Recommendations
    		 Sample of the Risk Report template.

    Risk Report

    Pursue projects that reduce the likelihood or impact of the risk event

    Encourage risk awareness to extend the benefits of risk management to every aspect of IT.

    Benefits of risk awareness:

    • More preventative and proactive approaches to IT projects are discussed and considered.
    • Changes to the IT threat landscape are more likely to be detected, communicated, and acted upon.
    • IT possesses a realistic perception of its ability to perform functions and provide services.
    • Contingency plans are put in place to hedge against risk events.
    • Fewer IT risks go unidentified.
    • CIOs and business executives make better risk decisions.

    Consequences of low risk awareness:

    • False confidence about the number of IT risks impacting the organization and their severity.
    • Risk-relevant information is not communicated to the ITRC, which may result in inaccurate risk assessments.
    • Confusion surrounding whose responsibility it is to consider how risk impacts IT decision making.
    • Uncertainty and panic when unanticipated risks impact the IT department and the organization.

    Embedding risk management in the IT department is a full-time job

    Take concrete steps to increase risk-aware decision making in IT.

    The IT risk council plays an instrumental role in fostering a culture of risk awareness throughout the IT department. In addition to periodic risk assessments, fulfilling reporting requirements, and undertaking ongoing monitoring responsibilities, members of the ITRC can take a number of actions to encourage other IT employees to adopt a risk-focused approach, particularly at the project planning stage.

    Embed risk management in project planning

    Make time for discussing project risks at every project kick-off.
    • A main benefit of including senior personnel from across IT in the ITRC is that they are able to disseminate the IT risk council’s findings to their respective practices.
    • At project kick-off meetings, schedule time to identify and assess project-specific risks.
    • Encourage the project team to identify strategies to reduce the likelihood and impact of those risks and document these in the project charter.
    • Lead by example by being clear and open about what constitutes acceptable and unacceptable risks.

    Embed risk management with employee

    Train IT staff on the ITRC’s planned responses to specific risk events.
    • If a response to a particular risk event is not to implement a project but rather to institute new policies or procedures, ensure that changes are communicated to employees and that they receive training.
    Provide risk management education opportunities.
    • Remember that a more risk-aware IT employee provides more value to the organization.
    • Invest in your employees by encouraging them to pursue education opportunities like receiving risk management accreditation or providing them with educational experiences such as workshops, seminars, and eLearning.

    Embedding risk management in the IT department is a full-time job (continued)

    Encourage risk awareness by adjusting performance metrics and job titles.

    Performance metrics:

    Depending on the size of your IT department and the amount of resources dedicated to ongoing risk management, you may consider embedding risk management responsibilities into the performance assessments of certain ITRC members or other IT personnel.

    • Personalize the risk management program metrics you have documented in your Risk Management Program Manual.
    • Evidence that KPIs are monitored and frequently reported is also a good indicator that risk owners are fulfilling their risk management responsibilities.

      • Info-Tech Insight

      If risk management responsibilities are not built into performance assessments, it is less likely that they will invest time and energy into these tasks. Adding risk management metrics to performance assessments directly links good job performance with good risk management, making it more likely that ITRC activities and initiatives gain traction throughout the IT department.

    Job descriptions:

    Changing job titles to reflect the focus of an individual’s role on managing IT risk may be a good way to distinguish personnel tasked with developing KRIs and monitoring risks on a week-to-week basis.

    • Some examples include IT Risk Officer, IT Risk Manager, and IT Risk Analyst.

    3.2.3 Transfer ownership of risk responses to project managers

    Once risk responses have obtained approval and funding, it is time to transform them into fully-fledged projects.

    Image of a hand giving a key to another hand and a circle split into quadrants of Governance with 'Governance of Risks' being put into 'Governance of Projects'.

    3.2.4 Finalize the Risk Management Program Manual

    Go back through the Risk Management Program Manual and ensure that the material will accurately reflect your approach to risk management going forward.

    Remember, the program manual is a living document that should be evolving alongside your risk management program, reflecting best practices, knowledge, and experiences accrued from your own assessments and experienced risk events.

    The best way to ensure that the program manual continues to guide and document your risk management program is to make it the focal point of every ITRC meeting and ensure that one participant is tasked with making necessary adjustments and additions.

    Sample of the Risk Management Program Manual. Risk Management Program Manual

    “Upon completing the Info-Tech workshop, the deliverables that we were left with were really outstanding. We put together a 3-year project plan from a high level, outlining projects that will touch upon our high risk areas.” (Director of Security & Risk, Water Management Company)

    Don’t allow your risk management program to flatline

    54% of small businesses haven’t implemented controls to respond to the threat of cyber attacks (Source: Insurance Bureau of Canada, 2021)

    Don’t be lulled into a false sense of security. It might be your greatest risk.

    So you’ve identified the most important IT risks and implemented projects to protect IT and the business.

    Unfortunately, your risk assessment is already outdated.

    Perform regular health checks to keep your finger on the pulse of the key risks threatening the business and your reputation.

    To continue the momentum of your newly forged IT risk management program, read Info-Tech’s research on conducting periodic risk assessments and “health checks”:

    Revive Your Risk Management Program With a Regular Health Check

    • Complete Info-Tech’s Risk Management Health Check to seize the momentum you created by building a robust IT risk management program and create a process for conducting periodic health checks and embedding ongoing risk management into every aspect of IT.
    • Our focus is on using data to make IT risk assessment less like an art and more like a science. Ongoing data-driven risk management is self-improving and grounded in historical data.

    Appendix I: Familiarize yourself with key risk terminology

    Review important risk management terms and definitions.

    Risk

    		An uncertain event or set of events which, should it occur, will have an effect on the achievement of objectives. A risk consists of a combination of the likelihood of a perceived threat or opportunity occurring and the magnitude of its impact on objectives (Office of Government Commerce, 2007).

    Threat

    		An event that can create a negative outcome (e.g. hostile cyber/physical attacks, human errors).

    Vulnerability

    		A weakness that can be taken advantage of in a system (e.g. weakness in hardware, software, business processes).

    Risk Management

    		The systematic application of principles, approaches, and processes to the tasks of identifying and assessing risks, and then planning and implementing risk responses. This provides a disciplined environment for proactive decision making (Office of Government Commerce, 2007).

    Risk Category

    		Distinct from a risk event, a category is an abstract profile of risk. It represents a common group of risks. For example, you can group certain types of risks under the risk category of IT Operations Risks.

    Risk Event

    		A specific occurrence of an event that falls under a particular risk category. For example, a phishing attack is a risk event that falls under the risk category of IT Security Risks.

    Risk Appetite

    		An organization’s attitude towards risk taking, which determines the amount of risk that it considers acceptable. Risk appetite also refers to an organization’s willingness to take on certain levels of exposure to risk, which is influenced by the organization’s capacity to financially bear risk.

    Enterprise Risk Management

    		(ERM) – A strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of organizational risks and managing the combined impact of those risks as an interrelated risk portfolio (RIMS, 2015).

    Appendix II: Likelihood vs. Frequency

    Why we measure likelihood, not frequency:

    The basic formula of Likelihood x Impact = Severity is a common methodology used across risk management frameworks. However, some frameworks measure likelihood using Frequency rather than Likelihood.

    Frequency is typically measured as the number of instances an event occurs over a given period of time (e.g. once per month).

    • For risk assessment, historical data regarding the frequency of a risk event is commonly used to indicate the likelihood that the event will happen in the future.

    Likelihood is a numerical representation of the “degree of belief” that the risk event will occur in a given future timeframe (e.g. 25% likelihood that the event will occur within the next year).

    False Objectivity

    While some may argue that frequency provides an objective measurement of likelihood, it is well understood in the field of likelihood theory that historical data regarding the frequency of a risk event may have little bearing over the likelihood of that event happening in the future. Frequency is often an indication of future likelihood but should not be considered an objective measurement of it.

    Likelihood scales that use frequency underestimate the magnitude of risks that lack historical precedent. For example, an IT department that has never experienced a high-impact data breach would adopt a very low likelihood score using the frequentist approach. However, if all of the organization’s major competitors have suffered a major breach within the last two years, they ought to possess a much higher degree of belief that the risk event will occur within the next year.

    Likelihood is a more comprehensive measurement of future likelihood, as frequency can be used to inform the selection of a likelihood value. The process of selecting intersubjective likelihood values will naturally internalize historical data such as the frequency that the event occurred in the past. Further, the frequency that the event is expected to occur in the future can be captured by the expected impact value. For example, a risk event that has an expected impact per occurrence of $10,000 that is expected to occur three times over the next year has an expected impact of $30,000.

    Appendix III: Should max impacts sway decision making?

    Don’t just fixate on the most likely impact – be aware of high-impact outcomes.

    During assessment, risks are evaluated according to their most likely financial impact.

    • For example, a service outage will likely last for two hours and may have an expected cost of $14,000.

    Naturally, focusing on the most likely financial impact will exclude higher impacts that – while theoretically possible – are so unlikely that they do not warrant any real consideration.

    • For example, it is possible that a service outage could last for days; however, the likelihood for such an event may be well below 1%.

    While the risk severity level assessment allows you to present impacts as a range of values (e.g. $50,000 to $75,000), the expected cost assessment requires you to select specific values.

    • However, this analysis may fail to consider much higher potential impacts that have non-negligible likelihood values (likelihood values that you cannot ignore).
    • What you consider “non-negligible” will depend on your organizational risk tolerance/appetite.

    Sometimes called Black Swan events or Fat-Tailed outcomes, high-impact events may occur when the far right of the likelihood distribution – or the “tail” – is thicker than a normal distribution (see fig. 2).

    • A good example is a data breach. While small to medium impacts are far more likely to occur than a devastating intrusion, the high-impact scenario cannot be ignored completely.

    For risk events that contain non-negligible likelihoods (too high to be ignored) consider elevating the risk severity level or expected cost.

    		 Figure 1 is a graph presenting a 'Normal Likelihood Distribution', the axes being 'Likelihood' and 'Financial Impact'.
    Figure 2 is a graph presenting a 'Fat-Tailed Likelihood Distribution' with a point at the top of the parabola labelled 'Most Likely Impact' but with a much wider bottom labelled 'Fat-Tailed Outcomes', the axes being 'Likelihood' and 'Financial Impact'.

    Leverage Info-Tech’s research on security and compliance risk to identify additional risk events

    Title card of the Info-tech blueprint 'Take Control of Compliance Improvement to Conquer Every Audit' with subtitle 'Don't gamble recklessly with external compliance. Play a winning system and take calculated risks to stack the odds in your favor.


    Take Control of Compliance Improvement to Conquer Every Audit

    Info-Tech Insight

    Don’t gamble recklessly with external compliance. Play a winning system and take calculated risks to stack the odds in your favor.

    Take an agile approach to analyze your gaps and prioritize your remediations. You don’t always have to be fully compliant as long as your organization understands and can live with the consequences.

    Stock photo of a woman sitting at a computer surrounded by rows of computers.


    Develop and Implement a Security Risk Management Program

    Info-Tech Insight

    Security risk management equals cost effectiveness.

    Time spent upfront identifying and prioritizing risks can mean the difference between spending too much and staying on budget.

    Research Contributors and Experts

    Sandi Conrad
    Principal Research Director
    Info-Tech Research Group

    Christine Coz
    Executive Counsellor
    Info-Tech Research Group

    Milena Litoiu
    Principal Research Director
    Info-Tech Research Group

    Scott Magerfleisch
    Executive Advisor
    Info-Tech Research Group

    Aadil Nanji
    Research Director
    Info-Tech Research Group

    Andy Neill
    Associate Vice-President of Research
    Info-Tech Research Group

    Daisha Pennie
    IT Risk Management
    Oklahoma State University

    Ken Piddington
    CIO and Executive Advisor
    MRE Consulting

    Frank Sewell
    Research Director
    Info-Tech Research Group

    Andrew Sharpe
    Research Director
    Info-Tech Research Group

    Chris Warner
    Consulting Director- Security
    Info-Tech Research Group

    Sterling Bjorndahl
    Director of IT Operations
    eHealth Saskatchewan

    Research Contributors and Experts

    Ibrahim Abdel-Kader
    Research Analyst
    Info-Tech Research Group

    Tamara Dwarika
    Internal Auditor
    A leading North American Utility

    Anne Leroux
    Director
    ES Computer Training

    Ian Mulholland
    Research Director
    Info-Tech Research Group

    Michel Fossé
    Consulting Services Manager
    IBM Canada (LGS)

    Petar Hristov
    Research Director
    Info-Tech Research Group

    Steve Woodward
    Research Director
    CEO, Cloud Perspectives

    *Plus 10 additional interviewees who wish to remain anonymous.

    Bibliography

    “2021 State of the CIO.” IDG, 28 January 2021. Web.

    “4 Reasons Why CIOs Lose Their Jobs.” Silverton Consulting, 2012. Web.

    Beasley, Mark, Bruce Branson, and Bonnie Hancock. “The State of Risk Oversight,” AICPA, April 2021. Web.

    COBIT 2019. ISACA, 2019. Web.

    “Cognyte jeopardized its database exposing 5 billion records, including earlier data breaches.” SecureBlink, 21 June 2021. Web.

    Culp, Steve. “Accenture 2019 Global Risk Management Study, Financial Services Report.” Accenture, 2019. Web.

    Curtis, Patchin, and Mark Carey. “Risk Assessment in Practice.” COSO Committee of Sponsoring Organizations of the Treadway Commission, Deloitte & Touche LLP, 2012. Web.

    “Cyber Risk Management.” Insurance Bureau of Canada (IBC), 2022. Web.

    Eccles, Robert G., Scott C. Newquist, and Roland Schatz. “Reputation and Its Risks.” Harvard Business Review, February 2007. Web.

    Eden, C. and F. Ackermann. Making Strategy: The Journey of Strategic Management. Sage Publications, 1998.

    “Enterprise Risk Management Maturity Model.” OECD, 9 February 2021. Web.

    Ganguly, Saptarshi, Holger Harreis, Ben Margolis, and Kayvaun Rowshankish. “Digital Risks: Transforming risk management for the 2020s.” McKinsey & Company, 10 February 2017. Web.

    “Governance Institute of Australia Risk Management Survey 2020.” Governance Institute of Australia, 2020. Web.

    “Guidance on Enterprise Risk Management.” COSO, 2022. Web.

    Henriquez, Maria. “The Top 10 Data Breaches of 2021” Security Magazine, 9 December 2021. Web.

    Holmes, Aaron. “533 million Facebook users’ phone numbers and personal data have been leaked online.” Business Insider, 3 April 2021. Web.

    Bibliography

    “Integrated Risk and Compliance Management for Banks and Financial Services Organizations: Benefits of a Holistic Approach.” MetricStream, 2022. Web.

    “ISACA’s Risk IT Framework Offers a Structured Methodology for Enterprises to Manage Information and Technology Risk.” ISACA, 25 June 2020. Web.

    ISO 31000 Risk Management. ISO, 2018. Web.

    Lawton, George. “10 Enterprise Risk Management Trends in 2022.” TechTarget, 2 February 2022. Web.

    Levenson, Michael. “MGM Resorts Says Data Breach Exposed Some Guests’ Personal Information.” The New York Times, 19 February 2020. Web.

    Management of Risk (M_o_R): Guidance for Practitioners. Office of Government Commerce, 2007. Web.

    “Many small businesses vulnerable to cyber attacks.” Insurance Bureau of Canada (IBC), 5 October 2021.

    Maxwell, Phil. “Why risk-informed decision-making matters.” EY, 3 December 2019. Web.

    “Measuring and Mitigating Reputational Risk.” Marsh, September 2014. Web.

    Natarajan, Aarthi. “The Top 6 Business Risks you should Prepare for in 2022.” Diligent, 22 December 2021. Web.

    “Operational Risk Management Excellence – Get to Strong Survey: Executive Report.” KMPG and RMA, 2014. Web.

    “Third-party risk is becoming a first priority challenge.” Deloitte, 2022. Web.

    Thomas, Adam, and Dan Kinsella. “Extended Enterprise Risk Management Survey, 2020.” Deloitte, 2021. Web.

    Treasury Board Secretariat. “Guide to Integrated Risk Management.” Government of Canada, 12 May 2016. Web.

    Webb, Rebecca. “6 Reasons Data is Key for Risk Management.” ClearRisk, 13 January 2021. Web.

    “What is Enterprise Risk Management (ERM)?” RIMS, 2015. Web.

    Wiggins, Perry. “Do you spend enough time assessing strategic risks?” CFO, 26 January 2022. Web.

    Master the Secrets of Adobe’s Creative Cloud Contracts to Right-Size Your Adobe Spend

    • Buy Link or Shortcode: {j2store}139|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: $63,667 Average $ Saved
    • member rating average days saved: 110 Average Days Saved
    • Parent Category Name: Licensing
    • Parent Category Link: /licensing
    • Adobe operates in its own niche in the creative space, and Adobe users have grown accustomed to their products, making switching very difficult.
    • With Adobe’s transition to a cloud-based subscription model, it’s important for organizations to actively manage licenses, software provisioning, and consumption.
    • Without a detailed understanding of Adobe’s various purchasing models, overspending often occurs.
    • Organizations have experienced issues in identifying commercial licensed packages with their install files, making it difficult to track and assign licenses.

    Our Advice

    Critical Insight

    • Focus on user needs first. Examine which products are truly needed versus nice to have to prevent overspending on the Creative Cloud suite.
    • Examine what has been deployed. Knowing what has been deployed and what is being used will greatly aid in completing your true-up.
    • Compliance is not automatic with products that are in the cloud. Shared logins or computers that have desktop installs that can be access by multiple users can cause noncompliance.

    Impact and Result

    • Visibility into license deployments and needs
    • Compliance with internal audits

    Master the Secrets of Adobe’s Creative Cloud Contracts to Right-Size Your Adobe Spend Research & Tools

    Start here – read the Executive Brief

    Procuring Adobe software is not the same game as it was just a few years ago. Adopt a comprehensive approach to understanding Adobe licensing to avoid overspending and to maximize negotiation leverage.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Manage your Adobe agreements

    Use Info-Tech’s licensing best practices to avoid overspending on Adobe licensing and to remain compliant in case of audit.

    • Adobe ETLA vs. VIP Pricing Table
    • Adobe ETLA Forecasted Costs and Benefits
    • Adobe ETLA Deployment Forecast
    [infographic]

    Further reading

    Master the Secrets of Adobe’s Creative Cloud Contracts to Right-Size Your Adobe Spend

    Learn the essential steps to avoid overspending and to maximize negotiation leverage with Adobe.

    ANALYST PERSPECTIVE

    Only 18% of Adobe licenses are genuine copies: are yours?

    "Adobe has designed and executed the most comprehensive evolution to the subscription model of pre-cloud software publishers with Creative Cloud. Adobe's release of Document Cloud (replacement for the Acrobat series of software) is the final nail in the coffin for legacy licensing for Adobe. Technology procurement functions have run out of time in which to act while they still retain leverage, with the exception of some late adopter organizations that were able to run on legacy versions (e.g. CS6) for the past five years. Procuring Adobe software is not the same game as it was just a few years ago. Adopt a comprehensive approach to understanding Adobe licensing, contract, and delivery models in order to accurately forecast your software needs, transact against the optimal purchase plan, and maximize negotiation leverage. "

    Scott Bickley

    Research Lead, Vendor Practice

    Info-Tech Research Group

    Our understanding of the problem

    This Research is Designed For:

    • IT managers scoping their Adobe licensing requirements and compliance position.
    • CIOs, CTOs, CPOs, and IT directors negotiating licensing agreements in search of cost savings.
    • ITAM/Software asset managers responsible for tracking and managing Adobe licensing.
    • IT and business leaders seeking to better understand Adobe licensing options (Creative Cloud).
    • Vendor management offices in the process of a contract renewal.

    This Research Will Help You:

    • Understand and simplify licensing per product to help optimize spend.
    • Ensure agreement type is aligned to needs.
    • Navigate the purchase process to negotiate from a position of strength.
    • Manage licenses more effectively to avoid compliance issues, audits, and unnecessary purchases.

    This Research Will Also Assist:

    • CFOs and the finance department
    • Enterprise architects
    • ITAM/SAM team
    • Network and IT architects
    • Legal
    • Procurement and sourcing

    This Research Will Help Them:

    • Understand licensing methods in order to make educated and informed decisions.
    • Understand the future of the cloud in your Adobe licensing roadmap.

    Executive summary

    Situation

    • Adobe’s dominant market position and ownership of the creative software market is forcing customers to refocus the software acquisition process to ensure a positive ROI on every license.
    • In early 2017, Adobe announced it would stop selling perpetual Creative Suite 6 products, forcing future purchases to be transitioned to the cloud.

    Complication

    • Adobe operates in its own niche in the creative space, and Adobe users have grown accustomed to their products, making switching very difficult.
    • With transition to a cloud-based subscription model, organizations need to actively manage licenses, software provisioning, and consumption.
    • Without a detailed understanding of Adobe’s various purchasing models, overspending often occurs.
    • Organizations have experienced issues in identifying commercial licensed packages with their install files, making it difficult to track and assign licenses.

    Resolution

    • Gain visibility into license deployments and needs with a strong SAM program/tool; this will go a long way toward optimizing spend.
      • Number of users versus number of installs are not the same, and confusing the two can result in overspending. Device-based licensing historically would have required two licenses, but now only one may be required.
    • Ensure compliance with internal audits. Adobe has a very high rate of piracy stemming from issues such as license overuse, misunderstanding of contract language, using cracks/keygens, virtualized environments, indirect access, and sharing of accounts.
    • A handful of products are still sold as perpetual – Acrobat Standard/Pro, Captivate, ColdFusion, Photoshop, and Premiere Elements – but be aware of what is being purchased and used in the organization.
      • Beware of products deployed on server, where the number of users accessing that product cannot easily be counted.

    Info-Tech Insight

    1. Your user-need analysis has shifted in the new subscription-based model. Determine which products are needed versus nice to have to prevent overspending on the Creative Cloud suite.
    2. Examine what you need, not what you have. You can no longer mix and match applications.
    3. Compliance is not automatic with products that are in the cloud. Shared logins or computers with desktop installs that can be accessed by multiple users can cause noncompliance.

    The aim of this blueprint is to provide a foundational understanding of Adobe

    Why Adobe

    In 2011 Adobe took the strategic but radical move toward converting its legacy on-premises licensing to a cloud-based subscription model, in spite of material pushback from its customer base. While revenues initially dipped, Adobe’s resolve paid off; the transition is mostly complete and revenues have doubled. This was the first enterprise software offering to effect the transition to the cloud in a holistic manner. It now serves as a case study for those following suit, such as Microsoft, Autodesk, and Oracle.

    What to know

    Adobe elected to make this market pivot in a dramatic fashion, foregoing a gradual transition process. Enterprise clients were temporarily allowed to survive on legacy on-premises editions of Adobe software; however, as the Adobe Creative Cloud functionality was quickly enhanced and new applications were launched, customer capitulation to the new subscription model was assured.

    The Future

    Adobe is now leveraging the power of connected customers, the availability of massive data streams, and the ongoing digitalization trend globally to supplement the core Creative Cloud products with online services and analytics in the areas of Creative Cloud for content, Marketing Cloud for marketers, and Document Cloud for document management and workflows. This blueprint focuses on Adobe's Creative Cloud and Document Cloud solutions and the enterprise term license agreement (ETLA).

    Info-Tech Insight

    Beware of your contract being auto-renewed and getting locked into the quantities and product subset that you have in your current agreement. Determining the number of licenses you need is critical. If you overestimate, you're locked in for three years. If you underestimate, you have to pay a big premium in the true-up process.

    Learn the “Adobe way,” whether you are reviewing existing spend or considering the purchase of new products

    1. Legacy on-premises Adobe Creative Suite products used to be available in multiple package configurations, enabling right-sized spend with functionality. Adobe’s support for legacy Creative Suites CS6 products ended in May 2017.
    2. While early ETLAs allowed customer application packaging at a lower price than the full Creative Cloud suite, this practice has been discontinued. Now, the only purchasing options are the full suite or single-application subscriptions.
    3. Buyers must now assess alternative Adobe products as an option for non-power users. For example, QuarkXPress, Corel PaintShop Pro, CorelDRAW, Bloom, and Affinity Designer are possible replacements for some Creative Cloud applications.
    4. Document Cloud, Adobe’s latest step in creating an Acrobat-focused subscription model, limits the ability to reduce costs with an extended upgrade cycle. These changes go beyond the licensing model.
    5. Organizations need to perform a cost-benefit analysis of single app purchases vs. the full suite to right-size spend with functionality.

    As Adobe’s dominance continues to grow, organizations must find new ways to maintain a value-added relationship

    Adobe estimates the total addressable market for creative and document cloud to be $21 billion. With no sign of growth slowing down, Adobe customers must learn how to work within the current design monopoly.

    The image contains two pie graphs. The first is labelled FY2014 Revenue Mix, and the second graph is titled FY2017E Revenue Mix.

    Source: Adobe, 2017

    "Adobe is not only witnessing a steady increase in Creative Cloud subscriptions, but it also gained more visibility into customers’ product usage, which enables it to consistently push out software updates relevant to user needs. The company also successfully transformed its sales organization to support the recurring revenue model."

    – Omid Razavi, Global Head of Success, ServiceNow

    Consider your route forward

    Consider your route forward, as ETLA contract commitments, scope, and mechanisms differ in structure to the perpetual models previously utilized. The new model shortchanges technology procurement leaders in their expectations of cost-usage alignment and opex flexibility (White, 2016).

    ☑ Implement a user profile to assign licenses by version and limit expenditures. Alternatives can include existing legacy perpetual and Acrobat classic versions that may already be owned by the organization.

    ☑ Examine the suitability and/or dependency on Document Cloud functions, such as existing business workflows and e-signature integration.

    ☑ Involve stakeholders in the evaluation of alternate products for use cases where dependency on Acrobat-specific functionality is limited.

    ☑ Identify not just the installs and active use of the applications but also the depth and breadth of use across the various features so that the appropriate products can be selected.

    The image contains a screenshot of a diagram listing the adobe toolkit. The toolkit includes: Adobe ETLA Deployment Forecast Tool, Adobe ETLA Forecasted Cost and Benefits, Adobe ETLA vs. VIP Pricing Table.

    Use Info-Tech’s Adobe toolkit to prepare for your new purchases or contract renewal

    Info-Tech Insight

    IT asset management (ITAM) and software asset management (SAM) are critical! An error made in a true-up can cost the organization for the remaining years of the ETLA. Info-Tech worked with one client that incurred a $600k error in the true-up that they were not able to recoup from Adobe.

    Apply licensing best practices and examine the potential for cost savings through an unbiased third-party perspective

    Establish Licensing Requirements

    • Understand Adobe’s product landscape and transition to cloud.
    • Analyze users and match to correct Adobe SKU.
    • Conduct an internal software assessment.
    • Build an effective licensing position.

    Evaluate Licensing Options

    • Value Incentive Plan (VIP)
    • Cumulative Licensing Program (CLP)
    • Transactional Licensing Program (TLP)
    • Enterprise Term License Agreement (ETLA)

    Evaluate Agreement Options

    • Price
    • Discounts
    • Price protection
    • Terms and conditions

    Purchase and Manage Licenses

    • Learn negotiation tactics to enhance your current strategy.
    • Control the flow of communication.
    • Assign the right people to manage the environment.

    Preventive practices can help find measured value ($)

    Time and resource disruption to business if audited

    Lost estimated synergies in M&A

    Cost of new licensing

    Cost of software audit, penalties, and back support

    Lost resource allocation and time

    Third party, legal/SAM partners

    Cost of poor negotiation tactics

    Lost discount percentage

    Terms and conditions improved

    Explore Adobe licensing and optimize spend – project overview

    Establish Licensing Requirements

    Evaluate Licensing Options

    Evaluate Agreement Options

    Purchase and Manage Licenses

    Best-Practice Toolkit
    • Assess current state and align goals; review business feedback.
    • Interview key stakeholders to define business objectives and drivers.
    • Review licensing options.
    • Review licensing rules.
    • Determine the ideal contract type.
    • Review final contract.
    • Discuss negotiation points.
    • License management.
    • Future licensing strategy.

    Guided Implementations
    • Engage in a scoping call.
    • Assess the current state.
    • Determine licensing position.
    • Review product options.
    • Review licensing rules.
    • Review contract option types.
    • Determine negotiation points.
    • Finalize the contract.
    • Discuss license management.
    • Evaluate and develop a roadmap for future licensing.

    PHASE 1

    Manage Your Adobe Agreements

    Phase 1 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 1: Managing Adobe Contracts

    Proposed Time to Completion: 3-6 weeks

    Step 1.1: Establish Licensing Requirements

    Start with a kick-off call:

    • Assess the current state.
    • Determine licensing position.

    Then complete these activities…

    • Complete a deployment count, needs analysis, and internal audit.

    With these tools & templates:

    Adobe ETLA Deployment Forecast

    Step 1.2: Determine Licensing Options

    Review findings with analyst:

    • Review licensing options.
    • Review licensing rules.
    • Review contract option types.

    Then complete these activities…

    • Select licensing option.
    • Document forecasted costs and benefits.

    With these tools & templates:

    Adobe ETLA vs. VIP Pricing Table

    Adobe ETLA Forecasted Costs and Benefits

    Step 1.3: Purchase and Manage Licenses

    Review findings with analyst:

    • Review final contract.
    • Discuss negotiation points.
    • Plan a roadmap for SAM.

    Then complete these activities…

    • Negotiate final contract.
    • Evaluate and develop a roadmap for SAM.

    With these tools & templates:

    Adobe ETLA Deployment Forecast

    Adobe’s Cloud – Snapshot of what has changed

    1. Since Adobe has limited the procurement and licensing options with the introduction of Creative Cloud, there are three main choices:
      1. Direct online purchase at Adobe.com
      2. Value Incentive Plan (VIP): Creative Cloud for teams–based purchase with a volume discount (minimal, usually ~10%); may have some incentives or promotional pricing
      3. Enterprise Term License Agreement (ETLA): Creative Cloud for Enterprise (CCE)
    2. Adobe has discontinued support for legacy perpetual licenses, with the latest version being CS6, which is steering organizations to prioritize their options for products in the creative and document management space.
    3. Document Cloud (DC) is the cloud product replacing the Acrobat perpetual licensing model. DC extends the subscription-based model further and limits options to extend the lifespan of legacy on-premises licenses through a protracted upgrade process.
    4. The subscription model, coupled with limited discount options on transactional purchases, forces enterprises to consider the ETLA option. The ETLA brings with it unique term commitments, new pricing structures, and true-up mechanisms and inserts the "land and expand" model vs. license reassignment.

    Info-Tech Insight

    Adobe’s move from a perpetual license to a per-user subscription model can be positive in some scenarios for organizations that experienced challenges with deployment, management of named users vs. devices, and license tracking.

    Core concepts of Adobe agreements: Discounting, pricing, and bundling

    ETLA

    Adobe has been systematically reducing discounts on ETLAs as they enter the second renewal cycle of the original three-year terms.

    Adobe Cloud Bundling

    Adobe cloud services are being bundled with ETLAs with a mandate that companies that do not accept the services at the proposed cost have Adobe management’s approval to unbundle the deal, generally with no price relief.

    Custom Bundling

    The option for custom bundling of legacy Creative Suite component applications has been removed, effectively raising the price across the board for licensees that require more than two Adobe applications who must now purchase the full Creative Cloud suite.

    Higher and Public Education

    Higher education/public education agreements have been revamped over the past couple of years, increasing prices for campus-wide agreements by double-digit percentages (~10-30%+). While they still receive an 80% discount over list price, IT departments in this industry are not prepared to absorb the budget increase.

    Info-Tech Insight

    Adobe has moved to an all-or-one bundle model. If you need more than two application products, you will likely need to purchase the full Creative Cloud suite. Therefore, it is important to focus on creating accurate user profiles to identify usage needs.

    Use Info-Tech’s Adobe deployment tool for SAM: Track deployment and needs

    The image contains a screenshot of Info-Tech's Adobe deployment tool for SAM: Track deployment and needs.

    Use Info-Tech’s Adobe deployment tool for SAM: Audit

    The image contains a screenshot of the Adobe Deployment Tool for SAM, specifically the Audit tab.

    Use Info-Tech’s Adobe deployment tool for SAM: Cost

    The image contains a screenshot of the Adobe Deployment Tool for SAM, specifically the Cost tab.

    Use Info-Tech’s tools to compare ETLA vs. VIP and to document forecasted costs and benefits

    Is the ETLA or VIP option better for your organization?

    Use Info-Tech’s Adobe ETLA vs. VIP Pricing Table tool to compare ETLA costs against VIP costs.

    The image contains a screenshot of Info-Tech's Adobe ETLA vs. VIP Pricing Table.

    Your ETLA contains multiple products and is a multi-year agreement.

    Use Info-Tech’s ETLA Forecasted Costs and Benefits tool to forecast your ETLA costs and document benefits.

    The image contains a screenshot of Info-Tech's ETLA Forecasted Costs and Benefits.

    Adobe’s Creative Cloud Complete offering provides access to all Adobe creative products and ongoing upgrades

    Why subscription model?

    The subscription model forces customers to an annuity-based pricing model, so Adobe has recurring revenue from a subscription-based product. This increases customer lifetime value (CLTV) for Adobe while providing ongoing functionality updates that are not version/edition dependent.

    Key Characteristics:

    • Available as a month-to-month or annual subscription license
    • Can be purchased for one user, for a team, or for an enterprise
    • Subject to annual payment and true-up of license fees
    • Can only true-up during lifespan of contract; quantities cannot be reduced until renewal
    • May contain auto-renewal clauses – beware!

    Key things to know:

    1. Applications can be purchased individually if users require only one specific product. A few products continue to have on-premises licensing options, but most are offered by per-user subscriptions.
    2. At the end of the subscription period, the organization no longer has any rights to the software and would have to return to a previously owned version.
    3. True-downs are not possible (in contrast to Microsoft’s Office 365).
    4. Downgrade rights are not included or are limited by default.

    Which products are in the Creative Cloud bundle?

    Adobe Acrobat® XI Pro

    Adobe After Effects® CC

    Adobe Audition® CC

    Adobe Digital Publishing Suite, Single Edition

    Adobe InDesign® CC

    Adobe Dreamweaver® CC

    Adobe Edge Animate

    Adobe Edge Code preview

    Adobe Edge Inspect

    Adobe Photoshop CC

    Adobe Edge Reflow preview

    Adobe Edge Web Fonts

    Adobe Extension Manager

    ExtendScript Toolkit

    Adobe Fireworks® CS6

    Adobe Flash® Builder® 4.7 Premium Edition

    Adobe Flash Professional CC

    Adobe Illustrator® CC

    Adobe Prelude® CC

    Adobe Premiere® Pro CC

    Adobe Scout

    Adobe SpeedGrade® CC

    Adobe Muse CC

    Adobe Photoshop Lightroom 6

    Adobe offers different solutions for teams vs. enterprise licensing

    Evaluate the various options for Creative Cloud, as they can be purchased individually, for teams, or for enterprise.

    Bundle Name

    Target Customer

    Included Applications

    Features

    CC (for Individuals)

    Individual users

    The individual chooses
    • Sync, store, and share assets
    • Adobe Portfolio website
    • Adobe Typekit font collection
    • Microsoft Teams integration
    • Can only be purchased through credit card

    CC for Teams (CCT)

    Small to midsize organizations with a small number of Adobe users who are all within the same team

    Depends on your team’s requirements. You can select all applications or specific applications.

    Everything that CC (for individuals) does, plus

    • One license per user; can reassign CC licenses
    • Web-based admin console
    • Centralized deployment
    • Usage tracking and reporting
    • 100GB of storage per user
    • Volume discounts for 10+ seats

    CC for Enterprise (CCE)

    Large organizations with users who regularly use multiple Adobe products on multiple machines

    All applications including Adobe Stock for images and Adobe Enterprise Dashboard for managing user accounts

    Everything that CCT does, plus

    • Employees can activate a second copy of software on another device (e.g. home computer) as long as they share the same Adobe ID and are not used simultaneously
    • Ability to reassign licenses from old users to new users
    • Custom storage options
    • Greater integration with other Adobe products
    • Larger volume discounts with more seats

    For further information on specific functionality differences, reference Adobe’s comparison table.

    A Cloud-ish solution: Considerations and implications for IT organizations

    ☑ True cloud products are typically service-based, scalable and elastic, shared resources, have usage metering, and rely upon internet technologies. Currently, Adobe’s Creative Cloud and Document Cloud products lack these characteristics. In fact, the core products are still downloaded and physically installed on endpoint devices, then anchored to the cloud provisioning system, where the software can be automatically updated and continuously verified for compliance by ensuring the subscription is active.

    ☑ Adobe Cloud allows Adobe to increase end-user productivity by releasing new features and products to market faster, but the customer will increase lock-in to the Adobe product suite. The fast-release approach poses a different challenge for IT departments, as they must prepare to test and support new functionality and ensure compatibility with endpoint devices.

    ☑ There are options at the enterprise level that enable IT to exert more granular control over new feature releases, but these are tied to the ETLA and the provided enterprise portal and are not available on other subscription plans. This is another mechanism by which Adobe has been able to spur ETLA adoption.

    Not all CIOs consider SaaS/subscription applications their first choice, but the Adobe’s dominant position in the content and document management marketplace is forcing the shift regardless. It is significant that Adobe bypassed the typical hybrid transition model by effectively disrupting the ability to continue with perpetual licensing without falling behind the functionality curve.

    VIP plans do allow for annual terms and payment, but you lose the price elasticity that comes with multi-year terms.

    Download Info-Tech’s Adobe ETLA vs. VIP Pricing Table tool to compare ETLA costs against VIP costs.

    When moving to Adobe cloud, validate that license requirements meet organizational needs, not a sales quota

    Follow these steps in your transition to Creative Cloud.

    Step 1: Make sure you have a software asset management (SAM) tool to determine Adobe installs and usage within your environment.

    Step 2: Look at the current Adobe install base and usage. We recommend reviewing three months’ worth of reliable usage data to decide which users should have which licenses going forward.

    Step 3: Understand the changes in Adobe packages for Creative Cloud (CC). Also, take into account that the license types are based on users, not devices.

    Step 4: Identify those users who only need a single license for a single application (e.g. Photoshop, InDesign, Muse).

    Step 5: Identify the users who require CC suites. Look at their usage of previous Adobe suites to get an idea of which CC suite they require. Did they have Design Suite Standard installed but only use one or two elements? This is a good way to ensure you do not overspend on Adobe licenses.

    Source: The ITAM Review

    Download Info-Tech’s Adobe ETLA Deployment Forecast tool to track Adobe installs within your environment and to determine usage needs.

    Acquiring Adobe Software

    Adobe offers four common licensing methods, which are reviewed in detail in the following slides.

    Most common purchasing models

    Points for consideration
    • Value Incentive Plan (VIP)
    • Cumulative Licensing Program (CLP)
    • Transactional Licensing Program (TLP)
    • Enterprise Term License Agreement (ETLA)
    • Adobe, as with many other large software providers, includes special benefits and rights when its products are purchased through volume licensing channels.
    • Businesses should typically refrain from purchasing individual OEM (shrink wrap) licenses or those meant for personal use.
    • Purchase record history is available online, making it easier for your organization to manage entitlements in the case of an audit.

    "Customers are not even obliged to manage all the licenses themselves. The reseller partners have access to the cloud console and can manage licenses on behalf of their customers. Even better, they can seize cross and upsell opportunities and provide good insight into the environment. Additionally, Adobe itself provides optimization services."

    B-lay

    CLP and TLP

    The CLP and TLP are transactional agreements generally used for the purchase of perpetual licenses. For example, they could be used for making Acrobat purchases if Creative Suite products are purchased on the ETLA.

    The image contains a screenshot of a table comparing CLP and TLP.

    Source: “Adobe Buying Programs Comparison Guide for Commercial and Government Organizations”

    VIP and ETLA

    The Value Incentive Plan is aimed at small- to medium-sized organizations with no minimum quantity required. However, there is limited flexibility to reduce licenses and limited price protection for future purchases. The ETLA is aimed at large organizations who wish to have new functionality as it comes out, license management portal, services, and security/IT control aspects.

    The image contains a screenshot of a table comparing VIP and ETLA.

    Source: “Adobe Buying Programs Comparison Guide for Commercial and Government Organizations”

    ETLA commitments risk creating “shelfware-as-a-service”

    The Adobe ETLA’s rigid contract parameters, true-up process, and unique deployment/provisioning mechanisms give technology/IT procurement leaders fewer options to maximize cost-usage alignment and to streamline opex costs.

    ☑ No ETLA price book is publicly published; pricing is controlled by the Adobe enterprise sales team.

    ☑ Adobe's retail pricing is a good starting point for negotiating discounted pricing.

    ☑ ETLA commitments are usually for three years, and the lack of a true-down option increases the risk involved in overbuying licenses should the organization encounter a business downturn or adverse event.

    ☑ Pricing discounts are the highest at the initial ETLA signing for the upfront volume commitment. The true-up pricing is discounted from retail but still higher than the signing cost per license.

    ☑ Technical support is included in the ETLA.

    ☑ While purchases typically go through value-added resellers (VARs), procurement can negotiate directly with Adobe.

    "For cloud products, it is less complex when it comes to purchasing and pricing. If larger quantities are purchased on a longer term, the discount may reach up to 15%. As soon as you enroll in the VIP program, you can control all your licenses from an ‘admin console’. Any updates or new functionalities are included in the original price. When the licenses expire, you may choose to renew your subscriptions or remove them. Partial renewal is also accepted. Of course, you can also re-negotiate your price if more subscriptions are added to your console."

    B-lay

    ETLA recommendations

    1. Assess the end-user requirements with a high degree of scrutiny. Perform an analysis that matches the licensee with the correct Adobe product SKU to reduce the risk of overspending.
    • Leverage metering data that identifies actual usage and lack thereof, match to user profile functional requirements, and then determine end users’ actual license requirements.
  • Build in time to evaluate alternative products where possible and position the organization to leverage a Plan B vendor to replace or mitigate growth on the Adobe platform. Re-evaluate options well in advance of the ETLA renewal.
  • Secure price protection through negotiating a price cap or an extended ETLA term beyond the standard three-year term. Short of obtaining an escalation cap, which Adobe is strongly resisting, build in price increases for the ETLA renewal years.
    • Demand price transparency and granularity in the proposal process.
    • Validate that volume discounts are appropriate and show through to the true-up line item pricing.
  • Negotiate a true-down mechanism upfront with Adobe if usage decline is inevitable or expected due to a merger or acquisition, divestiture, or material restructuring event.

    • INFO-TECH TIP: For further guidance on ETLAs and pricing, contact your Info-Tech representative to set up a call with an analyst.

    Use Info-Tech’s Adobe ETLA Deployment Forecast tool to match licensees with Adobe product SKUs.

    Prepare for Adobe’s true-up process

    How the true-up process works

    When adding a license, the true-up price will be prorated to 50% of the license cost for previous year’s usage plus 100% of the license cost for the next year. This back-charging adds up to 150% of the overall true-up license cost. In some rare cases, Adobe has provided an “unlimited” quantity for certain SKUs; these Unlimited ETLAs generally align with FTE counts and limit FTE increases to about 5%. Procurement must monitor and work with SAM/ITAM and stakeholder groups to restrain unnecessary growth during the term of an Unlimited ETLA to avoid the risk of cost escalation at renewal time.

    Higher-education specific

    Higher-education clients can license under the ETLA based on a prescribed number of user and classroom/lab devices and/or on a FTE basis. In these cases, the combination of Creative Cloud and Acrobat Pro volume must equal the FTE total, creating an enterprise footprint. FTE calculations establish the full-time faculty plus one-third of part-time faculty plus one-half of part-time staff.

    Info-Tech Insight

    Compliance takes a different form in terms of the ETLA true-up process. The completion of Adobe's transition to cloud-based licensing and verification has improved compliance rates via phone home telemetry such that pirated software is less available and more easily detected. Adobe has actually decommissioned its audit arm in the Americas and EMEA.

    Audits and software asset management with Adobe

    Watch out for:

    • Virtual desktops, freeware, and test and trial licenses
    • Adobe products that may be bundled into a suite; a manual check will be needed to ensure the suite isn’t recognized as a standalone license
    • Pirated licenses with a “crack” built into the software

    Simplify your process – from start to finish – with these steps:

    Determine License Entitlements

    Obtain documentation from internal records and Adobe to track licenses and upgrades to determine what licenses you own and have the right to use.

    Gather Deployment Information

    Leverage a software asset management tool or process to determine what software is deployed and what is/is not being used.

    Determine Effective License Position

    Compare license entitlements with deployment data to uncover surpluses and deficits in licensing. Look for opportunities.

    Plan Changes to License Position

    Meet with IT stakeholders to discuss the enterprise license program (ELP), short- and long-term project plans, and budget allocation. Plan and document licensing requirements.

    Adobe Genuine Software Integrity Service

    • This service was started in 2014 to combat non-genuine software sold by non-authorized resellers.
    • The service works hand in hand with the cloud movement to reduce piracy.
    • Every Adobe product now contains an executable file that will scan your machine for non-genuine software.
    • If non-genuine software is detected, the user will be notified and directed to the official Adobe website for next steps.

    Detailed list of Adobe licensing contract types

    The table below describes Adobe contract types beyond the four typical purchasing models explained in the previous slides:

    Option

    What is it?

    What’s included?

    For

    Term

    CLP (Cumulative Licensing Program)

    10,000 plus points, support and maintenance optional

    Select Adobe perpetual desktop products

    Business

    2 years

    EA (Adobe Enterprise Agreement)

    100 licenses plus maintenance and support for eligible Adobe products

    All applications

    100+ users requirement

    3 years

    EEA (Adobe Enterprise Education Agreement)

    Creative Cloud enterprise agreement for education establishments

    Creative Cloud applications without services

    Education

    1 or 2 years

    ETLA (Enterprise Term License Agreement)

    Licensing program designed for Adobe’s top commercial, government, and education customers

    All Creative Cloud applications

    Large enterprise companies

    3 years

    K-12 – Enterprise Agreement

    Enterprise agreement for primary and secondary schools

    Creative Cloud applications without services

    Education

    1 year

    K-12 – School Site License

    Allows a school to install a Creative Cloud on up to 500 school-owned computers regardless of school size

    Creative Cloud applications without services

    Education

    1 year

    TLP (Transactional Licensing Program)

    Agreement for SMBs that want volume licensing bonuses

    Perpetual desktop products only

    Aimed at SMBs, but Enterprise customers can use the TLP for smaller requirements

    N/A

    Upgrade Plan

    Insurance program for software purchased under a perpetual license program such as CLP or TLP for Creative Cloud upgrade

    Dependent on the existing perpetual estate

    Anyone

    N/A

    VIP (Value Incentive Plan)

    VIP allows customers to purchase, deploy, and manage software through a term-based subscription license model

    Creative Cloud of teams

    Business, government, and education

    Insight breakdown

    Insight 1

    Adobe operates in its own niche in the creative space, and Adobe users have grown accustomed to their products, making switching very difficult.

    Insight 2

    Adobe has transitioned the vast majority of its software offerings to the cloud-based subscription model. Active management of licenses, software provisioning, and consumption of cloud services is now an ongoing job.

    Insight 3

    With the vendor lock-in process nearly complete via the transition to a SaaS subscription model, Adobe is raising prices on an annual basis. Advance planning and strategic use of the ETLA is key to avoid budget-breaking surprises.

    Summary of accomplishment

    Knowledge Gained

    • The key pieces of licensing information that should be gathered about the current state of your own organization.
    • An in-depth understanding of the required licenses across all of your products.
    • Clear methodology for selecting the most effective contract type.
    • Development of measurable, relevant metrics to help track future project success and identify areas of strength and weakness within your licensing program.

    Processes Optimized

    • Understanding of the importance of licensing in relation to business objectives.
    • Understanding of the various licensing considerations that need to be made.
    • Contract negotiation.

    Deliverables Completed

    • Adobe ETLA Deployment Forecast
    • Adobe ETLA Forecasted Cost and Benefits
    • Adobe ETLA vs. VIP Pricing Table

    Related Info-Tech Research

    Take Control of Microsoft Licensing and Optimize Spend

    Create an Effective Plan to Implement IT Asset Management

    Establish an Effective System of Internal IT Controls to Mitigate Risks

    Optimize Software Asset Management

    Take Control of Compliance Improvement to Conquer Every Audit

    Cut PCI Compliance and Audit Costs in Half

    Bibliography

    “Adobe Buying Programs: At-a-glance comparison guide for Commercial and government organizations.” Adobe Systems Incorporated, 2014. Web. 1 Feb. 2018.

    “Adobe Buying Programs Comparison Guide for Commercial and Government Organizations.” Adobe Systems Incorporated, 2018. Web.

    “Adobe Buying Programs Comparison Guide for Education.” Adobe Systems Incorporated, 2018. Web. 1 Feb 2018.

    “Adobe Education Enterprise Agreement: Give your school access to the latest industry-leading creative tools.” Adobe Systems Incorporated, 2014. Web. 1 Feb. 2018.

    “Adobe Enterprise Term License Agreement for commercial and government organizations.” Adobe Systems Incorporated, 2016. Web. 1 Feb. 2018.

    Adobe Investor Presentation – October 2017. Adobe Systems Incorporated, 2017. Web. 1 Feb. 2018.

    Cabral, Amanda. “Students react to end of UConn-Adobe contract.” The Daily Campus (Uconn), 5 April 2017. Web. 1 Feb. 2018.

    de Veer, Patrick and Alecsandra Vintilescu. “Quick Guide to Adobe Licensing.” B-lay, Web. 1 Feb. 2018.

    “Find the best program for your organization.” Adobe, Web. 1 Feb 2018.

    Foxen, David. “Adobe Upgrade Simplified.” Snow Software, 7 Oct. 2016. Web.

    Frazer, Bryant. “Adobe Stops Reporting Subscription Figures for Creative Cloud.” Studio Daily. Access Intelligence, LLC. 17 March 2016. Web.

    “Give your students the power to create bright futures.” Adobe, Web. 1 Feb 2018.

    Jones, Noah. “Adobe changes subscription prices, colleges forced to pay more.” BG Falcon Media. Bowling Green State University, 18 Feb. 2015. Web. 1 Feb. 2018.

    Mansfield, Adam. “Is Your Organization Prepared for Adobe’s Enterprise Term License Agreements (ETLA)?” UpperEdge,30 April 2013. Web. 1 Feb. 2018.

    Murray, Corey. “6 Things Every School Should Know About Adobe’s Move to Creative Cloud.” EdTech: Focus on K-12. CDW LLC, 10 June 2013. Web.

    “Navigating an Adobe Software Audit: Tips for Emerging Unscathed.” Nitro, Web. 1 Feb. 2018.

    Razavi, Omid. “Challenges of Traditional Software Companies Transitioning to SaaS.” Sand Hill, 12 May 2015. Web. 1 Feb. 2018.

    Rivard, Ry. “Confusion in the Cloud.” Inside Higher Ed. 22 May 2013. Web. 1 Feb. 2018.

    Sharwood, Simon. “Adobe stops software licence audits in Americas, Europe.” The Register. Situation Publishing. 12 Aug. 2016. Web. 1 Feb. 2018.

    “Software Licensing Challenges Faced In The Cloud: How Can The Cloud Benefit You?” The ITAM Review. Enterprise Opinions Limited. 20 Nov. 2015. Web.

    White, Stephen. “Understanding the Impacts of Adobe’s Cloud Strategy and Subscriptions Before Negotiating an ETLA.” Gartner, 22 Feb. 2016. Web.

    Implement a Social Media Program

    • Buy Link or Shortcode: {j2store}560|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Marketing Solutions
    • Parent Category Link: /marketing-solutions
    • IT is being caught in the middle of various business units, all separately attempting to create, staff, implement, and instrument a social media program.
    • Requests for procuring social media tools and integrating with CRM systems are coming from all directions, with no central authority governing a social media program or coordinating business goals.
    • Public Relations and Corporate Communications groups have been acting as the first level of response to social media channels since the company’s first Twitter account went live, but the volume of inquiries received through social channels has become too great for these groups to continue in a first responder role.

    Our Advice

    Critical Insight

    • Social media immaturity is an opportunity for IT leadership. As with so many of the “next new things,” IT has an opportunity to help the business understand social media technologies, trends, and risks, and coordinate efforts to approach social media as a united company.
    • Social media maturity must reach the Social Media Steering Committee stage before major investments in technology can proceed. As with all business initiatives, technology automation decisions cannot be made without respect to organizational and process maturity. Social media strategy stakeholders must join together and form a steering committee to create policies and procedures, govern strategy, develop workflows, and facilitate technology selection processes. IT not only belongs on such a steering committee, but it can also be instrumental in the formation of it.
    • Info-Tech’s research repeatedly indicates that the greatest return from social media investments is in the customer service domain, by reacting to incoming social inquiries and proactively listening to social conversations for product and service inquiry opportunities. This means CRM integration is essential to long-term social media program success.

    Impact and Result

    • Assess your organization’s social maturity to know where to begin and where to go in implementation of a social media program.
    • Form a social media steering committee to bring order to chaos among different business units.
    • Develop comprehensive workflows to categorize and prioritize inquiries, and then route them to the appropriate part of the business for resolution.
    • Consider creating one or more physical social media command centers to process large volumes of social inquiries more efficiently and monitor real-time social media metrics to improve critical response times.

    Implement a Social Media Program Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Assess your organization's social maturity

    Know where to begin and where to go in implementation of a social media program.

    • Storyboard: Implement a Social Media Program
    • Social Media Maturity Assessment Tool

    2. Form a social media steering committee

    Bring order to chaos among different business units.

    • Social Media Steering Committee Charter Template
    • Social Media Acceptable Use Policy
    • Blogging and Microblogging Guidelines Template

    3. Consider creating one or more physical social media command centers

    Process large volumes of social inquiries more efficiently, and monitor real-time social media metrics to improve critical response times.

    • Social Media Representative
    • Social Media Manager
    [infographic]

    Build an IT Risk Taxonomy

    • Buy Link or Shortcode: {j2store}197|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: IT Governance, Risk & Compliance
    • Parent Category Link: /it-governance-risk-and-compliance
    • Business leaders, driven by the need to make more risk-informed decisions, are putting pressure on IT to provide more timely and consistent risk reporting.
    • IT risk managers need to balance the emerging threat landscape with not losing sight of the risks of today.
    • IT needs to strengthen IT controls and anticipate risks in an age of disruption.

    Our Advice

    Critical Insight

    A common understanding of risks, threats, and opportunities gives organizations the flexibility and agility to adapt to changing business conditions and drive corporate value.

    Impact and Result

    • Use this blueprint as a baseline to build a customized IT risk taxonomy suitable for your organization.
    • Learn about the role and drivers of integrated risk management and the benefits it brings to enterprise decision-makers.
    • Discover how to set up your organization up for success by understanding how risk management links to organizational strategy and corporate performance.

    Build an IT Risk Taxonomy Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build an IT Risk Taxonomy – Develop a common approach to managing risks to enable faster, more effective decision making.

    Learn how to develop an IT risk taxonomy that will remain relevant over time while providing the granularity and clarity needed to make more effective risk-based decisions.

    • Build an IT Risk Taxonomy – Phases 1-3

    2. Build an IT Risk Taxonomy Guideline and Template – A set of tools to customize and design an IT risk taxonomy suitable for your organization.

    Leverage these tools as a starting point to develop risk levels and definitions appropriate to your organization. Take a collaborative approach when developing your IT risk taxonomy to gain greater acceptance and understanding of accountability.

    • IT Risk Taxonomy Committee Charter Template
    • Build an IT Risk Taxonomy Guideline
    • Build an IT Risk Taxonomy Definitions
    • Build an IT Risk Taxonomy Design Template

    3. IT Risk Taxonomy Workbook – A place to complete activities and document decisions that may need to be communicated.

    Use this workbook to document outcomes of activities and brainstorming sessions.

    • Build an IT Risk Taxonomy Workbook

    4. IT Risk Register – An internal control tool used to manage IT risks. Risk levels archived in this tool are instrumental to achieving an integrated and holistic view of risks across an organization.

    Leverage this tool to document risk levels, risk events, and controls. Smaller organizations can leverage this tool for risk management while larger organizations may find this tool useful to structure and define risks prior to using a risk management software tool.

    • Risk Register Tool

    Infographic

    Workshop: Build an IT Risk Taxonomy

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Review IT Risk Fundamentals and Governance

    The Purpose

    Review IT risk fundamentals and governance.

    Key Benefits Achieved

    Learn how enterprise risk management and IT risk management intersect and the role the IT taxonomy plays in integrated risk management.

    Activities

    1.1 Discuss risk fundamentals and the benefits of integrated risk.

    1.2 Create a cross-functional IT taxonomy working group.

    Outputs

    IT Risk Taxonomy Committee Charter Template

    Build an IT Risk Taxonomy Workbook

    2 Identify Level 1 Risk Types

    The Purpose

    Identify suitable IT level 1 risk types.

    Key Benefits Achieved

    Level 1 IT risk types are determined and have been tested against ERM level one risk types.

    Activities

    2.1 Discuss corporate strategy, business risks, macro trends, and organizational opportunities and constraints.

    2.2 Establish level 1 risk types.

    2.3 Test soundness of IT level 1 types by mapping to ERM level 1 types.

    Outputs

    Build an IT Risk Taxonomy Workbook

    3 Identify Level 2 and Level 3 Risk Types

    The Purpose

    Define level 2 and level 3 risk types.

    Key Benefits Achieved

    Level 2 and level 3 risk types have been determined.

    Activities

    3.1 Establish level 2 risk types.

    3.2 Establish level 3 risk types (and level 4 if appropriate for your organization).

    3.3 Begin to test by working backward from controls to ensure risk events will aggregate consistently.

    Outputs

    Build an IT Risk Taxonomy Design Template

    Risk Register Tool

    4 Monitor, Report, and Respond to IT Risk

    The Purpose

    Test the robustness of your IT risk taxonomy by populating the risk register with risk events and controls.

    Key Benefits Achieved

    Your IT risk taxonomy has been tested and your risk register has been updated.

    Activities

    4.1 Continue to test robustness of taxonomy and iterate if necessary.

    4.2 Optional activity: Draft your IT risk appetite statements.

    4.3 Discuss communication and continual improvement plan.

    Outputs

    Build an IT Risk Taxonomy Design Template

    Risk Register Tool

    Build an IT Risk Taxonomy Workbook

    Further reading

    Build an IT Risk Taxonomy

    If integrated risk is your destination, your IT risk taxonomy is the road to get you there.

    Analyst Perspective

    Donna Bales.

    The pace and uncertainty of the current business environment introduce new and emerging vulnerabilities that can disrupt an organization’s strategy on short notice.

    Having a long-term view of risk while navigating the short term requires discipline and a robust and strategic approach to risk management.

    Managing emerging risks such as climate risk, the impact of digital disruption on internal technology, and the greater use of third parties will require IT leaders to be more disciplined in how they manage and communicate material risks to the enterprise.

    Establishing a hierarchical common language of IT risks through a taxonomy will facilitate true aggregation and integration of risks, enabling more effective decision making. This holistic, disciplined approach to risk management helps to promote a more sustainable risk culture across the organization while adding greater rigor at the IT control level.

    Donna Bales
    Principal Research Director
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Common Obstacles

    Info-Tech’s Approach

    IT has several challenges when managing and responding to risk events:

    • Business leaders, driven by the need to make more risk-informed decisions, are putting pressure on IT to provide more timely and consistent risk reporting.
    • Navigating today’s ever-evolving threat landscape is complex. IT risk managers need to balance the emerging threat landscape while not losing sight of the risks of today.
    • IT needs to strengthen IT controls and anticipate risks in an age of disruption.

    Many IT organizations encounter obstacles in these areas:

    • Ensuring an integrated, well-coordinated approach to risk management across the organization.
    • Developing an IT risk taxonomy that will remain relevant over time while providing sufficient granularity and definitional clarity.
    • Gaining acceptance and ensuring understanding of accountability. Involving business leaders and a wide variety of risk owners when developing your IT risk taxonomy will lead to greater organizational acceptance.

    .

    • Take a collaborative approach when developing your IT risk taxonomy to gain greater acceptance and understanding of accountability.
    • Spend the time to fully analyze your current and future threat landscape when defining your level 1 IT risks and consider the causal impact and complex linkages and intersections.
    • Recognize that the threat landscape will continue to evolve and that your IT risk taxonomy is a living document that must be continually reviewed and strengthened.

    Info-Tech Insight

    A common understanding of risks, threats, and opportunities gives organizations the flexibility and agility to adapt to changing business conditions and drive corporate value.

    Increasing threat landscape

    The risk landscape is continually evolving, putting greater pressure on the risk function to work collaboratively throughout the organization to strengthen operational resilience and minimize strategic, financial, and reputational impact.

    Financial Impact

    Strategic Risk

    Reputation Risk

    In IBM’s 2021 Cost of a Data Breach Report, the Ponemon Institute found that data security breaches now cost companies $4.24 million per incident on average – the highest cost in the 17-year history of the report.

    58% percent of CROs who view inability to manage cyber risks as a top strategic risk.

    EY’s 2022 Global Bank Risk Management survey revealed that Chief Risk Officers (CROs) view the inability to manage cyber risk and the inability to manage cloud and data risk as the top strategic risks.

    Protiviti’s 2023 Executive Perspectives on Top Risks survey featured operational resilience within its top ten risks. An organization’s failure to be sufficiently resilient or agile in a crisis can significantly impact operations and reputation.

    Persistent and emerging threats

    Organizations should not underestimate the long-term impact on corporate performance if emerging risks are not fully understood, controlled, and embedded into decision-making.

    Talent Risk

    Sustainability

    Digital Disruption

    Protiviti’s 2023 Executive Perspectives on Top Risks survey revealed talent risk as the top risk organizations face, specifically organizations’ ability to attract and retain top talent. Of the 38 risks in the survey, it was the only risk issue rated at a “significant impact” level.

    Sustainability is at the top of the risk agenda for many organizations. In EY’s 2022 Global Bank Risk Management survey, environmental, social, and governance (ESG) risks were identified as a risk focus area, with 84% anticipating it to increase in priority over the next three years. Yet Info-Tech’s Tech Trends 2023 report revealed that only 24% of organizations could accurately report on their carbon footprint.

    Source: Info-Tech 2023 Tech Trends Report

    The risks related to digital disruption are vast and evolving. In the short term, risks surface in compliance and skills shortage, but Protiviti’s 2023 Executive Perspectives survey shows that in the longer term, executives are concerned that the speed of change and market forces may outpace an organization’s ability to compete.

    Build an IT risk taxonomy: As technology and digitization continue to advance, risk management practices must also mature. To strengthen operational and financial resiliency, it is essential that organizations move away from a siloed approach to IT risk management wart an integrated approach. Without a common IT risk taxonomy, effective risk assessment and aggregation at the enterprise level is not possible.

    Blueprint benefits

    IT Benefits

    Business Benefits

    • Simple, customizable approach to build an IT risk taxonomy
    • Improved satisfaction with IT for senior leadership and business units
    • Greater ability to respond to evolving threats
    • Improved understanding of IT’s role in enterprise risk management (ERM)
    • Stronger, more reliable internal control framework
    • Reduced operational surprises and failures
    • More dynamic decision making
    • More proactive risk responses
    • Improve transparency and comparability of risks across silos
    • Better financial resilience and confidence in meeting regulatory requirements
    • More relevant risk assurance for key stakeholders

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    IT Risk Taxonomy Committee Charter Template

    Create a cross-functional IT risk taxonomy committee.

    		The image contains a screenshot of the IT risk taxonomy committee charter template.

    Build an IT Risk Taxonomy Guideline

    Use IT risk taxonomy as a baseline to build your organization’s approach.

    		The image contains a screenshot of the build an it risk taxonomy guideline.

    Build an IT Risk Taxonomy Design Template

    Use this template to design and test your taxonomy.

    		The image contains a screenshot of the build an IT risk taxonomy design template.

    Risk Register Tool

    Update your risk register with your IT risk taxonomy.

    		The image contains a screenshot of the risk register tool.

    Key deliverable:

    Build an IT Risk Taxonomy Workbook

    Use the tools and activities in each phase of the blueprint to customize your IT risk taxonomy to suit your organization’s needs.

    The image contains a screenshot of the build an IT risk taxonomy workbook.

    Benefit from industry-leading best practices

    As a part of our research process, we used the COSO, ISO 31000, and COBIT 2019 frameworks. Contextualizing IT risk management within these frameworks ensures that our project-focused approach is grounded in industry-leading best practices for managing IT risk.

    COSO’s Enterprise Risk Management —Integrating with Strategy and Performance addresses the evolution of enterprise risk management and the need for organizations to improve their approach to managing risk to meet the demands of an evolving business environment.

    ISO 31000 – Risk Management can help organizations increase the likelihood of achieving objectives, improve the identification of opportunities and threats, and effectively allocate and use resources for risk treatment.

    COBIT 2019’s IT functions were used to develop and refine the ten IT risk categories used in our top-down risk identification methodology.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    Phase 1 Phase 2 Phase 3

    Call #1: Review risk management fundamentals.

    Call #2: Review the role of an IT risk taxonomy in risk management.

    Call #3: Establish a cross-functional team.

    Calls #4-5: Identify level 1 IT risk types. Test against enterprise risk management.

    Call #6: Identify level 2 and level 3 risk types.

    Call #7: Align risk events and controls to level 3 risk types and test.

    Call #8: Update your risk register and communicate taxonomy internally.

    A Guided Implementation (GI) is a series

    of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is 6 to 8 calls over the course of 3 to 6 months.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Day 1 Day 2 Day 3 Day 4 Day 5

    Review IT Risk Fundamentals and Governance

    Identify Level 1 IT Risk Types

    Identify Level 2 and Level 3 Risk Types

    Monitor, Report, and Respond to IT Risk

    Next Steps and
    Wrap-Up (offsite)

    Activities

    1.1 Discuss risk fundamentals and the benefits of integrated risk.

    1.2 Create a cross-functional IT taxonomy working group.

    2.1 Discuss corporate strategy, business risks, macro trends, and organizational opportunities and constraints.

    2.2 Establish level 1 risk types.

    2.3 Test soundness of IT level 1 types by mapping to ERM level 1 types.

    3.1 Establish level 2 risk types.

    3.2 Establish level 3 risk types (and level 4 if appropriate for your organization).

    3.3 Begin to test by working backward from controls to ensure risk events will aggregate consistently.

    4.1 Continue to test robustness of taxonomy and iterate if necessary.

    4.2 Optional activity: Draft your IT risk appetite statements.

    4.3 Discuss communication and continual improvement plan.

    5.1 Complete in-progress deliverables from previous four days.

    5.2 Set up review time for workshop deliverables and to discuss next steps.

    Deliverables
    1. T Risk Taxonomy Committee Charter Template
    2. Build an IT Risk Taxonomy Workbook
    1. Build an IT Risk Taxonomy Workbook
    1. IT Risk Taxonomy Design Template
    2. Risk Register
    1. IT Risk Taxonomy Design Template
    2. Risk Register
    3. Build an IT Risk Taxonomy Workbook
    1. Workshop Report

    Phase 1

    Understand Risk Management Fundamentals

    Phase 1

    Phase 2

    Phase 3

    • Governance, Risk, and Compliance
    • Enterprise Risk Management
    • Enterprise Risk Appetite
    • Risk Statements and Scenarios
    • What Is a Risk Taxonomy?
    • Functional Role of an IT Risk Taxonomy
    • Connection to Enterprise Risk Management
    • Establish Committee
    • Steps to Define IT Risk Taxonomy
    • Define Level 1
    • Test Level 1
    • Define Level 2 and 3
    • Test via Your Control Framework

    Governance, risk, and compliance (GRC)

    Risk management is one component of an organization’s GRC function.

    GRC principles are important tools to support enterprise management.

    Governance sets the guardrails to ensure that the enterprise is in alignment with standards, regulations, and board decisions. A governance framework will communicate rules and expectations throughout the organization and monitor adherence.

    Risk management is how the organization protects and creates enterprise value. It is an integral part of an organization’s processes and enables a structured decision-making approach.

    Compliance is the process of adhering to a set of guidelines; these could be external regulations and guidelines or internal corporate policies.

    GRC principles are tightly bound and continuous

    The image contains a screenshot of a continuous circle that is divided into three parts: risk, compliance, and governance.

    Enterprise risk management

    Regardless of size or structure, every organization makes strategic and operational decisions that expose it to uncertainties.

    Enterprise risk management (ERM) is a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio (RIMS).

    An ERM is program is crucial because it will:

    • Help shape business objectives, drive revenue growth, and execute risk-based decisions.
    • Enable a deeper understanding of risks and assessment of current risk profile.
    • Support forward-looking risk management and more constructive dialogue with the board and regulatory agencies.
    • Provide insight on the robustness and efficacy of risk management processes, tools, and controls.
    • Drive a positive risk culture.

    ERM is supported by strategy, effective processes, technology, and people

    The image contains a screenshot that demonstrates how ERM is supported by strategy, effective processes, technology, and people.

    Risk frameworks

    Risk frameworks are leveraged by the industry to “provide a structure and set of definitions to allow enterprises of all types and sizes to understand and better manage their risk environments.” COSO Enterprise Risk Management, 2nd edition

    • Many organizations lean on the Committee of Sponsoring Organizations’ Enterprise Risk Management framework (COSO ERM) and ISO 31000 to view organizational risks from an enterprise perspective.
    • Prior to the introduction of standardized risk frameworks, it was difficult to quantify the impact of a risk event on the entire enterprise, as the risk was viewed in a silo or as an individual risk component.
    • Recently, the National Institute of Science and Technology (NIST) published guidance on developing an enterprise risk management approach. The guidance helps to bridge the gap between best practices in enterprise risk management and processes and control techniques that cybersecurity professionals use to meet regulatory cybersecurity risk requirements.

    The image contains a screenshot of NIST ERM approach to strategic risk.

    Source: National Institute of Standards and Technology

    New NIST guidance (NISTIR 8286) emphasizes the complexity of risk management and the need for the risk management process to be carried out seamlessly across three tiers with the overall objective of continuous improvement.

    Enterprise risk appetite

    “The amount of risk an organization is willing to take in pursuit of its objectives”

    – Robert R. Moeller, COSO ERM Framework Model
    • A primary role of the board and senior management is to balance value creation with effectively management of enterprise risks.
    • As part of this role, the board will approve the enterprise’s risk appetite. Placing this responsibility with the board ensures that the risk appetite is aligned with the company’s strategic objectives.
    • The risk appetite is used throughout the organization to assess and respond to individual risks, acting as a constant to make sure that risks are managed within the organization’s acceptable limits.
    • Each year, or in reaction to a risk trigger, the enterprise risk appetite will be updated and approved by the board.
    • Risk appetite will vary across organizations for several reasons, such as industry, company culture, competitors, the nature of the objectives pursued, and financial strength.

    Change or new risks » adjust enterprise risk profile » adjust risk appetite

    Risk profile vs. risk appetite

    Risk profile is the broad parameters an organization considers in executing its business strategy. Risk appetite is the amount of risk an entity is willing to accept in pursuit of its strategic objectives. The risk appetite can be used to inform the risk profile or vice versa. Your organization’s risk culture informs and is used to communicate both.

    Risk Tolerant

    Moderate

    Risk Averse

    • You have no compliance requirements.
    • You have no sensitive data.
    • Customers do not expect you to have strong security controls.
    • Revenue generation and innovative products take priority and risk is acceptable.
    • The organization does not have remote locations.
    • It is likely that your organization does not operate within the following industries:
      • Finance
      • Healthcare
      • Telecom
      • Government
      • Research
      • Education
    • You have some compliance requirements, such as:
      • HIPAA
      • PIPEDA
    • You have sensitive data and are required to retain records.
    • Customers expect strong security controls.
    • Information security is visible to senior leadership.
    • The organization has some remote locations.
    • Your organization most likely operates within the following industries:
      • Government
      • Research
      • Education
    • You have multiple strict compliance and/or regulatory requirements.
    • You house sensitive data, such as medical records.
    • Customers expect your organization to maintain strong and current security controls.
    • Information security is highly visible to senior management and public investors.
    • The organization has multiple remote locations.
    • Your organization operates within the following industries:
      • Finance
      • Healthcare
      • Telecom

    Where the IT risk appetite fits into the risk program

    • Your organization’s strategy and associated risk appetite cascade down to each business department. Overall strategy and risk appetite also set a strategy and risk appetite for each department.
    • Both risk appetite and risk tolerances set boundaries for how much risk an organization is willing or prepared to take. However, while appetite is often broad, tolerance is tactical and focused.
    • Tolerances apply to specific objectives and provide guidance to those executing on a day-to-day basis. They measure the variation around performance expectations that the organization will tolerate.
    • Ideally, they are incorporated into existing governance, risk, and compliance systems and are also considered when evaluated business cases.
    • IT risk appetite statements are based on IT level 1 risk types.

    The risk appetite has a risk lens but is also closely linked to corporate performance.

    The image contains a screenshot of a diagram that demonstrates how risk appetite has a risk lens, and how it is linked to corporate performance.

    Statements of risk

    The image contains a screenshot of a diagram of the risk landscape.

    Risk Appetite

    Risk Tolerance

    • The general amount of risk an organization is willing to accept while pursuing its objectives.
    • Proactive, future view of risks that reflects the desired range of enterprise performance.
    • Reflects the longer-term strategy of what needs to be achieved and the resources available to achieve it, expressed in quantitative criteria.
    • Risk appetites will vary for several reasons, such as the company culture, financial strength, and capabilities.
    • Risk tolerance is the acceptable deviation from the level set by the risk appetite.
    • Risk tolerance is a tactical tool often expressed in quantitative terms.
    • Key risk indicators are often used to align to risk tolerance limits to ensure the organization stays within the set risk boundary.

    Risk scenarios

    Risk scenarios serve two main purposes: to help decision makers understand how adverse events can affect organizational strategy and objectives and to prepare a framework for risk analysis by clearly defining and decomposing the factors contributing to the frequency and the magnitude of adverse events.

    ISACA
    • Organizations’ pervasive use of and dependency on technology has increased the importance of scenario analysis to identify relevant and important risks and the potential impacts of risk events on the organization if the risk event were to occur.
    • Risk scenarios provide “what if” analysis through a structured approach, which can help to define controls and document assumptions.
    • They form a constructive narrative and help to communicate a story by bringing in business context.
    • For the best outcome, have input from business and IT stakeholders. However, in reality, risk scenarios are usually driven by IT through the asset management practice.
    • Once the scenarios are developed, they are used during the risk analysis phase, in which frequency and business impacts are estimated. They are also a useful tool to help the risk team (and IT) communicate and explain risks to various business stakeholders.

    Top-down approach – driven by the business by determining the business impact, i.e. what is the impact on my customers, reputation, and bottom line if the system that supports payment processing fails?

    Bottom-up approach – driven by IT by identifying critical assets and what harm could happen if they were to fail.

    Example risk scenario

    Use level 1 IT risks to derive potential scenarios.

    Risk Scenario Description

    Example: IT Risks

    Risk Scenario Title

    A brief description of the risk scenario

    The enterprise is unable to recruit and retain IT staff

    Risk Type

    The process or system that is impacted by the risk

    • Service quality
    • Product and service cost

    Risk Scenario Category

    Deeper insight into how the risk might impact business functions

    • Inadequate capacity to support business needs
    • Talent and skills gap due to inability to retain talent

    Risk Statement

    Used to communicate the potential adverse outcomes of a particular risk event and can be used to communicate to stakeholders to enable informed decisions

    The organization chronically fails to recruit sufficiently skilled IT workers, leading to a loss of efficiency in overall technology operation and an increased security exposure.

    Risk Owner

    The designated party responsible and accountable for ensuring that the risk is maintained in accordance with enterprise requirements

    • Head of Human Resources
    • Business Process Owner

    Risk Oversight

    The person (role) who is responsible for risk assessments, monitoring, documenting risk response, and establishing key risk indicators

    CRO/COO

    Phase 2

    Set Your Organization Up for Success

    Phase 1

    Phase 2

    Phase 3

    • Governance, Risk, and Compliance
    • Enterprise Risk Management
    • Enterprise Risk Appetite
    • Risk Statements and Scenarios
    • What Is a Risk Taxonomy?
    • Functional Role of an IT Risk Taxonomy
    • Connection to Enterprise Risk Management
    • Establish Committee
    • Steps to Define IT Risk Taxonomy
    • Define Level 1
    • Test Level 1
    • Define Level 2 and 3
    • Test via Your Control Framework

    This phase will walk you through the following activities:

    • How to set up a cross-functional IT risk taxonomy committee

    This phase involves the following participants:

    • CIO
    • CISO
    • CRO
    • IT Risk Owners
    • Business Leaders
    • Human Resources

    What is a risk taxonomy?

    A risk taxonomy provides a common risk view and enables integrated risk

    • A risk taxonomy is the (typically hierarchical) categorization of risk types. It is constructed out of a collection of risk types organized by a classification scheme.
    • Its purpose is to assist with the management of an organization’s risk by arranging risks in a classification scheme.
    • It provides foundational support across the risk management lifecycle in relation to each of the key risks.
    • More material risk categories form the root nodes of the taxonomy, and risk types cascade into more granular manifestations (child nodes).
    • From a risk management perspective, a taxonomy will:
      • Enable more effective risk aggregation and interoperability.
      • Provide the organization with a complete view of risks and how risks might be interconnected or concentrated.
      • Help organizations form a robust control framework.
      • Give risk managers a structure to manage risks proactively.

    Typical Tree Structure

    The image contains a screenshot of the Typical Tree Structure.

    What is integrated risk management?

    • Integrated risk management is the process of ensuring all forms of risk information, including risk related to information and technology, are considered and included in the organization’s risk management strategy.
    • It removes the siloed approach of classifying risks related to specific departments or areas of the organization, recognizing that each risk is a potential threat to the overarching enterprise.
    • By aggregating the different threats or uncertainty that might exist within an organization, integrated risk management enables more informed decisions to be made that align to strategic goals and continue to drive value back to the business.
    • By holistically considering the different risks, the organization can make informed decisions on the best course of action that will reduce any negative impacts associated with the uncertainty and increase the overall value.

    The image contains a screenshot of the ERM.

    Integrated risk management: A strategic and collaborative way to manage risks across the organization. It is a forward-looking, business-specific outlook with the objective of improving risk visibility and culture.

    Drivers and benefits of integrated risk

    Drivers for Integrated Risk Management

    • Business shift to digital experiences
    • The breadth and number of risks requiring oversight
    • The need for faster risk analysis and decision making

    Benefits of Integrated Risk Management

    • Enables better scenario planning
    • Enables more proactive risk responses
    • Provides more relevant risk assurance to key stakeholders
    • Improves transparency and comparability of risks across organizational silos
    • Supports better financial resilience

    Business velocity and complexity are making real-time risk management a business necessity.

    If integrated risk is the destination, your taxonomy is your road to get you there

    Info-Tech’s Model for Integrated Risk

    The image contains a screenshot of Info-Tech's Model for Integrated Risk.

    How the risk practices intersect

    The risk taxonomy provides a common classification of risks that allows risks to roll up systematically to enterprise risk, enabling more effective risk responses and more informed decision making.

    The image contains a screenshot of a diagram that demonstrates how the risk practices intersect.

    ERM taxonomy

    Relative to the base event types, overall there is an increase in the number of level 1 risk types in risk taxonomies

    Oliver Wyman
    • The changing risk profile of organizations and regulatory focus in some industries is pushing organizations to rethink their risk taxonomies.
    • Generally, the expansion of level 1 risk types is due to the increase in risk themes under the operational risk umbrella.
    • Non-financial risks are risks that are not considered to be traditional financial risks, such as operational risk, technology risk, culture, and conduct. Environmental, social, and governance (ESG) risk is often referred to as a non-financial risk, although it can have both financial and non-financial implications.
    • Certain level 1 ERM risks, such as strategic risk, reputational risk, and ESG risk, cover both financial and non-financial risks.

    The image contains a screenshot of a diagram of the Traditional ERM Structure.

    Operational resilience

    • The concept of operational resiliency was first introduced by European Central Bank (ECB) in 2018 as an attempt to corral supervisory cooperation on operational resiliency in financial services.
    • The necessity for stronger operational resiliency became clear during the early stages of COVID-19 when many organizations were not prepared for disruption, leading to serious concern for the safety and soundness of the financial system.
    • It has gained traction and is now defined in global supervisory guidance. Canada’s prudential regulator, Office of the Superintendent of Financial Institutions (OSFI), defines it as “the ability of a financial institution to deliver its operations, including its critical operations, through disruption.”
    • Practically, its purpose is to knit together several operational risk management categories such as business continuity, security, and third-party risk.
    • The concept has been adopted by information and communication technology (ICT) companies, as technology and cyber risks sit neatly under this risk type.
    • It is now not uncommon to see operational resiliency as a level 1 risk type in a financial institution’s ERM framework.

    Operational resilience will often feature in ERM frameworks in organizations that deliver critical services, products, or functions, such as financial services

    Operational Resilience.

    ERM level 1 risk categories

    Although many organizations have expanded their enterprise risk management taxonomies to address new threats, most organizations will have the following level 1 risk types:

    ERM Level 1

    Definition

    Definition Source

    Financial

    The ability to obtain sufficient and timely funding capacity.

    Global Association of Risk Professionals (GARP)

    Non-Financial

    Non-financial risks are risks that are not considered to be traditional financial risks such as operational risk, technology risk, culture and conduct.

    Office of the Superintendent of Financial Institutions (OSFI)

    Reputational

    Potential negative publicity regarding business practices regardless of validity.

    US Federal Reserve

    Global Association of Risk Professionals (GARP)

    Strategic

    Risk of unsuccessful business performance due to internal or external uncertainties, whether the event is event or trend driven. Actions or events that adversely impact an organizations strategies and/or implementation of its strategies.

    The Risk Management Society (RIMS)

    Sustainability (ESG)

    This risk of any negative financial or reputational impact on an organizations stemming from current or prospective impacts of ESG factors on its counterparties or invested assets.

    Open Risk Manual

    Info-Tech Research Group

    Talent and Risk Culture

    The widespread behaviors and mindsets that can threaten sound decision-making, prudent risk-taking, and effective risk management and can weaken an institution’s financial and operational resilience.

    Info-Tech Research Group

    Different models of ERM

    Some large organizations will elevate certain operational risks to level 1 organizational risks due to risk materiality.

    Every organization will approach its risk management taxonomy differently; the number of level 1 risk types will vary and depend highly on perceived impact.

    Some of the reasons why an organization would elevate a risk to a level 1 ERM risk are:

    • The risk has significant impact on the organization's strategy, reputation, or financial performance.
    • The regulator has explicitly called out board oversight within legislation.
    • It is best practice in the organization’s industry or business sector.
    • The organization has structured its operations around a particular risk theme due to its potential negative impact. For example, the organization may have a dedicated department for data privacy.

    Level 1

    Potential Rationale

    Industries

    Risk Definition

    Advanced Analytics

    Use of advanced analytics is considered material

    Large Enterprise, Marketing

    Risks involved with model risk and emerging risks posed by artificial intelligence/machine learning.

    Anti-Money Laundering (AML) and Fraud

    Risk is viewed as material

    Financial Services, Gaming, Real Estate

    The risk of exposure to financial crime and fraud.

    Conduct Risk

    Sector-specific risk type

    Financial Services

    The current or prospective risk of losses to an institution arising from inappropriate supply of financial services including cases of willful or negligent misconduct.

    Operational Resiliency

    Sector-specific risk type

    Financial Services, ICT

    Organizational risk resulting from an organization’s failure to deliver its operations, including its critical operations, through disruption.

    Privacy

    Board driven – perceived as material risk to organization

    Healthcare, Financial Services

    The potential loss of control over personal information.

    Information Security

    Board driven – regulatory focus

    All may consider

    The people, processes, and technology involved in protecting data (information) in any form – whether digital or on paper – through its creation, storage, transmission, exchange, and destruction.

    Risk and impact

    Mapping risks to business outcomes happens within the ERM function and by enterprise fiduciaries.

    • When mapping risk events to enterprise risk types, the relationship is rarely linear. Rather, risk events typically will have multiple impacts on the enterprise, including strategic, reputational, ESG, and financial impacts.
    • As risk information is transmitted from lower levels, it informs the next level, providing the appropriate information to prioritize risk.
    • In the final stage, the enterprise portfolio view will reflect the enterprise impacts according to risk dimensions, such as strategic, operational, reporting, and compliance.

    Rolling Up Risks to a Portfolio View

    The image contains a screenshot to demonstrate rolling up risks to a portfolio view.

    1. A risk event within IT will roll up to the enterprise via the IT risk register.
    2. The impact of the risk on cash flow and operations will be aggregated and allocated in the enterprise risk register by enterprise fiduciaries (e.g. CFO).
    3. The impacts are translated into full value exposures or modified impact and likelihood assessments.

    Common challenges

    How to synthesize different objectives between IT risk and enterprise risk

    Commingling risk data is a major challenge when developing a risk taxonomy, but one of the underlying reasons is that the enterprise and IT look at risk from different dimensions.

    • The role of the enterprise in risk management is to provide and preserve value, and therefore the enterprise evaluates risk on an adjusted risk-return basis.
    • To do this effectively, the enterprise must break down silos and view risk holistically.
    • ERM is a top-down process of evaluating risks that may impact the entity. As part of the process, ERM must manage risks within the enterprise risk framework and provide reasonable assurances that enterprise objectives will be met.
    • IT risk management focuses on internal controls and sits as a function within the larger enterprise.
    • IT takes a bottom-up approach by applying an ongoing process of risk management and constantly identifying, assessing, prioritizing, and mitigating risks.
    • IT has a central role in risk mitigation and, if functioning well, will continually reduce IT risks, simplifying the role for ERM.

    Establish a team

    Cross-functional collaboration is key to defining level 1 risk types.

    Establish a cross-functional working group.

    • Level 1 IT risk types are the most important to get right because they are the root nodes that all subtypes of risk cascade from.
    • To ensure the root nodes (level 1 risk types) address the risks of your organization, it is vital to have a strong understanding or your organization’s value chain, so your organizational strategy is a key input for defining your IT level 1 risk types.
    • Since the taxonomy provides the method for communicating risks to the people who need to make decisions, a wide understanding and acceptance of the taxonomy is essential. This means that multiple people across your organization should be involved in defining the taxonomy.
    • Form a cross-functional tactical team to collaborate and agree on definitions. The team should include subject matter experts and leaders in key risk and business areas. In terms of governance structure, this committee might sit underneath the enterprise risk council, and members of your IT risk council may also be good candidates for this tactical working group.
    • The committee would be responsible for defining the taxonomy as well as performing regular reviews.
    • The importance of collaboration will become crystal clear as you begin this work, as risks should be connected to only one risk type.

    Governance Layer

    Role/ Responsibilities

    Enterprise

    Defines organizational goals. Directs or regulates the performance and behavior of the enterprise, ensuring it has the structure and capabilities to achieve its goals.

    Enterprise Risk Council

    • Approve of risk taxonomy

    Strategic

    Ensures business and IT initiatives, products, and services are aligned to the organization’s goals and strategy and provide expected value. Ensures adherence to key principles.

    IT Risk Council

    • Provide input
    • May review taxonomy ahead of going to the enterprise risk council for approval

    Tactical

    Ensures key activities and planning are in place to execute strategic initiatives.

    Subcommittee

    • Define risk types and definitions
    • Establish and maintain taxonomy
    • Recommend changes
    • Advocate and communicate internally

    2.1 Establish a cross-functional working group

    2-3 hours

    1. Consider your organization’s operating model and current governance framework, specifically any current risk committees.
    2. Consider the members of current committees and your objectives and begin defining:
      1. Committee mandate, goals, and success factors.
      2. Responsibility and membership.
      3. Committee procedures and policies.
    3. Make sure you define how this tactical working group will interact with existing committees.

    Download Build an IT Risk Taxonomy Workbook

    Input Output
    • Organization chart and operating model
    • Corporate governance framework and existing committee charters
    • Cross-functional working group charter
    Materials Participants
    • Whiteboard/flip charts
    • Build an IT Risk Taxonomy Workbook
    • IT Taxonomy Committee Charter
    • CISO
    • Human resources
    • Corporate communications
    • CRO or risk owners
    • Business leaders

    Phase 3

    Structure Your IT Risk Taxonomy

    Phase 1

    Phase 2

    Phase 3

    • Governance, Risk, and Compliance
    • Enterprise Risk Management
    • Enterprise Risk Appetite
    • Risk Statements and Scenarios
    • What Is a Risk Taxonomy?
    • Functional Role of an IT Risk Taxonomy
    • Connection to Enterprise Risk Management
    • Establish Committee
    • Steps to Define IT Risk Taxonomy
    • Define Level 1
    • Test Level 1
    • Define Level 2 and 3
    • Test via Your Control Framework

    This phase will walk you through the following activities:

    • Establish level 1 risk types
    • Test level 1 risk types
    • Define level 2 and level 3 risk types
    • Test the taxonomy via your control framework

    This phase involves the following participants:

    • CIO
    • CISO
    • CRO
    • IT Risk Owners
    • Business Leaders
    • Human Resources

    Structuring your IT risk taxonomy

    Do’s

    • Ensure your organization’s values are embedded into the risk types.
    • Design your taxonomy to be forward looking and risk based.
    • Make level 1 risk types generic so they can be used across the organization.
    • Ensure each risk has its own attributes and belongs to only one risk type.
    • Collaborate on and communicate your taxonomy throughout organization.

    Don’ts

    • Don’t develop risk types based on function.
    • Don’t develop your taxonomy in a silo.

    A successful risk taxonomy is forward looking and codifies the most frequently used risk language across your organization.

    Level 1

    Parent risk types aligned to organizational values

    Level 2

    Subrisks to level 1 risks

    Level 3

    Further definition

    Steps to define your IT risk taxonomy

    Step 1

    Leverage Info-Tech’s Build an IT Risk Taxonomy Guideline and identify IT level 1 risk types. Consider corporate inputs and macro trends.

    Step 2

    Test level 1 IT risk types by mapping to your enterprise's ERM level 1 risk types.

    Step 3

    Draft your level 2 and level 3 risk types. Be mutually exclusive to the extent possible.

    Step 4

    Work backward – align risk events and controls to the lowest level risk category. In our examples, we align to level 3.

    Step 5

    Add risk levels to your risk registry.

    Step 6

    Optional – Add IT risk appetite statements to risk register.

    Inputs to use when defining level 1

    To help you define your IT risk taxonomy, leverage your organization’s strategy and risk management artifacts, such as outputs from risk assessments, audits, and test results. Also consider macro trends and potential risks unique to your organization.

    Step 1 – Define Level 1 Risk Types

    Use corporate inputs to help structure your taxonomy

    • Corporate Strategy
    • Risk Assessment
    • Audit
    • Test Results

    Consider macro trends that may have an impact on how you manage IT risks

    • Geopolitical Risk
    • Economic Downturn
    • Regulation
    • Competition
    • Climate Risk
    • Industry Disruption

    Evaluate from an organizational lens

    Ask risk-based questions to help define level 1 IT risks for your organization.

    IT Risk Type

    Example Questions

    Technology

    How reliant is our organization on critical assets for business operations?

    How resilient is the organization to an unexpected crisis?

    How many planned integrations do we have (over the next 24 months)?

    Talent Risk

    What is our need for specialized skills, like digital, AI, etc.?

    Does our culture support change and innovation?

    How susceptible is our organization to labor market changes?

    Strategy

    What is the extent of digital adoption or use of emerging technologies in our organization?

    How aligned is IT with strategy/corporate goals?

    How much is our business dependent on changing customer preferences?

    Data

    How much sensitive data does our organization use?

    How much data is used and stored aggregately?

    How often is data moved? And to what locations?

    Third-party

    How many third-party suppliers do we have?

    How reliant are we on the global supply chain?

    What is the maturity level of our third-party suppliers?

    Do we have any concentration risk?

    Security

    How equipped is our organization to manage cyber threats?

    How many security incidents occur per year/quarter/day?

    Do we have regulatory obligations? Is there risk of enforcement action?

    Level 1 IT taxonomy structure

    Step 2 – Consider your organization’s strategy and areas where risks may manifest and use this guidance to advance your thinking. Many factors may influence your taxonomy structure, including internal organizational structure, the size of your organization, industry trends and organizational context, etc.

    Most IT organizations will include these level 1 risks in their IT risk taxonomy

    IT Level 1

    Definition

    Definition Source

    Technology

    Risk arising from the inadequacy, disruption, destruction, failure, damage from unauthorized access modifications, or malicious use of information technology assets, people or processes that enable and support business needs, and can result in financial loss and/or reputational damage.

    Open Risk Manual

    Note how this definition by OSFI includes cyber risk as part of technology risk. Smaller organizations and organizations that do not use large amounts of sensitive information will typically fold cyber risks under technology risks. Not all organizations will take this approach. Some organizations may elevate security risk to level 1.

    “Technology risk”, which includes “cyber risk”, refers to the risk arising from the inadequacy, disruption, destruction, failure, damage from unauthorized access, modifications, or malicious use of information technology assets, people or processes that enable and support business needs, and can result in financial loss and/or reputational damage.

    Office of the Superintendent of Financial Institutions (OSFI)

    Talent

    The risk of not having the right knowledge and skills to execute strategy.

    Info-Tech Research Group/McLean & Company

    Human capital challenges including succession challenges and the ability to attract and retain top talent are considered the most dominant risk to organizations’ ability to meet their value proposition (Protiviti, 2023).

    Strategic

    Risks that threaten IT’s ability to deliver expected business outcomes.

    Info-Tech Research Group

    IT’s role as strategic enabler to the business has never been so vital. With the speed of disruptive innovation, IT must be able to monitor alignment, support opportunities, and manage unexpected crises.

    Level 1 IT taxonomy structure cont'd

    Step 2 – Large and more complex organizations may have more level 1 risk types. Variances in approaches are closely linked to the type of industry and business in which the organization operates as well as how they view and position risks within their organization.

    IT Level 1

    Definition

    Definition Source

    Data

    Data risk is the exposure to loss of value or reputation caused by issues or limitations to an organization’s ability to acquire, store, transform, move, and use its data assets.

    Deloitte

    Data risk encompasses the risk of loss value or reputation resulting from inadequate or failed internal processes, people and systems or from external events impacting on data.

    Australian Prudential Regulation Authority (APRA) CPG 235 -2013)

    Data is increasingly being used for strategic growth initiatives as well as for meeting regulatory requirements. Organizations that use a lot of data or specifically sensitive information will likely have data as a level 1 IT risk type.

    Third-Party

    The risk adversely impacting the institutions performance by engaging a third party, or their associated downstream and upstream partners or another group entity (intragroup outsourcing) to provide IT systems or related services.

    European Banking Association (EBA)

    Open Risk Manual uses EBA definition

    Third-party risk (supply chain risk) received heightened attention during COVID-19. If your IT organization is heavily reliant on third parties, you may want to consider elevating third-party risk to level 1.

    Security

    The risk of unauthorized access to IT systems and data from within or outside the institution (e.g., cyber-attacks). An incident is viewed as a series of events that adversely affects the information assets of an organization. The overall narrative of this type of risk event is captured as who, did what, to what (or whom), with what result.

    Open Risk Manual

    Some organizations and industries are subject to regulatory obligations, which typically means the board has strict oversight and will elevate security risk to a level 1.

    Common challenges

    Considerations when defining level 1 IT risk types

    • Ultimately, the identification of a level 1 IT risk type will be driven by the potential for and materiality of vulnerabilities that may impede an organization from delivering successful business outcomes.
    • Senior leaders within organizations play a central role in protecting organizations against vulnerabilities and threats.
    • The size and structure of your organization will influence how you manage risk.
    • The following slide shows typical roles and responsibilities for data privacy.
    • Large enterprises and organizations that use a lot of personal identifiable information (PII) data, such as those in healthcare, financial services, and online retail, will typically have data as a level 1 IT risk and data privacy as a level 2 risk type.
    • However, smaller organizations or organizations that do not use a lot of data will typically fold data privacy under either technology risk or security risk.

    Deciding placement in taxonomy

    Deciding Placement in Taxonomy.

    • In larger enterprises, data risks are managed within a dedicated functional department with its own governance structure. In small organizations, the CIO is typically responsible and accountable for managing data privacy risk.

    Global Enterprise

    Midmarket

    Privacy Requirement

    What Is Involved

    Accountable

    Responsible

    Accountable & Responsible

    Privacy Legal and Compliance Obligations

    • Ensuring the relevant Accountable roles understand privacy obligations for the jurisdictions operated in.

    Privacy Officer (Legal)

    Privacy Officer (Legal)

    Privacy Policy, Standards, and Governance

    • Defining polices and ensuring they are in place to ensure all privacy obligations are met.
    • Monitoring adherence to those policies and standards.

    Chief Risk Officer (Risk)

    Head of Risk Function

    Data Classification and Security Standards and Best-Practice Capabilities

    • Defining the organization’s data classification and security standards and ensuring they align to the privacy policy.
    • Designing and building the data security standards, processes, roles, and technologies required to ensure all security obligations under the privacy policy can be met.
    • Providing oversight of the effectiveness of data security practices and leading resolution of data security issues/incidents.

    Chief Information Security Officer (IT)

    Chief Information Security Officer (IT)

    Technical Application of Data Classification, Management and Security Standards

    • Ensuring all technology design, implementation, and operational decisions adhere to data classification, data management, and data security standards.

    Chief Information Officer (IT)

    Chief Data Architect (IT)

    Chief Information Officer (IT)

    Data Management Standards and Best-Practice Capabilities

    • Defining the organization’s data management standards and ensuring they align to the privacy policy.
    • Designing and building the data management standards, processes, roles, and technologies required to ensure data classification, access, and sharing obligations under the privacy policy can be met.
    • Providing oversight of the effectiveness of data classification, access, and sharing practices and leading resolution of data management issues/incidents.

    Chief Data Officer

    Where no Head of Data Exists and IT, not the business, is seen as de facto owner of data and data quality

    Execution of Data Management

    • Ensuring business processes that involve data classification, sharing, and access related to their data domain align to data management standards (and therefore privacy obligations).

    L1 Business Process Owner

    L2 Business Process Owner

    Common challenges

    Defining security risk and where it resides in the taxonomy

    • For risk management to be effective, risk professionals need to speak the same language, but the terms “information security,” “cybersecurity,” and “IT security” are often used interchangeably.
    • Traditionally, cyber risk was folded under technology risk and therefore resided at a lower level of a risk taxonomy. However, due to heightened attention from regulators and boards stemming from the pervasiveness of cyber threats, some organizations are elevating security risks to a level 1 IT risk.
    • Furthermore, regulatory cybersecurity requirements have emphasized control frameworks. As such, many organizations have adopted NIST because it is comprehensive, regularly updated, and easily tailored.
    • While NIST is prescriptive and action oriented, it start with controls and does not easily integrate with traditional ERM frameworks. To address this, NIST has published new guidance focused on an enterprise risk management approach. The guidance helps to bridge the gap between best practices in enterprise risk management and processes and control techniques that cybersecurity professionals use to meet regulatory cybersecurity risk requirements.

    Definitional Nuances

    “Cybersecurity” describes the technologies, processes, and practices designed to protect networks, computers, programs, and data from attack, damage, or unauthorized access.

    “IT security” describes a function as well as a method of implementing policies, procedures, and systems to defend the confidentiality, integrity, and availability of any digital information used, transmitted, or stored throughout the organization’s environment.

    “Information security” defines the people, processes, and technology involved in protecting data (information) in any form – whether digital or on paper – through its creation, storage, transmission, exchange, and destruction.

    3.1 Establish level 1 risk types

    2-3 hours

    1. Consider your current and future corporate goals and business initiatives, risk management artifacts, and macro industry trends.
    2. Ask questions to understand risks unique to your organization.
    3. Review Info-Tech’s IT level 1 risk types and identify the risk types that apply to your organization.
    4. Add any risk types that are missing and unique to your organization.
    5. Refine the definitions to suit your organization.
    6. Be mutually exclusive and collectively exhaustive to the extent possible.

    Download Build an IT Risk Taxonomy Workbook

    InputOutput
    • Organization's strategy
    • Other organizational artifacts if available (operating model, outputs from audits and risk assessments, risk profile, and risk appetite)
    • Build an IT Risk Taxonomy Guideline
    • IT Risk Taxonomy Definitions
    • Level 1 IT risk types customized to your organization
    MaterialsParticipants
    • Whiteboard/flip charts
    • Build an IT Risk Taxonomy Workbook
    • CISO
    • Human resources
    • Corporate communications
    • CRO or risk owners
    • Business leaders

    3.2 Map IT risk types against ERM level 1 risk types

    1-2 hours

    1. Using the output from Activity 3.1, map your IT risk types to your ERM level 1 risk types.
    2. Record in the Build an IT Risk Taxonomy Workbook.

    Download Build an IT Risk Taxonomy Workbook

    InputOutput
    • IT level 1 risk types customized to your organization
    • ERM level 1 risk types
    • Final level 1 IT risk types
    MaterialsParticipants
    • Whiteboard/flip charts
    • Build an IT Risk Taxonomy Workbook
    • CISO
    • Human resources
    • Corporate communications
    • CRO or risk owners
    • Business leaders

    Map IT level 1 risk types to ERM

    Test your level 1 IT risk types by mapping to your organization’s level 1 risk types.

    Step 2 – Map IT level 1 risk types to ERM

    The image contains two tables. 1 table is ERM Level 1 Risks, the other table is IT Level 1 Risks.

    3.3 Establishing level 2 and 3 risk types

    3-4 hours

    1. Using the level 1 IT risk types that you have defined and using Info-Tech’s Risk Taxonomy Guideline, first begin to identify level 2 risk types for each level 1 type.
    2. Be mutually exclusive and collectively exhaustive to the extent possible.
    3. Once satisfied with your level 2 risk types, break them down further to level 3 risk types.

    Note: Smaller organizations may only define two risk levels, while larger organizations may define further to level 4.

    Download Build an IT Risk Taxonomy Design Template

    InputOutput
    • Output from Activity 3.1, Establish level 1 risk types
    • Build an IT Risk Taxonomy Workbook
    • Build an IT Risk Taxonomy Guideline
    • Level 2 and level 3 risk types recorded in Build an IT Risk Taxonomy Design Template
    MaterialsParticipants
    • Whiteboard/flip charts
    • Build an IT Risk Taxonomy Workbook
    • CISO
    • Human resources
    • Corporate communications
    • CRO or risk owners
    • Business leaders

    Level 2 IT taxonomy structure

    Step 3 – Break down your level 1 risk types into subcategories. This is complicated and may take many iterations to reach a consistent and accepted approach. Try to make your definitions intuitive and easy to understand so that they will endure the test of time.

    The image contains a screenshot of Level 2 IT taxonomy Structure.

    Security vulnerabilities often surface through third parties, but where and how you manage this risk is highly dependent on how you structure your taxonomy. Organizations with a lot of exposure may have a dedicated team and may manage and report security risks under a level 1 third-party risk type.

    Level 3 IT taxonomy structure

    Step 3 – Break down your level 2 risk types into lower-level subcategories. The number of levels of risk you have will depend on the size of and magnitude of risks within your organization. In our examples, we demonstrate three levels.

    The image contains a screenshot of Level 3 IT taxonomy Structure.

    Risk taxonomies for smaller organizations may only include two risk levels. However, large enterprises or more complex organizations may extend their taxonomy to level 3 or even 4. This illustration shows just a few examples of level 3 risks.

    Test using risk events and controls

    Ultimately risk events and controls need to roll up to level 1 risks in a consistent manner. Test the robustness of your taxonomy by working backward.

    Step 4 – Work backward to test and align risk events and controls to the lowest level risk category.

    • A key function of IT risk management is to monitor and maintain internal controls.
    • Internal controls help to reduce the level of inherent risk to acceptable levels, known as residual risk.
    • As risks evolve, new controls may be needed to upgrade protection for tech infrastructure and strengthen connections between critical assets and third-party suppliers.

    Example – Third Party Risk

    Third Party Risk example.

    3.4 Test your IT taxonomy

    2-3 hours

    1. Leveraging the output from Activities 3.1 to 3.3 and your IT Risk Taxonomy Design Template, begin to test the robustness of the taxonomy by working backward from controls to level 1 IT risks.
    2. The lineage should show clearly that the control will mitigate the impact of a realized risk event. Refine the control or move the control to another level 1 risk type if the control will not sufficiently reduce the impact of a realized risk event.
    3. Once satisfied, update your risk register or your risk management software tool.

    Download Build an IT Risk Taxonomy Design Template

    InputOutput
    • Output from Activities 3.1 to 3.3
    • IT risk taxonomy documented in the IT Risk Taxonomy Design Template
    MaterialsParticipants
    • Whiteboard/flip charts
    • IT risk register
    • Build an IT Risk Taxonomy Workbook
    • CISO
    • Human resources
    • Corporate communications
    • CRO or risk owners
    • Business leaders

    Update risk register

    Step 5 – Once you are satisfied with your risk categories, update your risk registry with your IT risk taxonomy.

    Use Info-Tech’s Risk Register Tool or populate your internal risk software tool.

    Risk Register.

    Download Info-Tech’s Risk Register Tool

    Augment the risk event list using COBIT 2019 processes (Optional)

    Other industry-leading frameworks provide alternative ways of conceptualizing the functions and responsibilities of IT and may help you uncover additional risk events.

    1. Managed IT Management Framework
    2. Managed Strategy
    3. Managed Enterprise Architecture
    4. Managed Innovation
    5. Managed Portfolio
    6. Managed Budget and Costs
    7. Managed Human Resources
    8. Managed Relationships
    9. Managed Service Agreements
    10. Managed Vendors
    11. Managed Quality
    12. Managed Risk
    13. Managed Security
    14. Managed Data
    15. Managed Programs
    16. Managed Requirements Definition
    17. Managed Solutions Identification and Build
    18. Managed Availability and Capacity
    19. Managed Organizational Change Enablement
    20. Managed IT Changes
    21. Managed IT Change Acceptance and Transitioning
    22. Managed Knowledge
    23. Managed Assets
    24. Managed Configuration
    25. Managed Projects
    26. Managed Operations
    27. Managed Service Requests and Incidents
    28. Managed Problems
    29. Managed Continuity
    30. Managed Security Services
    31. Managed Business Process Controls
    32. Managed Performance and Conformance Monitoring
    33. Managed System of Internal Control
    34. Managed Compliance with External Requirements
    35. Managed Assurance
    36. Ensured Governance Framework Setting and Maintenance
    37. Ensured Benefits Delivery
    38. Ensured Risk Optimization
    39. Ensured Resource Optimization
    40. Ensured Stakeholder Engagement

    Example IT risk appetite

    When developing your risk appetite statements, ensure they are aligned to your organization’s risk appetite and success can be measured.

    Example IT Risk Appetite Statement

    Risk Type

    Technology Risk

    IT should establish a risk appetite statement for each level 1 IT risk type.

    Appetite Statement

    Our organization’s number-one priority is to provide high-quality trusted service to our customers. To meet this objective, critical systems must be highly performant and well protected from potential threats. To meet this objective, the following expectations have been established:

    • No appetite for unauthorized access to systems and confidential data.
    • Low appetite for service downtime.
      • Service availability objective of 99.9%.
      • Near real-time recovery of critical services – ideally within 30 minutes, no longer than 3 hours.

    The ideal risk appetite statement is qualitative and supported by quantitative measures.

    Risk Owner

    Chief Information Officer

    Ultimately, there is an accountable owner(s), but involve business and technology stakeholders when drafting to gain consensus.

    Risk Oversight

    Enterprise Risk Committee

    Supporting Framework(s)

    Business Continuity Management, Information Security, Internal Audit

    The number of supporting programs and frameworks will vary with the size of the organization.

    3.5 Draft your IT risk appetite statements

    Optional Activity

    2-3 hours

    1. Using your completed taxonomy and your organization’s risk appetite statement, draft an IT risk appetite statement for each level 1 risk in your workbook.
    2. Socialize the statements and gain approval.
    3. Add the approved risk appetite statements to your IT risk register.

    Download Build an IT Risk Taxonomy Workbook

    Input Output
    • Organization’s risk appetite statement
    • Build an IT Risk Taxonomy Workbook
    • IT Risk Taxonomy Design Template
    • IT risk appetite statements
    Materials Participants
    • Whiteboard/flip charts
    • Build an IT Risk Taxonomy Workbook
    • CISO, CIO
    • Human resources
    • Corporate communications
    • CRO or risk owners
    • Business leaders

    Key takeaways and next steps

    • The risk taxonomy is the backbone of a robust enterprise risk management program. A good taxonomy is frequently used and well understood.
    • Not only is the risk taxonomy used to assess organizational impact, but it is also used for risk reporting, scenarios analysis and horizon scanning, and risk appetite expression.
    • It is essential to capture IT risks within the ERM framework to fully understand the impact and allow for consistent risk discussions and meaningful aggregation.
    • Defining an IT risk taxonomy is a team sport, and organizations should strive to set up a cross-functional working group that is tasked with defining the taxonomy, monitoring its effectiveness, and ensuring continual improvement.
    • The work does not end when the taxonomy is complete. The taxonomy should be well socialized throughout the organization after inception through training and new policies and procedures. Ultimately, it should be an activity embedded into risk management practices.
    • The taxonomy is a living document and should be continually improved upon.

    3.6 Prepare to communicate the taxonomy internally

    1-2 hours

    To gain acceptance of your risk taxonomy within your organization, ensure it is well understood and used throughout the organization.

    1. Consider your audience and agree on the key elements you want to convey.
    2. Prepare your presentation.
    3. Test your presentation with a smaller group before communicating to senior leadership or the board.

    Coming soon: Look for our upcoming research Communicate Any IT Initiative.

    InputOutput
    • Build an IT Risk Taxonomy Workbook
    • Upcoming research: Communicate Any IT Initiative
    • Presentation
    MaterialsParticipants
    • Whiteboard/flip charts
    • Upcoming research: Communicate Any IT Initiative
    • Internal communication templates
    • CISO, CIO
    • Human resources
    • Corporate communications
    • CRO or risk owners
    • Business leaders

    Related Info-Tech Research

    Build an IT Risk Management Program

    • Use this blueprint to transform your ad hoc risk management processes into a formalized ongoing program and increase risk management success.
    • Learn how to take a proactive stance against IT threats and vulnerabilities by identifying and assessing IT’s greatest's risks before they occur.

    Integrate IT Risk Into Enterprise Risk

    • Use this blueprint to understand gaps in your organization’s approach to risk management.
    • Learn how to integrate IT risks into the foundational risk practice

    Coming Soon: Communicate Any IT initiative

    • Use this blueprint to compose an easy-to-understand presentation to convey the rationale of your initiative and plan of action.
    • Learn how to identify your target audience and tailor and deliver the message in an authentic and clear manner.

    Risk definitions

    Term Description
    Emergent Risk Risks that are poorly understood but expected to grow in significance.
    Residual Risk The amount of risk you have left after you have removed a source of risk or implemented a mitigation approach (controls, monitoring, assurance).
    Risk Acceptance If the risk is within the enterprise's risk tolerance or if the cost of otherwise mitigating the risk is higher than the potential loss, the enterprise can assume the risk and absorb any losses.
    Risk Appetite An organization’s general approach and attitude toward risk; the total exposed amount that an organization wishes to undertake on the basis of risk-return trade-offs for one or more desired and expected outcomes.
    Risk Assessment The process of estimating and evaluating risk.
    Risk Avoidance The risk response where an organization chooses not to perform a particular action or maintain an existing engagement due to the risk involved.
    Risk Event A risk occurrence (actual or potential) or a change of circumstances. Can consist of more than one occurrence or of something not happening. Can be referred to as an incident or accident.
    Risk Identification The process of finding, recognizing, describing, and documenting risks that could impact the achievement of objectives.
    Risk Management The capability and related activities used by an organization to identify and actively manage risks that affect its ability to achieve goals and strategic objectives. Includes principles, processes, and framework.
    Risk Likelihood The chance of a risk occurring. Usually measured mathematically using probability.
    Risk Management Policy Expresses an organization’s commitment to risk management and clarifies its use and direction.
    Risk Mitigation The risk response where an action is taken to reduce the impact or likelihood of a risk occurring.
    Risk Profile A written description of a set of risks.

    Risk definitions

    Term Description
    Risk Opportunity A cause/trigger of a risk with a positive outcome.
    Risk Owner The designated party responsible and accountable for ensuring that the risk is maintained in accordance with enterprise requirements.
    Risk Register A tool used to identify and document potential and active risks in an organization and to track the actions in place to manage each risk.
    Risk Response How you choose to respond to risk (accept, mitigate, transfer, or avoid).
    Risk Source The element that, alone or in combination, has potential to give rise to a risk. Usually this is the root cause of the risk.
    Risk Statement A description of the current conditions that may lead to the loss, and a description of the loss.
    Risk Tolerance The amount of risk you are prepared or able to accept (in terms of volume or impact); the amount of uncertainty an organization is willing to accept in the aggregate (or more narrowly within a certain business unit or for a specific risk category). Expressed in quantitative terms that can be monitored (such as volatility or deviation measures), risk tolerance often is communicated in terms of acceptable/unacceptable outcomes or as limited levels of risk. Risk tolerance statements identify the specific minimum and maximum levels beyond which the organization is unwilling to accept variations from the expected outcome.
    Risk Transfer The risk response where you transfer the risk to a third party.

    Research Contributors and Experts

    LynnAnn Brewer
    Director
    McLean & Company

    Sandi Conrad
    Principal Research Director
    Info-Tech Research Group

    Valence Howden
    Principal Research Director
    Info-Tech Research Group

    John Kemp
    Executive Counsellor – Executive Services
    Info-Tech Research Group

    Brittany Lutes
    Research Director
    Info-Tech Research Group

    Carlene McCubbin
    Practice Lead – CIO Practice
    Info-Tech Research Group

    Frank Sargent
    Senior Workshop Director
    Info-Tech Research Group

    Frank Sewell
    Advisory Director
    Info-Tech Research Group

    Ida Siahaan
    Research Director
    Info-Tech Research Group

    Steve Willis
    Practice Lead – Data Practice
    Info-Tech Research Group

    Bibliography

    Andrea Tang, “Privacy Risk Management”. ISACA Journal, June 2020, Accessed January 2023
    Anthony Kruizinga, “Reshaping the risk taxonomy”. PwC, April 2021, Accessed January 2023
    Auditboard, "The Essentials of Integrated Risk Management (IRM)", June 2022, Accessed January 2023
    Brenda Boultwood, “How to Design an ERM-Friendly Risk Data Architecture”. Global Association of Risk Professionals, February 2020, Accessed January 2023
    BSI Standards Publication, "Risk Management Guidelines", ISO 31000, 2018
    Dan Swinhoe, "What is Physical Security, How to keep your facilities and devices safe from onsite attackers", August 2021, Accessed January 2023
    Eloise Gratton, “Data governance and privacy risk in Canada: A checklist for boards and c-suite”. Borden Ladner Gervais, November 2022 , Accessed January 2023
    European Union Agency for Cyber Security Glossary
    European Banking Authority, "Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP)", September 2017, Accessed February 2023
    European Banking Authority, "Regulatory Framework for Mitigating Key Resilient Risks", Sept 2018, Accessed February 2023
    EY, "Seeking stability within volatility: How interdependent risks put CROs at the heart of the banking business", 12th annual EY/IFF global bank risk management survey, 2022, Accessed February 2023
    Financial Stability Board, "Cyber Lexicon", November 2018, Accessed February 2023
    Financial Stability Board, "Principles for Effective Risk Appetite Framework", November 2013, Accessed January 2023
    Forbes Technology Council, "14 Top Data Security Risks Every Business Should Address", January 2020, Accessed January 2023
    Frank Martens, Dr. Larry Rittenberg, "COSO, Risk Appetite Critical for Success, Using Risk Appetite to Thrive in a Changing World", May 2020, Accessed January 2023
    Gary Stoneurmer, Alice Goguen and Alexis Feringa, "NIST, Risk Management Guide for Information Technology Systems", Special Publication, 800-30, September 2012, Accessed February 2023
    Guy Pearce, "Real-World Data Resilience Demands and Integrated Approach to AI, Data Governance and the Cloud", ISACA Journal, May 2022
    InfoTech Tech Trends Report, 2023
    ISACA, "Getting Started with Risk Scenarios", 2022, Accessed February 2023
    James Kaplan, "Creating a technology risk and cyber risk appetite framework," McKinsey & Company, August 2022, Accessed February 2023
    Jean-Gregorie Manoukian, Wolters Kluwer, "Risk appetite and risk tolerance: what’s the difference?", Sept 2016, Accessed February 2023
    Jennifer Bayuk, “Technology’s Role in Enterprise Risk Management”, ISACA Journal, March 2018, Accessed in February 2023
    John Thackeray, "Global Association of Risk Professionals, 7 Key Elements of Effective ERM", January 2020, Accessed January 2023
    KPMG, "Regulatory rigor: Managing technology and cyber risk, How FRFI’s can achieve outcomes laid out in OSFI B-13", October 2022, Accessed January 2023
    Marc Chiapolino et al, “Risk and resilience priorities, as told by chief risk officers”, McKinsey and Company, December 2022, Accessed January 2023
    Mike Rost, Workiva, "5 Steps to Effective Strategic Management", Updated February 2023. Accessed February 2023
    NIST, "Risk Management Framework for Information Systems and Organization, The System Life Cycle Approach for Security and Privacy," December 2018, Accessed February 2023
    NIST, NISTIR, "Integrating CyberSecurity and Enterprise Risk", October 2020, Accessed February 2023
    Oliver Wyman, "The ORX Reference Taxonomy for operational and non-financial risk summary report", 2019, Accessed February 2023.
    Office of the Superintendent of Financial Institutions, "Operational Resilience Consultation Results Summary", December 2021, Accessed January 2023
    Open Risk Manual, Risk Taxonomy Definitions
    Ponemon. "Cost of a Data Breach Report 2021." IBM, July 2021. Web.
    Protiviti, "Executive Perspectives on Top Risks, 2023 & 2032, Key Issues being discussed in the boardroom and c-suite", February 2023, Accessed February 2023
    RIMS, ISACA, "Bridging the Digital Gap, How Collaboration Between IT and Risk Management can Enhance Value Creation", September 2019, Accessed February 2023
    Robert, R. Moeller, "COSO, Enterprise Risk Management, Second Edition, 2011", Accessed February 2023
    Robert Putrus, "Effective Reporting to the BoD on Critical Assets, Cyberthreats and Key Controls: The Qualitative and Quantitative Model", ISACA Journal, January 2021, Accessed January 2023
    Ron Brash, "Prioritizing Asset Risk Management in ICS Security", August 2020, Accessed February 2023
    Ronald Van Loon, "What is Data Culture and How to Implement it?", November 2023, Accessed February 2023
    SAS, "From Crisis to Opportunity, Redefining Risk Management", 2021Accessed January 2023
    Satori, Cloudian, "Data Protection and Privacy: 12 Ways to Protect User Data", Accessed January 2023
    Spector Information Security, "Building your Asset and Risk Register to Manage Technology Risk", November 2021, Accessed January 2023
    Talend, "What is data culture", Accessed February 2023
    Tom Schneider, "Managing Cyber Security Risk as Enterprise Risk", ISACA Journal, September 2022, Accessed February 2023
    Tony Martin –Vegue, "How to Write Strong Risk Scenarios and Statements", ISACA Journal, September 2021, Accessed February 2023
    The Wall Street Journal, "Making Data Risk a Top Priority", April 2018, Accessed February 2023

    Pandemic Preparation – The People Playbook

    • Buy Link or Shortcode: {j2store}513|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Lead
    • Parent Category Link: /lead
    • Keeping employees safe – limiting exposure of employees to the virus and supporting them in the event they become ill.
    • Reducing potential disruption to business operations through employee absenteeism and travel restrictions.

    Our Advice

    Critical Insight

    • Communication of facts and definitive action plans from credible leaders is the key to maintaining some stability during a time of uncertainty.
    • Remote work is no longer a remote possibility – implementing alternative temporary work arrangements that keep large groups of employees from congregating reduce risk of employee exposure and operational downtime.
    • Pandemic travel protocols are necessary to support staff and their continuation of work while traveling for business and/or if stuck in a high-risk, restricted area.

    Impact and Result

    • Assign accountability of key planning decisions to members of a pandemic response team.
    • Craft key messages in preparation for communicating to employees.
    • Cascade communications from credible sources in a way that will establish pandemic travel protocols.

    Pandemic Preparation – The People Playbook Research & Tools

    Start here. Read the Pandemic Preparation: The People Playbook

    Read our concise Playbook to find out how you can immediately prepare for the people side of pandemic planning.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Pandemic Preparation: The People Playbook
    [infographic]

    Establish a Communication and Collaboration System Strategy

    • Buy Link or Shortcode: {j2store}293|cart{/j2store}
    • member rating overall impact: 9.3/10 Overall Impact
    • member rating average dollars saved: $6,459 Average $ Saved
    • member rating average days saved: 10 Average Days Saved
    • Parent Category Name: End-User Computing Applications
    • Parent Category Link: /end-user-computing-applications
    • Communication and collaboration portfolios are overburdened with redundant and overlapping services. Between Office 365, Slack, Jabber, and WebEx, IT is supporting a collection of redundant apps. This redundancy takes a toll on IT, and on the user.
    • Shadow IT is easier than ever, and cheap sharing tools are viral. Users are literally carrying around computers in their pockets (in the form of smartphones). IT often has no visibility into how these devices – and the applications on them – are used for work.

    Our Advice

    Critical Insight

    • You don’t know what you don’t know. Unstructured conversations with users will uncover insights.
    • Security is meaningless without usability. If security controls make a tool unusable, then users will rush to adopt something that’s free and easy.
    • Training users on a new tool once isn’t effective. Engage with users throughout the collaboration tool’s lifecycle.

    Impact and Result

    • Few supported apps and fewer unsupported apps. This will occur by ensuring that your collaboration tools will be useful to and used by users. Give users a say through surveys, focus groups, and job shadowing.
    • Lower total cost of ownership and greater productivity. Having fewer apps in the workplace, and better utilizing the functionality of those apps, will mean that IT can be much more efficient at managing your ECS.
    • Higher end-user satisfaction. Tools will be better suited to users’ needs, and users will feel heard by IT.

    Establish a Communication and Collaboration System Strategy Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should develop a new approach to communication and collaboration apps, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Create a shared vision on the future of communication and collaboration

    Identify and validate goals and collaboration tools that are used by your users, and the collaboration capabilities that must be supported by your desired ECS.

    • Establish a Communication and Collaboration System Strategy – Phase 1: Create a Shared Vision on the Future of Communication and Collaboration
    • Enterprise Collaboration Strategy Template
    • Building Company Communication and Collaboration Technology Improvement Plan Executive Presentation
    • Communications Infrastructure Stakeholder Focus Group Guide
    • Enterprise Communication and Collaboration System Business Requirements Document

    2. Map a path forward

    Map a path forward by creating a collaboration capability map and documenting your ECS requirements.

    • Establish a Communication and Collaboration System Strategy – Phase 2: Map a Path Forward
    • Collaboration Capability Map

    3. Build an IT and end-user engagement plan

    Effectively engage everyone to ensure the adoption of your new ECS. Engagement is crucial to the overall success of your project.

    • Establish a Communication and Collaboration System Strategy – Phase 3: Proselytize the Change
    • Collaboration Business Analyst
    • Building Company Exemplar Collaboration Marketing One-Pager Materials
    • Communication and Collaboration Strategy Communication Plan
    [infographic]

    Workshop: Establish a Communication and Collaboration System Strategy

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Identify What Needs to Change

    The Purpose

    Create a vision for the future of your ECS.

    Key Benefits Achieved

    Validate and bolster your strategy by involving your end users.

    Activities

    1.1 Prioritize Components of Your ECS Strategy to Improve

    1.2 Create a Plan to Gather Requirements From End Users

    1.3 Brainstorm the Collaboration Services That Are Used by Your Users

    1.4 Focus Group

    Outputs

    Defined vision and mission statements

    Principles for your ECS

    ECS goals

    End-user engagement plan

    Focus group results

    ECS executive presentation

    ECS strategy

    2 Map Out the Change

    The Purpose

    Streamline your collaboration service portfolio.

    Key Benefits Achieved

    Documented the business requirements for your collaboration services.

    Reduced the number of supported tools.

    Increased the effectiveness of training and enhancements.

    Activities

    2.1 Create a Current-State Collaboration Capability Map

    2.2 Build a Roadmap for Desired Changes

    2.3 Create a Future-State Capability Map

    2.4 Identify Business Requirements

    2.5 Identify Use Requirements and User Processes

    2.6 Document Non-Functional Requirements

    2.7 Document Functional Requirements

    2.8 Build a Risk Register

    Outputs

    Current-state collaboration capability map

    ECS roadmap

    Future-state collaboration capability map

    ECS business requirements document

    3 Proselytize the Change

    The Purpose

    Ensure the system is supported effectively by IT and adopted widely by end users.

    Key Benefits Achieved

    Unlock the potential of your ECS.

    Stay on top of security and industry good practices.

    Greater end-user awareness and adoption.

    Activities

    3.1 Develop an IT Training Plan

    3.2 Develop a Communications Plan

    3.3 Create Initial Marketing Material

    Outputs

    IT training plan

    Communications plan

    App marketing one-pagers

    Create a Right-Sized Disaster Recovery Plan

    • Buy Link or Shortcode: {j2store}410|cart{/j2store}
    • member rating overall impact: 9.6/10 Overall Impact
    • member rating average dollars saved: $83,037 Average $ Saved
    • member rating average days saved: 32 Average Days Saved
    • Parent Category Name: DR and Business Continuity
    • Parent Category Link: /business-continuity
    • Any time a natural disaster or major IT outage occurs, it increases executive awareness and internal pressure to create a disaster recovery plan (DRP).
    • Traditional DRP templates are onerous and result in a lengthy, dense plan that might satisfy auditors but will not be effective in a crisis.
    • The myth that a DRP is only for major disasters leaves organizations vulnerable to more common incidents.
    • The growing use of outsourced infrastructure services has increased reliance on vendors to meet recovery timeline objectives.

    Our Advice

    Critical Insight

    • At its core, disaster recovery (DR) is about ensuring service continuity. Create a plan that can be leveraged for both isolated and catastrophic events.
    • Remember Murphy’s Law. Failure happens. Focus on improving overall resiliency and recovery, rather than basing DR on risk probability analysis.
    • Cost-effective DR and service continuity starts with identifying what is truly mission critical so you can focus resources accordingly. Not all services require fast failover.

    Impact and Result

    • Define appropriate objectives for service downtime and data loss based on business impact.
    • Document an incident response plan that captures all of the steps from event detection to data center recovery.
    • Create a DR roadmap to close gaps between current DR capabilities and recovery objectives.

    Create a Right-Sized Disaster Recovery Plan Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Disaster Recovery Plan (DRP) Research – A step-by-step document that helps streamline your DR planning process and build a plan that's concise, usable, and maintainable.

    Any time a major IT outage occurs, it increases executive awareness and internal pressure to create an IT DRP. This blueprint will help you develop an actionable DRP by following our four-phase methodology to define scope, current status, and dependencies; conduct a business impact analysis; identify and address gaps in the recovery workflow; and complete, extend, and maintain your DRP.

    • Create a Right-Sized Disaster Recovery Plan – Phases 1-4

    2. DRP Case Studies – Examples to help you understand the governance and incident response components of a DRP and to show that your DRP project does not need to be as onerous as imagined.

    These examples include a client who leveraged the DRP blueprint to create practical, concise, and easy-to-maintain DRP governance and incident response plans and a case study based on a hospital providing a wide range of healthcare services.

    • Case Study: Practical, Right-Sized DRP
    • Case Study: Practical, Right-Sized DRP – Healthcare Example

    3. DRP Maturity Scorecard – An assessment tool to evaluate the current state of your DRP.

    Use this tool to measure your current DRP maturity and identify gaps to address. It includes a comprehensive list of requirements for your DRP program, including core and industry requirements.

    • DRP Maturity Scorecard

    4. DRP Project Charter Template – A template to communicate important details on the project purpose, scope, and parameters.

    The project charter template includes details on the project overview (description, background, drivers, and objectives); governance and management (project stakeholders/roles, budget, and dependencies); and risks, assumptions, and constraints (known and potential risks and mitigation strategy).

    • DRP Project Charter Template

    5. DRP Business Impact Analysis Tool – An evaluation tool to estimate the impact of downtime to determine appropriate, acceptable recovery time objectives (RTOs) and recovery point objectives (RPOs) and to review gaps between objectives and actuals.

    This tool enables you to identify critical applications/systems; identify dependencies; define objective scoring criteria to evaluate the impact of application/system downtime; determine the impact of downtime and establish criticality tiers; set recovery objectives (RTO/RPO) based on the impact of downtime; record recovery actuals (RTA/RPA) and identify any gaps between objectives and actuals; and identify dependencies that regularly fail (and have a significant impact when they fail) to prioritize efforts to improve resiliency.

    • DRP Business Impact Analysis Tool
    • Legacy DRP Business Impact Analysis Tool

    6. DRP BIA Scoring Context Example – A tool to record assumptions you made in the DRP Business Impact Analysis Tool to explain the results and drive business engagement and feedback.

    Use this tool to specifically record assumptions made about who and what are impacted by system downtime and record assumptions made about impact severity.

    • DRP BIA Scoring Context Example

    7. DRP Recovery Workflow Template – A flowchart template to provide an at-a-glance view of the recovery workflow.

    This simple format is ideal during crisis situations, easier to maintain, and often quicker to create. Use this template to document the Notify - Assess - Declare disaster workflow, document current and planned future state recovery workflows, including gaps and risks, and review an example recovery workflow.

    • DRP Recovery Workflow Template (PDF)
    • DRP Recovery Workflow Template (Visio)

    8. DRP Roadmap Tool – A visual roadmapping tool that will help you plan, communicate, and track progress for your DRP initiatives.

    Improving DR capabilities is a marathon, not a sprint. You likely can't fund and resource all the measures for risk mitigation at once. Instead, use this tool to create a roadmap for actions, tasks, projects, and initiatives to complete in the short, medium, and long term. Prioritize high-benefit, low-cost mitigations.

    • DRP Roadmap Tool

    9. DRP Recap and Results Template – A template to summarize and present key findings from your DR planning exercises and documents.

    Use this template to present your results from the DRP Maturity Scorecard, BCP-DRP Fitness Assessment, DRP Business Impact Analysis Tool, tabletop planning exercises, DRP Recovery Workflow Template, and DRP Roadmap Tool.

    • DRP Recap and Results Template

    10. DRP Workbook – A comprehensive tool that enables you to organize information to support DR planning.

    Leverage this tool to document information regarding DRP resources (list the documents/information sources that support DR planning and where they are located) and DR teams and contacts (list the DR teams, SMEs critical to DR, and key contacts, including business continuity management team leads that would be involved in declaring a disaster and coordinating response at an organizational level).

    • DRP Workbook

    11. Appendix

    The following tools and templates are also included as part of this blueprint to use as needed to supplement the core steps above:

    • DRP Incident Response Management Tool
    • DRP Vendor Evaluation Questionnaire
    • DRP Vendor Evaluation Tool
    • Severity Definitions and Escalation Rules Template
    • BCP-DRP Fitness Assessment
    [infographic]

    Workshop: Create a Right-Sized Disaster Recovery Plan

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Define Parameters for Your DRP

    The Purpose

    Identify key applications and dependencies based on business needs.

    Key Benefits Achieved

    Understand the entire IT “footprint” that needs to be recovered for key applications. 

    Activities

    1.1 Assess current DR maturity.

    1.2 Determine critical business operations.

    1.3 Identify key applications and dependencies.

    Outputs

    Current challenges identified through a DRP Maturity Scorecard.

    Key applications and dependencies documented in the Business Impact Analysis (BIA) Tool.

    2 Determine the Desired Recovery Timeline

    The Purpose

    Quantify application criticality based on business impact.

    Key Benefits Achieved

    Appropriate recovery time and recovery point objectives defined (RTOs/RPOs).

    Activities

    2.1 Define an objective scoring scale to indicate different levels of impact.

    2.2 Estimate the impact of downtime.

    2.3 Determine desired RTO/RPO targets for applications based on business impact.

    Outputs

    Business impact analysis scoring criteria defined.

    Application criticality validated.

    RTOs/RPOs defined for applications and dependencies.

    3 Determine the Current Recovery Timeline and DR Gaps

    The Purpose

    Determine your baseline DR capabilities (your current state).

    Key Benefits Achieved

    Gaps between current and desired DR capability are quantified.

    Activities

    3.1 Conduct a tabletop exercise to determine current recovery procedures.

    3.2 Identify gaps between current and desired capabilities.

    3.3 Estimate likelihood and impact of failure of individual dependencies.

    Outputs

    Current achievable recovery timeline defined (i.e. the current state).

    RTO/RPO gaps identified.

    Critical single points of failure identified.

    4 Create a Project Roadmap to Close DR Gaps

    The Purpose

    Identify and prioritize projects to close DR gaps.

    Key Benefits Achieved

    DRP project roadmap defined that will reduce downtime and data loss to acceptable levels.

    Activities

    4.1 Determine what projects are required to close the gap between current and desired DR capability.

    4.2 Prioritize projects based on cost, effort, and impact on RTO/RPO reduction.

    4.3 Validate that the suggested projects will achieve the desired DR capability.

    Outputs

    Potential DR projects identified.

    DRP project roadmap defined.

    Desired-state incident response plan defined, and project roadmap validated.

    5 Establish a Framework for Documenting Your DRP, and Summarize Next Steps

    The Purpose

    Outline how to create concise, usable DRP documentation.

    Summarize workshop results. 

    Key Benefits Achieved

    A realistic and practical approach to documenting your DRP.

    Next steps documented. 

    Activities

    5.1 Outline a strategy for using flowcharts and checklists to create concise, usable documentation.

    5.2 Review Info-Tech’s DRP templates for creating system recovery procedures and a DRP summary document.

    5.3 Summarize the workshop results, including current potential downtime and action items to close gaps.

    Outputs

    Current-state and desired-state incident response plan flowcharts.

    Templates to create more detailed documentation where necessary.

    Executive communication deck that outlines current DR gaps, how to close those gaps, and recommended next steps.

    Further reading

    Create a Right-Sized Disaster Recovery Plan

    Close the gap between your DR capabilities and service continuity requirements.

    ANALYST PERSPECTIVE

    An effective disaster recovery plan (DRP) is not just an insurance policy.

    "An effective DRP addresses common outages such as hardware and software failures, as well as regional events, to provide day-to-day service continuity. It’s not just insurance you might never cash in. Customers are also demanding evidence of an effective DRP, so organizations without a DRP risk business impact not only from extended outages but also from lost sales. If you are fortunate enough to have executive buy-in, whether it’s due to customer pressure or concern over potential downtime, you still have the challenge of limited time to dedicate to disaster recovery (DR) planning. Organizations need a practical but structured approach that enables IT leaders to create a DRP without it becoming their full-time job."

    Frank Trovato,

    Research Director, Infrastructure

    Info-Tech Research Group

    Is this research for you?

    This Research Is Designed For:

    • Senior IT management responsible for executing DR.
    • Organizations seeking to formalize, optimize, or validate an existing DRP.
    • Business continuity management (BCM) professionals leading DRP development.

    This Research Will Help You:

    • Create a DRP that is aligned with business requirements.
    • Prioritize technology enhancements based on DR requirements and risk-impact analysis.
    • Identify and address process and technology gaps that impact DR capabilities and day-to-day service continuity.

    This Research Will Also Assist:

    • Executives who want to understand the time and resource commitment required for DRP.
    • Members of BCM and crisis management teams who need to understand the key elements of an IT DRP.

    This Research Will Help Them:

    • Scope the time and effort required to develop a DRP.
    • Align business continuity, DR, and crisis management plans.

    Executive summary

    Situation

    • Any time a natural disaster or major IT outage occurs, it increases executive awareness and internal pressure to create a DRP.
    • Industry standards and government regulations are driving external pressure to develop business continuity and IT DR plans.
    • Customers are asking suppliers and partners to provide evidence that they have a workable DRP before agreeing to do business.

    Complication

    • Traditional DRP templates are onerous and result in a lengthy, dense plan that might satisfy auditors, but will not be effective in a crisis.
    • The myth that a DRP is only for major disasters leaves organizations vulnerable to more common incidents.
    • The growing use of outsourced infrastructure services has increased reliance on vendors to meet recovery timeline objectives.

    Resolution

    • Create an effective DRP by following a structured process to discover current capabilities and define business requirements for continuity:
      • Define appropriate objectives for service downtime and data loss based on business impact.
      • Document an incident response plan that captures all of the steps from event detection to data center recovery.
      • Create a DR roadmap to close gaps between current DR capabilities and recovery objectives.

    Info-Tech Insight

    1. At its core, DR is about ensuring service continuity. Create a plan that can be leveraged for both isolated and catastrophic events.
    2. Remember Murphy’s Law. Failure happens. Focus on improving overall resiliency and recovery, rather than basing DR on risk probability analysis.
    3. Cost-effective DR and service continuity starts with identifying what is truly mission critical so you can focus resources accordingly. Not all services require fast failover.

    An effective DRP is critical to reducing the cost of downtime

    If you don’t have an effective DRP when failure occurs, expect to face extended downtime and exponentially rising costs due to confusion and lack of documented processes.

    Image displayed is a graph that shows that delay in recovery causes exponential revenue loss.

    Potential Lost Revenue

    The impact of downtime tends to increase exponentially as systems remain unavailable (graph at left). A current, tested DRP will significantly improve your ability to execute systems recovery, minimizing downtime and business impact. Without a DRP, IT is gambling on its ability to define and implement a recovery strategy during a time of crisis. At the very least, this means extended downtime – potentially weeks or months – and substantial business impact.

    Adapted from: Philip Jan Rothstein, 2007

    Cost of Downtime for the Fortune 1000

    Cost of unplanned apps downtime per year: $1.25B to $2.5B.

    Cost of critical apps failure per hour: $500,000 to $1M.

    Cost of infrastructure failure per hour: $100,000.

    35% reported to have recovered within 12 hours.

    17% of infrastructure failures took more than 24 hours to recover.

    13% of application failures took more than 24 hours to recover.

    Source: Stephen Elliot, 2015

    Info-Tech Insight

    The cost of downtime is rising across the board, and not just for organizations that traditionally depend on IT (e.g. e-commerce). Downtime cost increase since 2010:

    Hospitality: 129% increase

    Transportation: 108% increase

    Media organizations: 104% increase

    An effective DRP also sets clear recovery objectives that align with system criticality to optimize spend

    The image displays a disaster recovery plan example, where different tiers are in place to support recovery in relation to time.

    Take a practical approach that creates a more concise and actionable DRP

    DR planning is not your full-time job, so it can’t be a resource- and time-intensive process.

    The Traditional Approach Info-Tech’s Approach

    Start with extensive risk and probability analysis.

    Challenge: You can’t predict every event that can occur, and this delays work on your actual recovery procedures.

    Focus on how to recover regardless of the incident.

    We know failure will happen. Focus on improving your ability to failover to a DR environment so you are protected regardless of what causes primary site failure.

    Build a plan for major events such as natural disasters.

    Challenge: Major destructive events only account for 12% of incidents while software/hardware issues account for 45%. The vast majority of incidents are isolated local events.

    An effective DRP improves day-to-day service continuity, and is not just for major events.

    Leverage DR planning to address both common (e.g. power/network outage or hardware failure) as well as major events. It must be documentation you can use, not shelfware.

    Create a DRP manual that provides step-by-step instructions that anyone could follow.

    Challenge: The result is lengthy, dense manuals that are difficult to maintain and hard to use in a crisis. The usability of DR documents has a direct impact on DR success.

    Create concise documentation written for technical experts.

    Use flowcharts, checklists, and diagrams. They are more usable in a crisis and easier to maintain. You aren’t going to ask a business user to recover your SQL Server databases, so you can afford to be concise.

    DR must be integrated with day-to-day incident management to ensure service continuity

    When a tornado takes out your data center, it’s an obvious DR scenario and the escalation towards declaring a disaster is straightforward.

    The challenge is to be just as decisive in less-obvious (and more common) DR scenarios such as a critical system hardware/software failure, and knowing when to move from incident management to DR. Don’t get stuck troubleshooting for days when you could have failed over in hours.

    Bridge the gap with clearly-defined escalation rules and criteria for when to treat an incident as a disaster.

    Image displays two graphs. The graph on the left measures the extent that service management processes account for disasters by the success meeting RTO and RPO. The graph on the right is a double bar graph that shows DRP being integrated and not integrated in the following categories: Incident Classifications, Severity Definitions, Incident Models, Escalation Procedures. These are measured based on the success meeting RTO and RPO.

    Source: Info-Tech Research Group; N=92

    Myth busted: The DRP is separate from day-to-day ops and incident management.

    The most common threats to service continuity are hardware and software failures, network outages, and power outages

    The image displayed is a bar graph that shows the common threats to service continuity. There are two areas of interest that have labels. The first is: 45% of service interruptions that went beyond maximum downtime guidelines set by the business were caused by software and hardware issues. The second label is: Only 12% of incidents were caused by major destructive events.

    Source: Info-Tech Research Group; N=87

    Info-Tech Insight

    Does this mean I don’t need to worry about natural disasters? No. It means DR planning needs to focus on overall service continuity, not just major disasters. If you ignore the more common but less dramatic causes of service interruptions, you are diminishing the business value of a DRP.

    Myth busted: DRPs are just for destructive events – fires, floods, and natural disasters.

    DR isn’t about identifying risks; it’s about ensuring service continuity

    The traditional approach to DR starts with an in-depth exercise to identify risks to IT service continuity and the probability that those risks will occur.

    Here’s why starting with a risk register is ineffective:

    • Odds are, you won’t think of every incident that might occur. If you think of twenty risks, it’ll be the twenty-first that gets you. If you try to guard against that twenty-first risk, you can quickly get into cartoonish scenarios and much more costly solutions.
    • The ability to failover to another site mitigates the risk of most (if not all) incidents (fire, flood, hardware failure, tornado, etc.). A risk and probability analysis doesn’t change the need for a plan that includes a failover procedure.

    Where risk is incorporated in this methodology:

    • Use known risks to further refine your strategy (e.g. if you are prone to hurricanes, plan for greater geographic separation between sites; ensure you have backups, in addition to replication, to mitigate the risk of ransomware).
    • Identify risks to your ability to execute DR (e.g. lack of cross-training, backups that are not tested) and take steps to mitigate those risks.

    Myth busted: A risk register is the critical first step to creating an effective DR plan.

    You can’t outsource accountability and you can’t assume your vendor’s DR capabilities meet your needs

    Outsourcing infrastructure services – to a cloud provider, co-location provider, or managed service provider (MSP) – can improve your DR and service continuity capabilities. For example, a large public cloud provider will generally have:

    • Redundant telecoms service providers, network infrastructure, power feeds, and standby power.
    • Round-the-clock infrastructure and security monitoring.
    • Multiple data centers in a given region, and options to replicate data and services across regions.

    Still, failure is inevitable – it’s been demonstrated multiple times1 through high-profile outages. When you surrender direct control of the systems themselves, it’s your responsibility to ensure the vendor can meet your DR requirements, including:

    • A DR site and acceptable recovery times for systems at that site.
    • An acceptable replication/backup schedule.

    Sources: Kyle York, 2016; Shaun Nichols, 2017; Stephen Burke, 2017

    Myth busted: I outsource infrastructure services so I don’t have to worry about DR. That’s my vendor’s responsibility.

    Choose flowcharts over process guides, checklists over procedures, and diagrams over descriptions

    IT DR is not an airplane disaster movie. You aren’t going to ask a business user to execute a system recovery, just like you wouldn’t really want a passenger with no flying experience to land a plane.

    In reality, you write a DR plan for knowledgeable technical staff, which allows you to summarize key details your staff already know. Concise, visual documentation is:

    • Quicker to create.
    • Easier to use.
    • Simpler to maintain.

    "Without question, 300-page DRPs are not effective. I mean, auditors love them because of the detail, but give me a 10-page DRP with contact lists, process flows, diagrams, and recovery checklists that are easy to follow."

    – Bernard Jones, MBCI, CBCP, CORP, Manager Disaster Recovery/BCP, ActiveHealth Management

    A graph is displayed. It shows a line graph where the DR success is higher by using flowcharts, checklists, and diagrams.

    Source: Info-Tech Research Group; N=95

    *DR Success is based on stated ability to meet recovery time objectives (RTOs) and recovery point objectives (RPOs), and reported confidence in ability to consistently meet targets.

    Myth busted: A DRP must include every detail so anyone can execute recovery.

    A DRP is part of an overall business continuity plan

    A DRP is the set of procedures and supporting documentation that enables an organization to restore its core IT services (i.e. applications and infrastructure) as part of an overall business continuity plan (BCP), as described below. Use the templates, tools, and activities in this blueprint to create your DRP.

    Overall BCP
    IT DRP BCP for Each Business Unit Crisis Management Plan
    A plan to restore IT services (e.g. applications and infrastructure) following a disruption. This includes:
    • Identifying critical applications and dependencies.
    • Defining an appropriate (desired) recovery timeline based on a business impact analysis (BIA).
    • Creating a step-by-step incident response plan.
    		 A set of plans to resume business processes for each business unit. Info-Tech’s Develop a Business Continuity Plan blueprint provides a methodology for creating business unit BCPs as part of an overall BCP for the organization. A set of processes to manage a wide range of crises, from health and safety incidents to business disruptions to reputational damage. This includes emergency response plans, crisis communication plans, and the steps to invoke BC/DR plans when applicable. Info-Tech’s Implement Crisis Management Best Practices blueprint provides a structured approach to develop a crisis management process.

    Note: For DRP, we focus on business-facing IT services (as opposed to the underlying infrastructure), and then identify required infrastructure as dependencies (e.g. servers, databases, network).

    Take a practical but structured approach to creating a concise and effective DRP

    Image displayed shows the structure of this blueprint. It shows the structure of phases 1-4 and the related tools and templates for each phase.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Info-Tech advisory services deliver measurable value

    Info-Tech members save an average of $22,983 and 22 days by working with an Info-Tech analyst on DRP (based on client response data from Info-Tech Research Group’s Measured Value Survey, following analyst advisory on this blueprint).

    Why do members report value from analyst engagement?

    1. Expert advice on your specific situation to overcome obstacles and speed bumps.
    2. Structured project and guidance to stay on track.
    3. Project deliverables review to ensure the process is applied properly.

    Guided implementation overview

    Your trusted advisor is just a call away.

    Define DRP scope (Call 1)

    Scope requirements, objectives, and your specific challenges. Identify applications/ systems to focus on first.

    Define current status and system dependencies (Calls 2-3)

    Assess current DRP maturity. Identify system dependencies.

    Conduct a BIA (Calls 4-6)

    Create an impact scoring scale and conduct a BIA. Identify RTO and RPO for each system.

    Recovery workflow (Calls 7-8)

    Create a recovery workflow based on tabletop planning. Identify gaps in recovery capabilities.

    Projects and action items (Calls 9-10)

    Identify and prioritize improvements. Summarize results and plan next steps.

    Your guided implementations will pair you with an advisor from our analyst team for the duration of your DRP project.

    Workshop overview

    Contact your account representative or email Workshops@InfoTech.com for more information.

    Image displays the workshop overview for this blueprint. It is a workshop that runs for 4 days and covers various activities and produces many deliverables.

    End-user complaints distract from serious IT-based risks to business continuity

    Case Study

    Industry: Manufacturing
    Source: Info-Tech Research Group Client Engagement

    A global manufacturer with annual sales over $1B worked with Info-Tech to improve DR capabilities.

    DRP BIA

    Conversations with the IT team and business units identified the following impact of downtime over 24 hours:

    • Email: Direct Cost: $100k; Goodwill Impact Score: 8.5/16
    • ERP: Direct Cost: $1.35mm; Goodwill Impact Score: 12.5/16

    Tabletop Testing and Recovery Capabilities

    Reviewing the organization’s current systems recovery workflow identified the following capabilities:

    • Email: RTO: minutes, RPO: minutes
    • ERP: RTO: 14 hours, RPO: 24 hours

    Findings

    Because of end-user complaints, IT had invested heavily in email resiliency though email downtime had a relatively minimal impact on the business. After working through the methodology, it was clear that the business needed to provide additional support for critical systems.

    Insights at each step:

    Identify DR Maturity and System Dependencies

    Conduct a BIA

    Outline Incident Response and Recovery Workflow With Tabletop Exercises

    Mitigate Gaps and Risks

    Create a Right-Sized Disaster Recovery Plan

    Phase 1

    Define DRP Scope, Current Status, and Dependencies

    Step 1.1: Set Scope, Kick-Off the DRP Project, and Create a Charter

    This step will walk you through the following activities:

    • Establish a team for DR planning.
    • Retrieve and review existing, relevant documentation.
    • Create a project charter.

    This step involves the following participants:

    • DRP Coordinator
    • DRP Team (Key IT SMEs)
    • IT Managers

    Results and Insights

    • Set scope for the first iteration of the DRP methodology.
    • Don’t try to complete your DR and BCPs all at once.
    • Don’t bite off too much at once.

    Kick-off your DRP project

    You’re ready to start your DR project.

    This could be an annual review – but more likely, this is the first time you’ve reviewed the DR plan in years.* Maybe a failed audit might have provided a mandate for DR planning, or a real disaster might have highlighted gaps in DR capabilities. First, set appropriate expectations for what the project is and isn’t, in terms of scope, outputs, and resource commitments. Very few organizations can afford to hire a full-time DR planner, so it’s likely this won’t be your full-time job. Set objectives and timelines accordingly.

    Gather a team

    • Often, DR efforts are led by the infrastructure and operations leader. This person can act as the DRP coordinator or may delegate this role.
    • Key infrastructure subject-matter experts (SMEs) are usually part of the team and involved through the project.

    Find and review existing documentation

    • An existing DRP may have information you can re-purpose rather than re-create.
    • High-level architecture diagrams and network diagrams can help set scope (and will become part of your DR kit).
    • Current business-centric continuity of operations plans (COOPs) or BCPs are important to understand.

    Set specific, realistic objectives

    • Create a project charter (see next slide) to record objectives, timelines, and assumptions.
    *Only 20% of respondents to an Info-Tech Research Group survey (N=165) had a complete DRP; only 38% of respondents with a complete or mostly complete DRP felt it would be effective in a crisis.

    List DRP drivers and challenges

    1(a) Drivers and roadblocks

    Estimated Time: 30 minutes

    Identify the drivers and challenges to completing a functional DRP plan with the core DR team.

    DRP Drivers

    • Past outages (be specific):
      • Hardware and software failures
      • External network and power outages
      • Building damage
      • Natural disaster(s)
    • Audit findings
    • Events in the news
    • Other?

    DRP Challenges

    • Lack of time
    • Insufficient DR budget
    • Lack of executive support
    • No internal DRP expertise
    • Challenges making the case for DRP
    • Other?

    Write down insights from the meeting on flip-chart paper or a whiteboard and use the findings to inform your DRP project (e.g. challenges to address).

    Clarify expectations with a project charter

    1(b) DRP Project Charter Template

    DRP Project Charter Template components:

    Define project parameters, roles, and objectives, and clarify expectations with the executive team. Specific subsections are listed below and described in more detail in the remainder of this phase.

    • Project Overview: Includes objectives, deliverables, and scope. Leverage relevant notes from the “Project Drivers” brainstorming exercise (e.g. past outages and near misses which help make the case).
    • Governance and Management: Includes roles, responsibilities, and resource requirements.
    • Project Risks, Assumptions, and Constraints: Includes risks and mitigation strategies, as well as any assumptions and constraints.
    • Project Sign-Off: Includes IT and executive sign-off (if required).

    Note: Identify the initial team roles and responsibilities first so they can assist in defining the project charter.

    The image is a screenshot of the first page of the DRP Project Charter Template.

    Step 1.2: Assess Current State DRP Maturity

    This step will walk you through the following activities:

    • Complete Info-Tech’s DRP Maturity Scorecard.

    This step involves the following participants:

    • DRP Coordinator
    • IT SMEs

    Results and Insights

    • Identify the current state of the organization’s DRP and continuity management. Set a baseline for improvement.
    • Discover where improvement is most needed to create an effective plan.

    Only 38% of IT departments believe their DRPs would be effective in a real crisis

    Even organizations with documented DRPs struggle to make them actionable.

    • Even when a DRP does become a priority (e.g. due to regulatory or customer drivers), the challenge is knowing where to start and having a methodical step-by-step process for doing the work. With no guide to plan and resource the project, it becomes work that you complete piecemeal when you aren’t working on other projects, or at night after the kids go to bed.
    • Far too many organizations create a document to satisfy auditors rather than creating a usable plan. People in this group often just want a fill-in-the-blanks template. What they will typically find is a template for the traditional 300-page manual that goes in a binder that sits on a shelf, is difficult to maintain, and is not effective in a crisis.
    Two bar graphs are displayed. The graph on the left shows that only 20% of survey respondents indicate they have a complete DRP. The graph on the right shows that 38% of those who have a mostly completed or full DRP actually feel it would be effective in a crisis.

    Use the DRP Maturity Scorecard to assess the current state of your DRP and identify areas to improve

    1(c) DRP Maturity Scorecard

    Info-Tech’s DRP Maturity Scorecard evaluates completion status and process maturity for a comprehensive yet practical assessment across three aspects of an effective DRP program – Defining Requirements, Implementation, and Maintenance.

    Image has three boxes. One is labelled Completion status, another below it is labelled Process Maturity. There is an addition sign in between them. With an arrow leading from both boxes is another box that is labelled DRP Maturity Assessment

    Completion Status: Reflects the progress made with each component of your DRP Program.

    Process Maturity: Reflects the consistency and quality of the steps executed to achieve your completion status.

    DRP Maturity Assessment: Each component (e.g. BIA) of your DRP Program is evaluated based on completion status and process maturity to provide an accurate holistic assessment. For example, if your BIA completion status is 4 out of 5, but process maturity is a 2, then requirements were not derived from a consistent defined process. The risk is inconsistent application prioritization and misalignment with actual business requirements.

    Step 1.3: Identify Applications, Systems, and Dependencies

    This step will walk you through the following activities:

    • Identify systems, applications, and services, and the business units that use them.
    • Document applications, systems, and their dependencies in the DRP Business Impact Analysis Tool.

    This step involves the following participants:

    • DRP Coordinator
    • DRP Team

    Results and Insights

    • Identify core services and the applications that depend on them.
    • Add applications and dependencies to the DRP Business Impact Analysis Tool.

    Select 5-10 services to get started on the DRP methodology

    1(d) High-level prioritization

    Estimated Time: 30 minutes

    Working through the planning process the first time can be challenging. If losing momentum is a concern, limit the BIA to a few critical systems to start.

    Run this exercise if you need a structured exercise to decide where to focus first and identify the business users you should ask for input on the impact of system downtime.

    1. On a whiteboard or flip-chart paper, list business units in a column on the left. List key applications/systems in a row at the top. Draw a grid.
    2. At a high level, review how applications are used by each unit. Take notes to keep track of any assumptions you make.
      • Add a ✓ if members of the unit use the application or system.
      • Add an ✱ if members of the unit are heavy users of the application or system and/or use it for time sensitive tasks.
      • Leave the box blank if the app isn’t used by this unit.
    3. Use the chart to prioritize systems to include in the BIA (e.g. systems marked with an *) but also include a few less-critical systems to illustrate DRP requirements for a range of systems.

    Image is an example of what one could complete from step 1(d). There is a table shown. In the column on the left lists sales, marketing, R&D, and Finance. In the top row, there is listed: dialer, ERP. CRM, Internet, analytics, intranet

    Application Notes
    CRM
    • Supports time-critical sales and billing processes.
    Dialer
    • Used for driving the sales-call queue, integration with CRM.

    Draw a high-level sketch of your environment

    1(e) Sketch your environment

    Estimated Time: 1-2 hours

    A high-level topology or architectural diagram is an effective way to identify dependencies, application ownership, outsourced services, hardware redundancies, and more.

    Note:

    • Network diagrams or high-level architecture diagrams help to identify dependencies and redundancies. Even a rough sketch is a useful reference tool for participants, and will be valuable documentation in the final DR plan.
    • Keep the drawings tidy. Visualize the final diagram before you start to draw on the whiteboard to help with spacing and placement.
    • Collaborate with relevant SMEs to identify dependencies. Keep the drawing high-level.
    • Illustrate connections between applications or components with lines. Use color coding to illustrate where applications are hosted (e.g. in-house, at a co-lo, in a cloud or MSP environment).
    Example of a high-level topology or architectural diagram

    Document systems and dependencies

    Collaborate with system SMEs to identify dependencies for each application or system. Document the dependencies in the DRP Business Impact Analysis Tool (see image below)

    • When listing applications, focus on business-facing systems or services that business users will recognize and use terminology they’ll understand.
    • Group infrastructure components that support all other services as a single core infrastructure service to simplify dependency mapping (e.g. core router, virtual hosts, ID management, and DNS).
    • In general, each data center will have its own core infrastructure components. List each data center separately – especially if different services are hosted at each data center.
    • Be specific when documenting dependencies. Use existing asset tracking tables, discovery tools, asset management records, or configuration management tools to identify specific server names.
    • Core infrastructure dependencies, such as the network infrastructure, power supply, and centralized storage, will be a common set of dependencies for most applications, so group these into a separate category called “Core Infrastructure” to minimize repetition in your DR planning.
    • Document production components in the BIA tool. Capture in-production, redundant components performing the same work on a single dependency line. List standby systems in the notes.

    Info-Tech Best Practice

    In general, visual documentation is easier to use in a crisis and easier to maintain over time. Use Info-Tech’s research to help build your own visual SOPs.

    Document systems and dependencies

    1(f) DRP Business Impact Analysis Tool – Record systems and dependencies

    A screenshot of Info-Tech's DRP Business Impact Analysis Tool.

    Stories from the field: Info-Tech clients find value in Phase 1 in the following ways

    An organization uncovers a key dependency that needed to be treated as a Tier 1 system

    Reviewing the entire ecosystem for applications identified key dependencies that were previously considered non-critical. For example, a system used to facilitate secure data transfers was identified as a key dependency for payroll and other critical business processes, and elevated to Tier 1.

    A picture’s worth a thousand words (and 1600 servers)

    Drawing a simple architectural diagram was an invaluable tool to identify key dependencies and critical systems, and to understand how systems and dependencies were interconnected. The drawing was an aha moment for IT and business stakeholders trying to make sense of their 1600-server environment.

    Make the case for DRP

    A member of the S&P 500 used Info-Tech’s DRP Maturity Scorecard to provide a reliable objective assessment and make the case for improvements to the board of directors.

    State government agency initiates a DRP project to complement an existing COOP

    Info-Tech's DRP Project Charter enabled the CIO to clarify their DRP project scope and where it fit into their overall COOP. The project charter example provided much of the standard copy – objectives, scope, project roles, methodology, etc. – required to outline the project.

    Phase 1: Insights and accomplishments

    Image has two screenshots from Info-Tech's Phase 1 tools and templates.

    Created a charter and identified current maturity

    Image has two screenshots. One is from Info-Tech's DRP Business Impact Analysis Tool and the other is from the example in step 1(d).

    Identified systems and dependencies for the BIA

    Summary of Accomplishments:

    • Created a DRP project charter.
    • Completed the DRP Maturity Scorecard and identified current DRP maturity.
    • Prioritized applications/systems for a first pass through DR planning.
    • Identified dependencies for each application and system.

    Up Next: Conduct a BIA to establish recovery requirements

    Create a Right-Sized Disaster Recovery Plan

    Phase 2

    Conduct a BIA to Determine Acceptable RTOs and RPOs

    Step 2.1: Define an Objective Impact Scoring Scale

    This step will walk you through the following activities:

    • Create a scoring scale to measure the business impact of application and system downtime.

    This step involves the following participants:

    • DRP Coordinator
    • DRP Team

    Results and Insights

    • Use a scoring scale tied to multiple categories of real business impact to develop a more objective assessment of application and system criticality.

    Align capabilities to appropriate and acceptable RTOs and RPOs with a BIA

    Too many organizations avoid a BIA because they perceive it as onerous or unneeded. A well-managed BIA is straightforward and the benefits are tangible.

    A BIA enables you to identify appropriate spend levels, maintain executive support, and prioritize DR planning for a more successful outcome. Info-Tech has found that a BIA has a measurable impact on the organization’s ability to set appropriate objectives and investment goals.

    Two bar graphs are depicted. The one on the left shows 93% BIA impact on appropriate RTOs. The graph on the right shows that with BIA, there is 86% on BIA impact on appropriate spending.

    Info-Tech Insight

    Business input is important, but don’t let a lack of it delay a draft BIA. Complete a draft based on your knowledge of the business. Create a draft within IT, and use it to get input from business leaders. It’s easier to edit estimates than to start from scratch; even weak estimates are far better than a blank sheet.

    Pick impact categories that are relevant to your business to develop a holistic view of business impact

    Direct Cost Impact Categories

    • Revenue: permanently lost revenue.
      • Example: one third of daily sales are lost due to a website failure.
    • Productivity: lost productivity.
      • Example: finance staff can’t work without the accounting system.
    • Operating costs: additional operating costs.
      • Example: temporary staff are needed to re-key data.
    • Financial penalties: fines/penalties that could be incurred due to downtime.
      • Example: failure to meet contractual service-level agreements (SLAs) for uptime results in financial penalties.

    Goodwill, Compliance, and Health and Safety Categories

    • Stakeholder goodwill: lost customer, staff, or business partner goodwill due to harm, frustration, etc.
      • Example: customers can’t access needed services because the website is down.
      • Example: a payroll system outage delays paychecks for all staff.
      • Example: suppliers are paid late because the purchasing system is down.
    • Compliance, health, and safety:
      • Example: financial system downtime results in a missed tax filing.
      • Example: network downtime disconnects security cameras.

    Info-Tech Insight

    You don’t have to include every impact category in your BIA. Include categories that could affect your business. Defer or exclude other categories. For example, the bulk of revenue for governmental organizations comes from taxes, which won’t be permanently lost if IT systems fail.

    Modify scoring criteria to help you measure the impact of downtime

    The scoring scales define different types of business impact (e.g. costs, lost goodwill) using a common four-point scale and 24-hour timeframe to simplify BIA exercises and documentation.

    Use the suggestions below as a guide as you modify scoring criteria in the DRP Business Impact Analysis Tool:

    • All the direct cost categories (revenue, productivity, operating costs, financial penalties) require the user to define only a maximum value; the tool will populate the rest of the criteria for that category. Use the suggestions below to find the maximum scores for each of the direct cost categories:
      • Revenue: Divide total revenue for the previous year by 365 to estimate daily revenue. Assume this is the most revenue you could lose in a day, and use this number as the top score.
      • Loss of Productivity: Divide fully-loaded labor costs for the organization by 365 to estimate daily productivity costs. Use this as a proxy measure for the work lost if all business stopped for one day.
      • Increased Operating Costs: Isolate this to known additional costs that result from a disruption (e.g. costs for overtime or temporary staff). Estimate the maximum cost for the organization.
      • Financial Penalties: Isolate this to known financial penalties (e.g. due to failure to meet SLAs or compliance requirements). Use the estimated maximum penalty as the highest value on the scale.
    • Impact on Goodwill: Use an estimate of the percentage of all stakeholders impacted to assess goodwill impact.
    • Impact on Compliance; Impact on Health and Safety: The BIA tool contains default scoring criteria that account for the severity of the impact, the likelihood of occurrence, and in the case of compliance, whether a grace period is available. Use this scale as-is, or adapt this scale to suit your needs.

    Modify the default scoring scale in the DRP Business Impact Analysis Tool to reflect your organization

    2(a) DRP Business Impact Analysis Tool – Scoring criteria


    A screenshot of Info-Tech's DRP Business Impact Analysis Tool's scoring criteria

    Step 2.2: Estimate the Impact of Downtime

    This step will walk you through the following activities:

    • Identify the business impact of service/system/application downtime.

    This step involves the following participants:

    • DRP Coordinator
    • DRP Team
    • IT Service SMEs
    • Business-Side Technology Owners (optional)

    Results and Insights

    • Apply the scoring scale to develop a more objective assessment of the business impact of downtime.
    • Create criticality tiers based on the business impact of downtime.

    Estimate the impact of downtime for each system and application

    2(b) Estimate the impact of systems downtime

    Estimated Time: 3 hours

    On tab 3 of the DRP Business Impact Analysis Tool indicate the costs of downtime, as described below:

    1. Have a copy of the “Scoring Criteria” tab available to use as a reference (e.g. printed or on a second display). In tab 3 use the drop-down menu to assign a score of 0 to 4 based on levels of impact defined in the “Scoring Criteria” tab.
    2. Work horizontally across all categories for a single system or application. This will familiarize you with your scoring scales for all impact categories, and allow you to modify the scoring scales if needed before you proceed much further.

      3. For example, if a core call center phone system was down:

    • Loss of Revenue would be the portion of sales revenue generated through the call center. This might score a 1 or 2 depending on the percent of sales that are processed by the call center.
    • The Impact on Customers might be a 2 or 3 depending on the extent that some customers might be using the call center to receive support or purchase new products or services.
    • The Legal/Regulatory Compliance and Health or Safety Risk might be a 0, as the call center has no impact in either area.
  • Next, work vertically across all applications or systems within a single impact category. This will allow you to compare scores within the category as you create them to ensure internal consistency.

    • Add impact scores to the DRP Business Impact Analysis Tool

    2(c) DRP Business Impact Analysis Tool

    Screenshot of Info-Tech's DRP Business Impact Analysis Tool

    Record business reasons and assumptions that drive BIA scores

    2(d) DRP BIA Scoring Context Example

    Info-Tech suggests that IT leadership and staff identify the impact of downtime first to create a version that you can then validate with relevant business owners. As you work through the BIA as a team, have a notetaker record assumptions you make to help you explain the results and drive business engagement and feedback.

    Some common assumptions:

    • You can’t schedule a disaster, so Info-Tech suggests you assume the worst possible timing for downtime. Base the impact of downtime on the worst day for a disaster (e.g. year-end close, payroll run).
    • Record assumptions made about who and what are impacted by system downtime.
    • Record assumptions made about impact severity.
    • If you deviate from the scoring scale, or if a particular impact doesn’t fit well into the defined scoring scale, document the exception.

    Screenshot of Info-Tech's DRP BIA Scoring Context Example

    Use Info-Tech’s DRP BIA Scoring Context Example as a note-taking template.

    Info-Tech Insight

    You can’t build a perfect scoring scale. It’s fine to make reasonable assumptions based on your judgment and knowledge of the business. Just write down your assumptions. If you don’t write them down, you’ll forget how you arrived at that conclusion.

    Assign a criticality rating based on total direct and indirect costs of downtime

    2(e) DRP Business Impact Analysis Tool – Assign criticality tiers

    Once you’ve finished estimating the impact of downtime, use the following rough guideline to create an initial sort of applications into Tiers 1, 2, and 3.

    1. In general, sort applications based on the Total Impact on Goodwill, Compliance, and Safety first.
      • An effective tactic for a quick sort: assign a Tier 1 rating where scores are 50% or more of the highest total score, Tier 2 where scores are between 25% and 50%, and Tier 3 where scores are below 25%. Some organizations will also include a Tier 0 for the highest-scoring systems.
      • Then review and validate these scores and assignments.
    2. Next, consider the Total Cost of Downtime.
      • The Total Cost is calculated by the tool based on the Scoring Criteria in tab 2 and the impact scores on tab 3.
      • Decide if the total cost impact justifies increasing the criticality rating (e.g. from Tier 2 to Tier 1 due to high cost impact).
    3. Review the assigned impact scores and tiers to check that they’re in alignment. If you need to make an exception, document why. Keep exceptions to a minimum.

    Example: Highest total score is 12

    Screenshot of Info-Tech's DRP Business Impact Analysis Tool

    Step 2.3: Determine Acceptable RTO/RPO Targets

    This step will walk you through the following activities:

    • Review the “Debate Space” approach to setting RTO and RPO (recovery targets).
    • Set preliminary RTOs and RPOs by criticality tier.

    This step involves the following participants:

    • DRP Coordinator
    • DRP Team

    Results and Insights

    • Align recovery targets with the business impact of downtime and data loss.

    Use the “Debate Space” approach to align RTOs and RPOs with the impact of downtime

    The business must validate acceptable and appropriate RTOs and RPOs, but IT can use the guidelines below to set an initial estimate.

    Right-size recovery.

    A shorter RTO typically requires higher investment. If a short period of downtime has minimal impact, setting a low RTO may not be justifiable. As downtime continues, impact begins to increase exponentially to a point where downtime is intolerable – an acceptable RTO must be shorter than this. Apply the same thinking to RPOs – how much data loss is unnoticeable? How much is intolerable?

    A diagram to show the debate space in relation to RTOs and RPOs

    The “Debate Space” is between minimal impact and maximum tolerance for downtime.

    Estimate appropriate, acceptable RTOs and RPOs for each tier

    2(f) Set recovery targets

    Estimated Time: 30 minutes

    RTO and RPO tiers simplify management by setting similar recovery goals for systems and applications with similar criticality.

    Use the “Debate Space” approach to set appropriate and acceptable targets.

    1. For RTO, establish a recovery time range that is appropriate based on impact.
      • Overall, the RTO tiers might be 0-4 hours for gold, 4-24 hours for silver, and 24-48 hours for bronze.
    2. RPOs reflect target data protection measures.
      • Identify the lowest RPO within a tier and make that the standard.
      • For example, RPO for gold data might be five minutes, silver might be four hours, and bronze might be one day.
      • Use this as a guideline. RPO doesn’t always align perfectly with RTO tiers.
    3. Review RTOs and RPOs and make sure they accurately reflect criticality.

    Info-Tech Insight

    In general, the more critical the system, the shorter the RPO. But that’s not always the case. For example, a service bus might be Tier 1, but if it doesn’t store any data, RPO might be longer than other Tier 1 systems. Some systems may have a different RPO than most other systems in that tier. As long as the targets are acceptable to the business and appropriate given the impact, that’s okay.

    Add recovery targets to the DRP Business Impact Analysis Tool

    2(g) DRP Business Impact Analysis Tool – Document recovery objectives

    A screenshot of Info-Tech's DRP Business Impact Analysis Tool – Document recovery objectives

    Stories from the field: Info-Tech clients find value in Phase 2 in the following ways

    Most organizations discover something new about key applications, or the way stakeholders use them, when they work through the BIA and review the results with stakeholders. For example:

    Why complete a BIA? There could be a million reasons

    • A global manufacturer completed the DRP BIA exercise. When email went down, Service Desk phones lit up until it was resolved. That grief led to a high availability implementation for email. However, the BIA illustrated that ERP downtime was far more impactful.
    • ERP downtime would stop production lines, delay customer orders, and ultimately cost the business a million dollars a day.
    • The BIA results clearly showed that the ERP needed to be prioritized higher, and required business support for investment.

    Move from airing grievances to making informed decisions

    The DRP Business Impact Analysis Tool helped structure stakeholder consultations on DR requirements for a large university IT department. Past consultations had become an airing of grievances. Using objective impact scores helped stakeholders stay focused and make informed decisions around appropriate RTOs and RPOs.

    Phase 2: Insights and accomplishments

    Screenshots of the tools and templates from this phase.

    Estimated the business impact of downtime

    Screenshot of a tools from this phase

    Set recovery targets

    Summary of Accomplishments

    • Created a scoring scale tied to different categories of business impact.
    • Applied the scoring scale to estimate the business impact of system downtime.
    • Identified appropriate, acceptable RTOs and RPOs.

    Up Next:Conduct a tabletop planning exercise to establish current recovery capabilities

    Create a Right-Sized Disaster Recovery Plan

    Phase 3

    Identify and Address Gaps in the Recovery Workflow

    Step 3.1: Determine Current Recovery Workflow

    This step will walk you through the following activities:

    • Run a tabletop exercise.
    • Outline the steps for the initial response (notification, assessment, disaster declaration) and systems recovery (i.e. document your recovery workflow).
    • Identify any gaps and risks in your initial response and systems recovery.

    This step involves the following participants:

    • DRP Coordinator
    • IT Infrastructure SMEs (for systems in scope)
    • Application SMEs (for systems in scope)

    Results and Insights

    • Use a repeatable practical exercise to outline and document the steps you would use to recover systems in the event of a disaster, as well as identify gaps and risks to address.
    • This is also a knowledge-sharing opportunity for your team, and a practical means to get their insights, suggestions, and recovery knowledge down on paper.

    Tabletop planning: an effective way to test and document your recovery workflow

    In a tabletop planning exercise, the DRP team walks through a disaster scenario to map out what should happen at each stage, and effectively defines a high-level incident response plan (i.e. recovery workflow).

    Tabletop planning had the greatest impact on meeting recovery objectives (RTOs/RPOs) among survey respondents.

    A bar graph is displayed that shows that tabletop planning has the greatest impact on meeting recovery objectives (RTOs/RPOs) among survey respondents.

    *Note: Relative importance indicates the contribution an individual testing methodology, conducted at least annually, had on predicting success meeting recovery objectives, when controlling for all other types of tests in a regression model. The relative-importance values have been standardized to sum to 100%.

    Success was based on the following items:

    • RTOs are consistently met.
    • IT has confidence in the ongoing ability to meet RTOs.
    • RPOs are consistently met.
    • IT has confidence in the ongoing ability to meet RPOs.

    Why is tabletop planning so effective?

    • It enables you to play out a wider range of scenarios than technology-based testing (e.g. full-scale, parallel) due to cost and complexity factors.
    • It is non-intrusive, so it can be executed more frequently than other testing methodologies.
    • It easily translates into the backbone of your recovery documentation, as it allows you to review all aspects of your recovery plan.

    Focus first on IT DR

    Your DRP is IT contingency planning. It is not crisis management or BCP.

    The goal is to define a plan to restore applications and systems following a disruption. For your first tabletop exercise, Info-Tech recommends you use a non-life-threatening scenario that requires at least a temporary relocation of your data center (i.e. failing over to a DR site/environment). Assume a gas leak or burst water pipe renders the data center inaccessible. Power is shut off and IT must failover systems to another location. Once you create the master procedure, review the plan to ensure it addresses other scenarios.

    Info-Tech Insight

    When systems fail, you are faced with two high-level options: failover or recover in place. If you document the plan to failover systems to another location, you’ll have documented the core of your DR procedures. This differs from traditional scenario planning where you define separate plans for different what-if scenarios. The goal is one plan that can be adapted to different scenarios, which reduces the effort to build and maintain your DRP.

    Conduct a tabletop planning exercise to outline DR procedures in your current environment

    3(a) Tabletop planning

    Estimated Time: 2-3 hours

    For each high-level recovery step, do the following:

    1. On white cue cards:
      • Record the step.
      • Indicate the task owner (if required for clarity).
      • Note time required to complete the step. After the exercise, use this to build a running recovery time where 00:00 is when the incident occurred.
    2. On yellow cue cards, document gaps in people, process, and technology requirements to complete the step.
    3. On red cue cards, indicate risks (e.g. no backup person for a key staff member).
    An example is shown on what can be done during step 3(a). Three cue cards are showing in white, yellow, and red.

    Do:

    • Review the complete workflow from notification all the way to user acceptance testing.
    • Keep focused; stay on task and on time.
    • Revisit each step and record gaps and risks (and known solutions, but don’t dwell on this).
    • Revise and improve the plan with task owners.

    Don't:

    • Get weighed down by tools.
    • Document the details right away – stick to the high-level plan for the first exercise.
    • Try to find solutions to every gap/risk as you go. Save in-depth research/discussion for later.

    Flowchart the current-state incident response plan (i.e. document the recovery workflow)

    3(b) DRP Recovery Workflow Template and Case Study: Practical, Right-Sized DRP

    Why use flowcharts?

    • Flowcharts provide an at-a-glance view, ideal for disaster scenarios where pressure is high and quick upward communication is necessary.
    • For experienced staff, a high-level reminder of key steps is sufficient.

    Use the completed tabletop planning exercise results to build this workflow.

    "We use flowcharts for our declaration procedures. Flowcharts are more effective when you have to explain status and next steps to upper management." – Assistant Director, IT Operations, Healthcare Industry

    Source: Info-Tech Research Group Interview

    Screenshot of Info-Tech's DRP Recovery Workflow Template

    For a formatted template you can use to capture your plan, see Info-Tech’s DRP Recovery Workflow Template.

    For a completed example of tabletop planning results, review Info-Tech’s Case Study: Practical, Right-Sized DRP.

    Identify RPA

    What’s my RPA? Consider the following case:

    • Once a week, a full backup is taken of the complete ERP system and is transferred over the WAN to a secondary site 250 miles away, where it is stored on disk.
    • Overnight, an incremental backup is taken of the day’s changes, and is transferred to the same secondary site, and also stored on disk.
    • During office hours, the SAN takes a snapshot of changes which are kept on local storage (information on the accounting system usually only changes during office hours).
    • So what’s the RPA? One hour (snapshots), one day (incrementals), or one week (full backups)?

    When identifying RPA, remember the following:

    You are planning for a disaster scenario, where on-site systems may be inaccessible and any copies of data taken during the disaster may fail, be corrupt, or never make it out of the data center (e.g. if the network fails before the backup file ships). In the scenario above, it seems likely that off-site incremental backups could be restored, leading to a 24-hour RPA. However, if there were serious concerns about the reliability of the daily incrementals, the RPA could arguably be based on the weekly full backups.

    Info-Tech Best Practice

    The RPA is a commitment to the maximum data you would lose in a DR scenario with current capabilities (people, process, and technology). Pick a number you can likely achieve. List any situations where you couldn’t meet this RPA, and identify those for a risk tolerance discussion. In the example above, complete loss of the primary SAN would also mean losing the snapshots, so the last good copy of the data could be up to 24-hours old.

    Add recovery actuals (RTA/RPA) to your copy of the BIA

    3(c) DRP Business Impact Analysis Tool– Recovery actuals

    On the “Impact Analysis” tab in the DRP Business Impact Analysis Tool, enter the estimated maximum downtime and data loss in the RTA and RPA columns.

    1. Estimate the RTA based on the required time for complete recovery. Review your recovery workflow to identify this timeline. For example, if the notification, assessment, and declaration process takes two hours, and systems recovery requires most of a day, the estimated RTA could be 24 hours.
    2. Estimate the RPA based on the longest interval between copies of the data being shipped offsite. For example, if data on a particular system is backed up offsite once per day, and the onsite system was destroyed just before that backup began, the entire day’s data could be lost and estimated RPA could be 24 hours. Note: Enter 9999 to indicate that data is unrecoverable.

    A screenshot of Info-Tech's DRP Business Impact Analysis Tool – Recovery actuals

    Info-Tech Best Practice

    It’s okay to round numbers to the nearest shift, day, or week for simplicity (e.g. 24 hours rather than 22.5 hours, or 8 hours rather than 7.25 hours).

    Test the recovery workflow against additional scenarios

    3(d) Workflow review

    Estimated Time: 1 hour

    Review your recovery workflow with a different scenario in mind.

    • Work from and update the soft copy of your recovery workflow.
    • Would any steps be different if the scenario changes? If yes, capture the different flow with a decision diamond. Identify any new gaps or risks you encounter with red and yellow cards. Use as few decision diamonds as possible.

    Screenshot of testing the workflow against the additional scenarios

    Info-Tech Best Practice

    As you start to consider scenarios where injuries or loss of life are a possibility, remember that health and safety risks are the top priority in a crisis. If there’s a fire in the data center, evacuating the building is the first priority, even if that means foregoing a graceful shut down. For more details on emergency response and crisis management, see Implement Crisis Management Best Practices.

    Consider additional IT disaster scenarios

    3(e) Thought experiment – Review additional scenarios

    Walk through your recovery workflow in the context of additional, different scenarios to ensure there are no gaps. Collaborate with your DR team to identify changes that might be required, and incorporate these changes in the plan.

    Scenario Type Considerations
    Isolated hardware/software failure
    • Failover to the DR site may not be necessary (or only for affected systems).
    Power outage or network outage
    • Do you have standby power? Do you have network redundancy?
    Local hazard (e.g. chemical leak, police incident)
    • Systems might be accessible remotely, but hands-on maintenance will be required eventually.
    • An alternate site is required for service continuity.
    Equipment/building damage (e.g. fire, roof collapse)
    • Staff injuries or loss of life are a possibility.
    • Equipment may need repair or replacement (vendor involvement).
    • An alternate site is required for service continuity.
    Regional natural disasters
    • Staff injuries or loss of life are a possibility.
    • Utilities may be affected (power, running water, etc.).
    • Expect staff to take care of their families first before work.
    • A geographically distant alternate site may be required for service continuity.

    Step 3.2: Identify and Prioritize Projects to Close Gaps

    This step will walk you through the following activities:

    • Analyze the gaps that were identified from the maturity scorecard, tabletop planning exercise, and the RTO/RPO gaps analysis.
    • Brainstorm solutions to close gaps and mitigate risks.
    • Determine a course of action to close these gaps. Prioritize each project. Create a project implementation timeline.

    This step involves the following participants:

    • DRP Coordinator
    • IT Infrastructure SMEs

    Results and Insights

    • Prioritized list of projects and action items that can improve DR capabilities.
    • Often low-cost, low-effort quick wins are identified to mitigate at least some gaps/risks. Higher-cost, higher-effort projects can be part of a longer-term IT strategy. Improving service continuity is an ongoing commitment.

    Brainstorm solutions to address gaps and risk

    3(f) Solutioning

    Estimated Time: 1.5 hours

    1. Review each of the risk and gap cards from the tabletop exercise.
    2. As a group, brainstorm ideas to address gaps, mitigate risks, and improve resiliency. Write the list of ideas on a whiteboard or flip-chart paper. The solutions can range from quick-wins and action items to major capital investments.
    3. Try to avoid debates about feasibility at this point – that should happen later. The goal is to get all ideas on the board.

    An example of how to complete Activity 3(f). Three cue cards showing various steps are attached by arrows to steps on a whiteboard.

    Info-Tech Best Practice

    It’s about finding ways to solve the problem, not about solving the problem. When you’re brainstorming solutions to problems, don’t stop with the first idea, even if the solution seems obvious. The first idea isn’t always the best or only solution; other ideas can expand on and improve that first idea.

    Select an optimal DR deployment model from a world of choice

    There are many options for a DR deployment. What makes sense for you?

    • Sifting through the options for a DR site can be overwhelming. Simplify by eliminating deployment models that aren’t a good fit for your requirements or organization using Info-Tech’s research.
    • Someone will ask you about DR in the cloud. Cut to the chase and evaluate cloud for fit with your organization’s current capabilities and requirements. Read about the 10 Secrets for Successful DR in the Cloud.
    • Selecting and deploying a DR site is an exercise in risk mitigation. IT’s role is to advise the business on options to address the risk of not having a DR site, including cost and effort estimates. The business must then decide how to manage risk. Build total cost of ownership (TCO) estimates and evaluate possible challenges and risks for each option.

    Is it practical to invest in greater geo-redundancy that meets RTOs and RPOs during a widespread event?

    Info-Tech suggests you consider events that impact both sites, and your risk tolerance for that impact. Outline the impact of downtime at a high level if both the primary and secondary site were affected. Research how often events severe enough to have impacted both your primary and secondary sites have occurred in the past. What’s the business tolerance for this type of event?

    A common strategy: have a primary and DR site that are close enough to support low RPO/RTO, but far enough away to mitigate the impact of known regional events. Back up data to a remote third location as protection against a catastrophic event.

    Info-Tech Insight

    Approach site selection as a project. Leverage Select an Optimal Disaster Recovery Deployment Model to structure your own site-selection project.

    Set up the DRP Roadmap Tool

    3(g) DRP Roadmap Tool – Set up tool

    Use the DRP Roadmap Tool to create a high-level roadmap to plan and communicate DR action items and initiatives. Determine the data you’ll use to define roadmap items.

    Screenshot of Info-Tech's DRP Roadmap Tool

    Plan next steps by estimating timeline, effort, priority, and more

    3(h) DRP Roadmap Tool – Describe roadmap items

    A screenshot of Info-Tech's DRP Roadmap Tool to show how to describe roadmap items

    Review and communicate the DRP Roadmap Tool

    3(i) DRP Roadmap Tool – View roadmap chart

    A screenshot of Info-Tech's DRP Roadmap Tool's Roadmap tab

    Step 3.3: Review the Future State Recovery Process

    This step will walk you through the following activities:

    • Update the recovery workflow to outline your future recovery procedure.
    • Summarize findings from DR exercises and present the results to the project sponsor and other interested executives.

    This step involves the following participants:

    • DRP Coordinator
    • IT SMEs (Future State Recovery Flow)
    • DR Project Sponsor

    Results and Insights

    • Summarize results from DR planning exercises to make the case for needed DR investment.

    Outline your future state recovery flow

    3(j) Update the recovery workflow to outline response and recovery in the future

    Estimated Time: 30 minutes

    Outline your expected future state recovery flow to demonstrate improvements once projects and action items have been completed.

    1. Create a copy of your DRP recovery workflow in a new tab in Visio.
    2. Delete gap and risk cards that are addressed by proposed projects. Consolidate or eliminate steps that would be simplified or streamlined in the future if projects are implemented.
    3. Create a short-, medium-, and long-term review of changes to illustrate improvements over time to the project roadmap.
    4. Update this workflow as you implement and improve DR capabilities.

    Screenshot of the recovery workflow

    Validate recovery targets and communicate actual recovery capabilities

    3(k) Validate findings, present recommendations, secure budget

    Estimated Time: time required will vary

    1. Interview managers or process owners to validate RTO, RPO, and business impact scores.Use your assessment of “heavy users” of particular applications (picture at right) to remind you which business users you should include in the interview process.
    2. Present an overview of your findings to the management team.Use Info-Tech’s DRP Recap and Results Template to summarize your findings.
    3. Take projects into the budget process.With the management team aware of the rationale for investment in DRP, build the business case and secure budget where needed.

    Present DRP findings and make the case for needed investment

    3(I) DRP Recap and Results Template

    Create a communication deck to recap key findings for stakeholders.

    • Write a clear problem statement. Identify why you did this project (what problem you’re solving).
    • Clearly state key findings, insights, and recommendations.
    • Leverage the completed tools and templates to populate the deck. Callouts throughout the template presentation will direct you to take and populate screenshots throughout the document.
    • Use the presentation to communicate key findings to, and gather feedback from, business unit managers, executives, and IT staff.
    Screenshots of Info-Tech's DRP Recap and Results Template

    Stories from the field: Info-Tech clients find value in Phase 3 in the following ways

    Tabletop planning is an effective way to discover gaps in recovery capabilities. Identify issues in the tabletop exercise so you can manage them before disaster strikes. For example:

    Back up a second…

    A client started to back up application data offsite. To minimize data transfer and storage costs, the systems themselves weren’t backed up. Working through the restore process at the DR site, the DBA realized 30 years of COBOL and SQR code – critical business functionality – wasn’t backed up offsite.

    Net… work?

    A 500-employee professional services firm realized its internet connection could be a significant roadblock to recovery. Without internet, no one at head office could access critical cloud systems. The tabletop exercise identified this recovery bottleneck and helped prioritize the fix on the roadmap.

    Someone call a doctor!

    Hospitals rely on their phone systems for system downtime procedures. A tabletop exercise with a hospital client highlighted that if the data center were damaged, the phone system would likely be damaged as well. Identifying this provided more urgency to the ongoing VOIP migration.

    The test of time

    A small municipality relied on a local MSP to perform systems restore, but realized it had never tested the restore procedure to identify RTA. Contacting the MSP to review capabilities became a roadmap item to address this risk.

    Phase 3: Insights and accomplishments

    Screenshot of Info-Tech's DRP recovery workflow template

    Outlined the DRP response and risks to recovery

    Screenshots of activities completed related to brainstorming risk mitigation measures.

    Brainstormed risk mitigation measures

    Summary of Accomplishments

    • Planned and documented your DR incident response and systems recovery workflow.
    • Identified gaps and risks to recovery and incident management.
    • Brainstormed and identified projects and action items to mitigate risks and close gaps.

    Up Next: Leverage the core deliverables to complete, extend, and maintain your DRP

    Create a Right-Sized Disaster Recovery Plan

    Phase 4

    Complete, Extend, and Maintain Your DRP

    Phase 4: Complete, Extend, and Maintain Your DRP

    This phase will walk you through the following activities:

    • Identify progress made on your DRP by reassessing your DRP maturity.
    • Prioritize the highest value major initiatives to complete, extend, and maintain your DRP.

    This phase involves the following participants:

    • DRP Coordinator
    • Executive Sponsor

    Results and Insights

    • Communicate the value of your DRP by demonstrating progress against items in the DRP Maturity Scorecard.
    • Identify and prioritize future major initiatives to support the DRP, and the larger BCP.

    Celebrate accomplishments, plan for the future

    Congratulations! You’ve completed the core DRP deliverables and made the case for investment in DR capabilities. Take a moment to celebrate your accomplishments.

    This milestone is an opportunity to look back and look forward.

    • Look back: measure your progress since you started to build your DRP. Revisit the assessments completed in phase 1, and assess the change in your overall DRP maturity.
    • Look forward: prioritize future initiatives to complete, extend, and maintain your DRP. Prioritize initiatives that are the highest impact for the least requirement of effort and resources.

    We have completed the core DRP methodology for key systems:

    • BIA, recovery objectives, high-level recovery workflow, and recovery actuals.
    • Identify key tasks to meet recovery objectives.

    What could we do next?

    • Repeat the core methodology for additional systems.
    • Identify a DR site to meet recovery requirements, and review vendor DR capabilities.
    • Create a summary DRP document including requirements, capabilities, and change procedures.
    • Create a test plan and detailed recovery documentation.
    • Coordinate the creation of BCPs.
    • Integrate DR in other key operational processes.

    Revisit the DRP Maturity Scorecard to measure progress and identify remaining areas to improve

    4(a) DRP Maturity Scorecard – Reassess your DRP program maturity

    1. Find the copy of the DRP Maturity Scorecard you completed previously. Save a second copy of the completed scorecard in the same folder.
    2. Update scoring where you have improved your DRP documentation or capabilities.
    3. Review the new scores on tab 3. Compare the new scores to the original scores.

    Screenshot of DRP Maturity Assessment Results

    Info-Tech Best Practice

    Use the completed, updated DRP Maturity Scorecard to demonstrate the value of your continuity program, and to help you decide where to focus next.

    Prioritize major initiatives to complete, extend, and maintain the DRP

    4(b) Prioritize major initiatives

    Estimated Time: 2 hours

    Prioritize major initiatives that mitigate significant risk with the least cost and effort.

    1. Use the scoring criteria below to evaluate risk, effort, and cost for potential initiatives. Modify the criteria if required for your organization. Write this out on a whiteboard or flip-chart paper.
    2. Assign a score from 1 to 3. Multiply the scores for each initiative together for an aggregate score. In general, prioritize initiatives with higher scores.
    Score A: How significant are the risks this initiative will mitigate? B: How easily can we complete this initiative? C: How cost-effective is this initiative?
    3: High Critical impact on +50% of stakeholders, or major impact to compliance posture, or significant health/safety risk. One sprint, can be completed by a few individuals with minor supervision. Within the IT discretionary budget.
    2: Medium Impacts <50% of stakeholders, or minor impact on compliance, or degradation to health or safety controls. One quarter, and/or some increased effort required, some risk to completion. Requires budget approval from finance.
    1: Low Impacts limited to <25% of stakeholders, no impact on compliance posture or health/safety. One year, and/or major vendor or organizational challenges. Requires budget approval from the board of directors.

    Info-Tech Best Practice

    You can use a similar scoring exercise to prioritize and schedule high-benefit, low-effort, low-cost items identified in the roadmap in phase 3.

    Example: Prioritize major initiatives

    4(b) Prioritize major initiatives continued

    Write out the table on a whiteboard (record the results in a spreadsheet for reference). In the case below, IT might decide to work on repeating the core methodology first as they create the active testing plans, and tackle process changes later.

    Initiative A: How significant are the risks this initiative will mitigate? B: How easily can we complete this initiative? C: How cost-effective is this initiative? Aggregate score (A x B x C)
    Repeat the core methodology for all systems 2 – will impact some stakeholders, no compliance or safety impact. 2 – will require about 3 months, no significant complications. 3 – No cost. 12
    Add DR to project mgmt. and change mgmt. 1 – Mitigates some recovery risks over the long term. 1 – Requires extensive consultation and process review. 3 – No cost. 3
    Active failover testing on plan 2 – Mitigates some risks; documentation and cross training is already in place. 2 – Requires 3-4 months of occasional effort to prepare for test. 2 – May need to purchase some equipment before testing. 8

    Info-Tech Best Practice

    Find a pace that allows you to keep momentum going, but also leaves enough time to act on the initial findings, projects, and action items identified in the DRP Roadmap Tool. Include these initiatives in the Roadmap tool to visualize how identified initiatives fit with other tasks identified to improve your recovery capabilities.

    Repeat the core DR methodology for additional systems and applications


    You have created a DR plan for your most critical systems. Now, add the rest:

    • Build on the work you’ve already done. Re-use the BIA scoring scale. Update your existing recovery workflows, rather than creating and formatting an entirely new document. A number of steps in the recovery will be shared with, or similar to, the recovery procedures for your Tier 1 systems.

    Risks and Challenges Mitigated

    • DR requirements and capabilities for less-critical systems have not been evaluated.
    • Gaps in the recovery process for less critical systems have not been evaluated or addressed.
    • DR capabilities for less critical systems may not meet business requirements.
    Sample Outputs
    Add Tier 2 & 3 systems to the BIA.
    Complete another tabletop exercise for Tier 2 & 3 systems recovery, and add the results to the recovery workflow.
    Identify projects to close additional gaps in the recovery process. Add projects to the project roadmap.

    Info-Tech Best Practice

    Use this example of a complete, practical, right-size DR plan to drive and guide your efforts.

    Extend your core DRP deliverables

    You’ve completed the core DRP deliverables. Continue to create DRP documentation to support recovery procedures and governance processes:

    • DR documentation efforts fail when organizations try to boil the ocean with an all-in-one plan aimed at auditors, business leaders, and IT. It’s long, hard to maintain, and ends up as shelfware.
    • Create documentation in layers to keep it manageable. Build supporting documentation over time to support your high-level recovery workflow.

    Risks and Challenges Mitigated

    • Key contact information, escalation, and disaster declaration responsibilities are not identified or formalized.
    • DRP requirements and capabilities aren’t centralized. Key DRP findings are in multiple documents, complicating governance and oversight by auditors, executives, and board members.
    • Detailed recovery procedures and peripheral information (e.g. network diagrams) are not documented.
    Sample Outputs
    Three to five detailed systems recovery flowcharts/checklists.
    Documented team roles, succession plans, and contact information.
    Notification, assessment, and disaster declaration plan.
    DRP summary.
    Layer 1, 2 & 3 network diagrams.

    Info-Tech Best Practice

    Use this example of a complete, practical, right-size DR plan to drive and guide your efforts.

    Select an optimal DR deployment model and deployment site

    Your DR site has been identified as inadequate:

    • Begin with the end in mind. Commit to mastering the selected model and leverage your vendor relationship for effective DR.
    • Cut to the chase and evaluate the feasibility of cloud first. Gauge your organization’s current capabilities for DR in the cloud before becoming infatuated with the idea.
    • A mixed model gives you the best of both worlds. Diversify your strategy by identifying fit for purpose and balancing the work required to maintain various models.

    Risks and Challenges Mitigated

    • Without an identified DR site, you’ll be scrambling when a disaster hits to find and contract for a location to restore IT services.
    • Without systems and application data backed up offsite, you stand to lose critical business data and logic if all copies of the data at your primary site were lost.
    Sample Outputs
    Application assessment for cloud DR.
    TCO tool for different environments.
    Solution decision and executive presentation.

    Info-Tech Best Practice

    Use Info-Tech’s blueprint, Select the Optimal Disaster Recovery Deployment Model, to help you make sense of a world of choice for your DR site.

    Extend DRP findings to business process resiliency with a BCP pilot

    Integrate your findings from DRP into the overall BCP:

    • As an IT leader you have the skillset and organizational knowledge to lead a BCP project, but ultimately business leaders need to own the BCP – they know their processes and requirements to resume business operations better than anyone else.
    • The traditional approach to BCP is a massive project that most organizations can’t execute without hiring a consultant. To execute BCP in-house, carve up the task into manageable pieces.

    Risks and Challenges Mitigated

    • No formal plan exists to recover from a disruption to critical business processes.
    • Business requirements for IT systems recovery may change following a comprehensive review of business continuity requirements.
    • Outside of core systems recovery, IT could be involved in relocating staff, imaging and issuing new end-user equipment, etc. Identifying these requirements is part of BCP.
    Sample Outputs
    Business process-focused BIA for one business unit.
    Recovery workflows for one business unit.
    Provisioning list for one business unit.
    BCP project roadmap.

    Info-Tech Best Practice

    Use Info-Tech’s blueprint, Develop a Business Continuity Plan, to develop and deploy a repeatable BCP methodology.

    Test the plan to validate capabilities and cross-train staff on recovery procedures

    You don’t have a program to regularly test the DR plan:

    • Most DR tests are focused solely on the technology and not the DR management process – which is where most plans fail.
    • Be proactive – establish an annual test cycle and identify and coordinate resources well in advance.
    • Update DRP documentation with findings from the plan, and track the changes you make over time.

    Risks and Challenges Mitigated

    • Gaps likely still exist in the plan that are hard to find without some form of testing.
    • Customers and auditors may ask for some form of DR testing.
    • Staff may not be familiar with DR documentation or how they can use it.
    • No formal cycle to validate and update the DRP.
    Sample Outputs
    DR testing readiness assessment.
    Testing handbooks.
    Test plan summary template.
    DR test issue log and analysis tool.

    Info-Tech Best Practice

    Uncover deficiencies in your recovery procedures by using Info-Tech’s blueprint Reduce Costly Downtime Through DR Testing.

    “Operationalize” DRP management

    Inject DR planning in key operational processes to support plan maintenance:

    • Major changes, or multiple routine changes, can materially alter DR capabilities and requirements. It’s not feasible to update the DR plan after every routine change, so leverage criticality tiers in the BIA to focus your change management efforts. Critical systems require more rigorous change procedures.
    • Likewise, you can build criticality tiers into more focused project management and performance measurement processes.
    • Schedule regular tasks in your ticketing system to verify capabilities and cross-train staff on key recovery procedures (e.g. backup and restore).

    Risks and Challenges Mitigated

    • DRP is not updated “as needed” – as requirements and capabilities change due to business and technology changes.
    • The DRP is disconnected from day-to-day operations.
    Sample Outputs
    Reviewed and updated change, project, and performance management processes.
    Reviewed and updated internal SLAs.
    Reviewed and updated data protection and backup procedures.

    Review infrastructure service provider DR capabilities

    Insert DR planning in key operational processes to support plan maintenance:

    • Reviewing vendor DR capabilities is a core IT vendor management competency.
    • As your DR requirements change year-to-year, ensure your vendors’ service commitments still meet your DR requirements.
    • Identify changes in the vendor’s service offerings and DR capabilities, e.g. higher costs for additional DR support, new offerings to reduce potential downtime, or conversely, a degradation in DR capabilities.

    Risks and Challenges Mitigated

    • Vendor capabilities haven’t been measured against business requirements.
    • No internal capability exists currently to assess vendor ability to meet promised SLAs.
    • No internal capability exists to track vendor performance on recoverability.
    Sample Outputs
    A customized vendor DRP questionnaire.
    Reviewed vendor SLAs.
    Choose to keep or change service levels or vendor offerings based on findings.

    Phase 4: Insights and accomplishments

    Screenshot of DRP Maturity Assessment Results

    Identified progress against targets

    Screenshot of prioritized further initiatives.

    Prioritized further initiatives

    Screenshot of DRP Planning Roadmap

    Added initiatives to the roadmap

    Summary of Accomplishments

    • Developed a list of high-priority initiatives that can support the extension and maintenance of the DR plan over the long term.
    • Reviewed and update maturity assessments to establish progress and communicate the value of the DR program.

    Summary of accomplishment

    Knowledge Gained

    • Conduct a BIA to determine appropriate targets for RTOs and RPOs.
    • Identify DR projects required to close RTO/RPO gaps and mitigate risks.
    • Use tabletop planning to create and validate an incident response plan.

    Processes Optimized

    • Your DRP process was optimized, from BIA to documenting an incident response plan.
    • Your vendor evaluation process was optimized to identify and assess a vendor’s ability to meet your DR requirements, and to repeat this evaluation on an annual basis.

    Deliverables Completed

    • DRP Maturity Scorecard
    • DRP Business Impact Analysis Tool
    • DRP Roadmap Tool
    • Incident response plan and systems recovery workflow
    • Executive presentation

    Info-Tech’s insights bust the most obstinate myths of DRP

    Myth #1: DRPs need to focus on major events such as natural disasters and other highly destructive incidents such as fire and flood.

    Reality: The most common threats to service continuity are hardware and software failures, network outages, and power outages.

    Myth #2: Effective DRPs start with identifying and evaluating potential risks.

    Reality: DR isn’t about identifying risks; it’s about ensuring service continuity.

    Myth #3: DRPs are separate from day-to-day operations and incident management.

    Reality: DR must be integrated with service management to ensure service continuity.

    Myth #4: I use a co-lo or cloud services so I don’t have to worry about DR. That’s my vendor’s responsibility.

    Reality: You can’t outsource accountability. You can’t just assume your vendor’s DR capabilities will meet your needs.

    Myth #5: A DRP must include every detail so anyone can execute the recovery.

    Reality: IT DR is not an airplane disaster movie. You aren’t going to ask a business user to execute a system recovery, just like you wouldn’t really want a passenger with no flying experience to land a plane.

    Supplement the core documentation with these tools and templates

    • An Excel workbook workbook to track key roles on DR, business continuity, and emergency response teams. Can also track DR documentation location and any hardware purchases required for DR.
    • A questionnaire template and a response tracking tool to structure your investigation of vendor DR capabilities.
    • Integrate escalation with your DR plan by defining incident severity and escalation rules . Use this example as a template or integrate ideas into your own severity definitions and escalation rules in your incident management procedures.
    • A minute-by-minute time-tracking tool to capture progress in a DR or testing scenario. Monitor progress against objectives in real time as recovery tasks are started and completed.

    Next steps: Related Info-Tech research

    Select the Optimal Disaster Recovery Deployment Model Evaluate cloud, co-lo, and on-premises disaster recovery deployment models.

    Develop a Business Continuity Plan Streamline the traditional approach to make BCP development manageable and repeatable.

    Prepare for a DRP Audit Assess your current DRP maturity, identify required improvements, and complete an audit-ready DRP summary document.

    Document and Maintain Your Disaster Recovery Plan Put your DRP on a diet: keep it fit, trim, and ready for action.

    Reduce Costly Downtime Through DR Testing Improve your DR plan and your team’s ability to execute on it.

    Implement Crisis Management Best Practices An effective crisis response minimizes the impact of a crisis on reputation, profitability, and continuity.

    Research contributors and experts

    • Alan Byrum, Director of Business Continuity, Intellitech
    • Bernard Jones (MBCI, CBCP, CORP, ITILv3), Owner/Principal, B Jones BCP Consulting, LLC
    • Paul Beaudry, Assistant Vice-President, Technical Services, MIS, Richardson International Limited
    • Yogi Schulz, President, Corvelle Consulting

    Glossary

    • Business Continuity Management (BCM) Program: Ongoing management and governance process supported by top management and appropriately resourced to implement and maintain business continuity management. (Source: ISO 22301:2012)
    • Business Continuity Plan (BCP): Documented procedures that guide organizations to respond, recover, resume, and restore to a pre-defined level of operation following disruption. The BCP is not necessarily one document, but a collection of procedures and information.
    • Crisis: A situation with a high level of uncertainty that disrupts the core activities and/or credibility of an organization and requires urgent action. (Source: ISO 22300)
    • Crisis Management Team (CMT): A group of individuals responsible for developing and implementing a comprehensive plan for responding to a disruptive incident. The team consists of a core group of decision makers trained in incident management and prepared to respond to any situation.
    • Disaster Recovery Planning (DRP): The activities associated with the continuing availability and restoration of the IT infrastructure.
    • Incident: An event that has the capacity to lead to loss of, or a disruption to, an organization’s operations, services, or functions – which, if not managed, can escalate into an emergency, crisis, or disaster.

      • BCI Editor’s Note: In most countries “incident” and “crisis” are used interchangeably, but in the UK the term “crisis” has been generally reserved for dealing with wide-area incidents involving Emergency Services. The BCI prefers the use of “incident” for normal BCM purposes. (Source: The Business Continuity Institute)

    • Incident Management Plan: A clearly defined and documented plan of action for use at the time of an incident, typically covering the key personnel, resources, services, and actions needed to implement the incident management process.
    • IT Disaster: A service interruption requiring IT to rebuild a service, restore from backups, or activate redundancy at the backup site.
    • Recovery Point: Time elapsed between the last good copy of the data being taken and failure/corruption on the production environment; think of this as data loss.
    • Recovery Point Actual (RPA): The currently achievable recovery point after a disaster event, given existing people, processes, and technology. This reflects expected maximum data loss that could actually occur in a disaster scenario.
    • Recovery Point Objective (RPO): The target recovery point after a disaster event, usually calculated in hours, on a given system, application, or service. Think of this as acceptable and appropriate data loss. RPO should be based on a business impact analysis (BIA) to identify an acceptable and appropriate recovery target.
    • Recovery Time: Time required to restore a system, application, or service to a functional state; think of this as downtime.
    • Recovery Time Actual (RTA): The currently achievable recovery time after a disaster event, given existing people, processes, and technology. This reflects expected maximum downtime that could actually occur in a disaster scenario.
    • Recovery Time Objective (RTO): The target recovery time after a disaster event for a given system, application, or service. RTO should be based on a business impact analysis (BIA) to identify acceptable and appropriate downtime.

    Bibliography

    BCMpedia. “Recovery Objectives: RTO, RPO, and MTPD.” BCMpedia, n.d. Web.

    Burke, Stephen. “Public Cloud Pitfalls: Microsoft Azure Storage Cluster Loses Power, Puts Spotlight On Private, Hybrid Cloud Advantages.” CRN, 16 Mar. 2017. Web.

    Elliot, Stephen. “DevOps and the Cost of Downtime: Fortune 1000 Best Practice Metrics Quantified.” IDC, 2015. Web.

    FEMA. Planning & Templates. FEMA, 2015. Web.

    FINRA. “Business Continuity Plans and Emergency Contact Information.” FINRA, 2015. Web.

    FINRA. “FINRA, the SEC and CFTC Issue Joint Advisory on Business Continuity Planning.” FINRA, 2013. Web.

    Gosling, Mel, and Andrew Hiles. “Business Continuity Statistics: Where Myth Meets Fact.” Continuity Central, 2009. Web.

    Hanwacker, Linda. “COOP Templates for Success Workbook.” The LSH Group, n.d. Web.

    Homeland Security. Federal Information Security Management Act (FISMA). Homeland Security, 2015. Web.

    Nichols, Shaun. “AWS's S3 Outage Was So Bad Amazon Couldn't Get Into Its Own Dashboard to Warn the World.” The Register, 1 Mar. 2017. Web.

    Potter, Patrick. “BCM Regulatory Alphabet Soup.” RSA Archer Organization, 2012. Web.

    Rothstein, Philip Jan. “Disaster Recovery Testing: Exercising Your Contingency Plan.” Rothstein Associates Inc., 2007. Web.

    The Business Continuity Institute. “The Good Practice Guidelines.” The Business Continuity Institute, 2013. Web.

    The Disaster Recovery Journal. “Disaster Resource Guide.” The Disaster Recovery Journal, 2015. Web.

    The Disaster Recovery Journal. “DR Rules & Regulations.” The Disaster Recovery Journal, 2015. Web.

    The Federal Financial Institution Examination Council (FFIEC). Business Continuity Planning. IT Examination Handbook InfoBase, 2015. Web.

    York, Kyle. “Read Dyn’s Statement on the 10/21/2016 DNS DDoS Attack.” Oracle, 22 Oct. 2016. Web.

    Customer Relationship Management Platform Selection Guide

    • Buy Link or Shortcode: {j2store}529|cart{/j2store}
    • member rating overall impact: 9.2/10 Overall Impact
    • member rating average dollars saved: $14,719 Average $ Saved
    • member rating average days saved: 32 Average Days Saved
    • Parent Category Name: Customer Relationship Management
    • Parent Category Link: /customer-relationship-management
    • Customer relationship management (CRM) suites are an indispensable part of a holistic strategy for managing end-to-end customer interactions.
    • After defining an approach to CRM, selection and implementation of the right CRM suite is a critical step in delivering concrete business value for marketing, sales, and customer service.
    • Despite the importance of CRM selection and implementation, many organizations struggle to define an approach to picking the right vendor and rolling out the solution in an effective and cost-efficient manner.
    • IT often finds itself in the unenviable position of taking the fall for CRM platforms that don't deliver on the promise of the CRM strategy.

    Our Advice

    Critical Insight

    • IT needs to be a trusted partner in CRM selection and implementation, but the business also needs to own the requirements and be involved from the beginning.
    • CRM requirements dictate the components of the target CRM architecture, such as deployment model, feature focus, and customization level. Savvy application directors recognize the points in the project where the CRM architecture model necessitates deviations from a "canned" roll-out plan.
    • CRM selection is a multi-step process that involves mapping target capabilities for marketing, sales, and customer service, assigning requirements across functional categories, determining the architecture model to prioritize criteria, and developing a comprehensive RFP that can be scored in a weighted fashion.
    • Companies that succeed with CRM implementation create a detailed roadmap that outlines milestones for configuration, security, points of implementation, data migration, training, and ongoing application maintenance.

    Impact and Result

    • A CRM platform that effectively meets the needs of marketing, sales, and customer service and delivers value.
    • Reduced costs during CRM selection.
    • Reduced implementation costs and time frame.
    • Faster time to results after implementation.

    Customer Relationship Management Platform Selection Guide Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Customer Relationship Management Platform Selection Guide – Speed up the process to build your business case and select your CRM solution.

    This blueprint will help you build a business case for selecting the right CRM platform, defining key requirements, and conducting a thorough analysis and scan of the ever-evolving CRM market space.

    • Customer Relationship Management Platform Selection Guide — Phases 1-3

    2. CRM Business Case Template – Document the key drivers for selecting a new CRM platform.

    Having a sound business case is essential for succeeding with a CRM. This template will allow you to document key drivers and impact, in line with the CRM Platform Selection Guide blueprint.

    • CRM Business Case Template

    3. CRM Request for Proposal Template

    Create your own request for proposal (RFP) for your customer relationship management (CRM) solution procurement process by customizing the RFP template created by Info-Tech.

    • CRM Request for Proposal Template

    4. CRM Suite Evaluation and RFP Scoring Tool

    The CRM market has many strong contenders and differentiation may be difficult. Instead of relying solely on reputation, organizations can use this RFP tool to record and objectively compare vendors according to their specific requirements.

    • CRM Suite Evaluation and RFP Scoring Tool

    5. CRM Vendor Demo Script

    Use this template to support your business's evaluation of vendors and their solutions. Provide vendors with scenarios that prompt them to display not only their solution's capabilities, but also how the tool will support your organization's particular needs.

    • CRM Vendor Demo Script

    6. CRM Use Case Fit Assessment Tool

    Use this tool to help build a CRM strategy for the organization based on the specific use case that matches your organizational needs.

    • CRM Use-Case Fit Assessment Tool
    [infographic]

    Further reading

    Customer Relationship Management Platform Selection Guide

    Speed up the process to build your business case and select your CRM solution.

    Table of Contents

    1. Analyst Perspective
    2. Executive Summary
    3. Blueprint Overview
    4. Executive Brief
    5. Phase 1: Understand CRM Functionality
    6. Phase 2: Build the Business Case and Elicit CRM requirements
    7. Phase 3: Discover the CRM Marketspace and Prepare for Implementation
    8. Conclusion

    Analyst Perspective

    A strong CRM platform is paramount to succeeding with customer engagement.

    Modern CRM platforms are the workhorses that provide functional capabilities and data curation for customer experience management. The market for CRM platforms has seen an explosion of growth over the last five years, as organizations look to mature their ability to deliver strong capabilities across marketing, sales, and customer service.

    IT needs to be a trusted partner in CRM selection and implementation, but the business also needs to own the requirements and be involved from the get-go.

    CRM selection must be a multistep process that involves defining target capabilities for marketing, sales, and customer service, prioritizing requirements across functional categories, determining the architecture model for the CRM environment, and developing a comprehensive RFP that can be scored in a weighted fashion.

    To succeed with CRM implementation, create a detailed roadmap that outlines milestones for configuration, security, points of implementation, data migration, training, and ongoing application maintenance.

    Photo of Ben Dickie, Research Lead, Customer Experience Strategy, Info-Tech Research Group. Ben Dickie
    Research Lead, Customer Experience Strategy
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Customer Relationship Management (CRM) suites are an indispensable part of a holistic strategy for managing end-to-end customer interactions. Selecting the right platform that aligns with your requirements is a significant undertaking.

    After defining an approach to CRM, selection and implementation of the right CRM suite is a critical step in delivering concrete business value for marketing, sales, and customer service.     		Common Obstacles

    Despite the importance of CRM selection and implementation, many organizations struggle to define an approach to picking the right vendor and rolling out the solution in an effective and cost-efficient manner.

    The CRM market is rapidly evolving and changing, making it tricky to stay on top of the space.

    IT often finds itself in the unenviable position of taking the fall for CRM platforms that don’t deliver on the promise of the CRM strategy.     		Info-Tech’s Approach

    CRM platform selection must be driven by your overall customer experience management strategy: link your CRM selection to your organization’s CXM framework.

    Determine if you need a CRM platform that skews toward marketing, sales, or customer service; leverage use cases to help guide selection.

    Ensure strong points of integration between CRM and other software such as MMS. A CRM should not live in isolation; it must provide a 360-degree view.

    Info-Tech Insight

    IT must work in lockstep with its counterparts in marketing, sales, and customer service to define a unified vision for the CRM platform.

    Info-Tech’s methodology for selecting the right CRM platform

    1. Understand CRM Features 2. Build the Business Case & Elicit CRM Requirements 3. Discover the CRM Market Space & Prepare for Implementation
    Phase Steps
    1. Define CRM platforms
    2. Classify table stakes & differentiating capabilities
    3. Explore CRM trends
    1. Build the business case
    2. Streamline requirements elicitation for CRM
    3. Construct the RFP
    1. Discover key players in the CRM landscape
    2. Engage the shortlist & select finalist
    3. Prepare for implementation
    Phase Outcomes
    • Consensus on scope of CRM and key CRM capabilities
    • CRM selection business case
    • Top-level use cases and requirements
    • Completed CRM RFP
    • CRM market analysis
    • Shortlisted vendor
    • Implementation considerations

    Guided Implementation

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    The CRM purchase process should be broken into segments:

    1. CRM vendor shortlisting with this buyer’s guide
    2. Structured approach to selection
    3. Contract review

    What does a typical GI on this topic look like?

    Phase 1

    Phase 2

    Phase 3
    Call #1: Understand what a CRM platform is and the “art of the possible” for sales, marketing, and customer service. Call #2: Build the business case to select a CRM.

    Call #3: Define your key CRM requirements.

    Call #4: Build procurement items such as an RFP.     		Call #5: Evaluate the CRM solution landscape and shortlist viable options.

    Call #6: Review implementation considerations.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting
    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    INFO~TECH RESEARCH GROUP

    Customer Relationship Management Platform Selection Guide

    Speed up the process to build your business case and select your CRM solution.

    EXECUTIVE BRIEF

    Info-Tech Research Group Inc. is a global leader in providing IT research and advice. Info-Tech’s products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns.
    © 1997-2022 Info-Tech Research Group Inc.

    What exactly is a CRM platform?

    Our Definition: A customer relationship management (CRM) platform (or suite) is a core enterprise application that provides a broad feature set for supporting customer interaction processes, typically across marketing, sales and customer service. These suites supplant more basic applications for customer interaction management (such as the contact management module of an enterprise resource planning (ERP) platform or office productivity suite).

    A customer relationship management suite provides many key capabilities, including but not limited to:

    • Account management
    • Order history tracking
    • Pipeline management
    • Case management
    • Campaign management
    • Reports and analytics
    • Customer journey execution

    A CRM suite provides a host of native capabilities, but many organizations elect to tightly integrate their CRM solution with other parts of their customer experience ecosystem to provide a 360-degree view of their customers.

    		Stock image of a finger touching a screen showing a stock chart.

    Info-Tech Insight

    CRM feature sets are rapidly evolving. Focus on the social component of sales, marketing, and service management features, as well as collaboration, to get the best fit for your requirements. Moreover, consider investing in best-of-breed social media management platforms (SMMPs) and internal collaboration tools to ensure sufficient functionality.

    Build a cohesive CRM selection approach that aligns business goals with CRM capabilities.

    Info-Tech Insight

    Customers expect to interact with organizations through the channels of their choice. Now more than ever, you must enable your organization to provide tailored customer experiences.

    Customer expectations are on the rise: meet them!

    A CRM platform is a crucial system for enabling good customer experiences.

    CUSTOMER EXPERIENCE IS EVOLVING

    1. Thoughtfulness is in
        Connect with customers on a personal level
    2. Service over products
        The experience is more important than the product
    3. Culture is now number one
        Culture is the most overlooked piece of customer experience strategy
    4. Engineering and service finally join forces
        Companies are combining their technology and service efforts to create strong feedback loops
    5. The B2B world is inefficiently served
        B2B needs to step up with more tools and a greater emphasis placed on customer experience

    (Source: Forbes, 2019)

    Identifying organizational objectives of high priority will assist in breaking down business needs and CRM objectives. This exercise will better align the CRM systems with the overall corporate strategy and achieve buy-in from key stakeholders.

    A strong CRM platform supports a range of organizational objectives for customer engagement.

    Increase Revenue Enable lead scoring Deploy sales collateral management tools Improve average cost per lead via a marketing automation tool
    Enhance Market Share Enhance targeting effectiveness with a CRM Increase social media presence via an SMMP Architect customer intelligence analysis
    Improve Customer Satisfaction Reduce time-to-resolution via better routing Increase accessibility to customer service with live chat Improve first contact resolution with customer KB
    Increase Customer Retention Use a loyalty management application Improve channel options for existing customers Use customer analytics to drive targeted offers
    Create Customer-Centric Culture Ensure strong training and user adoption programs Use CRM to provide 360-degree view of all customer interactions Incorporate the voice of the customer into product development

    Succeeding with CRM selection and implementation has a positive effect on driving revenues and decreasing costs

    There are three buckets of metrics and KPIs where CRM will drive improvements

    The metrics of a smooth CRM selection and implementation process include:

    • Better alignment of CRM functionality to business needs.
    • Better functionality coverage of the selected platform.
    • Decreased licensing costs via better vendor negotiation.
    • Improved end-user satisfaction with the deployed solution.
    • Fewer errors and rework during implementation.
    • Reduced total implementation costs.
    • Reduced total implementation time.

    A successful CRM deployment drives revenue

    • Increased customer acquisition due to enhanced accuracy of segmentation and targeting, superior lead qualification, and pipeline management.
    • Increased customer satisfaction and retention due to targeted campaigns (e.g. customer-specific deals), quicker service incident resolution, and longitudinal relationship management.
    • Increased revenue per customer due to comprehensive lifecycle management tools, social engagement, and targeted upselling of related products and services (enabled by better reporting/analytics).

    A successful CRM deployment decreases cost

    • Deduplication of effort across business domains as marketing, sales, and service now have a common repository of customer information and interaction tools.
    • Increased sales and service agent efficiency due to their focus on selling and resolution, rather than administrative tasks and overhead.
    • Reduced cost-to-sell and cost-to-serve due to automation of activities that were manually intensive.
    • Reduced cost of accurate data due to embedded reporting and analytics functionality.

    CRM platforms sit at the core of a well-rounded customer engagement ecosystem

    At the center is 'Customer Relationship Management Platform' surrounded by 'Web Experience Management Platform', 'E-Commerce & Point-of-Sale Solutions', 'Social Media Management Platform', 'Customer Intelligence Platform', 'Customer Service Management Tools', and 'Marketing Management Suite'.

    Customer Experience Management (CXM) Portfolio

    		Customer relationship management platforms are increasingly expansive in functional scope and foundational to an organization’s customer engagement strategy. Indeed, CRMs form the centerpiece for a comprehensive CXM system, alongside tools such as customer intelligence platforms and adjacent point solutions for sales, marketing, and customer service.

    Review Info-Tech’s CXM blueprint below to build a complete, end-to-end customer interaction solution portfolio that encompasses CRM alongside other critical components. The CXM blueprint also allows you to develop strategic requirements for CRM based on customer personas and external market analysis.

    Build a Strong Technology Foundation for Customer Experience Management

    Sample of the 'Build a Strong Technology Foundation for Customer Experience Management' blueprint. Design an end-to-end technology strategy to drive sales revenue, enhance marketing effectiveness, and create compelling experiences for your customers.

    View the blueprint

    Considering a CRM switch? Switching software vendors drives high satisfaction

    Eighty percent of organizations are more satisfied after changing their software vendor.

    • Most organizations see not only a positive change in satisfaction with their new vendor, but also a substantial change in satisfaction.
    • What matters is making sure your organization is well-positioned to make a switch.
    • When it comes to switching software vendors, the grass really can be greener on the other side.

    Over half of organizations are 60%+ more satisfied after changing their vendor.

    (Source: Info-Tech Research Group, "Switching Software Vendors Overwhelmingly Drives Increased Satisfaction", 2020.)

    IT is critical to the success of your CRM selection and rollout

    Today’s shared digital landscape of the CIO and CMO

    Info-Tech Insight

    Technology is the key enabler of building strong customer experiences: IT must stand shoulder to shoulder with the business to develop a technology framework for customer relationship management.

    CIO

    IT Operations

    Service Delivery and Management

    IT Support

    IT Systems and Application

    IT Strategy and Governance

    Cybersecurity     		Collaboration and Partnership

    Digital Strategy = Transformation
    Business Goals | Innovation | Leadership | Rationalization

    Customer Experience
    Architecture | Design | Omnichannel Delivery | Management

    Insight (Market Facing)
    Analytics | Business Intelligence | Machine Learning | AI

    Marketing Integration + Operating Model
    Apps | Channels | Experiences | Data | Command Center

    Master Data
    Customer | Audience | Industry | Digital Marketing Assets     		CMO

    PEO Media

    Brand Management

    Campaign Management

    Marketing Tech

    Marketing Ops

    Privacy, Trust, and Regulatory Requirements

    (Source: ZDNet, 2020)

    CRM by the numbers

    1/3

    Statistical analysis of CRM projects indicates failures vary from 18% to 69%. Taking an average of those analyst reports, about one-third of CRM projects are considered a failure. (Source: CIO Magazine, 2017)

    92%

    92% of organizations report that CRM use is important for accomplishing revenue objectives. (Source: Hall, 2020)

    40%

    In 2019, 40% of executives name customer experience the top priority for their digital transformation. (Source: CRM Magazine, 2019)

    Case Study

    Align strategy and technology to meet consumer demand.
    INDUSTRY
    Entertainment
    SOURCE
    Forbes, 2017
    Challenge

    Beginning as a mail-out service, Netflix offered subscribers a catalog of videos to select from and have mailed to them directly. Customers no longer had to go to a retail store to rent a video. However, the lack of immediacy of direct mail as the distribution channel resulted in slow adoption.

    Blockbuster was the industry leader in video retail but was lagging in its response to industry, consumer, and technology trends around customer experience.

    		Solution

    In response to the increasing presence of tech-savvy consumers on the internet, Netflix invested in developing its online platform as its primary distribution channel. The benefit of doing so was two-fold: passive brand advertising (by being present on the internet) and meeting customer demands for immediacy and convenience. Netflix also recognized the rising demand for personalized service and created an unprecedented, tailored customer experience.

    		Results

    Netflix’s disruptive innovation is built on the foundation of great customer experience management. Netflix is now a $28-billion company, which is tenfold what Blockbuster was worth.

    Netflix used disruptive technologies to innovatively build a customer experience that put it ahead of the long-time video rental industry leader, Blockbuster.

    CRM Buyer’s Guide

    Phase 1

    Understand CRM Features

    Phase 1

    1.1 Define CRM platforms

    1.2 Classify table stakes & differentiating capabilities

    1.3 Explore CRM trends

    		Phase 2

    2.1 Build the business case

    2.2 Streamline requirements elicitation for CRM

    2.3 Construct the RFP

    		Phase 3

    3.1 Discover key players in the CRM landscape

    3.2 Engage the shortlist & select finalist

    3.3 Prepare for implementation

    This phase will walk you through the following activities:

    • Set a level of understanding of CRM technology.
    • Define which CRM features are table stakes (standard) and which are differentiating.
    • Identify the “Art of the Possible” in a modern CRM from a sales, marketing, and service lens.

    This phase involves the following participants:

    • CIO
    • Applications manager
    • Project manager
    • Sales executive
    • Marketing executive
    • Customer service executive

    Understand CRM table stakes features

    Organizations can expect nearly all CRM vendors to provide the following functionality.

    Lead Management Pipeline Management Contact Management Campaign Management Customer Service Management
    • Tracks and captures a lead’s information, automatically building a profile. Leads are then qualified through contact scoring models. Assigning leads to sales is typically automated.
    • Enables oversight over future sales. Includes revenue forecasting based on past/present trends, tracking sales velocity, and identifying ineffective sales processes.
    • Tracks and stores customer data, including demography, account and billing history, social media, and contact information. Typically, records and fields can be customized.
    • Provides integrated omnichannel campaign functionality and data analysis of customer intelligence. Data insights can be used to drive new and effective marketing campaigns.
    • Provides integrated omnichannel customer experiences to provide convenient service. Includes case and ticket management, automated escalation rules, and third-party integrations.

    Identify differentiating CRM features

    While not always “must-have” functionality, these features may be the final dealbreaker when deciding between two CRM vendors.

    Image of clustered screens with various network and business icons surounding them.
    • Workflow Automation
      Automate repetitive tasks by creating workflows that trigger actions or send follow-up reminders for next steps.
    • Advanced Analytics and Reporting
      Provides customized dashboard visualizations, detailed reporting, AI-driven virtual assistants, data extraction & analysis, and ML forecasting.
    • Customizations and Open APIs
      Broad range of available customizations (e.g. for dashboards and fields), alongside ease of integration (e.g. via plugins or APIs).
    • Document Management
      Out-of-the-box centralized content repository for storing, uploading, and sharing documents.
    • Mobile Support
      Ability to support mobile devices, OSes, and platforms with a native application or HTML-based web-access.
    • Project and Task Management
      Native project and task management functionality, enhancing cross-team organization and communication.
    • Configure, Price, Quote (CPQ)
      Create and send quotes or proposals to prospective and current customers.

    Features aren’t everything – be wary of common CRM selection pitfalls

    You can have all the right features, but systemic problems will lead to poor CRM implementation. Dig out these root causes first to ensure a successful CRM selection.

    50% of organizations believe the quality of their CRM data is “very poor” or “neutral.”

    Without addressing data governance issues, CRMs will only be as good as your data.

    Source: (Validity 2020)     		27% of organizations report that bad data costs them 10% or more in lost revenue annually.
    42% rate the trust that users have in their data as “high” or “very high.”
    54% believe that sales forecasts are accurate or very accurate.
    69% attribute poor CRM governance to missing or incomplete data, followed by duplicate data, incorrect data, and expired data. Other data issues include siloed data or disparate systems.
    73% believe that they do not have a 360-degree view of their customers.

    Ensure you understand the “art of the possible” in the CRM landscape

    Knowing what is possible will help funnel which features are most suitable for your organization – having all the bells and whistles does not always equal strong ROI.

    Holistically examine the potential of any CRM solution through three main lenses: Stock image of a person working with dashboards.

    Sales

    Identify sales opportunities through recording customers’ interactions, generating leads, nurturing contacts, and forecasting revenues.     		Stock image of people experiencing digital ideas.

    Marketing

    Analyze customer interactions to identify upsell and cross-sell opportunities, drive customer loyalty, and use customer data for targeted campaigns.     		Stock image of a customer service representative.

    Customer Service

    Improve and optimize customer engagement and retention, leveraging customer data to provide round-the-clock omnichannel experiences.

    Art of the possible: Sales

    Stock image of a person working with dashboards.

    TRACK PROSPECT INTERACTIONS

    		 Want to engage with a prospect but don’t know what to lead with? CRM solutions can track and analyze many of the interactions a prospect has with your organization, including with fellow staff, their clickthrough rate on marketing material, and what services they are downloading on your website. This information can then auto-generate tasks to begin lead generation.

    COORDINATE LEAD SCORING

    		 Information captured from a prospect is generated into contact cards; missing data (such as name and company) can be auto-captured by the CRM via crawling sites such as LinkedIn. The CRM then centralizes and scores (according to inputted business rules) a lead’s potential, ensuring sales teams coordinate and keep a track of the lead’s journey without wrongful interference.

    AI-DRIVEN REVENUE FORECASTING

    		 Generate accurate forecasting reports using AI-driven “virtual assistants” within the CRM platform. These assistants are personal data scientists, quickly noting discrepancies, opportunities, and what-if scenarios – tasks that might take weeks to do manually. This pulled data is then auto-forecasted, with the ability to flexibly adjust to real-time data.

    Art of the possible: Marketing

    Stock image of people experiencing digital ideas.

    DRIVE LOYALTY

    		 Data captured and analyzed in the CRM from customer interactions builds profiles and a deeper understanding of customers’ interests. With this data, marketing teams can deliver personalized promotions and customer service to enhance loyalty – from sending a discount on a product the customer was browsing on the website, to providing notifications about delivery statuses.

    AUTOMATE WORKFLOWS

    		 Building customer profiles, learning spending habits, and charting a customer’s journey for upselling or cross-selling can be automated through workflows, saving hours of manual work. These workflows can immediately respond to customer enquiries or deliver offers to the customer’s preferred channel based on their prior usage.

    TARGETED CAMPAIGNING

    		 Information attained through a CRM platform directly informs any marketing strategy: identifying customer segments, spending habits, building a better product based on customer feedback, and identifying high-spending customers. With any new product or offering, it is straightforward for marketing teams to understand where to target their next campaign for highest impact.

    Art of the possible: Customer service

    Stock image of a customer service representative.

    OMNICHANNEL SUPPORT

    		 Rapidly changing demographics and modes of communications require an evolution toward omnichannel engagement. Many customers now expect to communicate with contact centers not just by voice, but via social media. Agents need customer information synced across each channel they use, meeting the customer’s needs where they are.

    INTELLIGENT SELF-SERVICE PORTALS

    		 Customers want their issues resolved as quickly as possible. Machine-learning self-service options deliver personalized customer experiences, which also reduce both agent call volume and support costs for the organization.

    LEVERAGING ANALYTICS

    		 The future of customer service is tied up with analytics. This not only entails AI-driven capabilities that fetch the agent relevant information, skills-based routing, and using biometric data (e.g. speech) for security. It also feeds operations leaders’ need for easy access to real insights about how their customers and agents are doing.

    Best-of-Breed Point Solutions

    Full CRM Suite
    Blue smiley face. Benefits
    • Features may be more advanced for specific functional areas and a higher degree of customization may be possible.
    • If a potential delay in real-time customer data transfer is acceptable, best-of-breeds provide a similar level of functionality to suites for a lower price.
    • Best-of-breeds allow value to be realized faster than suites, as they are easier and faster to implement and configure.
    • Rip and replace is easier, and vendor updates are relatively quick to market.
    		Benefits
    • Everyone in the organization works from the same set of customer data.
    • There is a “lowest common denominator” for agent learning as consistent user interfaces lower learning curves and increase efficiency in usage.
    • There is a broader range of functionality using modules.
    • Integration between functional areas will be strong and the organization will be in a better position to enable version upgrades without risking invalidation of an integration point between separate systems.
    		 Green smiley face.
    Purple frowny face. Challenges
    • Best-of-breeds typically cover less breadth of functionality than suites.
    • There is a lack of uniformity in user experience across best-of-breeds.
    • Data integrity risks are higher.
    • Variable infrastructure may be implemented due to multiple disparate systems, which adds to architecture complexity and increased maintenance.
    • There is potential for redundant functionality across multiple best-of-breeds.
    		 Challenges
    • Suites exhibit significantly higher costs compared to point solutions.
    • Suite module functionality may not have the same depth as point solutions.
    • Due to high configuration availability and larger-scale implementation requirements, the time to deploy is longer than point solutions.
    		 Orange frowny face.
    Info-Tech Insight

    Even if a suite is missing a potential module, the proliferation of app extensions, integrations, and services could provide a solution. Salesforce’s AppExchange, for instance, offers a plethora of options to extend its CRM solution – from telephony integration, to gamification.

    CRM Buyer’s Guide

    Phase 2

    Build the Business Case & Elicit CRM Requirements

    Phase 1

    1.1 Define CRM platforms

    1.2 Classify table stakes & differentiating capabilities

    1.3 Explore CRM trends

    		Phase 2

    2.1 Build the business case

    2.2 Streamline requirements elicitation for CRM

    2.3 Construct the RFP

    		Phase 3

    3.1 Discover key players in the CRM landscape

    3.2 Engage the shortlist & select finalist

    3.3 Prepare for implementation

    This phase will walk you through the following activities:

    • Identify goals, objectives, challenges, and costs to inform the business case for a new CRM platform.
    • Elicit and prioritize key requirements for your platform.
    • Port the requirements into Info-Tech’s CRM RFP Template.

    This phase involves the following participants:

    • CIO
    • Applications manager
    • Project manager
    • Sales executive
    • Marketing executive
    • Customer service executive

    Right-size the CRM selection team to ensure you get the right information but are still able to move ahead quickly

    Full-Time Resourcing: At least one of these five team members must be allocated to the selection initiative as a full-time resource.

    A silhouetted figure.

    IT Leader

    		 A silhouetted figure.

    Technical Lead

    		 A silhouetted figure.

    Business Analyst/
    Project Manager

    		 A silhouetted figure.

    Business Lead

    		 A silhouetted figure.

    Process Expert(s)
    This team member is an IT director or CIO who will provide sponsorship and oversight from the IT perspective. This team member will focus on application security, integration, and enterprise architecture. This team member elicits business needs and translates them into technology requirements. This team member will provide sponsorship from the business needs perspective. Typically, a CMO or SVP of sales. These team members are the sales, marketing, and service process owners who will help steer the CRM requirements and direction.

    Info-Tech Insight

    It is critical for the selection team to determine who has decision rights. Organizational culture will play the largest role in dictating which team member holds the final say for selection decisions. For more information on stakeholder management and involvement, see this guide.

    Be prepared to define what issues you are trying to address and why a new CRM is the right approach

    Identify the current state and review the background of what you’ve done leading up to this point, goals you’ve been asked to meet, and challenges in solving known problems to help to set the stage for why your proposed solution is needed. If your process improvements have taken you as far as you can go without improved workflows or data, specify where the gaps are.
    Arrows with icons related to the text on the right merging into one arrow. Alignment

    Alignment to strategic goals is always important, but that is especially true with CRM because customer relationship management platforms are at the intersection of your organization and your customers. What are the strategic marketing, sales and customer service goals that you want to realize (in whole or in part) by improving your CRM ecosystem?

    Impact to your business

    Identify areas where your customers may be impacted by poor experiences due to inadequate or aging technology. What’s the impact on customer retention? On revenue?

    Impact to your organization

    Define how internal stakeholders within the organization are impacted by a sub-optimal CRM experience – what are their frustrations and pain points? How do issues with your current CRM environment prevent teams in sales, marketing, or service from doing their jobs?

    Impact to your department

    Describe the challenges within IT of using disparate systems, workarounds, poor data and reporting, lack of automation, etc., and the effect these challenges have on IT’s goals.

    Align the CRM strategy with the corporate strategy

    Corporate Strategy Unified Strategy CRM Strategy
    Spectrum spanning all columns.
    Your corporate strategy:
    • Conveys the current state of the organization and the path it wants to take.
    • Identifies future goals and business aspirations.
    • Communicates the initiatives that are critical for getting the organization from its current state to the future state.
    • The CRM strategy and the rationale for deploying a new CRM can be and should be linked, with metrics, to the corporate strategy and ultimate business objectives (such as improving customer acquisition, entering new segments, or improving customer lifetime value).
    		Your CRM strategy:
    • Communicates the organization’s budget and spending on CRM.
    • Identifies IT initiatives that will support the business and key CRM objectives.
    • Outlines staffing and resourcing for CRM initiatives.
    CRM projects are more successful when the management team understands the strategic importance and the criticality of alignment. Time needs to be spent upfront aligning business strategies with CRM capabilities. Effective alignment between sales, marketing, customer service, operations, IT, and the business should happen daily. Alignment doesn’t just need to occur at the executive level, but also at each level of the organization.

    2.1 Create your list of goals and milestones for CRM

    1-3 hours

    Input: Corporate strategy, Target key performance indicators, End-user satisfaction results (if applicable)

    Output: Prioritized list of goals with milestones that can be met with a new or improved CRM solution

    Materials: Whiteboard/flip charts, CRM Business Case Template

    Participants: CIO, Application managers, CMO/SVP sales, Marketing, sales or service SMEs

    1. Review strategic goals to identify alignment to your CRM selection project. For example, digital transformation may be enhanced or enabled with a CRM solution that supports better outreach to key customer segments through improved campaign management.
    2. Next, brainstorm tactical goals with your colleagues.
    3. Identify specific goals the organization has set for the business that may be supported by improved customer prospecting, customer service, or analytics functionality through a better CRM solution.
    4. Identify specific goals your organization will be able to make possible with a new or improved CRM solution.
    5. Prioritize this list and lead with the most important goal that can be reached at the one-year, six-month, and three-month milestones.
    6. Document in the goals section of your business case.

    Download the CRM Business Case Template and record the outputs of this exercise in the strategic business goals, business drivers, and technical drivers slides.

    Identify what challenges exist with the current environment

    Ensure you are identifying issues at a high level, so as not to drown in detail, but still paint the right picture. Identify technical issues that are impacting customer experience or business goals. Typical complaints for CRM solutions that are old or have been outgrown include:

    1.

    Lack of a flexible, configurable customer data model that supports complex relationships between accounts and contacts.

    2.

    Lack of a flexible, configurable customer data model that supports complex relationships between accounts and contacts.

    3.

    Lack of meaningful reports and useable dashboards, or difficulty in surfacing them.

    4.

    		 Poor change enablement resulting in business interruptions.

    5.

    		 Inability to effectively automate routine sales, marketing, or service tasks at scale via a workflow tool.

    6.

    		 Lack of proper service management features, such as service knowledge management.

    7.

    Inability to ingest customer data at scale (for example, no ability to automatically log e-mails or calls).

    8.

    Major technical deficiencies and outages – the incumbent CRM platform goes down, causing business disruption.

    9.

    The platform itself doesn’t exist in the current state – everything is done in Microsoft Excel!

    Separate business issues from technical issues, but highlight where they’re connected and where technical issues are causing business issues or preventing business goals from being reached.

    Before switching vendors, evaluate your existing CRM to see if it’s being underutilized or could use an upgrade

    The cost of switching vendors can be challenging, but it will depend entirely on the quality of data and whether it makes sense to keep it.
    • Achieving success when switching vendors first requires reflection. We need to ask why we are dissatisfied with our incumbent software.
    • If the product is old and inflexible, the answer may be obvious, but don’t be afraid to include your incumbent in your evaluation if your issues might be solved with an upgrade.
    • Look at your use-case requirements to see where you want to take the CRM solution and compare them to your incumbent’s roadmap. If they don’t match, switching vendors may be the only solution. If your roadmaps align, see if you’re fully leveraging the solution or will be able to start working through process improvements.
    Pie graph with a 20% slice. Pie graph with a 25% slice.

    20%

    		 Small/Medium Enterprises

    25%

    		 Large Enterprises
    only occasionally or rarely/never use their software (Source: Software Reviews, 2020; N = 45,027)
    Fully leveraging your current software now will have two benefits:
    1. It may turn out that poor leveraging of your incumbent software was the problem all along; switching vendors won’t solve the problem by itself. As the data to the right shows, a fifth of small/medium enterprises and a quarter of large enterprises do not fully leverage their incumbent software.
    2. If you still decide to switch, you’ll be in a good negotiating position. If vendors can see you are engaged and fully leveraging your software, they will be less complacent during negotiations to win you over.
    Info-Tech Insight

    Switching vendors won’t improve poor internal processes. To be fully successful and meet the goals of the business case, new software implementations must be accompanied by process review and improvement.

    2.2 Create your list of challenges as they relate to your goals and their impacts

    1-2 hours

    Input: Goals lists, Target key performance indicators, End-user satisfaction results (if applicable)

    Output: Prioritized list of challenges preventing or hindering customer experiences

    Materials: Whiteboard/flip charts, CRM Business Case Template

    Participants: CIO, Application managers, CMO/SVP sales, Marketing, sales, or service SMEs

    1. Brainstorm with your colleagues to discuss your challenges with CRM today from an application and process lens.
    2. Identify how these challenges are impacting your ability to meet the goals and identify any that are creating customer-facing issues.
    3. Group together like areas and arrange in order of most impactful. Identify which of these issues will be most relevant to the business case for a new CRM platform.
    4. Document in the current-state section of your business case.
    5. Discuss and determine if the incumbent solution can meet your needs or if you’ll need to replace it with a different product.

    Download the CRM Business Case Template and document the outputs of this exercise in the current-state section of your business case.

    Determine costs of the solution

    Ensure the business case includes both internal and external costs related to the new CRM platform, allocating costs of project managers to improve accuracy of overall costs and level of success.

    CRM solutions include application costs and costs to design processes, install, and configure. These start-up costs can be a significant factor in whether the initial purchase is feasible.

    CRM Vendor Costs

    • Application licensing
    • Implementation and configuration
    • Professional services
    • Maintenance and support
    • Training
    • 3rd Party add-ons
    • Data transformation
    • Integration
    When thinking about vendor costs, also consider the matching internal cost associated with the vendor activity (e.g. data cleansing, internal support).

    Internal Costs

    • Project management
    • Business readiness
    • Change management
    • Resourcing (user groups, design/consulting, testing)
    • Training
    • Auditors (if regulatory requirements need vetting)
    Project management is a critical success factor at all stages of an enterprise application initiative from planning to post-implementation. Ensuring that costs for such critical areas are accurately represented will contribute to success.

    Download the blueprint Improve Your Statements of Work to Hold Your Vendors Accountable to define requirements for installation and configuration.

    		Bring in the right resources to guarantee success. Work with the PMO or project manager to get help with creating the SOW.

    60% of IT projects are NOT finished “mostly or always” on time (Wellingtone, 2018).

    55% of IT personnel feel that the business objectives of their software projects are clear to them (Geneca, 2017).

    Document costs and expected benefits of the new CRM

    The business case should account for the timing of both expenditures and benefits. It is naïve to expect straight-line benefit realization or a big-bang cash outflow related to the solution implementation. Proper recognition and articulation of ramp-up time will make your business case more convincing.

    Make sure your timelines are realistic for benefits realization, as these will be your project milestones and your metrics for success.

    Example:
    Q1-Q2 Q3-Q6 Q6 Onwards

    Benefits at 25%

    At the early stages of an implementation, users are still learning the new system and go-live issues are being addressed. Most of the projected process improvements are likely to be low, zero, or even negative.

    Benefits at 75%

    Gradually, as processes become more familiar, an organization can expect to move closer to realizing the forecasted benefits or at least be in a position to recognize a positive trend toward their realization.

    Benefits at 100%

    In an ideal world, all projected benefits are realized at 100% or higher. This can be considered the stage where processes have been mastered, the system is operating smoothly, and change has been broadly adopted. In reality, benefits are often overestimated.

    Costs at 50%

    As with benefits, some costs may not kick in until later in the process or when the application is fully operational. In the early phases of implementation, factor in the cost of overlapping technology where you’ll need to run redundant systems and transition any data.

    Costs at 100%

    Costs are realized quicker than benefits as implementation activities are actioned, licensing and maintenance costs are introduced, and resourcing is deployed to support vendor activities internally. Costs that were not live in the early stages are an operational reality at this stage.

    Costs at 100%+

    Costs can be expected to remain relatively static past a certain point, if estimates accurately represented all costs. In many instances, costs can exceed original estimates in the business case, where costs were either underestimated, understated, or missed.

    2.3 Document your costs and expected benefits

    1-2 hours

    Input: Quotes with payment schedule, Budget

    Output: Estimated payment schedule and cost breakdown

    Materials: Spreadsheet or whiteboard, CRM Business Case Template

    Participants: CIO, Application managers, CMO/SVP sales, Marketing, sales, or service SMEs

    1. Estimate costs for the CRM solution. If you’re working with a vendor, provide the initial requirements to quote; otherwise, estimate as closely as you’re able.
    2. Calculate the five-year total cost for the solution to ensure the long-term budget is calculated.
    3. Break down costs for licenses, implementation, training, internal support, and hardware or hosting fees.
    4. Determine a reasonable breakdown of costs for the first year.
    5. Identify where residual costs of the old system may factor in if there are remaining contract obligations during the technology transition.
    6. Create a list of benefits expected to be realized within the same timeline.

    Sample of the table on the previous slide.

    Download the CRM Business Case Template and document the outputs of this exercise in the current-state section of your business case.

    Identify risks and dependencies to mitigate barriers to success as you look to roll out a CRM suite

    A risk assessment will be helpful to better understand what risks need to be mitigated to make the project a success and what risks are pending should the solution not be approved or be delayed.

    Risk Criteria Relevant Questions
    Timeline Uncertainty
    • How much risk is associated with the timeline of the CRM project?
    • Is this timeline realistic and can you reach some value in the first year?
    Success of Similar Projects
    • Have we undertaken previous projects that are similar?
    • Were those successful?
    • Did we note any future steps for improvement?
    Certainty of Forecasts
    • Where have the numbers originated?
    • How comfortable are the sponsors with the revenue and cost forecasts?
    Chance of Cost Overruns
    • How likely is the project to have cost overruns?
    • How much process and design work needs to be done prior to implementation?
    Resource Availability
    • Is this a priority project?
    • How likely are resourcing issues from a technical and business perspective?
    • Do we have the right resources?
    Change During Delivery
    • How volatile is the area in which the project is being implemented?
    • Are changes in the environment likely?
    • How complex are planned integrations?

    2.4 Identify risks to the success of the solution rollout and mitigation plan

    1-2 hours

    Input: List of goals and challenges, Target key performance indicators

    Output: Prioritized list of challenges preventing or hindering improvements for the IT teams

    Materials: Whiteboard/flip charts, CRM Business Case Template

    Participants: CIO, Application managers, CMO/SVP sales, Marketing, sales, or service SMEs

    1. Brainstorm with your colleagues to discuss potential roadblocks and risks that could impact the success of the CRM project.
    2. Identify how these risks could impact your project.
    3. Document the ones that are most likely to occur and derail the project.
    4. Discuss potential solutions to mitigate risks.

    Download the CRM Business Case Template and document the outputs of this exercise in the risk and dependency section of your business case. If the risk assessment needs to be more complex, complete the Risk Indicator Analysis in Info-Tech’s Business Case Workbook.

    Start requirements gathering by identifying your most important use cases across sales, marketing, and service

    Add to your business case by identifying which top-level use cases will meet your goals.

    Examples of target use cases for a CRM project include:

    • Enhance sales acquisition capabilities (i.e. via pipeline management)
    • Enhance customer upsell and cross-sell capabilities
    • Improve customer segmentation and targeting capabilities for multi-channel marketing campaigns
    • Strengthen customer care capabilities to improve customer satisfaction and retention (i.e. via improved case management and service knowledge management)
    • Create actionable insights via enhanced reporting and analytics

    Info-Tech Insight

    Lead with the most important benefit and consider the timeline. Can you reach that goal and report success to your stakeholders within the first year? As you look toward that one-year goal, you can consider secondary benefits, some of which may be opportunities to bring early value in the solution.

    		Benefits of a successful deployment of use cases will include:
    • Improved customer satisfaction
    • Improved operational efficiencies
    • Reduced customer turnover
    • Increased platform uptime
    • License or regulatory compliance
    • Positioned for growth

    Typically, we see business benefits in this order of importance. Lead with the outcome that is most important to your stakeholders.

    • Net income increases
    • Revenue generators
    • Cost reductions
    • Improved customer service

    Consider perspectives of each stakeholder to ensure functionality needs are met and high satisfaction results

    Best of breed vs. “good enough” is an important discussion and will feed your success.

    Costs can be high when customizing an ill-fitting module or creating workarounds to solve business problems, including loss of functionality, productivity, and credibility.

    • Start with use cases to drive the initial discussion, then determine which features are mandatory and which are nice-to-haves. Mandatory features will help determine high success for critical functionality and identify where “good enough” is an acceptable state.
    • Consider the implications to implementation and all use cases of buying an all-in-one solution, integration of multiple best-of-breed solutions, or customizing features that were not built into a solution.
    • Be prepared to shelve a use case for this solution and look to alternatives for integration where mandatory features cannot meet highly specialized needs that are outside of traditional CRM solutions.

    Pros and Cons

    Build vs. Buy

    Multi-Source Best of Breed

    Flexibility
    vs.
    architectural complexity

    Vendor Add-Ons & Integrations

    Lower support costs
    vs.
    configuration

    Multi-source Custom

    Flexibility
    vs.
    high skills requirements

    Single Source

    Lower support costs
    vs.
    configuration

    2.5 Define use cases and high-level features for meeting business and technical goals

    1-2 hours

    Input: List of goals and challenges

    Output: Use cases to be used for determining requirements

    Materials: Whiteboard/flip charts, CRM Business Case Template

    Participants: CIO, Application managers, CMO/SVP sales, Marketing, sales, or service SMEs

    1. Identify the key customer engagement use cases that will support your overall goals as defined in the previous section.
    2. The following slide has examples of use case domains that will be enhanced from a CRM platform.
    3. Define high-level goals you wish to achieve in the first year and longer term. If you have more specific KPIs to add, and it is a requirement for your organization’s documentation, add them to this section.
    4. Take note of where processes will need to be improved to benefit from these use-case solutions – the tools are only as good as the process behind them.

    Download the CRM Business Case Template and document the outputs from this exercise in the current-state section of your business case.

    Understand the dominant use-case scenarios across organizations to narrow the list of potential CRM solutions

    Sales
    Enablement

    • Generate leads through multiple channels.
    • Rapidly sort, score, and prioritize leads based on multiple criteria.
    • Create in-depth sales forecasts segmented by multiple criteria (territory, representative, etc.).

    Marketing
    Management

    • Manage marketing campaigns across multiple channels (web, social, email, etc.).
    • Aggregate and analyze customer data to generate market intelligence.
    • Build and deploy customer-facing portals.

    Customer Service
    Management

    • Generate tickets, and triage customer service requests through multiple channels.
    • Track customer service interactions with cases.
    • There is a need to integrate customer records with contact center infrastructure.
    Info-Tech Insight

    Use your understanding of the CRM use case to accelerate the vendor shortlisting process. Since the CRM use case has a direct impact on the prioritization of a platform’s features and capabilities, you can rapidly eliminate vendors from contention or designate superfluous modules as out-of-scope.

    2.5.1 Use Info-Tech’s CRM Use-Case Fit Assessment Tool to align your CRM requirements to the vendor use cases

    30 min

    Input: Understanding of business objectives for CRM project, Use-Case Fit Assessment Tool

    Output: Use-case suitability

    Materials: Use-Case Fit Assessment Tool

    Participants: Core project team, Project managers

    1. Use the Use-Case Fit Assessment Tool to understand how your unique business requirements map into which CRM use case.
    2. This tool will assess your answers and determine your relative fit against the use-case scenarios.
    3. Fit will be assessed as “Weak,” “Moderate,” or “Strong.”
      1. Consider the common pitfalls, which were mentioned earlier, that can cause IT projects to fail. Plan and take clear steps to avoid or mitigate these concerns.
      2. Note: These use-case scenarios are not mutually exclusive, meaning your organization can align with one or more scenarios based on your answers. If your organization shows close alignment to multiple scenarios, consider focusing on finding a more robust solution and concentrate your review on vendors that performed strongly in those scenarios or meet the critical requirements for each.

    Download the CRM Use-Case Fit Assessment Tool

    Once you’ve identified the top-level use cases a CRM must support, elicit, and prioritize granular platform requirements.

    Understanding business needs through requirements gathering is the key to defining everything about what is being purchased, yet it is an area where people often make critical mistakes.

    Info-Tech Insight

    To avoid creating makeshift solutions, an organization needs to gather requirements with the desired future state in mind.

    Risks of poorly scoped requirements

    • Fail to be comprehensive and miss certain areas of scope
    • Focus on how the solution should work instead of what it must accomplish
    • Have multiple levels of detail within the requirements, which are inconsistent and confusing
    • Drill all the way down into system-level detail
    • Add unnecessary constraints based on what is done today rather than focusing on what is needed for tomorrow
    • Omit constraints or preferences that buyers think are “obvious”

    Best practices

    • Get a clear understanding of what the system needs to do and what it is expected to produce
    • Test against the principle of MECE – requirements should be “mutually exclusive and collectively exhaustive”
    • Explicitly state the obvious and assume nothing
    • Investigate what is sold on the market and how it is sold. Use language that is consistent with that of the market and focus on key differentiators – not table stakes
    • Contain the appropriate level of detail – the level should be suitable for procurement and sufficient for differentiating vendors

    Prioritize requirements to assist with vendor selection: focus on priority requirements linked to differentiated capabilities

    Prioritization is the process of ranking each requirement based on its importance to project success. Hold a meeting for the domain SMEs, implementation SMEs, project managers, and project sponsors to prioritize the requirements list. At the conclusion of the meeting, each requirement should be assigned a priority level. The implementation SMEs will use these priority levels to ensure efforts are targeted toward the proper requirements and to plan features available on each release. Use the MoSCoW Model of Prioritization to effectively order requirements.


    Pyramid of the MoSCoW Model.
    The MoSCoW model was introduced by Dai Clegg of Oracle UK in 1994.

    		The MoSCoW Model of Prioritization

    Requirements must be implemented for the solution to be considered successful.

    Requirements that are high priority should be included in the solution if possible.

    Requirements are desirable but not necessary and could be included if resources are available.

    Requirements won’t be in the next release, but will be considered for the future releases.

    Base your prioritization on the right set of criteria

    Effective Prioritization Criteria

    Criteria

    Description
    Regulatory & Legal Compliance These requirements will be considered mandatory.
    Policy Compliance Unless an internal policy can be altered or an exception can be made, these requirements will be considered mandatory.
    Business Value Significance Give a higher priority to high-value requirements.
    Business Risk Any requirement with the potential to jeopardize the entire project should be given a high priority and implemented early.
    Likelihood of Success Especially in “proof of concept” projects, it is recommended that requirements have good odds.
    Implementation Complexity Give a higher priority to low implementation difficulty requirements.
    Alignment With Strategy Give a higher priority to requirements that enable the corporate strategy.
    Urgency Prioritize requirements based on time sensitivity.
    Dependencies A requirement on its own may be low priority, but if it supports a high-priority requirement, then its priority must match it.

    2.6 Identify requirements to support your use cases

    1-2 hours

    Input: List of goals and challenges

    Output: Use cases to be used for determining requirements

    Materials: Whiteboard/flip charts, Vendor Evaluation Workbook

    Participants: CIO, Application managers, CMO/SVP sales, Marketing, sales, or service SMEs

    1. Work with the team to identify which features will be most important to support your use cases. Keep in mind there will be some features that will require more effort to implement fully. Add that into your project plan.
    2. Use the features lists on the following slides as a guide to get started on requirements.
    3. Prioritize your requirements list into mandatory features and nice-to-have features (or use the MoSCoW model from the previous slides). This will help you to eliminate vendors who don’t meet bare minimums and to score remaining vendors.
    4. Use this same list to guide your vendor demos.

    Our Improve Requirements Gathering blueprint provides a deep dive into the process of eliciting, analyzing, and validating requirements if you need to go deeper into effective techniques.

    CRM features

    Table stakes vs. differentiating

    What is a table stakes/standard feature?

    • Certain features are standard for all CRM tools, but that doesn’t mean they are all equal.
    • The existence of features doesn’t guarantee their quality or functionality to the standards you need. Never assume that “Yes” in a features list means you don’t need to ask for a demo.
    • If Table Stakes are all you need from your CRM solution, the only true differentiator for the organization is price. Otherwise, dig deeper to find the best price to value for your needs.

    What is a differentiating/additional feature?

    • Differentiating features take two forms:
      • Some CRM platforms offer differentiating features that are vertical specific.
      • Other CRM platforms offer differentiating features that are considered cutting edge. These cutting-edge features may become table stakes over time.

    Table stakes features for CRM

    Account Management Flexible account database that stores customer information, account history, and billing information. Additional functionality includes: contact deduplication, advanced field management, document linking, and embedded maps.
    Interaction Logging and Order History Ability to view all interactions that have occurred between sales teams and the customer, including purchase order history.
    Basic Pipeline Management View of all opportunities organized by their current stage in the sales process.
    Basic Case Management The ability to create and manage cases (for customer service or order fulfilment) and associate them with designated accounts or contacts.
    Basic Campaign Management Basic multi-channel campaign management (i.e. ability to execute outbound email campaigns). Budget tracking and campaign dashboards.
    Reports and Analytics In-depth reports on CRM data with dashboards and analytics for a variety of audiences.
    Mobile Support Mobile access across multiple devices (tablets, smartphones and/or wearables) with access to CRM data and dashboards.

    Additional features for CRM

    Customer Information Management Customizable records with detailed demographic information and the ability to created nested accounts (accounts with associated sub-accounts or contact records).
    Advanced Case Management Ability to track detailed interactions with members or constituents through a case view.
    Employee Collaboration Capabilities for employee-to-employee collaboration, team selling, and activity streams.
    Customer Collaboration Capabilities for outbound customer collaboration (i.e. the ability to create customer portals).
    Lead Generation Capabilities for generating qualified leads from multiple channels.
    Lead Nurturing/Lead Scoring The ability to evaluate lead warmth using multiple customer-defined criteria.
    Pipeline and Deal Management Managing deals through cases, providing quotes, and tracking client deliverables.

    Additional features for CRM (Continued)

    Marketing Campaign Management Managing outbound marketing campaigns via multiple channels (email, phone, social, mobile).
    Customer Intelligence Tools for in-depth customer insight generation and segmentation, predictive analytics, and contextual analytics.
    Multi-Channel Support Capabilities for supporting customer interactions across multiple channels (email, phone, social, mobile, IoT, etc.).
    Customer Service Workflow Management Capabilities for customer service resolution, including ticketing and service management.
    Knowledge Management Tools for capturing and sharing CRM-related knowledge, especially for customer service.
    Customer Journey Mapping Visual workflow builder with automated trigger points and business rules engine.
    Document Management The ability to curate assets and attachments and add them to account or contact records.
    Configure, Price, Quote The ability to create sales quotes/proposals from predefined price lists and rules.

    2.7 Put it all together – port your requirements into a robust RFP template that you can take to market!

    1-2 hours
    1. Once you’ve captured and prioritized your requirements – and received sign-off on them from key stakeholders – it’s time to bake them into a procurement vehicle of your choice.
    2. For complex enterprise systems like a CRM platform, Info-Tech recommends that this should take the form of a structured RFP document.
    3. Use our CRM RFP Template and associated CRM RFP Scoring Tool to jump-start the process.
    4. The next step will be conducting a market scan to identify contenders, and issuing the RFP to a shortlist of viable vendors for further evaluation.

    Need additional guidance on running an effective RFP process? Our Drive Successful Sourcing Outcomes with a Robust RFP Process has everything you need to ace the creation, administration and assessment of RFPs!

    		Samples of the CRM Request for Proposal Template and CRM Suite Evaluation and RFP Scoring Tool.

    Download the CRM Request for Proposal Template

    Download the CRM Suite Evaluation and RFP Scoring Tool

    Identify whether vertical-specific CRM platforms are a best fit

    In mature vendor landscapes (like CRM) vendors begin to differentiate themselves by offering vertical-specific platforms, modules, or feature sets. These feature sets accelerate the implantation, decrease the platform’s learning curve, and drive user adoption. The three use cases below cover the most common industry-specific offerings:

    Public Sector

    • Constituent management and communication.
    • Constituent portal deployment for self-service.
    • Segment constituents based on geography, needs and preferences.

    Education

    • Top-level view into the student journey from prospect to enrolment.
    • Track student interactions with services across the institution.
    • Unify communications across different departments.

    Financial Services

    • Determine customer proclivity for new services.
    • Develop self-service banking portals.
    • Track longitudinal customer relationships from first account to retirement management.
    Info-Tech Insight

    Vertical-specific solutions require less legwork to do upfront but could cost you more in the long run. Interoperability and vendor viability must be carefully examined. Smaller players targeting niche industries often have limited integration ecosystems and less funding to keep pace with feature innovation.

    Rein-in ballooning scope for CRM selection projects

    Stretching the CRM beyond its core capabilities is a short-term solution to a long-term problem. Educate stakeholders about the limits of CRM technology.

    Common pitfalls for CRM selection

    • Tangential capabilities may require separate solutions. It is common for stakeholders to list features such as “content management” as part of the new CRM platform. While content management goes hand in hand with the CRM’s ability to manage customer interactions, document management is best handled by a standalone platform.

    Keeping stakeholders engaged and in line

    • Ballooning scope leads to stakeholder dissatisfaction. Appeasing stakeholders by over-customizing the platform will lead to integration and headaches down the road.
    • Make sure stakeholders feel heard. Do not turn down ideas in the midst of an elicitation session. Once the requirements-gathering sessions are completed, the project team has the opportunity to mark requirements as “out of scope” and communicate the reasoning behind the decision.
    • Educate stakeholders on the core functionality of CRM. Many stakeholders do not know the best-fit use cases for CRM platforms. Help end users understand what CRM is good at and where additional technologies will be needed.
    		 Stock image of a man leaping with a balloon.

    CRM Buyer’s Guide

    Phase 3

    Discover the CRM Market Space & Prepare for Implementation

    Phase 1

    1.1 Define CRM platforms

    1.2 Classify table stakes & differentiating capabilities

    1.3 Explore CRM trends

    		Phase 2

    2.1 Build the business case

    2.2 Streamline requirements elicitation for CRM

    2.3 Construct the RFP

    		Phase 3

    3.1 Discover key players in the CRM landscape

    3.2 Engage the shortlist & select finalist

    3.3 Prepare for implementation

    This phase will walk you through the following activities:

    • Dive into the key players of the CRM vendor landscape.
    • Understand best practices for building a vendor shortlist.
    • Understand key implementation considerations for CRM.

    This phase involves the following participants:

    • CIO
    • Applications manager
    • Project manager
    • Sales executive
    • Marketing executive
    • Customer service executive

    Consolidating the Vendor Shortlist Up-Front Reduces Downstream Effort

    Put the “short” back in shortlist!

    • Radically reduce effort by narrowing the field of potential vendors earlier in the selection process. Too many organizations don’t funnel their vendor shortlist until nearing the end of the selection process. The result is wasted time and effort evaluating options that are patently not a good fit.
    • Leverage external data (such as SoftwareReviews) and expert opinion to consolidate your shortlist into a smaller number of viable vendors before the investigative interview stage and eliminate time spent evaluating dozens of RFP responses.
    • Having fewer RFP responses to evaluate means you will have more time to do greater due diligence.
    		 Stock image of river rapids.

    Review your use cases to start your shortlist

    Your Info-Tech analysts can help you narrow down the list of vendors that will meet your requirements.

    Next steps will include:
    1. Reviewing your requirements
    2. Checking out SoftwareReviews
    3. Shortlisting your vendors
    4. Conducting demos and detailed proposal reviews
    5. Selecting and contracting with a finalist!
    		 Image of a person presenting a dashboard of the steps on the left.

    Get to know the key players in the CRM landscape

    The proceeding slides provide a top-level overview of the popular players you will encounter in the CRM shortlisting process.

    Logos of the key players in the CRM landscape (Salesforce, Microsoft, Oracle, HubSpot, etc).

    Evaluate software category leaders through vendor rankings and awards

    SoftwareReviews
    Sample of SoftwareReviews' Data Quadrant Report. Title page of SoftwareReviews' Data Quadrant Report. The Data Quadrant is a thorough evaluation and ranking of all software in an individual category to compare platforms across multiple dimensions.

    Vendors are ranked by their Composite Score, based on individual feature evaluations, user satisfaction rankings, vendor capability comparisons, and likeliness to recommend the platform.

    Sample of SoftwareReviews' Emotional Footprint. Title page of SoftwareReviews' Emotional Footprint. The Emotional Footprint is a powerful indicator of overall user sentiment toward the relationship with the vendor, capturing data across five dimensions.

    Vendors are ranked by their Customer Experience (CX) Score, which combines the overall Emotional Footprint rating with a measure of the value delivered by the solution.

    Speak with category experts to dive deeper into the vendor landscape

    SoftwareReviews

    Icon of a person.


    Fact-based reviews of business software from IT professionals.

    		Icon of a magnifying glass over a chart.


    Top-tier data quality backed by a rigorous quality assurance process.

    		CLICK HERE to ACCESS

    Comprehensive software reviews to make better IT decisions

    We collect and analyze the most detailed reviews on enterprise software from real users to give you an unprecedented view into the product and vendor before you buy.

    Icon of a tablet.


    Product and category reports with state-of-the-art data visualization.

    		Icon of a phone.


    User-experience insight that reveals the intangibles of working with a vendor.

    SoftwareReviews is powered by Info-Tech

    Technology coverage is a priority for Info-Tech, and SoftwareReviews provides the most comprehensive unbiased data on today’s technology. Combined with the insights of our expert analysts, our members receive unparalleled support in their buying journey.

    Logo for Salesforce.
    Est. 1999 | CA, USA | NYSE: CRM

    bio

    		 Link for their Twitter account. Link for their LinkedIn profile. Link for their website.
    Sales Cloud Enterprise allows you to be more efficient, more productive, more everything than ever before as it allows you to close more deals, accelerate productivity, get more leads, and make more insightful decisions.

    SoftwareReviews’ Enterprise CRM Rankings

    Strengths:
    • Breadth of features
    • Quality of features
    • Sales management functionality
    Areas to Improve:
    • Cost of service
    • Ease of implementation
    • Telephony and contact center management
    Logo gif for SoftwareReviews.
    8.0
    COMPOSITE SCORE     		8.3
    CX SCORE     		+77
    EMOTIONAL FOOTPRINT     		83%
    LIKELINESS TO RECOMMEND
    DOWNLOAD REPORT 600
    REVIEWS
    Vendor scores are driven by real-world practitioner reviews via SoftwareReviews. Composite, CX, EF and NPS scores pulled from live data as of June 2022. Rankings and ”strengths” and ”areas to improve” pulled from January 2022 Category Report.
    Sample of a Salesforce screen. Vendor Pulse rating. How often do we hear about Salesforce from our members for CRM? 'Very Frequently'.
    History of Salesforce in a vertical timeline.
    *Pricing correct as of August 2021. Listed in USD and absent discounts.
    See pricing on vendor’s website for latest information.     		Logo for Salesforce.

    “Salesforce is the pre-eminent vendor in the CRM marketplace and is a force to be reckoned with in terms of the breadth and depth of its capabilities. The company was an early disruptor in the category, placing a strong emphasis from the get-go on a SaaS delivery model and strong end-user experience. This allowed them to rapidly gain market share at the expense of more complacent enterprise application vendors. A series of savvy acquisitions over the years has allowed Salesforce to augment their core Sales and Service Clouds with a wide variety of other solutions, from e-commerce to marketing automation to CPQ. Salesforce is a great fit for any organization looking to partner with a market leader with excellent functional breadth, strong interoperability, and a compelling technology and partner ecosystem. All of this comes at a price, however – Salesforce prices at a premium, and our members routinely opine that Salesforce’s commercial teams are overly aggressive – sometimes pushing solutions without a clear link to underpinning business requirements.”

    Ben Dickie
    Research Practice Lead, Info-Tech Research Group

    Sales Cloud Essentials Sales Cloud Professional Sales Cloud Enterprise Sales Cloud Ultimate
    • Starts at $25*
    • Per user/mo
    • Small businesses after basic functionality
    • Starts at $75*
    • Per user/mo
    • Mid-market target
    • Starts at $150*
    • Per user/mo
    • Enterprise target
    • Starts at $300*
    • Per user/mo
    • Strong upmarket feature additions
    Logo for Microsoft.


    Est. 1975 | WA, USA | NYSE: MSFT

    bio

    		Link for their Twitter account.Link for their LinkedIn profile.Link for their website.
    Dynamics 365 Sales is an adaptive selling solution that helps your sales team navigate the realities of modern selling. At the center of the solution is an adaptive, intelligent system – prebuilt and ready to go – that actively monitors myriad signals and distills them into actionable insights.

    SoftwareReviews’ Enterprise CRM Rankings

    Strengths:

    • Business value created
    • Analytics and reporting
    • Lead management

    Areas to Improve:

    • Quote, contract, and proposals
    • Vendor support
    Logo gif for SoftwareReviews.
    8.1
    COMPOSITE SCORE     		8.3
    CX SCORE     		+84
    EMOTIONAL FOOTPRINT     		82%
    LIKELINESS TO RECOMMEND
    DOWNLOAD REPORT 198
    REVIEWS
    Vendor scores are driven by real-world practitioner reviews via SoftwareReviews. Composite, CX, EF and NPS scores pulled from live data as of June 2022. Rankings and ”strengths” and ”areas to improve” pulled from January 2022 Category Report.
    Sample of a Microsoft screen.Vendor Pulse rating. How often do we hear about Microsoft Dynamics from our Members? 'Very Frequently'.

    History of Microsoft in a vertical timeline.

    *Pricing correct as of June 2022. Listed in USD and absent discounts.
    See pricing on vendor’s website for latest information.     		Logo for Microsoft.
    “”

    “Microsoft Dynamics 365 is a strong and compelling player in the CRM arena. While Microsoft is no stranger to the CRM space, their offerings here have seen steady and marked improvement over the last five years. Good functional breadth paired with a modern user interface and best-in-class Microsoft stack compatibility ensures that we consistently see them on our members’ shortlists, particularly when our members are looking to roll out CRM capabilities alongside other components of the Dynamics ecosystem (such as Finance, Operations, and HR). Today, Microsoft segments the offering into discrete modules for sales, service, marketing, commerce, and CDP. While Microsoft Dynamics 365 is a strong option, it’s occasionally mired by concerns that the pace of innovation and investment lags Salesforce (its nearest competitor). Additionally, the marketing module of the product is softer than some of its competitors, and Microsoft themselves points organizations with complex marketing requirements to a strategic partnership that they have with Adobe.”

    Ben Dickie
    Research Practice Lead, Info-Tech Research Group

    D365 Sales Professional D365 Sales Enterprise D365 Sales Premium
    • Starts at $65*
    • Per user/mo
    • Midmarket focus
    • Starts at $95*
    • Per user/mo
    • Enterprise focus
    • Starts at $135*
    • Per user/mo
    • Enterprise focus with customer intelligence
    Logo for Oracle.


    Est. 1977 | CA, USA | NYSE: ORCL

    bio

    		Link for their Twitter account.Link for their LinkedIn profile.Link for their website.
    Oracle Engagement Cloud (CX Sales) provides a set of capabilities to help sales leaders transition smoothly from sales planning and execution through customer onboarding, account management, and support services.

    SoftwareReviews’ Enterprise CRM Rankings

    Strengths:

    • Quality of features
    • Activity and workflow management
    • Analytics and reporting

    Areas to Improve:

    • Marketing management
    • Product strategy & rate of improvement
    Logo gif for SoftwareReviews.
    7.8
    COMPOSITE SCORE     		7.9
    CX SCORE     		+77
    EMOTIONAL FOOTPRINT     		78%
    LIKELINESS TO RECOMMEND
    DOWNLOAD REPORT 140
    REVIEWS
    Vendor scores are driven by real-world practitioner reviews via SoftwareReviews. Composite, CX, EF and NPS scores pulled from live data as of June 2022. Rankings and ”strengths” and ”areas to improve” pulled from January 2022 Category Report.
    Sample of an Oracle screen.Vendor Pulse rating. How often do we hear about Oracle from our members for CRM? 'Frequently'.

    History of Oracle in a vertical timeline.

    Logo for Oracle.

    “Oracle is long-term juggernaut of the enterprise applications space. Their CRM portfolio is diverse – rather than a single stack, there are multiple Oracle solutions (many made by acquisition) that support CRM capabilities – everything from Siebel to JD Edwards to NetSuite to Oracle CX applications. The latter constitute Oracle’s most modern stab at CRM and are where the bulk of feature innovation and product development is occurring within their portfolio. While historically seen as lagging behind other competitors like Salesforce and Microsoft, Oracle has made excellent strides in improving their user experience (via their Redwoods design paradigm) and building new functional capabilities within their CRM products. Indeed, SoftwareReviews shows Oracle performing well in our most recent peer-driven reports. Nonetheless, we most commonly see Oracle as a pricier ecosystem play that’s often subordinate to a heavy Oracle footprint for ERP. Many of our members also express displeasure with Oracle as a vendor and highlight their heavy-handed “threat of audit” approach. ”

    Ben Dickie
    Research Practice Lead, Info-Tech Research Group

    Oracle CX Sales - Pricing Opaque:

    “Request a Demo”

    Logo for SAP.


    Est. 1972 | Germany | NYSE: SAP

    bio

    		Link for their Twitter account.Link for their LinkedIn profile.Link for their website.
    SAP is the third-largest independent software manufacturer in the world, with a presence in over 120 countries. Having been in the industry for over 40 years, SAP is perhaps best known for its ERP application, SAP ERP.

    SoftwareReviews’ Enterprise CRM Rankings

    Strengths:

    • Ease of data integration

    Areas to Improve:

    • Lead management
    • Marketing management
    • Collaboration
    • Usability & intuitiveness
    • Analytics & reporting
    Logo gif for SoftwareReviews.
    7.4
    COMPOSITE SCORE     		7.8
    CX SCORE     		+74
    EMOTIONAL FOOTPRINT     		75%
    LIKELINESS TO RECOMMEND
    DOWNLOAD REPORT 108
    REVIEWS
    Vendor scores are driven by real-world practitioner reviews via SoftwareReviews. Composite, CX, EF and NPS scores pulled from live data as of June 2022. Rankings and ”strengths” and ”areas to improve” pulled from January 2022 Category Report.
    Sample of a SAP screen.Vendor Pulse rating. How often do we hear about SAP from our members for CRM? 'Occasionally'.

    History of SAP in a vertical timeline.

    *Pricing correct as of August 2021. Listed in USD and absent discounts.
    See pricing on vendor’s website for latest information.     		Logo for SAP.

    “SAP is another mainstay of the enterprise applications market. While they have a sound breadth of capabilities in the CRM and customer experience space, SAP consistently underperforms in many of our relevant peer-driven SoftwareReviews reports for CRM and adjacent areas. CRM seems decidedly a secondary focus for SAP, behind their more compelling play in the enterprise resource planning (ERP) space. Indeed, most instances where we see SAP in our clients’ shortlists, it’s as an ecosystem play within a broader SAP strategy. If you’re blue on the ERP side, looking to SAP’s capabilities on the CRM front makes logical sense and can help contain costs. If you’re approaching a CRM selection from a greenfield lens and with no legacy vendor baggage for SAP elsewhere, experience suggests you’ll be better served by a vendor that places a higher degree of primacy on the CRM aspect of their portfolio.”

    Ben Dickie
    Research Practice Lead, Info-Tech Research Group

    SAP CRM - Pricing Opaque:

    “Request a Demo”

    Logo for pipedrive.


    Est. 2010 | NY, USA | Private

    bio

    		Link for their Twitter account.Link for their LinkedIn profile.Link for their website.
    Pipedrive brings together the tools and data, the platform focuses sales professionals on fundamentals to advance deals through their pipelines. Pipedrive's goal is to make sales success inevitable - for salespeople and teams.

    SoftwareReviews’ Enterprise CRM Rankings

    Strengths:

    • Sales Management
    • Account & Contact Management
    • Lead Management
    • Usability & Intuitiveness
    • Ease of Implementation

    Areas to Improve:

    • Customer Service Management
    • Marketing Management
    • Product Strategy & Rate of Improvement
    Logo gif for SoftwareReviews.
    8.3
    COMPOSITE SCORE     		8.4
    CX SCORE     		+85
    EMOTIONAL FOOTPRINT     		85%
    LIKELINESS TO RECOMMEND
    DOWNLOAD REPORT 262
    REVIEWS
    Vendor scores are driven by real-world practitioner reviews via SoftwareReviews. Composite, CX, EF and NPS scores pulled from live data as of June 2022. Rankings and ”strengths” and ”areas to improve” pulled from January 2022 Category Report.
    Sample of a Pipedrive screen.Vendor Pulse rating. How often do we hear about Pipedrive from our members for CRM? 'Occasionally'.

    History of Pipedrive in a vertical timeline.

    *Pricing correct as of June 2022. Listed in USD and absent discounts.
    See pricing on vendor’s website for latest information.     		Logo for Pipedrive.

    “A relatively new offering, Pipedrive has seen explosive growth over the last five years. They’re a vendor that has gone from near-obscurity to popping up frequently on our members’ shortlists. Pipedrive’s secret sauce has been a relentless focus on high-velocity sales enablement. Their focus on pipeline management, lead assessment and routing, and a good single pane of glass for sales reps has driven significant traction for the vendor when sales enablement is the driving rationale behind rolling out a new CRM platform. Bang for your buck is also strong with Pipedrive, with the vendor having a value-driven licensing and implementation model.

    Pipedrive is not without some shortcomings. It’s laser-focus on sales enablement is at the expense of deep capabilities for marketing and service management, and its profile lends itself better to SMBs and lower midmarket than it does large organizations looking for enterprise-grade CRM.”

    Ben Dickie
    Research Practice Lead, Info-Tech Research Group

    Essential Advanced Professional Enterprise
    • Starts at $12.50*
    • Per user/mo
    • Small businesses after basic functionality
    • Starts at $24.90*
    • Per user/mo
    • Small/mid-sized businesses
    • Starts at $49.90*
    • Per user/mo
    • Lower mid-market focus
    • Starts at $99*
    • Per user/mo
    • Enterprise focus
    Logo for SugarCRM.


    Est. 2004 | CA, USA | Private

    bio

    		Link for their Twitter account.Link for their LinkedIn profile.Link for their website.
    Produces Sugar, a SaaS-based customer relationship management application. SugarCRM is backed by Accel-KKR.

    SoftwareReviews’ Enterprise CRM Rankings

    Strengths:

    • Ease of customization
    • Product strategy and rate of improvement
    • Ease of IT administration

    Areas to Improve:

    • Marketing management
    • Analytics and reporting
    Logo gif for SoftwareReviews.
    8.4
    COMPOSITE SCORE     		8.8
    CX SCORE     		+92
    EMOTIONAL FOOTPRINT     		84%
    LIKELINESS TO RECOMMEND
    DOWNLOAD REPORT 97
    REVIEWS
    Vendor scores are driven by real-world practitioner reviews via SoftwareReviews. Composite, CX, EF and NPS scores pulled from live data as of June 2022. Rankings and ”strengths” and ”areas to improve” pulled from January 2022 Category Report.
    Sample of a SugarCRM screen.Vendor Pulse rating. How often do we hear about SugarCRM from our members for CRM? 'Frequently'.
    History of SugarCRM in a vertical timeline.
    *Pricing correct as of August 2021. Listed in USD and absent discounts.
    See pricing on vendor’s website for latest information.     		Logo for SugarCRM.

    “SugarCRM offers reliable baseline capabilities at a lower price point than other large CRM vendors. While SugarCRM does not offer all the bells and whistles that an Enterprise Salesforce plan might, SugarCRM is known for providing excellent vendor support. If your organization is only after standard features, SugarCRM will be a good vendor to shortlist.

    However, ensure you have the time and labor power to effectively implement and train on SugarCRM’s solutions. SugarCRM does not score highly for user-friendly experiences, with complaints centering on outdated and unintuitive interfaces. Setting up customized modules takes time to navigate, and SugarCRM does not provide a wide range of native integrations with other applications. To effectively determine whether SugarCRM does offer a feasible solution, it is recommended that organizations know exactly what kinds of integrations and modules they need.”

    Thomas Randall
    Research Director, Info-Tech Research Group

    Sugar Professional Sugar Serve Sugar Sell Sugar Enterprise Sugar Market
    • Starts at $52*
    • Per user/mo
    • Min. 3 users
    • Small businesses
    • Starts at $80*
    • Per user/mo
    • Min. 3 users
    • Focused on customer service
    • Starts at $80*
    • Per user/mo
    • Min. 3 users
    • Focused on sales automation
    • Starts at $80*
    • Per user/mo
    • Min. 3 users
    • On-premises, mid-sized businesses
    • Starts at $1000*
    • Priced per month
    • Min. 10k contacts
    • Large enterprise
    Logo for .


    Est. 2006 | MA, USA | HUBS (NYSE)

    bio

    		Link for their Twitter account.Link for their LinkedIn profile.Link for their website.
    Develops software for inbound customer service, marketing, and sales. Software includes CRM, SMM, lead gen, SEO, and web analytics.

    SoftwareReviews’ Enterprise CRM Rankings

    Strengths:

    • Breadth of features
    • Product strategy and rate of improvement
    • Ease of customization

    Areas to Improve:

    • Ease of data integration
    • Customer service management
    • Telephony and call center management
    Logo gif for SoftwareReviews.
    8.3
    COMPOSITE SCORE     		8.4
    CX SCORE     		+84
    EMOTIONAL FOOTPRINT     		86%
    LIKELINESS TO RECOMMEND
    DOWNLOAD REPORT 97
    REVIEWS
    Vendor scores are driven by real-world practitioner reviews via SoftwareReviews. Composite, CX, EF and NPS scores pulled from live data as of June 2022. Rankings and ”strengths” and ”areas to improve” pulled from January 2022 Category Report.
    Sample of a HubSpot screen.Vendor Pulse rating. How often do we hear about HubSpot from our members for CRM? 'Frequently'.

    History of HubSpot in a vertical timeline.

    *Pricing correct as of August 2021. Listed in USD and absent discounts
    See pricing on vendor’s website for latest information.     		Logo for HubSpot.

    “ HubSpot is best suited for small to mid-sized organizations that need a range of CRM tools to enable growth across sales, marketing campaigns, and customer service. Indeed, HubSpot offers a content management solution that offers a central storage location for all customer and marketing data. Moreover, HubSpot offers plenty of freemium tools for users to familiarize themselves with the software before buying. However, though HubSpot is geared toward growing businesses, smaller organizations may not see high ROI until they begin to scale. The “Starter” and “Professional” plans’ pricing is often cited by small organizations as a barrier to commitment, and the freemium tools are not a sustainable solution. If organizations can take advantage of discount behaviors from HubSpot (e.g. a startup discount), HubSpot will be a viable long-term solution. ”

    Thomas Randall
    Research Director, Info-Tech Research Group

    Starter Professional Enterprise
    • Starts at $50*
    • Per month
    • Min. 2 users
    • Small businesses
    • Starts at $500*
    • Per month
    • Min. 5 users
    • Small/mid-sized businesses
    • Starts at $1200*
    • Billed yearly
    • Min. 10 users
    • Mid-sized/small enterprise
    Logo for Zoho.


    Est. 1996 | India | Private

    bio

    		Link for their Twitter account.Link for their LinkedIn profile.Link for their website.
    Zoho Corporation offers a cloud software suite, providing a full operating system for CRM, alongside apps for finance, productivity, HR, legal, and more.

    SoftwareReviews’ Enterprise CRM Rankings

    Strengths:

    • Business value created
    • Breadth of features
    • Collaboration capabilities

    Areas to Improve:

    • Usability and intuitiveness
    Logo gif for SoftwareReviews.
    8.7
    COMPOSITE SCORE     		8.9
    CX SCORE     		+92
    EMOTIONAL FOOTPRINT     		85%
    LIKELINESS TO RECOMMEND
    DOWNLOAD REPORT 152
    REVIEWS
    Vendor scores are driven by real-world practitioner reviews via SoftwareReviews. Composite, CX, EF and NPS scores pulled from live data as of June 2022. Rankings and ”strengths” and ”areas to improve” pulled from January 2022 Category Report.
    Sample of a Zoho screen.Vendor Pulse rating. How often do we hear about Zoho from our members for CRM? 'Occasionally'.

    History of Zoho in a vertical timeline.

    *
    See pricing on vendor’s website for latest information.     		Logo for Zoho.

    “Zoho has a long list of software solutions for businesses to run end to end. As one of Zoho’s earliest software releases, though, ZohoCRM remains a flagship product. ZohoCRM’s pricing is incredibly competitive for mid/large enterprises, offering high business value for its robust feature sets. For those organizations that already utilize Zoho solutions (such as its productivity suite), ZohoCRM will be a natural extension.

    However, small/mid-sized businesses may wonder how much ROI they can get from ZohoCRM, when much of the functionality expected from a CRM (such as workflow automation) cannot be found until one jumps to the “Enterprise” plan. Given the “Enterprise” plan’s pricing is on par with other CRM vendors, there may not be much in a smaller organization’s eyes that truly distinguishes ZohoCRM unless they are already invested Zoho users.”

    Thomas Randall
    Research Director, Info-Tech Research Group

    Standard Professional Enterprise Ultimate
    • Starts at $20*
    • Per user/mo
    • Small businesses after basic functionality
    • Starts at $35*
    • Per user/mo
    • Small/mid-sized businesses
    • Adds inventory management
    • Starts at $50*
    • Per user/mo
    • Mid-sized/small enterprise
    • Adds Zia AI
    • Starts at $65*
    • Per user/mo
    • Enterprise
    • Bundles Zoho Analytics
    Logo for Zendesk.


    Est. 2009 | CA, USA | ZEN (NYSE)

    bio

    		Link for their Twitter account.Link for their LinkedIn profile.Link for their website.
    Software developer for customer service. Founded in Copenhagen but moved to San Francisco after $6 million Series B funding from Charles River Ventures and Benchmark Capital.

    SoftwareReviews’ Enterprise CRM Rankings

    Strengths:

    • Quality of features
    • Breadth of features
    • Vendor support

    Areas to Improve:

    • Business value created
    • Ease of customization
    • Usability and intuitiveness
    Logo gif for SoftwareReviews.
    7.8
    COMPOSITE SCORE     		7.9
    CX SCORE     		+80
    EMOTIONAL FOOTPRINT     		72%
    LIKELINESS TO RECOMMEND
    DOWNLOAD REPORT 50
    REVIEWS
    Vendor scores are driven by real-world practitioner reviews via SoftwareReviews. Composite, CX, EF and NPS scores pulled from live data as of June 2022. Rankings and ”strengths” and ”areas to improve” pulled from January 2022 Category Report.
    Sample of a Zendesk screen.Vendor Pulse rating. How often do we hear about Zendesk from our members for CRM? 'Rarely'.

    History of Zendesk in a vertical timeline.

    *Pricing correct as of August 2021. Listed in USD and absent discounts
    See pricing on vendor’s website for latest information.     		Logo for Zendesk.

    “Zendesk’s initial growth was grounded in word-of-mouth advertising, owing to the popularity of its help desk solution’s design and functionality. Zendesk Sell has followed suit, receiving strong feedback for the breadth and quality of its features. Organizations that have already reaped the benefits of Zendesk’s customer service suite will find Zendesk Sell a straightforward fit for their sales teams.

    However, it is important to note that Zendesk Sell is predominantly focused on sales. Other key components of a CRM, such as marketing, are less fleshed out. Organizations should ensure they verify what requirements they have for a CRM before choosing Zendesk Sell – if sales process requirements (such as forecasting, call analytics, and so on) are but one part of what the organization needs, Zendesk Sell may not offer the highest ROI for the pricing offered.”

    Thomas Randall
    Research Director, Info-Tech Research Group

    Sell Team Sell Professional Sell Enterprise
    • Starts at $19*
    • Per user/mo
    • Max. 3 users
    • Small businesses
    • Basic functionality
    • Starts at $49*
    • Per user/mo
    • Small/mid-sized businesses
    • Advanced analytics
    • Starts at $99*
    • Per user/mo
    • Mid-sized/small enterprise
    • Task automation

    Speak with category experts to dive deeper into the vendor landscape

    Icon of a person.
    Fact-based reviews of business software from IT professionals.     		Icon of a magnifying glass over a chart.
    Top-tier data quality backed by a rigorous quality assurance process.     		CLICK HERE to ACCESS

    Comprehensive software reviews to make better IT decisions

    We collect and analyze the most detailed reviews on enterprise software from real users to give you an unprecedented view into the product and vendor before you buy.

    Icon of a tablet.
    Product and category reports with state-of-the-art data visualization.     		Icon of a phone.
    User-experience insight that reveals the intangibles of working with a vendor.

    SoftwareReviews is powered by Info-Tech

    Technology coverage is a priority for Info-Tech, and SoftwareReviews provides the most comprehensive unbiased data on today’s technology. Combined with the insights of our expert analysts, our members receive unparalleled support in their buying journey.

    Conduct a day of rapid-fire vendor demos

    Zoom in on high-value use cases and answers to targeted questions

    Make sure the solution will work for your business

    Give each vendor 90 to 120 minutes to give a rapid-fire presentation. We suggest the following structure:

    • 30 minutes: company introduction and vision
    • 60 minutes: walk-through of two or three high-value demo scenarios
    • 30 minutes: targeted Q&A from the business stakeholders and procurement team
      •
    To ensure a consistent evaluation, vendors should be asked analogous questions, and a tabulation of answers should be conducted.     		How to challenge the vendors in the investigative interview
    • Change the visualization/presentation.
    • Change the underlying data.
    • Add additional data sets to the artifacts.
    • Collaboration capabilities.
    • Perform an investigation in terms of finding BI objects and identifying previous changes, and examine the audit trail.
    		 Rapid-fire vendor investigative interview

    Invite vendors to come onsite (or join you via video conference) to demonstrate the product and to answer questions. Use a highly targeted demo script to help identify how a vendor’s solution will fit your organization’s particular business capability needs.

    Graphic of an alarm clock.
    To kick-start scripting your demo scenarios, leverage our CRM Demo Script Template.

    A vendor scoring model provides a clear anchor point for your evaluation of CRM vendors based on a variety of inputs

    A vendor scoring model is a systematic method for effectively assessing competing vendors. A weighted-average scoring model is an approach that strikes a strong balance between rigor and evaluation speed.

    Info-Tech Insight

    Even the best scoring model will still involve some “art” rather than science – scoring categories such as vendor viability always entails a degree of subjective interpretation.

    How do I build a scoring model?

    • Start by shortlisting the key criteria you will use to evaluate your vendors. Functional capabilities should always be a critical category, but you’ll also want to look at criteria such as affordability, architectural fit, and vendor viability.
    • Depending on the complexity of the project, you may break down some criteria into sub-categories to assist with evaluation (for example, breaking down functional capabilities into constituent use cases so you can score each one).
    • Once you’ve developed the key criteria for your project, the next step is weighting each criterion. Your weightings should reflect the priorities for the project at hand. For example, some projects may put more emphasis on affordability, others on vendor partnership.
    • Using the information collected in the subsequent phases of this blueprint, score each criterion from 1-100, then multiply by the weighting factor. Add up the weighted scores to arrive at the aggregate evaluation score for each vendor on your shortlist.

    What are some of the best practices?

    • While the criteria for each project may vary, it’s helpful to have an inventory of repeatable criteria that can be used across application selection projects. The next slide contains an example that you can add or subtract from.
    • Don’t go overboard on the number of criteria: five to 10 weighted criteria should be the norm for most projects. The more criteria (and sub-criteria) you must score against, the longer it will take to conduct your evaluation. Always remember, link the level of rigor to the size and complexity of your project! It’s possible to create a convoluted scoring model that takes significant time to fill out but yields little additional value.
    • Creation of the scoring model should be a consensus-driven activity among IT, procurement, and the key business stakeholders – it should not be built in isolation. Everyone should agree on the fundamental criteria and weights that are employed.
    • Consider using not just the outputs of investigative interviews and RFP responses to score vendors, but also third-party review services like SoftwareReviews.

    Define how you’ll score CRM proposals and demos

    Define key CRM selection criteria for your organization – this should be informed by the following goals, use cases, and requirements covered in the blueprint.

    Criteria

    Description

    Functional CapabilitiesHow well does the vendor align with the top-priority functional requirements identified in your accelerated needs assessment? What is the vendor’s functional breadth and depth?
    AffordabilityHow affordable is this vendor? Consider a three-to-five-year total cost of ownership (TCO) that encompasses not just licensing costs, but also implementation, integration, training, and ongoing support costs.
    Architectural FitHow well does this vendor align with our direction from an enterprise architecture perspective? How interoperable is the solution with existing applications in our technology stack? Does the solution meet our deployment model preferences?
    ExtensibilityHow easy is it to augment the base solution with native or third-party add-ons as our business needs may evolve?
    ScalabilityHow easy is it to expand the solution to support increased user, data, and/or customer volumes? Are there any capacity constraints of the solution?
    Vendor ViabilityHow viable is this vendor? Are they an established player with a proven track record, or a new and untested entrant to the market? What is the financial health of the vendor? How committed are they to the particular solution category?
    Vendor VisionDoes the vendor have a cogent and realistic product roadmap? Are they making sensible investments that align with your organization’s internal direction?
    Emotional FootprintHow well does the vendor’s organizational culture and team dynamics align to yours?
    Third-Party Assessments and/or ReferencesHow well-received is the vendor by unbiased, third-party sources like SoftwareReviews? For larger projects, how well does the vendor perform in reference checks (and how closely do those references mirror your own situation)?

    Decision Point: Select the Finalist

    After reviewing all vendor responses to your RFP, conducting vendor demos, and running a pilot project (if applicable), the time has arrived to select your finalist.

    All core selection team members should hold a session to score each shortlisted vendor against the criteria enumerated on the previous slide – based on an in-depth review of proposals, the demo sessions, and any pilots or technical assessments.

    The vendor that scores the highest in aggregate is your finalist.

    Congratulations – you are now ready to proceed to final negotiation and inking a contract. This blueprint provides a detailed approach on the mechanics of a major vendor negotiation.

    Leverage Info-Tech’s research to plan and execute your CRM implementation

    Use Info-Tech Research Group’s three phase implementation process to guide your own planning.
    The three phases of software implementation: 'Assess', 'Prepare', 'Govern & Course Correct'. Sample of the 'Governance and Management of Enterprise Software Implementation' blueprint.

    Establish and execute an end-to-end, agile framework to succeed with the implementation of a major enterprise application.

    Visit this link

    Prepare for implementation: establish a clear resourcing plan

    Organizations rarely have sufficient internal staffing to resource a CRM project on their own. Consider the options for closing the gap in internal resource availability.

    The most common project resourcing structures for enterprise projects are:
    Your own staff +
    1. Management consultant
    2. Vendor consultant
    3. System integrator
    Info-Tech Insight

    When contemplating a resourcing structure, consider:

    • Availability of in-house implementation competencies and resources.
    • Timeline and constraints.
    • Integration environment complexity.

    Consider the following:

    Internal vs. External Roles and Responsibilities

    Clearly delineate between internal and external team responsibilities and accountabilities, and communicate this to your technology partner up front.

    Internal vs. External Accountabilities

    Accountability is different than responsibility. Your vendor or SI partner may be responsible for completing certain tasks, but be careful not to outsource accountability for the implementation – ultimately, the internal team will be accountable.

    Partner Implementation Methodologies

    Often vendors and/or SIs will have their own preferred implementation methodology. Consider the use of your partner's implementation methodology; however, you know what will work for your organization.

    Establish team composition

    1 – 2 hours

    Input: Skills assessment, Stakeholder analysis, Vendor partner selection

    Output: Team composition

    Materials: Sticky notes, Whiteboard, Markers

    Participants: Project team

    Use Info-Tech’s Governance and Management of Enterprise Software Implementation to establish your team composition. Within that blueprint:

    1. Assess the skills necessary for an implementation. Inventory the competencies required for the implementation project team. Map your internal resources to each competency as applicable.
    2. Select your internal implementation team. Determine who needs to be involved closely with the implementation. Key stakeholders should also be considered as members of your implementation team.
    3. Identify the number of external consultants/support required for implementation. Consider your in-house skills, timeline considerations, integration environment complexity, and cost constraints as you make your team composition plan. Be sure to dedicate an internal resource to managing the vendor and partner relationships.
    4. Document the roles and responsibilities, accountabilities, and other expectations of your team as they relate to each step of the implementation.

    Governance and Management of Enterprise Software Implementation

    Sample of the 'Governance and Management of Enterprise Software Implementation' blueprint.Follow our iterative methodology with a task list focused on the business must-have functionality to achieve rapid execution and to allow staff to return to their daily work sooner.

    Visit this link

    Ensure your implementation team has a high degree of trust and communication

    If external partners are needed, dedicate an internal resource to managing the vendor and partner relationships.

    Communication

    Teams must have some type of communication strategy. This can be broken into:
    • Regularity: Having a set time each day to communicate progress and a set day to conduct retrospectives.
    • Ceremonies: Injecting awards and continually emphasizing delivery of value can encourage relationship-building and constructive motivation.
    • Escalation: Voicing any concerns and having someone responsible for addressing those concerns.

    Proximity

    Distributed teams create complexity as communication can break down. This can be mitigated by:
    • Location: Placing teams in proximity can close the barrier of geographical distance and time zone differences.
    • Inclusion: Making a deliberate attempt to pull remote team members into discussions and ceremonies.
    • Communication tools: Having the right technology (e.g. video conference) can help bring teams closer together virtually.

    Trust

    Members should trust other members are contributing to the project and completing their required tasks on time. Trust can be developed and maintained by:
    • Accountability: Having frequent quality reviews and feedback sessions. As work becomes more transparent, people become more accountable.
    • Role clarity: Having a clear definition of what everyone’s role is.

    Plan for your implementation of CRM based on deployment model

    Place your CRM application into your IT landscape by configuring and adjusting the tool based on your specific deployment method.

    Icon of a housing development.
    On-Premises

    1. Identify custom features and configuration items
    2. Train developers and IT staff on new software investment
    3. Install software
    4. Configure software
    5. Test installation and configuration
    6. Test functionality

    Icon of a cloud upload.
    SaaS-based

    1. Train developers and IT staff on new software investment
    2. Set up connectivity
    3. Identify VPN or internal solution
    4. Check firewalls
    5. Validate bandwidth regulations

    Integration is a top IT challenge and critical to the success of the CRM suite

    CRM suites are most effective when they are integrated with ERP and MarTech solutions.

    Data interchange between the CRM solution and other data sources is necessary

    		 Formulate a comprehensive map of the systems, hardware, and software with which the CRM solution must be able to integrate. Customer data needs to constantly be synchronized: without this, you lose out on one of the primary benefits of CRM. These connections must be bidirectional for maximum value (i.e. marketing data to the CRM, customer data to MMS).
    Specialized projects that include an intricate prospect or customer list and complex rules may need to be built by IT The more custom fields you have in your CRM suite and point solutions, the more schema mapping you will have to do. Include this information in the RFP to receive guidance from vendors on the ease with which integration can be achieved.

    Pay attention to legacy apps and databases

    		 If you have legacy CRM, POS, or customer contact software, more custom code will be required. Many vendors claim that custom integration can be performed for most systems, but custom comes at a cost. Don’t just ask if they can integrate; ask how long it will take and for references from organizations which have been successful in this.
    When assessing the current application portfolio that supports CRM, the tendency will be to focus on the applications under the CRM umbrella, relating mostly to marketing, sales, and customer service. Be sure to include systems that act as inputs to, or benefit due to outputs from, the CRM or similar applications.

    CRM data flow

    Example of a CRM data flow.

    Be sure to include enterprise applications that are not included in the CRM application portfolio. Popular systems to consider for POIs include billing, directory services, content management, and collaboration tools.

    Sample CRM integration map

    Sample of a CRM integration map.

    Scenario: Failure to address CRM data integration will cost you in the long run

    A company spent $15 million implementing a new CRM system in the cloud and decided NOT to spend an additional $1.5 million to do a proper cloud DI tool procurement. The mounting costs followed.

    Cost Element – Custom Data Integration

    $
    2 FTEs for double entry of sales order data $ 100,000/year
    One-time migration of product data to CRM $ 240,000 otc
    Product data maintenance $ 60,000/year
    Customer data synchronization interface build $ 60,000 otc
    Customer data interface maintenance $ 10,000/year
    Data quality issues $ 100,000/year
    New SaaS integration built in year 3 $ 300,000 otc
    New SaaS integration maintenance $ 150,000/year

    Cost Element – Data Integration Tool

    $
    DI strategy and platform implementation $1,500,000 otc
    DI tool maintenance $ 15,000/year
    New SaaS integration point in year 3 $ 300,000 otc
    Thumbs down color coded red to the adjacent chart. Custom integration is costing this organization $300,000/year for one SaaS solution.
    Thumbs up color coded blue to the adjacent chart.

    The proposed integration solution would have paid for itself in 3-4 years and saved exponential costs in the long run.

    Proactively address data quality in the CRM during implementation

    Data quality is a make-or-break issue in a CRM platform; garbage in is garbage out.
    • CRM suites are one of the leading offenders for generating poor-quality data. As such, it’s important to have a plan in place for structuring your data architecture in such a way the poor data quality is minimized from the get-go.
    • Having a plan for data quality should precede data migration efforts; some types of poor data quality can be mitigated prior to migration.
    • There are five main types of poor-quality data found in CRM platforms.
      • Duplicate data: Duplicate records can be a major issue. Leverage dedicated deduplication tools to eliminate them.
      • Stale data: Out-of-date customer information can reduce the usefulness of the platform. Use automated social listening tools to help keep data fresh.
      • Incomplete data: Records with missing info limit platform value. Specify data validation parameters to mandate that all fields are filled in.
      • Invalid and conflicting data: These can create cascading errors. Establishing conflict resolution rules in ETL tools for data integration can lessen issues.
    Info-Tech Insight

    If you have a complex POI environment, appoint data stewards for each major domain and procure a deduplication tool. As the complexity of CRM system-to-system integrations increases, so will the chance that data quality errors will crop up – for example, bidirectional POI with other sources of customer information dramatically increase the chances of conflicting/duplicate data.

    Profile data, eliminate dead weight, and enforce standards to protect data

    Identify and eliminate dead weight

    		 Poor data can originate in the firm’s CRM system. Custom queries, stored procedures, or profiling tools can be used to assess the key problem areas.

    Loose rules in the CRM system may lead to records of no significant value in the database. Those rules need to be fixed, but if changes are made before the data is fixed, users could encounter database or application errors, which will reduce user confidence in the system.

    • Conduct a data flow analysis: map the path that data takes through the organization.
    • Use a mass cleanup to identify and destroy dead weight data. Merge duplicates either manually or with the aid of software tools. Delete incomplete data, taking care to reassign related data.
    • COTS packages typically allow power users to merge records without creating orphaned records in related tables, but custom-built applications typically require IT expertise.

    Create and enforce standards and policies

    		 Now that the data has been cleaned, it’s important to protect the system from relapsing.

    Work with business users to find out what types of data require validation and which fields should have changes audited. Whenever possible, implement drop-down lists to standardize values and make programming changes to ensure that truncation ceases.

    • Truncated data is usually caused by mismatches in data structures during either one-time data loads or ongoing data integrations.
    • Don’t go overboard on assigning required fields; users will just put key data in note fields.
    • Discourage the use of unstructured note fields: the data is effectively lost except if it gets subpoenaed.
    Info-Tech Insight

    Data quality concerns proliferate with the customization level of your platform. The more extensive the custom integration points and module/database extensions that you have made, the more you will need to have a plan in place for managing data quality from a reactive and proactive standpoint.

    Create a formal communication process throughout the CRM implementation

    Establish a comprehensive communication process around the CRM enterprise roll-out to ensure that end users stay informed.

    The CRM kick-off meeting(s) should encompass: 'The high-level application overview', 'Target business-user requirements', 'Target quality of service (QoS) metrics', 'Other IT department needs', 'Tangible business benefits of application', 'Special consideration needs'. The overall objective for interdepartmental CRM kick-off meetings is to confirm that all parties agree on certain key points and understand platform rationale and functionality.

    The kick-off process will significantly improve internal communications by inviting all affected internal IT groups, including business units, to work together to address significant issues before the application process is formally activated.

    Department groups or designated trainers should take the lead and implement a process for:

    • Scheduling CRM platform roll-out/kick-off meetings.
    • Soliciting preliminary input from the attending groups to develop further training plans.
    • Establishing communication paths and the key communication agents from each department who are responsible for keeping lines open moving forward.

    Ensure requirements are met with robust user acceptance testing

    User acceptance testing (UAT) is a test procedure that helps to ensure end-user requirements are met. Test cases can reveal bugs before the suite is implemented.

    Five Secrets of UAT Success

    		 Bracket with colors corresponding the adjacent list items.

    1

    		 Create the plan With the information collected from requirements gathering, create the plan. Make sure this information is added to the main project plan documentation.

    2

    		 Set the agenda The time allotted will vary depending on the functionality being tested. Ensure that the test schedule allows for the resolution of issues and discussion.

    3

    		 Determine who will participate Work with the relevant stakeholders to identify the people who can best contribute to system testing. Look for experienced power users who have been involved in earlier decision making about the system.

    4

    		 Highlight acceptance criteria Together with the UAT group, pinpoint the criteria to determine system acceptability. Refer back to requirements specified in use cases in the initial requirements-gathering stages of the project.

    5

    		 Collect end user feedback Weaknesses in resolution workflow design, technical architecture, and existing customer service processes can be highlighted and improved on with ongoing surveys and targeted interviews.

    Calculate post-deployment metrics to assess measurable value of the project

    Track the post-deployment results from the project and compare the metrics to the current state and target state.

    CRM Selection and Implementation Metrics
    Description Formula Current or Estimated Target Post-Deployment
    End-User Satisfaction # of Satisfied Users
    # of End Users     		70% 90% 85%
    Percentage Over/Under Estimated Budget Amount Spent - 100%
    Budget     		5% 0% 2%
    Percentage Over/Under Estimated Timeline Project Length - 100%
    Estimated Timeline     		10% -5% -10%

    CRM Strategy Metrics
    Description Formula Current or Estimated Target Post-Deployment
    Number of Leads Generated (per month) # of Leads Generated 150 200 250
    Average Time to Resolution (in minutes) Time Spent on Resolution
    # of Resolutions     		30 minutes 10 minutes 15 minutes
    Cost per Interaction by Campaign Total Campaign Spending
    # of Customer Interactions     		$17.00 $12.00 $12.00

    Select the Right CRM Platform

    CRM technology is critical to facilitate an organization’s relationships with customers, service users, employees, and suppliers. Having a structured approach to building a business case, defining key requirements, and engaging with the right shortlist of vendors to pick the best finalist is crucial.

    This selection guide allows organizations to execute a structured methodology for picking a CRM that aligns with their needs. This includes:
    • Alignment and prioritization of key business and technology drivers for a CRM selection business case.
    • Identification of key use cases and requirements for CRM.
    • Construction of a robust CRM RFP.
    • A strong market scan of key players.
    • A survey of crucial implementation considerations.
    This formal CRM selection initiative will drive business-IT alignment, identify sales and marketing automation priorities, and allow for the rollout of a platform that’s highly likely to satisfy all stakeholder needs.

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Contact your account representative for more information.
    workshops@infotech.com
    1-888-670-8889

    Insight summary

    Stakeholder satisfaction is critical to your success

    Choosing a solution for a single use case and then expanding it to cover other purposes can be a way to quickly gain approvals and then make effective use of dollars spent. However, this can also be a nightmare if the product is not fit for purpose and requires significant customization effort for future use cases. Identify use cases early, engage stakeholders to define success, and recognize where you need to find balance between a single off-the-shelf CRM platform and adjacent MarTech or sales enablement systems.

    Build a business case

    An effective business case isn’t a single-purpose document for obtaining funding. It can also be used to drive your approach to product selection, requirements gathering, and ultimately evaluating stakeholder and user satisfaction.

    Use your business case to define use cases and milestones as well as success.

    Balance process with technology

    A new solution with old processes will result in incremental increased value. Evaluate existing processes and identify opportunities to improve and remove workarounds. Then define requirements.

    You may find that the tools you have would be adequate with an upgrade and tool optimization. If not, this exercise will prepare you to select the right solution for your current and future needs.

    Drive toward early value

    Lead with the most important benefit and consider the timeline. Most stakeholders will lose interest if they don’t realize benefits within the fist year. Can you reach your goal and report success within that timeline?

    Identify secondary, incremental customer engagement improvements that can be made as you work toward the overall goal to be achieved at the one-year milestone.

    Related Info-Tech Research

    Stock image of an office worker. Build a Strong Technology Foundation for Customer Experience Management
    • Any CRM project needs to be guided by the broader strategy around customer engagement. This blueprint explores how to create a strong technology enablement approach for CXM using voice of the customer analysis.
    Stock image of a target with arrows. Improve Requirements Gathering
    • 70% of projects that fail do so because of poor requirements. If you need to double-click on best practices for eliciting, analyzing, and validating requirements as you build up your CRM picklist and RFP, this blueprint will equip you with the knowledge and tools you need to hit the ground running.
    Stock image of a pen on paper. Drive Successful Sourcing Outcomes with a Robust RFP Process
    • Managing a complex RFP process for an enterprise application like a CRM platform can be a challenging undertaking. This blueprint zooms into how to build, run, administer, and evaluate RFP responses effectively.

    Bibliography

    “Doomed From the Start? Why a Majority of Business and IT Teams Anticipate Their Software Development Projects Will Fail.” Geneca, 25 Jan. 2017. Web.

    Hall, Kerrie. “The State of CRM Data Management 2020.” Validity. 27 April 2020. Web.

    Hinchcliffe, Dion. “The Evolving Role of the CIO and CMO in Customer Experience.” ZDNet, 22 Jan. 2020. Web.

    Klie, L. “CRM Still Faces Challenges, Most Speakers Agree: CRM Systems Have Been Around for Decades, but Interoperability and Data Siloes Still Have to Be Overcome.” CRM Magazine, vol. 23, no. 5, 2019, pp. 13-14.

    Markman, Jon. "Netflix Knows What You Want... Before You Do." Forbes. 9 Jun. 2017. Web.

    Morgan, Blake. “50 Stats That Prove The Value Of Customer Experience.” Forbes, 24 Sept. 2019. Web.

    Taber, David. “What to Do When Your CRM Project Fails.” CIO Magazine, 18 Sept. 2017. Web.

    “The State of Project Management Annual Survey 2018.” Wellingtone, 2018. Web.

    “The History of Microsoft Dynamics.” Eswelt. 2021. Accessed 8 June 2022.

    “Unlock the Mysteries of Your Customer Relationships.” Harvard Business Review. 1 July 2014. Accessed 30 Mar. 2016.

    Info-Tech Quarterly Research Agenda Outcomes Q2-Q3 2023

    • Buy Link or Shortcode: {j2store}297|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: IT Strategy
    • Parent Category Link: /it-strategy

    At Info-Tech, we take pride in our research and have established the most rigorous publication standards in the industry. However, we understand that engaging with all our analysts to gauge the future may not always be possible. Hence, we have curated some compelling recently published research along with forthcoming research insights to assist you in navigating the next quarter.

    Our Advice

    Critical Insight

    We offer a quarterly Research Agenda Outcomes deck that thoroughly summarizes our recently published research, supplying decision makers with valuable insights and best practices to make informed and effective decisions. Our research is supported by our team of seasoned analysts with decades of experience in the IT industry.

    By leveraging our research, you can stay updated with the latest trends and technologies, giving you an edge over the competition and ensuring the optimal performance of your IT department. This way, you can make confident decisions that lead to remarkable success and improved outcomes.

    Impact and Result

    • Enhance preparedness for future market trends and developments: Keep up to date with the newest trends and advancements in the IT sector to be better prepared for the future.
    • Enhance your decision making: Acquire valuable information and insights to make better-informed, confident decisions.
    • Promote innovation: Foster creativity, explore novel perspectives, drive innovation, and create new products or services.

    Info-Tech Quarterly Research Agenda Outcomes Q2/Q3 2023 Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Info-Tech Quarterly Research Agenda Q3 2023 Deck – An overview of our Research Agenda Outcome for Q2 and Q3 of 2023.

    A guide to our top research published to date for 2023 (Q2/Q3).

    • Info-Tech Quarterly Research Agenda Outcomes for Q2/Q3 2023
    [infographic]

    Further reading

    Featured Research Projects 2023 (Q2/Q3)

    “Here are my selections for the top research projects of the last quarter.”

    Photo of Gord Harrison, Head of Research & Advisory, Info-Tech Research Group.

    Gord Harrison
    Head of Research & Advisory
    Info-Tech Research Group

    CIO

    01
    Build Your Generative AI Roadmap

    Generative AI is here, and it's time to find its best uses – systematically and responsibly.

    02
    CIO Priorities 2023

    Engage cross-functional leadership to seize opportunity while protecting the organization from volatility.

    03
    Build an IT Risk Taxonomy

    If integrated risk is your destination, your IT risk taxonomy is the road to get you there.

    04
    Navigate the Digital ID Ecosystem to Enhance Customer Experience

    Beyond the hype: How it can help you become more customer-focused?

    05
    Effective IT Communications

    Generative AI is here, and it's time to find its best uses – systematically and responsibly.

    06
    Develop a Targeted Flexible Work Program for IT

    Select flexible work options that balance organizational and employee needs to drive engagement and improve attraction and retention.

    07
    Effectively Manage CxO Relations

    Make relationship management a daily habit with a personalized action plan.

    08
    Establish High-Value IT Performance Dashboards and Metrics

    Spend less time struggling with visuals and more time communicating about what matters to your executives.

    Applications

    09
    Build Your Enterprise Application Implementation Playbook

    Your implementation doesn't start with technology but with an effective plan that the team can align on.

    10
    Develop Your Value-First Business Process Automation Strategy

    As you scale your business automations, focus on what matters most.

    11
    Manage Requirements in an Agile Environment

    Agile and requirements management are complementary, not competitors.

    Security

    12
    Assess Your Cybersecurity Insurance Policy

    Adapt to changes in the cyber insurance market.

    13
    Design and Implement a Business-Aligned Security Program

    Focus first on business value.

    Infrastructure & Operations

    14
    Automate IT Asset Data Collection

    Acquire and use discovery tools wisely to populate, update, and validate the data in your ITAM database.

    Industry | Retail

    15
    Leveraging AI to Create Meaningful Insights and Visibility in Retail

    AI prominence across the enterprise value chain.

    Industry | Education

    16
    Understand the Implications of Generative AI in Education

    Bans aren't the answer, but what is?

    Industry | Wholesale

    17
    Wholesale Industry Business Reference Architecture

    Business capability maps, value streams, and strategy maps for the wholesale industry.

    Industry | Retail Banking

    18
    Mainframe Modernization for Retail Banking

    A strategy for modernizing mainframe systems to meet the needs of modern retail banking.

    Industry | Utilities

    19
    Data Analytics Use Cases for Utilities

    Building upon the collective wisdom for the art of the possible.

    Build Your Generative AI Roadmap

    Generative AI is here, and it's time to find its best uses – systematically and responsibly.

    CIO
    Strategy & Governance

    Photo of Bill Wong, Principal Research Director, Info-Tech Research Group.

    Bill Wong
    Principal Research Director

    Download this research or book an analyst call on this topic

    Sample of the 'Build Your Generative AI Roadmap' research.

    Sample of the 'Build Your Generative AI Roadmap' research.

    Logo for Info-Tech.

    CIO Priorities 2023

    Engage cross-functional leadership to seize opportunity while protecting the organization from volatility.

    CIO
    Strategy & Governance

    Photo of Brian Jackson, Principal Research Director, Info-Tech Research Group.

    Brian Jackson
    Principal Research Director

    Download this report or book an analyst call on this topic

    Sample of the 'CIO Priorities 2023' report.

    Sample of the 'CIO Priorities 2023' report.

    Logo for Info-Tech.

    Build an IT Risk Taxonomy

    If integrated risk is your destination, your IT risk taxonomy is the road to get you there.

    CIO
    Strategy & Governance

    Photo of Donna Bales, Principal Research Director, Info-Tech Research Group.

    Donna Bales
    Principal Research Director

    Download this research or book an analyst call on this topic

    Sample of the 'Build an IT Risk Taxonomy' research.

    Sample of the 'Build an IT Risk Taxonomy' research.

    Logo for Info-Tech.

    Navigate the Digital ID Ecosystem to Enhance Customer Experience

    Beyond the hype: How it can help you become more customer-focused?

    CIO
    Strategy & Governance

    Photo of Manish Jain, Principal Research Director, Info-Tech Research Group.

    Manish Jain
    Principal Research Director

    Download this research or book an analyst call on this topic

    Sample of the 'Navigate the Digital ID Ecosystem to Enhance Customer Experience' research.

    Sample of the 'Navigate the Digital ID Ecosystem to Enhance Customer Experience' research.

    Logo for Info-Tech.

    Effective IT Communications

    Empower IT employees to communicate well with any stakeholder across the organization.

    CIO
    People & Leadership

    Photo of Brittany Lutes, Research Director, Info-Tech Research Group.

    Brittany Lutes
    Research Director

    Photo of Diana MacPherson, Senior Research Analyst, Info-Tech Research Group.

    Diana MacPherson
    Senior Research Analyst

    Download this research or book an analyst call on this topic

    Effective IT Communications' research.

    Sample of the 'Effective IT Communications' research.

    Logo for Info-Tech.

    Develop a Targeted Flexible Work Program for IT

    Select flexible work options that balance organizational and employee needs to drive engagement and improve attraction and retention.

    CIO
    People & Leadership

    Photo of Jane Kouptsova, Research Director, Info-Tech Research Group.

    Jane Kouptsova
    Research Director

    Download this research or book an analyst call on this topic

    Sample of the 'Develop a Targeted Flexible Work Program for IT' research.

    Sample of the 'Develop a Targeted Flexible Work Program for IT' research.

    Logo for Info-Tech.

    Effectively Manage CxO Relations

    Make relationship management a daily habit with a personalized action plan.

    CIO
    Value & Performance

    Photo of Mike Tweedle, Practice Lead, Info-Tech Research Group.

    Mike Tweedle
    Practice Lead

    Download this research or book an analyst call on this topic

    Sample of the 'Effectively Manage CxO Relations' research.

    Sample of the 'Effectively Manage CxO Relations' research.

    Logo for Info-Tech.

    Establish High-Value IT Performance Dashboards and Metrics

    Spend less time struggling with visuals and more time communicating about what matters to your executives.

    CIO
    Value & Performance

    Photo of Diana MacPherson, Senior Research Analyst, Info-Tech Research Group.

    Diana MacPherson
    Senior Research Analyst

    Download this research or book an analyst call on this topic

    Sample of the 'Establish High-Value IT Performance Dashboards and Metrics' research.

    Sample of the 'Establish High-Value IT Performance Dashboards and Metrics' research.

    Logo for Info-Tech.

    Build Your Enterprise Application Implementation Playbook

    Your implementation doesn't start with technology but with an effective plan that the team can align on.

    Applications
    Business Processes

    Photo of Ricardo de Oliveira, Research Director, Info-Tech Research Group.

    Ricardo de Oliveira
    Research Director

    Download this research or book an analyst call on this topic

    Sample of the 'Build Your Enterprise Application Implementation Playbook' research.

    Sample of the 'Build Your Enterprise Application Implementation Playbook' research.

    Logo for Info-Tech.

    Develop Your Value-First Business Process Automation Strategy

    As you scale your business automations, focus on what matters most.

    Applications
    Business Processes

    Photo of Andrew Kum-Seun, Research Director, Info-Tech Research Group.

    Andrew Kum-Seun
    Research Director

    Download this research or book an analyst call on this topic

    Sample of the 'Develop Your Value-First Business Process Automation Strategy' research.

    Sample of the 'Develop Your Value-First Business Process Automation Strategy' research.

    Logo for Info-Tech.

    Manage Requirements in an Agile Environment

    Agile and requirements management are complementary, not competitors.

    Applications
    Application Development

    Photo of Vincent Mirabelli, Principal Research Director, Info-Tech Research Group.

    Vincent Mirabelli
    Principal Research Director

    Download this research or book an analyst call on this topic

    Sample of the 'Manage Requirements in an Agile Environment' research.

    Sample of the 'Manage Requirements in an Agile Environment' research.

    Logo for Info-Tech.

    Assess Your Cybersecurity Insurance Policy

    Adapt to changes in the cyber insurance market.

    Security
    Security Risk, Strategy & Governance

    Photo of Logan Rohde, Senior Research Analyst, Info-Tech Research Group.

    Logan Rohde
    Senior Research Analyst

    Download this research or book an analyst call on this topic

    Sample of the 'Assess Your Cybersecurity Insurance Policy' research.

    Sample of the 'Assess Your Cybersecurity Insurance Policy' research.

    Logo for Info-Tech.

    Design and Implement a Business-Aligned Security Program

    Focus first on business value.

    Security
    Security Risk, Strategy & Governance

    Photo of Michel Hébert, Research Director, Info-Tech Research Group.

    Michel Hébert
    Research Director

    Download this research or book an analyst call on this topic

    Sample of the 'Design and Implement a Business-Aligned Security Program' research.

    Sample of the 'Design and Implement a Business-Aligned Security Program' research.

    Logo for Info-Tech.

    Automate IT Asset Data Collection

    Acquire and use discovery tools wisely to populate, update, and validate the data in your ITAM database.

    Infrastructure & Operations
    I&O Process Management

    Photo of Andrew Sharp, Research Director, Info-Tech Research Group.

    Andrew Sharp
    Research Director

    Download this research or book an analyst call on this topic

    Sample of the 'Automate IT Asset Data Collection' research.

    Sample of the 'Automate IT Asset Data Collection' research.

    Logo for Info-Tech.

    Leveraging AI to Create Meaningful Insights and Visibility in Retail

    AI prominence across the enterprise value chain.

    Industry Coverage
    Retail

    Photo of Rahul Jaiswal, Principal Research Director, Info-Tech Research Group.

    Rahul Jaiswal
    Principal Research Director

    Download this research or book an analyst call on this topic

    Sample of the 'Leveraging AI to Create Meaningful Insights and Visibility in Retail' research.

    Sample of the 'Leveraging AI to Create Meaningful Insights and Visibility in Retail' research.

    Logo for Info-Tech.

    Understand the Implications of Generative AI in Education

    Bans aren't the answer, but what is?

    Industry Coverage
    Education

    Photo of Mark Maby, Research Director, Info-Tech Research Group.

    Mark Maby
    Research Director

    Download this research or book an analyst call on this topic

    Sample of the 'Understand the Implications of Generative AI in Education' research.

    Sample of the 'Understand the Implications of Generative AI in Education' research.

    Logo for Info-Tech.

    Wholesale Industry Business Reference Architecture

    Business capability maps, value streams, and strategy maps for the wholesale industry.

    Industry Coverage
    Wholesale

    Photo of Rahul Jaiswal, Principal Research Director, Info-Tech Research Group.

    Rahul Jaiswal
    Principal Research Director

    Download this research or book an analyst call on this topic

    Sample of the 'Wholesale Industry Business Reference Architecture' research.

    Sample of the 'Wholesale Industry Business Reference Architecture' research.

    Logo for Info-Tech.

    Mainframe Modernization for Retail Banking

    A strategy for modernizing mainframe systems to meet the needs of modern retail banking.

    Industry Coverage
    Retail Banking

    Photo of David Tomljenovic, Principal Research Director, Info-Tech Research Group.

    David Tomljenovic
    Principal Research Director

    Download this research or book an analyst call on this topic

    Sample of the 'Mainframe Modernization for Retail Banking' research.

    Sample of the 'Mainframe Modernization for Retail Banking' research.

    Logo for Info-Tech.

    Data Analytics Use Cases for Utilities

    Building upon the collective wisdom for the art of the possible.

    Industry Coverage
    Utilities

    Photo of Jing Wu, Principal Research Director, Info-Tech Research Group.

    Jing Wu
    Principal Research Director

    Download this research or book an analyst call on this topic

    Sample of the 'Data Analytics Use Cases for Utilities' research.

    Sample of the 'Data Analytics Use Cases for Utilities' research.

    Sneak Peaks: Research coming in next quarter!

    “Next quarter we have a big lineup of reports and some great new research!”

    Photo of Gord Harrison, Head of Research & Advisory, Info-Tech Research Group.

    Gord Harrison
    Head of Research & Advisory
    Info-Tech Research Group

    1. Build MLOps and Engineering for AI and ML

      Enabling you to develop your Engineering and ML Operations to support your current & planned use cases for AI and ML.

    2. Leverage Gen AI to Improve Your Test Automation Strategy

      Enabling you to embed Gen AI to assist your team during testing broader than Gen AI compiling code.

    3. Make Your IT Financial Data Accessible, Reliable, and Usable

      This project will provide a recipe for bringing IT's financial data to a usable state through a series of discovery, standardization, and policy-setting actions.

    4. Implement Integrated AI Governance

      Enabling you to implement best-practice governance principles when implementing Gen AI.

    5. Develop Exponential IT Capabilities

      Enabling you to understand and develop your strategic Exponential IT capabilities.

    6. Build Your AI Strategy and Roadmap

      This project will provide step-by-step guidance in development of your AI strategy with an AI strategy exemplar.

    7. Priorities for Data Leaders in 2024 and Beyond

      This report will detail the top five challenges expected in the upcoming year and how you as the CDAO can tackle them.

    8. Deploy AIOps More Effectively

      This research is designed to assess the process maturity of your IT operations and help identify pain pains and opportunities for AI deployment within your IT operations.

    9. Design Your Edge Computing Architecture

      This research will provide deployment guidelines and roadmap to address your edge computing needs.

    10. Manage Change in the AI-Enabled Enterprise

      Managing change is complex with the disruptive nature of emerging tech like AI. This research will assist you from an organizational change perspective.

    11. Assess the Security and Privacy Impacts of Your AI Vendors

      This research will allow you to enhance transparency, improve risk management, and ensure the security and privacy of data when working with AI vendors.

    12. Prepare Your Board for AI Disruption

      This research will arm you with tools to educate your board on the impact of Gen AI, addressing the potential risks and the potential benefits.

    Info-Tech Research Leadership Team

    “We have a world-class team of experts focused on providing practical, cutting-edge IT research and advice.”

    Photo of Gord Harrison, Head of Research & Advisory, Info-Tech Research Group.

    Gord Harrison
    Head of Research & Advisory
    Info-Tech Research Group

    Photo of Jack Hakimian, Senior Vice President, Research Development, Info-Tech Research Group.

    Jack Hakimian
    Senior Vice President
    Research Development

    Photo of Aaron Shum, Vice President, Security & Privacy Research, Info-Tech Research Group.

    Aaron Shum
    Vice President
    Security & Privacy Research

    Photo of Larry Fretz, Vice President, Industry Research, Info-Tech Research Group.

    Larry Fretz
    Vice President
    Industry Research

    Photo of Mark Tauschek, Vice President, Research Fellowships, Info-Tech Research Group.

    Mark Tauschek
    Vice President
    Research Fellowships

    Photo of Tom Zehren, Chief Product Officer, Info-Tech Research Group.

    Tom Zehren
    Chief Product Officer

    Photo of Rick Pittman, Vice President, Advisory Quality & Delivery, Info-Tech Research Group.

    Rick Pittman
    Vice President
    Advisory Quality & Delivery

    Photo of Nora Fisher, Vice President, Shared Services, Info-Tech Research Group.

    Nora Fisher
    Vice President
    Shared Services

    Photo of Becca Mackey, Vice President, Workshops, Info-Tech Research Group.

    Becca Mackey
    Vice President
    Workshops

    Photo of Geoff Nielson, Senior Vice President, Global Services & Delivery, Info-Tech Research Group.

    Geoff Nielson
    Senior Vice President
    Global Services & Delivery

    Photo of Brett Rugroden, Senior Vice President, Global Market Programs, Info-Tech Research Group.

    Brett Rugroden
    Senior Vice President
    Global Market Programs

    Photo of Hannes Scheidegger, Senior Vice President, Global Public Sector, Info-Tech Research Group.

    Hannes Scheidegger
    Senior Vice President
    Global Public Sector

    About Info-Tech Research Group

    Info-Tech Research Group produces unbiased and highly relevant research to help leaders make strategic, timely, and well-informed decisions. We partner closely with your teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for the organization.

    Sample of the IT Management & Governance Framework.

    Drive Measurable Results

    Our world-class leadership team is continually focused on building disruptive research and products that drive measurable results and save money.

    Info-Tech logo.

    Better Research Than Anyone

    Our team of experts is composed of the optimal mix of former CIOs, CISOs, PMOs, and other IT leaders and IT and management consultants as well as academic researchers and statisticians.

    Dramatically Outperform Your Peers

    Leverage Industry Best Practices

    We enable over 30,000 members to share their insights and best practices that you can use by having direct access to over 100 analysts as an extension of your team.

    Become an Info-Tech influencer:

    • Help shape our research by talking with our analysts.
    • Discuss the challenges, insights, and opportunities in your chosen areas.
    • Suggest new topic ideas for upcoming research cycles.

    Contact
    Jack Hakimian
    jhakimian@infotech.com

    We interview hundreds of experts and practitioners to help ensure our research is practical and focused on key member challenges.

    Why participate in expert interviews?

    • Discuss market trends and stay up to date.
    • Influence Info-Tech's research direction with your practical experience.
    • Preview our analysts' perspectives and preliminary research.
    • Build on your reputation as a thought leader and research contributor.
    • See your topic idea transformed into practical research.

    Thank you!

    Join us at our webinars to discuss more topics.

    For information on Info-Tech's products and services and to participate in our research process, please contact:

    Jack Hakimian
    jhakimian@infotech.com

    Rationalize Your Collaboration Tools

    • Buy Link or Shortcode: {j2store}51|cart{/j2store}
    • member rating overall impact: 7.3/10 Overall Impact
    • member rating average dollars saved: 10 Average Days Saved
    • member rating average days saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • Parent Category Name: End-User Computing Applications
    • Parent Category Link: /end-user-computing-applications
    • Organizations collaboration toolsets are increasingly disordered and overburdened. Not only do organizations waste money by purchasing tools that overlap with their current toolset, but also employees’ productivity is destroyed by having to spend time switching between multiple tools.
    • Shadow IT is easier than ever. Without suitable onboarding and agreed-upon practices, employees will seek out their own solutions for collaboration. No transparency of what tools are being used means that information shared through shadow IT cannot be coordinated, monitored, or regulated effectively.

    Our Advice

    Critical Insight

    • Best-of-breed approaches create more confusion than productivity. Collaboration toolsets should be as streamlined as possible.
    • Employee-led initiatives to implement new toolsets are more successful. Focus on what is a suitable fit for employees’ needs.
    • Strategizing toolsets enhances security. File transfers and communication through unmonitored, unapproved tools increases phishing and hacking risks.

    Impact and Result

    • Categorize your current collaboration toolset, identifying genuine overlaps and gaps in your collaboration capabilities.
    • Work through our best-practice recommendations to decide which redundant overlapping tools should be phased out.
    • Build business requirements to fill toolset gaps and create an adoption plan for onboarding new tools.
    • Create a collaboration strategy that documents collaboration capabilities, rationalizes them, and states which capability to use when.

    Rationalize Your Collaboration Tools Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out how to create a collaboration strategy that will improve employee efficiency and save the organization time and money.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Evaluate current toolset

    Identify and categorize current collaboration toolset usage to recognize unnecessary overlaps and legitimate gaps.

    • Rationalize Your Collaboration Tools – Phase 1: Evaluate Current Toolset
    • Identifying and Categorizing Shadow Collaboration Tools Survey
    • Overlaps and Gaps in Current Collaboration Toolset Template

    2. Strategize toolset overlaps

    Evaluate overlaps to determine which redundant tools should be phased out and explore best practices for how to do so.

    • Rationalize Your Collaboration Tools – Phase 2: Strategize Toolset Overlaps
    • Phase-Out Plan Gantt Chart Template
    • Phase-Out Plan Marketing Materials

    3. Fill toolset gaps

    Fill your collaboration toolset gaps with best-fit tools, build business requirements for those tools, and create an adoption plan for onboarding.

    • Rationalize Your Collaboration Tools – Phase 3: Fill Toolset Gaps
    • Adoption Plan Gantt Chart Template
    • Adoption Plan Marketing Materials
    • Collaboration Tools Business Requirements Document Template
    • Collaboration Platform Evaluation Tool
    [infographic]

    Workshop: Rationalize Your Collaboration Tools

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Categorize the Toolset

    The Purpose

    Create a collaboration vision.

    Acknowledge the current state of the collaboration toolset.

    Key Benefits Achieved

    A clear framework to structure the collaboration strategy

    Activities

    1.1 Set the vision for the Collaboration Strategy.

    1.2 Identify your collaboration tools with use cases.

    1.3 Learn what collaboration tools are used and why, including shadow IT.

    1.4 Begin categorizing the toolset.

    Outputs

    Beginnings of the Collaboration Strategy

    At least five archetypical use cases, detailing the collaboration capabilities required for these cases

    Use cases updated with shadow IT currently used within the organization

    Overlaps and Gaps in Current Capabilities Toolset Template

    2 Strategize Overlaps

    The Purpose

    Identify redundant overlapping tools and develop a phase-out plan.

    Key Benefits Achieved

    Communication and phase-out plans for redundant tools, streamlining the collaboration toolset.

    Activities

    2.1 Identify legitimate overlaps and gaps.

    2.2 Explore business and user strategies for identifying redundant tools.

    2.3 Create a Gantt chart and communication plan and outline post-phase-out strategies.

    Outputs

    Overlaps and Gaps in Current Capabilities Toolset Template

    A shortlist of redundant overlapping tools to be phased out

    Phase-out plan

    3 Build Business Requirements

    The Purpose

    Gather business requirements for finding best-fit tools to fill toolset gaps.

    Key Benefits Achieved

    A business requirements document

    Activities

    3.1 Use SoftwareReviews and the Collaboration Platform Evaluation Tool to shortlist best-fit collaboration tool.

    3.2 Build SMART objectives and goals cascade.

    3.3 Walk through the Collaboration Tools Business Requirements Document Template.

    Outputs

    A shortlist of collaboration tools

    A list of SMART goals and a goals cascade

    Completed Business Requirements Document

    4 Create an Adoption Plan

    The Purpose

    Create an adoption plan for successfully onboarding new collaboration tools.

    Key Benefits Achieved

    An adoption plan

    Activities

    4.1 Fill out the Adoption Plan Gantt Chart Template.

    4.2 Create the communication plan.

    4.3 Explore best practices to socialize the new tools.

    Outputs

    Completed Gantt chart

    Adoption plan marketing materials

    Long-term strategy for engaging employees with onboarded tools

    Create a Right-Sized Enterprise Architecture Governance Framework

    • Buy Link or Shortcode: {j2store}582|cart{/j2store}
    • member rating overall impact: 9.0/10 Overall Impact
    • member rating average dollars saved: $10,000 Average $ Saved
    • member rating average days saved: 5 Average Days Saved
    • Parent Category Name: Strategy & Operating Model
    • Parent Category Link: /strategy-and-operating-model
    • EA governance is perceived as an unnecessary layer of bureaucracy because business benefits are poorly communicated.
    • The organization doesn’t have a formalized EA practice.
    • Where an EA practice exists, employees are unsure of EA’s roles and responsibilities.

    Our Advice

    Critical Insight

    • Enterprise architecture is not a technical function – it should be business-value driven and forward looking, positioning organizational assets in favor of long-term strategy rather than short-term tactics.

    Impact and Result

    • Value-focused. Focus EA governance on helping the organization achieve business benefits. Promote EA’s contribution in realizing business value.
    • Right-sized. Re-use existing process checkpoints rather than creating new ones. Clearly define EA governance inclusion criteria for projects.
    • Defined and measured process. Define metrics to measure EA’s performance and integrate EA governance with other governance processes such as project governance. Also clearly define the EA governing bodies’ composition, domain, inputs, and outputs.
    • Strike the right balance. Adopt architecture principles that strikes the right balance between business and technology.

    Create a Right-Sized Enterprise Architecture Governance Framework Research & Tools

    Start here – read the Executive Brief

    Read our Executive Brief to find out how implementing a successful enterprise architecture governance framework can benefit your organization.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Current State of EA Governance

    Identify the organization’s standing in terms of the enterprise architecture practice, and know the gaps and what the EA practice needs to fulfill to create a good governance framework.

    • Create a Right-Sized Enterprise Architecture Governance Framework – Phase 1: Current State of EA Governance
    • EA Capability – Risk and Complexity Assessment Tool
    • EA Governance Assessment Tool

    2. EA Fundamentals

    Understand the EA fundamentals and then refresh them to better align the EA practice with the organization and create business benefit.

    • Create a Right-Sized Enterprise Architecture Governance Framework – Phase 2: EA Fundamentals
    • EA Vision and Mission Template
    • EA Goals and Measures Template
    • EA Principles Template

    3. Engagement Model

    Analyze the IT operating model and identify EA’s role at each stage; refine it to promote effective EA engagement upfront in the early stages of the IT operating model.

    • Create a Right-Sized Enterprise Architecture Governance Framework – Phase 3: Engagement Model
    • EA Engagement Model Template

    4. EA Governing Bodies

    Set up EA governing bodies to provide guidance and foster a collaborative environment by identifying the correct number of EA governing bodies, defining the game plan to initialize the governing bodies, and creating an architecture review process.

    • Create a Right-Sized Enterprise Architecture Governance Framework – Phase 4: EA Governing Bodies
    • Architecture Board Charter Template
    • Architecture Review Process Template

    5. EA Policy

    Create an EA policy to provide a set of guidelines designed to direct and constrain the architecture actions of the organization in the pursuit of its goals in order to improve architecture compliance and drive business value.

    • Create a Right-Sized Enterprise Architecture Governance Framework – Phase 5: EA Policy
    • EA Policy Template
    • EA Assessment Checklist Template
    • EA Compliance Waiver Process Template
    • EA Compliance Waiver Form Template

    6. Architectural Standards

    Define architecture standards to facilitate information exchange, improve collaboration, and provide stability. Develop a process to update the architectural standards to ensure relevancy and promote process transparency.

    • Create a Right-Sized Enterprise Architecture Governance Framework – Phase 6: Architectural Standards
    • Architecture Standards Update Process Template

    7. Communication Plan

    Craft a plan to engage the relevant stakeholders, ascertain the benefits of the initiative, and identify the various communication methods in order to maximize the chances of success.

    • Create a Right-Sized Enterprise Architecture Governance Framework – Phase 7: Communication Plan
    • EA Governance Communication Plan Template
    • EA Governance Framework Template
    [infographic]

    Workshop: Create a Right-Sized Enterprise Architecture Governance Framework

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Current State of EA governance (Pre-workshop)

    The Purpose

    Conduct stakeholder interviews to understand current state of EA practice and prioritize gaps for EA governance based on organizational complexity.

    Key Benefits Achieved

    Prioritized list of actions to arrive at the target state based on the complexity of the organization

    Activities

    1.1 Determine organizational complexity.

    1.2 Conduct an assessment of the EA governance components.

    1.3 Identify and prioritize gaps.

    1.4 Conduct senior management interviews.

    Outputs

    Organizational complexity score

    EA governance current state and prioritized list of EA governance component gaps

    Stakeholder perception of the EA practice

    2 EA Fundamentals and Engagement Model

    The Purpose

    Refine EA fundamentals to align the EA practice with the organization and identify EA touchpoints to provide guidance for projects.

    Key Benefits Achieved

    Alignment of EA goals and objectives with the goals and objectives of the organization

    Early involvement of EA in the IT operating model

    Activities

    2.1 Review the output of the organizational complexity and EA assessment tools.

    2.2 Craft the EA vision and mission.

    2.3 Develop the EA principles.

    2.4 Identify the EA goals.

    2.5 Identify EA engagement touchpoints within the IT operating model.

    Outputs

    EA vision and mission statement

    EA principles

    EA goals and measures

    Identified EA engagement touchpoints and EA level of involvement

    3 EA Governing Bodies

    The Purpose

    Set up EA governing bodies to provide guidance and foster a collaborative environment by identifying the correct number of EA governing bodies, defining the game plan to initialize the governing bodies and creating an architecture review process.

    Key Benefits Achieved

    Business benefits are maximized and solution design is within the options set forth by the architectural reference models while no additional layers of bureaucracy are introduced

    Activities

    3.1 Identify the number of governing bodies.

    3.2 Define the game plan to initialize the governing bodies.

    3.3 Define the architecture review process.

    Outputs

    Architecture board structure and coverage

    Identified architecture review template

    4 EA Policy

    The Purpose

    Create an EA policy to provide a set of guidelines designed to direct and constrain the architecture actions of the organization in the pursuit of its goals in order to improve architecture compliance and drive business value.

    Key Benefits Achieved

    Improved architecture compliance, which ties investments to business value and provides guidance to architecture practitioners

    Activities

    4.1 Define the scope.

    4.2 Identify the target audience.

    4.3 Determine the inclusion and exclusion criteria.

    4.4 Craft an assessment checklist.

    Outputs

    Defined scope

    Inclusion and exclusion criteria for project review

    Architecture assessment checklist

    5 Architectural Standards and Communication Plan

    The Purpose

    Define architecture standards to facilitate information exchange, improve collaboration, and provide stability.

    Craft a communication plan to implement the new EA governance framework in order to maximize the chances of success.

    Key Benefits Achieved

    Consistent development of architecture, increased information exchange between stakeholders

    Improved process transparency

    Improved stakeholder engagement

    Activities

    5.1 Identify and standardize EA work products.

    5.2 Classifying the architectural standards.

    5.3 Identifying the custodian of standards.

    5.4 Update the standards.

    5.5 List the changes identified in the EA governance initiative

    5.6 Create a communication plan.

    Outputs

    Identified set of EA work products to standardize

    Architecture information taxonomy

    Identified set of custodian of standards

    Standard update process

    List of EA governance initiatives

    Communication plan for EA governance initiatives

    Further reading

    Create a Right-Sized Enterprise Architecture Governance Framework

    Focus on process standardization, repeatability, and sustainability.

    ANALYST PERSPECTIVE

    "Enterprise architecture is not a technology concept, rather it is the foundation on which businesses orient themselves to create and capture value in the marketplace. Designing architecture is not a simple task and creating organizations for the future requires forward thinking and rigorous planning.

    Architecture processes that are supposed to help facilitate discussions and drive option analysis are often seen as an unnecessary overhead. The negative perception is due to enterprise architecture groups being overly prescriptive rather than providing a set of options that guide and constrain solutions at the same time.

    EA groups should do away with the direct and control mindset and change to a collaborate and mentor mindset. As part of the architecture governance, EA teams should provide an option set that constrains design choices, and also be open to changes to standards or best practices. "

    Gopi Bheemavarapu, Sr. Manager, CIO Advisory Info-Tech Research Group

    Our understanding of the problem

    This Research Is Designed For:

    • CIO
    • IT Leaders
    • Business Leaders
    • Head of Enterprise Architecture
    • Enterprise Architects
    • Domain Architects
    • Solution Architects

    This Research Will Help You:

    • Understand the importance of enterprise architecture (EA) governance and how to apply it to guide architectural decisions.
    • Enhance your understanding of the organization’s current EA governance and identify areas for improvement.
    • Optimize your EA engagement model to maximize value creation.
    • Learn how to set up the optimal number of governance bodies in order to avoid bureaucratizing the organization.

    This Research Will Also Assist:

    • Business Relationship Managers
    • Business Analysts
    • IT Managers
    • Project Managers
    • IT Analysts
    • Quality Assurance Leads
    • Software Developers

    This Research Will Help Them:

    • Give an overview of enterprise architecture governance
    • Clarity on the role of enterprise architecture team

    Executive summary

    Situation

    • Deployed solutions do not meet business objectives resulting in expensive and extensive rework.
    • Each department acts independently without any regular EA touchpoints.
    • Organizations practice project-level architecture as opposed to enterprise architecture.

    Complication

    • EA governance is perceived as an unnecessary layer of bureaucracy because business benefits are poorly communicated.
    • The organization doesn’t have a formalized EA practice.
    • Where an EA practice exists, employees are unsure of EA’s roles and responsibilities.

    Resolution

    • Value-focused. Focus EA governance on helping the organization achieve business benefits. Promote EA’s contribution in realizing business value.
    • Right-sized. Re-use existing process checkpoints, rather than creating new ones. Clearly define EA governance inclusion criteria for projects.
    • Defined and measured process. Define metrics to measure EA’s performance and integrate EA governance with other governance processes such as project governance. Also clearly define the EA governing bodies’ composition, domain, inputs, and outputs.
    • Strike the right balance. Adopt architecture principles that strikes the right balance between business and technology imperatives.

    Info-Tech Insight

    Enterprise architecture is critical to ensuring that an organization has the solid IT foundation it needs to efficiently enable the achievement of its current and future strategic goals rather than focusing on short-term tactical gains.

    What is enterprise architecture governance?

    An architecture governance process is the set of activities an organization executes to ensure that decisions are made and accountability is enforced during the execution of its architecture strategy. (Hopkins, “The Essential EA Toolkit.”)

    EA governance includes the following:

    • Implement a system of controls over the creation and monitoring of all architectural components.
    • Ensure effective introduction, implementation, and evolution of architectures within the organization.
    • Implement a system to ensure compliance with internal and external standards and regulatory obligations.
    • Develop practices that ensure accountability to a clearly identified stakeholder community, both inside and outside the organization.

    (TOGAF)

    IT governance sets direction through prioritization and decision making, and monitors overall IT performance.

    The image shows a circle set within a larger circle. The inner circle is connected to the bottom of the larger circle. The inner circle is labelled EA Governance and the larger circle is labelled IT Governance.

    EA governance ensures that optimal architectural design choices are being made that focus on long-term value creation.

    Harness the benefits of an optimized EA governance

    Core benefits of EA governance are seen through:

    Value creation

    Effective EA governance ensures alignment between organizational investments and corporate strategic goals and objectives.

    Cost reduction

    Architecture standards provide guidance to identify opportunities for reuse and eliminate redundancies in an organization.

    Risk optimization

    Architecture review processes and assessment checklists ensure that solutions are within the acceptable risk levels of the organization.

    EA governance is difficult to structure appropriately, but having an effective structure will allow you to:

    • Achieve business strategy through faster time-to-market innovations and capabilities.
    • Reduced transaction costs with more consistent business processes and information across business units.
    • Lower IT costs due to better traceability, faster design, and lower risk.
    • Link IT investments to organizational strategies and objectives
    • Integrate and institutionalizes IT best practices.
    • Enable the organization to take full advantage of its information, infrastructure, and hardware and software assets.
    • Support regulatory as well as best practice requirements such as auditability, security, responsibility, and accountability.

    Organizations that have implemented EA governance realize greater benefits from their EA programs

    Modern day CIOs of high-performing organizations use EA as a strategic planning discipline to improve business-IT alignment, enable innovation, and link business and IT strategies to execution.

    Recent Info-Tech research found that organizations that establish EA governance realize greater benefits from their EA initiatives.

    The image shows a bar graph, with Impact from EA on the Y-axis, and different initiatives listed on the X-axis. Each initiative has two bars connected to it, with a blue bar representing answers of No and the grey bar representing answers of Yes.

    (Info-Tech Research Group, N=89)

    Measure EA governance implementation effectiveness

    Define key operational measures for internal use by IT and EA practitioners. Also, define business value measures that communicate and demonstrate the value of EA as an “enabler” of business outcomes to senior executives.

    EA performance measures (lead, operational) EA value measures (lag)
    Application of EA management process EA’s contribution to IT performance EA’s contribution to business value

    Enterprise Architecture Management

    • Number of months since the last review of target state EA blueprints.

    IT Investment Portfolio Management

    • Percentage of projects that were identified and proposed by EA.

    Solution Development

    • Number of projects that passed EA reviews.
    • Number of building blocks reused.

    Operations Management

    • Reduction in the number of applications with overlapping functionality.

    Business Value

    • Lower non-discretionary IT spend.
    • Decreased time to production.
    • Higher satisfaction of IT-enabled services.

    An insurance provider adopts a value-focused, right-sized EA governance program

    CASE STUDY

    Industry Insurance

    Source Info-Tech

    Situation

    The insurance sector has been undergoing major changes, and as a reaction, businesses within the sector have been embracing technology to provide innovative solutions.

    The head of EA in a major insurance provider (henceforth to be referred to as “INSPRO01”) was given the mandate to ensure that solutions are architected right the first time to maximize reuse and reduce technology debt. The EA group was at a critical point – to demonstrate business value or become irrelevant.

    Complication

    The project management office had been accountable for solution architecture and had placed emphasis on short-term project cost savings at the expense of long term durability.

    There was a lack of awareness of the Enterprise Architecture group within INSPRO01, and people misunderstood the roles and responsibilities of the EA team.

    Result

    Info-Tech helped define the responsibilities of the EA team and clarify the differences between the role of a Solution Architect vs. Enterprise Architect.

    The EA team was able to make the case for change in the project management practices to ensure architectures are reviewed and approved prior to implementation.

    As a result, INSPRO01 saw substantial increases in reuse opportunities and thereby derived more value from its technology investments.

    Success factors for EA governance

    The success of any EA governance initiative revolves around adopting best practices, setting up repeatable processes, and establishing appropriate controls.

    1. Develop best practices for managing architecture policies, procedures, roles, skills, and organizational structures.
    2. Establish organizational responsibilities and structures to support the architecture governance processes.
    3. Management of criteria for the control of the architecture governance processes, dispensations, compliance assessments, and SLAs.

    Info-Tech’s approach to EA governance

    Our best-practice approach is grounded in TOGAF and enhanced by the insights and guidance from our analysts, industry experts, and our clients.

    Value-focused. Focus EA governance on helping the organization achieve business benefits. Promote EA’s contribution in realizing business value.

    Right-sized. Insert EA governance into existing process checkpoints rather than creating new ones. Clearly define EA governance inclusion criteria for projects.

    Measured. Define metrics to measure EA’s performance, and integrate EA governance with other governance processes such as project governance. Also clearly define the EA governing bodies’ composition, domain, inputs, and outputs.

    Balanced. Adopt architecture principles that strikes the right balance between business and technology.

    Info-Tech’s EA governance framework

    Info-Tech’s architectural governance framework provides a value-focused, right-sized approach with a strong emphasis on process standardization, repeatability, and sustainability.

    1. Current state of EA governance
    2. EA fundamentals
    3. Engagement model
    4. EA governing bodies
    5. EA policy
    6. Architectural standards
    7. Communication Plan

    Use Info-Tech’s templates to complete this project

    1. Current state of EA governance
      • EA Capability - Risk and Complexity Assessment Tool
      • EA Governance Assessment Tool
    2. EA fundamentals
      • EA Vision and Mission Template
      • EA Goals and Measures Template
      • EA Principles Template
    3. Engagement model
      • EA Engagement Model Template
    4. EA governing bodies
      • Architecture Board Charter Template
      • Architecture Review Process Template
    5. EA policy
      • EA Policy Template
      • Architecture Assessment Checklist Template
      • Compliance Waiver Process Template
      • Compliance Waiver Form Template
    6. Architectural standards
      • Architecture Standards Update Process Template
    7. Communication Plan
      • EA Governance Communication Plan Template
      • EA Governance Framework Template

    As you move through the project, capture your progress with a summary in the EA Governance Framework Template.

    Download the EA Governance Framework Template document for use throughout this project.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    EA governance framework – phase-by-phase outline (1/2)

    Current state of EA governance EA Fundamentals Engagement Model EA Governing Bodies
    Best-Practice Toolkit

    1.1 Determine organizational complexity

    1.2 Conduct an assessment of the EA governance components

    1.3 Identify and prioritize gaps

    2.1 Craft the EA vision and mission

    2.2 Develop the EA principles

    2.3 Identify the EA goals

    3.1 Build the case for EA engagement

    3.2 Identify engagement touchpoints within the IT operating model

    4.1 Identify the number of governing bodies

    4.2 Define the game plan to initialize the governing bodies

    4.3 Define the architecture review process

    Guided Implementations
    • Determine organizational complexity
    • Assess current state of EA governance
    • Develop the EA fundamentals
    • Review the EA fundamentals
    • Review the current IT operating model
    • Determine the target engagement model
    • Identify architecture boards and develop charters
    • Develop an architecture review process

    Phase 1 Results:

    • EA Capability - risk and complexity assessment
    • EA governance assessment

    Phase 2 Results:

    • EA vision and mission
    • EA goals and measures
    • EA principles

    Phase 3 Results:

    • EA engagement model

    Phase 4 Results:

    • Architecture board charter
    • Architecture review process

    EA governance framework – phase-by-phase outline (2/2)

    EA Policy Architectural Standards Communication Plan
    Best-Practice Toolkit

    5.1 Define the scope of EA policy

    5.2 Identify the target audience

    5.3 Determine the inclusion and exclusion criteria

    5.4 Craft an assessment checklist

    6.1 Identify and standardize EA work products

    6.2 Classify the architectural standards

    6.3 Identify the custodian of standards

    6.4 Update the standards

    7.1 List the changes identified in the EA governance initiative

    7.2 Identify stakeholders

    7.3 Create a communication plan

    Guided Implementations
    • EA policy, assessment checklists, and decision types
    • Compliance waivers
    • Understand architectural standards
    • EA repository and updating the standards
    • Create a communication plan
    • Review the communication plan

    Phase 5 Results:

    • EA policy
    • Architecture assessment checklist
    • Compliance waiver process
    • Compliance waiver form

    Phase 6 Results:

    • Architecture standards update process

    Phase 7 Results:

    • Communication plan
    • EA governance framework

    Workshop overview

    Contact your account representative or email Workshops@InfoTech.com for more information.

    Pre-workshopWorkshop Day 1Workshop Day 2Workshop Day 3Workshop Day 4
    ActivitiesCurrent state of EA governance EA fundamentals and engagement model EA governing bodies EA policy Architectural standards and

    communication plan

    1.1 Determine organizational complexity

    1.2 Conduct an assessment of the EA governance components

    1.3 Identify and prioritize gaps

    1.4 Senior management interviews

    1. Review the output of the organizational complexity and EA assessment tools
    2. Craft the EA vision and mission
    3. Develop the EA principles.
    4. Identify the EA goals
    5. Identify EA engagement touchpoints within the IT operating model
    1. Identify the number of governing bodies
    2. Define the game plan to initialize the governing bodies
    3. Define the architecture review process
    1. Define the scope
    2. Identify the target audience
    3. Determine the inclusion and exclusion criteria
    4. Craft an assessment checklist
    1. Identify and standardize EA work products
    2. Classifying the architectural standards
    3. Identifying the custodian of standards
    4. Updating the standards
    5. List the changes identified in the EA governance initiative
    6. Identify stakeholders
    7. Create a communication plan
    Deliverables
    1. EA Capability - risk and complexity assessment tool
    2. EA governance assessment tool
    1. EA vision and mission template
    2. EA goals and measures template
    3. EA principles template
    4. EA engagement model template
    1. Architecture board charter template
    2. Architecture review process template
    1. EA policy template
    2. Architecture assessment checklist template
    3. Compliance waiver process template
    4. Compliance waiver form template
    1. Architecture standards update process template
    2. Communication plan template

    Phase 1

    Current State of EA Governance

    Create a Right-Sized Enterprise Architecture Governance Framework

    Current State of EA Governance

    1. Current State of EA Governance
    2. EA Fundamentals
    3. Engagement Model
    4. EA Governing Bodies
    5. EA Policy
    6. Architectural Standards
    7. Communication Plan

    This phase will walk you through the following activities:

    • Determine organizational complexity
    • Conduct an assessment of the EA governance components
    • Identify and prioritize gaps

    This step involves the following participants:

    • CIO
    • IT Leaders
    • Business Leaders
    • Head of Enterprise Architecture
    • Enterprise Architects
    • Domain Architects
    • Solution Architects

    Outcomes of this step

    • Prioritized list of gaps

    Info-Tech Insight

    Correlation is not causation – an apparent problem might be a symptom rather than a cause. Assess the organization’s current EA governance to discover the root cause and go beyond the symptoms.

    Phase 1 guided implementation outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 1: Current State of EA Governance

    Proposed Time to Completion: 2 weeks

    Step 1.1: Determine organizational complexity

    Start with an analyst kick-off call:

    • Discuss how to use Info-Tech’s EA Capability – Risk and Complexity Assessment Tool.
    • Discuss how to complete the inputs on the EA Governance Assessment Tool.

    Then complete these activities…

    • Conduct an assessment of your organization to determine its complexity.
    • Assess the state of EA governance within your organization.

    With these tools & templates:

    • EA Capability – Risk and Complexity Assessment Tool
    • EA Governance Assessment Tool

    Step 1.2: Assess current state of EA governance

    Start with an analyst kick-off call:

    • Review the output of the EA governance assessment and gather feedback on your goals for the EA practice.

    Then complete these activities…

    • Discuss whether you are ready to proceed with the project.
    • Review the list of tasks and plan your next steps.

    With these tools & templates:

    • EA Governance Assessment Tool

    Right-size EA governance based on organizational complexity

    Determining organizational complexity is not rocket science. Use Info-Tech’s tool to quantify the complexity and use it, along with common sense, to determine the appropriate level of architecture governance.

    Info-Tech’s methodology uses six factors to determine the complexity of the organization:

    1. The size of the organization, which can often be denoted by the revenue, headcount, number of applications in use, and geographical diversity.
    2. The solution alignment factor helps indicate the degree to which various projects map to the organization’s strategy.
    3. The size and complexity of the IT infrastructure and networks.
    4. The portfolio of applications maintained by the IT organization.
    5. Key changes within the organization such as M&A, regulatory changes, or a change in business or technology leadership.
    6. Other negative influences that can adversely affect the organization.

    Determine your organization’s level of complexity

    1.1 2 hours

    Input

    • Group consensus on the current state of EA competencies.

    Output

    • A list of gaps that need to be addressed for EA governance competencies.

    Materials

    • Info-Tech’s EA assessment tool, a computer, and/or a whiteboard and marker.

    Participants

    • EA team, business line leads, IT department leads.

    The image shows a screenshot of the Table of Contents with the EA Capability section highlighted.

    Step 1 - Facilitate

    Download the EA Capability – Risk and Complexity Assessment Tool to facilitate a session on determining your organization’s complexity.

    Download EA Organizational - Risk and Complexity Assessment Tool

    Step 2 - Summarize

    Summarize the results in the EA governance framework document.

    Update the EA Governance Framework Template

    Understand the components of effective EA governance

    EA governance is multi-faceted and it facilitates effective use of resources to meet organizational strategic objectives through well-defined structural elements.

    EA Governance

    • Fundamentals
    • Engagement Model
    • Policy
    • Governing Bodies
    • Architectural Standards

    Components of architecture governance

    1. EA vision, mission, goals, metrics, and principles that provide a direction for the EA practice.
    2. An engagement model showing where and in what fashion EA is engaged in the IT operating model.
    3. An architecture policy formulated and enforced by the architectural governing bodies to guide and constrain architectural choices in pursuit of strategic goals.
    4. Governing bodies to assess projects for compliance and provide feedback.
    5. Architectural standards that codify the EA work products to ensure consistent development of architecture.

    Next Step: Based on the organization’s complexity, conduct a current state assessment of EA governance using Info-Tech’s EA Governance Assessment Tool.

    Assess the components of EA governance in your organization

    1.2 2 hrs

    Input

    • Group consensus on the current state of EA competencies.

    Output

    • A list of gaps that need to be addressed for EA governance competencies.

    Materials

    • Info-Tech’s EA assessment tool, a computer, and/or a whiteboard and marker.

    Participants

    • EA team, business line leads, IT department leads.

    The image shows a screenshot of the Table of Contents with the EA Governance section highlighted.

    Step 1 - Facilitate

    Download the “EA Governance Assessment Tool” to facilitate a session on identifying the best practices to be applied in your organization.

    Download Info-Tech’s EA Governance Assessment Tool

    Step 2 - Summarize

    Summarize the identified best practices in the EA governance framework document.

    Update the EA Governance Framework Template


    Conduct a current state assessment to identify limitations of the existing EA governance framework

    CASE STUDY

    Industry Insurance

    Source Info-Tech

    Situation

    INSPRO01 was planning a major transformation initiative. The organization determined that EA is a strategic function.

    The CIO had pledged support to the EA group and had given them a mandate to deliver long-term strategic architecture.

    The business leaders did not trust the EA team and believed that lack of business skills in the group put the business transformation at risk.

    Complication

    The EA group had been traditionally seen as a technology organization that helps with software design.

    The EA team lacked understanding of the business and hence there had been no common language between business and technology.

    Result

    Info-Tech helped the EA team create a set of 10 architectural principles that are business-value driven rather than technical statements.

    The team socialized the principles with the business and technology stakeholders and got their approvals.

    By applying the business focused architectural principles, the EA team was able to connect with the business leaders and gain their support.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    Key Activities

    • Determine organizational complexity.
    • Conduct an assessment of the EA governance components.
    • Identify and prioritize gaps.

    Outcomes

    • Organizational complexity assessment
    • EA governance capability assessment
    • A prioritized list of capability gaps

    Phase 2

    EA Fundamentals

    Create a Right-Sized Enterprise Architecture Governance Framework

    EA Fundamentals

    1. Current State of EA Governance
    2. EA Fundamentals
    3. Engagement Model
    4. EA Governing Bodies
    5. EA Policy
    6. Architectural Standards
    7. Communication Plan

    This phase will walk you through the following activities:

    • Craft the EA vision and mission
    • Develop the EA principles.
    • Identify the EA goals

    This step involves the following participants:

    • CIO
    • IT Leaders
    • Business Leaders
    • Head of Enterprise Architecture
    • Enterprise Architects
    • Domain Architects
    • Solution Architects

    Outcomes of this step

    • Refined set of EA fundamentals to support the building of EA governance

    Info-Tech Insight

    A house divided against itself cannot stand – ensure that the EA fundamentals are aligned with the organization’s goals and objectives.

    Phase 2 guided implementation outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 2: EA Fundamentals

    Proposed Time to Completion: 3 weeks

    Step 2.1: Develop the EA fundamentals

    Review findings with analyst:

    • Discuss the importance of the EA fundamentals – vision, mission, goals, measures, and principles.
    • Understand how to align the EA vision, mission, goals, and measures to your organization’s vision, mission, goals, measures, and principles.

    Then complete these activities…

    • Develop the EA vision statements.
    • Craft the EA mission statements.
    • Define EA goals and measures.
    • Adopt EA principles.

    With these tools & templates:

    • EA Vision and Mission Template
    • EA Principles Template
    • EA Goals and Measures Template

    Step 2.2: Review the EA fundamentals

    Review findings with analyst:

    • Review the EA fundamentals in conjunction with the results of the EA governance assessment tool and gather feedback.

    Then complete these activities…

    • Refine the EA vision, mission, goals, measures, and principles.
    • Review the list of tasks and plan your next steps.

    With these tools & templates:

    • EA Vision and Mission Template
    • EA Principles Template
    • EA Goals and Measures Template

    Fundamentals of an EA organization

    Vision, mission, goals and measures, and principles form the foundation of the EA function.

    Factors to consider when developing the vision and mission statements

    The vision and mission statements provide strategic direction to the EA team. These statements should be created based on the business and technology drivers in the organization.

    Business Drivers

    • Business drivers are factors that determine, or cause, an increase in value or major improvement of a business.
    • Examples of business drivers include:
      • Increased revenue
      • Customer retention
      • Salesforce effectiveness
      • Innovation

    Technology Drivers

    • Technology drivers are factors that are vital for the continued success and growth of a business using effective technologies.
    • Examples of technology drivers include:
      • Enterprise integration
      • Information security
      • Portability
      • Interoperability

    "The very essence of leadership is [that] you have a vision. It's got to be a vision you articulate clearly and forcefully on every occasion. You can't blow an uncertain trumpet." – Theodore Hesburgh

    Develop vision, mission, goals, measures, and principles to define the EA capability direction and purpose

    EA capability vision statement

    Articulates the desired future state of EA capability expressed in the present tense.

    • What will be the role of EA capability?
    • How will EA capability be perceived?

    Example: To be recognized by both the business and IT as a trusted partner that drives [Company Name]’s effectiveness, efficiency, and agility.

    EA capability mission statement

    Articulates the fundamental purpose of the EA capability.

    • Why does EA capability exist?
    • What does EA capability do to realize its vision?
    • Who are the key customers of the EA capability?

    Example: Define target enterprise architecture for [Company Name], identify solution opportunities, inform IT investment management, and direct solution development, acquisition, and operation compliance.

    EA capability goals and measures

    EA capability goals define specific desired outcomes of an EA management process execution. EA capability measures define how to validate the achievement of the EA capability goals.

    Example:

    Goal: Improve reuse of IT assets at [Company Name].

    Measures:

    • The number of building blocks available for reuse.
    • Percent of projects that utilized existing building blocks.
    • Estimated efficiency gain (= effort to create a building block * reuse count).

    EA principles

    EA principles are shared, long-lasting beliefs that guide the use of IT in constructing, transforming, and operating the enterprise by informing and restricting target-state enterprise architecture design, solution development, and procurement decisions.

    Example:

    • EA principle name: Reuse.
    • Statement: Maximize reuse of existing assets.
    • Rationale: Reuse prevents duplication of development and support efforts, increasing efficiency, and agility.
    • Implications: Define architecture and solution building blocks and ensure their consistent application.

    EA principles guide decision making

    Policies can be seen as “the letter of the law,” whereas EA principles summarize “the spirit of the law.”

    The image shows a graphic with EA Principles listed at the top, with an arrow pointing down to Decisions on the use of IT. At the bottom are domain-specific policies, with two arrows pointing upwards: the arrow on the left is labelled direct, and the arrow on the right is labelled control. The arrow points up to the label Decisions on the use of IT. On the left, there is an arrow pointing both up and down. At the top it is labelled The spirit of the law, and at the bottom, The letter of the law. On the right, there is another arrow pointing both up and down, labelled How should decisions be made at the top and labelled Who has the accountability and authority to make decisions? at the bottom.

    Define EA capability goals and related measures that resonate with EA capability stakeholders

    EA capability goals, i.e. specific desired outcomes of an EA management process execution. Use COBIT 5, APO03 process goals, and metrics as a starting point.

    The image shows a chart titled Manage Enterprise Architecture.

    Define relevant business value measures to collect indirect evidence of EA’s contribution to business benefits

    Define key operational measures for internal use by IT and EA practitioners. Also, define business value measures that communicate and demonstrate the value of EA as an enabler of business outcomes to senior executives.

    EA performance measures (lead, operational) EA value measures (lag)
    Application of EA management process EA’s contribution to IT performance EA’s contribution to business value

    Enterprise Architecture Management

    • Number of months since the last review of target state EA blueprints.

    IT Investment Portfolio Management

    • Percentage of projects that were identified and proposed by EA.

    Solution Development

    • Number of projects that passed EA reviews.
    • Number of building blocks reused.

    Operations Management

    • Reduction in the number of applications with overlapping functionality.

    Business Value

    • Lower non-discretionary IT spend.
    • Decreased time to production.
    • Higher satisfaction of IT-enabled services.

    Refine the organization’s EA fundamentals

    2.1 2 hrs

    Input

    • Group consensus on the current state of EA competencies.

    Output

    • A list of gaps that need to be addressed for EA governance competencies.

    Materials

    • Info-Tech’s EA assessment tool, a computer, and/or a whiteboard and marker.

    Participants

    • EA team, business line leads, IT department leads.

    The image shows the Table of Contents with four sections highlighted, beginning with EA Vision Statement and ending with EA Goals and Measures.

    Step 1 - Facilitate

    Download the three templates and hold a working session to facilitate a session on creating EA fundamentals.

    Download the EA Vision and Mission Template, the EA Principles Template, and the EA Goals and Measures Template

    Step 2 - Summarize

    Document the final vision, mission, principles, goals, and measures within the EA Governance Framework.

    Update the EA Governance Framework Template


    Ensure that the EA fundamentals are aligned to the organizational needs

    CASE STUDY

    Industry Insurance

    Source Info-Tech

    Situation

    The EA group at INSPRO01 was being pulled in multiple directions with requests ranging from architecture review to solution design to code reviews.

    Project level architecture was being practiced with no clarity on the end goal. This led to EA being viewed as just another IT function without any added benefits.

    Info-Tech recommended that the EA team ensure that the fundamentals (vision, mission, principles, goals, and measures) reflect what the team aspired to achieve before fixing any of the process concerns.

    Complication

    The EA team was mostly comprised of technical people and hence the best practices outlined were not driven by business value.

    The team had no documented vision and mission statements in place. In addition, the existing goals and measures were not tied to the business strategic objectives.

    The team had architectural principles documented, but there were too many and they were very technical in nature.

    Result

    With Info-Tech’s guidance, the team developed a vision and mission statement to succinctly communicate the purpose of the EA function.

    The team also reduced and simplified the EA principles to make sure they were value driven and communicated in business terms.

    Finally, the team proposed goals and measures to track the performance of the EA team.

    With the fundamentals in place, the team was able to show the value of EA and gain organization-wide acceptance.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    Key Activities

    • Craft the EA vision and mission.
    • Develop the EA principles.
    • Identify the EA goals.

    Outcomes

    • Refined set of EA fundamentals to support the building of EA governance.

    Phase 3

    Engagement Model

    Create a Right-Sized Enterprise Architecture Governance Framework

    Engagement Model

    1. Current state of EA governance
    2. EA fundamentals
    3. Engagement model
    4. EA governing bodies
    5. EA policy
    6. Architectural standards
    7. Communication Plan

    This step will walk you through the following activities:

    • Build the case for EA engagement
    • Engagement touchpoints within the IT operating model

    This step involves the following participants:

    • CIO
    • IT Leaders
    • Business Leaders
    • Head of Enterprise Architecture
    • Enterprise Architects
    • Domain Architects
    • Solution Architects

    Outcomes of this step

    • Summary of the assessment of the current EA engagement model
    • Target EA engagement model

    Info-Tech Insight

    Perform due diligence prior to decision making. Use the EA Engagement Model to promote conversations between stage gate meetings as opposed to having the conversation during the stage gate meetings.

    Phase 3 guided implementation outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 3: EA engagement model

    Proposed Time to Completion: 2 weeks

    Step 3.1 Review the current IT operating model

    Start with an analyst kick-off call:

    • Review Info-Tech’s IT operating model.
    • Understand how to document your organization’s IT operating model.
    • Document EA’s current role and responsibility at each stage of the IT operating model.

    Then complete these activities…

    • Document your organization’s IT operating model.

    With these tools & templates:

    • EA Engagement Model Template

    Step 3.2: Determine the target engagement model

    Review findings with analyst:

    • Review your organization’s current state IT operating model.
    • Review your EA’s role and responsibility at each stage of the IT operating model.
    • Document the role and responsibility of EA in the future state.

    Then complete these activities…

    • Document EA’s future role within each stage of your organization’s IT operating model.

    With these tools & templates:

    • EA Engagement Model Template.

    The three pillars of EA Engagement

    Effective EA engagement revolves around three basic principles – generating business benefits, creating adaptable models, and being able to replicate the process across the organization.

    Business Value Driven

    Focus on generating business value from organizational investments.

    Repeatable

    Process should be standardized, transparent, and repeatable so that it can be consistently applied across the organization.

    Flexible

    Accommodate the varying needs of projects of different sizes.

    Where these pillars meet: Advocates long-term strategic vs. short-term tactical solutions.

    EA interaction points within the IT operating model

    EA’s engagement in each stage within the plan, build, and run phases should be clearly defined and communicated.

    Plan Strategy Development Business Planning Conceptualization Portfolio Management
    Build Requirements Solution Design Application Development/ Procurement Quality Assurance
    Run Deploy Operate

    Document the organization’s current IT operating model

    3.1 2-3 hr

    Input

    • IT project lifecycle

    Output

    • Organization’s current IT operating model.

    Materials

    • A computer, and/or a whiteboard and marker.

    Participants

    • EA team, IT department leads, business leaders.

    Instructions:

    Hold a working session with the participants to document the current IT operating model. Facilitate the activity using the following steps:

    1. Map out the IT operating model.

    1. Find a project that was just deployed within the organization and backtrack every step of the way to the strategy development that resulted in the conception of the project.
    2. Interview the personnel involved with each step of the process to get a sense of whether or not projects usually move to deployment going through these steps.
    3. Review Info-Tech’s best-practice IT operating model presented in the EA Engagement Model Template, and add or remove any steps to the existing organization’s IT operating model as necessary. Document the finalized steps of the IT operating model.

    2. Determine EA’s current role in the operating model.

    1. Interview EA personnel through each step of the process and ask them their role. This is to get a sense of the type of input that EA is having into each step of the process.
    2. Using the EA Engagement Model Template, document the current role of EA in each step of the organization’s IT operation as you complete the interviews.

    Download the EA Engagement Model Template to document the organization’s current IT operating model.

    Define RACI in every stage of the IT operating model (e.g. EA role in strategy development phase of the IT operating model is presented below)

    Strategy Development

    Also known as strategic planning, strategy development is fundamental to creating and running a business. It involves the creation of a longer-term game plan or vision that sets specific goals and objectives for a business.

    R Those in charge of performing the task. These are the people actively involved in the completion of the required work. Business VPs, EA, IT directors R
    A The one ultimately answerable for the correct and thorough completion of the deliverable or task, and the one who delegates the work to those responsible. CEO A
    C Those whose opinions are sought before a decision is made, and with whom there is two-way communication. PMO, Line managers, etc. C
    I Those who are kept up to date on progress, and with whom there is one-way communication. Development managers, etc. I

    Next Step: Similarly define the RACI for each stage of the IT operating model; refer to the activity slide for prompts.

    Best practices on the role of EA within the IT operating model

    Plan

    Strategy Development

    C

    Business Planning

    C

    Conceptualization

    A

    Portfolio Management

    C

    Build

    Requirements

    C

    Solution Design

    R

    Application Development/ Procurement

    R

    Quality Assurance

    I

    Run

    Deploy

    I

    Operate

    I

    Next Step: Define the role of EA in each stage of the IT operating model; refer to the activity slide for prompts.

    Define EA’s target role in each step of the IT operating model

    3.2 2 hrs

    Input

    • Organization’s IT operating model.

    Output

    • Organization’s EA engagement model.

    Materials

    • A computer, and/or a whiteboard and marker.

    Participants

    • EA team, CIO, business leaders, IT department leaders.

    The image shows the Table of Contents for the EA Engagement Model Template with the EA Engagement Summary section highlighted.

    Step 1 - Facilitate

    Download the EA Engagement Model Template and hold a working session to define EA’s target role in each step of the IT operating model.

    Download the EA Engagement Model Template

    Step 2 - Summarize

    Document the target state role of EA within the EA Governance Framework document.

    Update the EA Governance Framework Template


    Design an EA engagement model to formalize EA’s role within the IT operating model

    CASE STUDY

    Industry Insurance

    Source Info-Tech

    Situation

    INSPRO01 had a high IT cost structure with looming technology debt due to a preference for short-term tactical gains over long-term solutions.

    The business satisfaction with IT was at an all-time low due to expensive solutions that did not meet business needs.

    INSPRO01’s technology landscape was in disarray with many overlapping systems and interoperability issues.

    Complication

    No single team within the organization had an end-to-end perspective all the way from strategy to project execution. A lot of information was being lost in handoffs between different teams.

    This led to inconsistent design/solution patterns being applied. Investment decisions had not been grounded in reality and this often led to cost overruns.

    Result

    Info-Tech helped INSPRO01 identify opportunities for EA team engagement at different stages of the IT operating model. EA’s role within each stage was clearly defined and documented.

    With Info-Tech’s help, the EA team successfully made the case for engagement upfront during strategy development rather than during project execution.

    The increased transparency enabled the EA team to ensure that investments were aligned to organizational strategic goals and objectives.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    Key Activities

    • Build the case for EA engagement.
    • Identify engagement touchpoints within the IT operating model.

    Outcomes

    • Summary of the assessment of the current EA engagement model
    • Target EA engagement model

    Phase 4

    EA Governing Bodies

    Create a Right-Sized Enterprise Architecture Governance Framework

    EA Governing Bodies

    1. Current state of EA governance
    2. EA fundamentals
    3. Engagement model
    4. EA governing bodies
    5. EA policy
    6. Architectural standards
    7. Communication Plan

    This phase will walk you through the following activities:

    • Identify the number of governing bodies
    • Define the game plan to initialize the governing bodies
    • Define the architecture review process

    This step involves the following participants:

    • CIO
    • IT Leaders
    • Business Leaders
    • Head of Enterprise Architecture
    • Enterprise Architects
    • Domain Architects
    • Solution Architects

    Outcomes of this step

    • Charter definition for each EA governance board

    Info-Tech Insight

    Use architecture governance like a scalpel rather than a hatchet. Implement governing bodies to provide guidance rather than act as a police force.

    Phase 4 guided implementation

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 4: Create or identify EA governing bodies

    Proposed Time to Completion: 2 weeks

    Step 4.1: Identify architecture boards and develop charters

    Start with an analyst kick-off call:

    • Understand the factors influencing the number of governing bodies required for an organization.
    • Understand the components of a governing body charter.

    Then complete these activities…

    • Identify how many governing bodies are needed.
    • Define EA governing body composition, meeting frequency, and domain of coverage.
    • Define the inputs and outputs of each EA governing body.
    • Identify mandatory inclusion criteria.

    With these tools & templates:

    • Architecture Board Charter Template

    Step 4.2: Develop an architecture review process

    Follow-up with an analyst call:

    • Review the number of boards identified for your organization and gather feedback.
    • Review the charters developed for each governing body and gather feedback.
    • Understand the various factors that impact the architecture review process.
    • Review Info-Tech’s best-practice architecture review process.

    Then complete these activities…

    • Refine the charters for governing bodies.
    • Develop the architecture review process for your organization.

    With these tools & templates:

    • Architecture Review Process Template

    Factors that determine the number of architectural boards required

    The primary purpose of architecture boards is to ensure that business benefits are maximized and solution design is within the options set forth by the architectural reference models without introducing additional layers of bureaucracy.

    The optimal number of architecture boards required in an organization is a function of the following factors:

    • EA organization model
      • Distributed
      • Federated
      • Centralized
    • Architecture domains Maturity of architecture domains
    • Project throughput

    Commonly observed architecture boards:

    • Architecture Review Board
    • Technical Architecture Committee
    • Data Architecture Review Board
    • Infrastructure Architecture Review Board
    • Security Architecture Review Board

    Info-Tech Insight

    Before building out a new governance board, start small by repurposing existing forums by adding architecture as an agenda item. As the items for review increase consider introducing dedicated governing bodies.

    EA organization model drives the architecture governance structure

    EA teams can be organized in three ways – distributed, federated, and centralized. Each model has its own strengths and weaknesses. EA governance must be structured in a way such that the strengths are harvested and the weaknesses are mitigated.

    Distributed Federated Centralized
    EA org. structure
    • No overarching EA team exists and segment architects report to line of business (LOB) executives.
    • A centralized EA team exists with segment architects reporting to LOB executives and dotted-line to head of (centralized) EA.
    • A centralized EA capability exists with enterprise architects reporting to the head of EA.
    Implications
    • Produces a fragmented and disjointed collection of architectures.
    • Economies of scale are not realized.
    • High cross-silo integration effort.
    • LOB-specific approach to EA.
    • Requires dual reporting relationships.
    • Additional effort is required to coordinate centralized EA policies and blueprints with segment EA policies and blueprints.
    • Accountabilities may be unclear.
    • Can be less responsive to individual LOB needs, because the centralized EA capability must analyze needs of multiple LOBs and various trade-off options to avoid specialized, one-off solutions.
    • May impede innovation.
    Architectural boards
    • Cross LOB working groups to create architecture standards, patterns, and common services.
    • Local boards to support responsiveness to LOB-specific needs.
    • Cross LOB working groups to create architecture standards, patterns and common services.
    • Cross-enterprise boards to ensure adherence to enterprise standards and reduce integration costs.
    • Local boards to support responsiveness to LOB specific needs.
    • Enterprise working groups to create architecture standards, patterns, and all services.
    • Central board to ensure adherence to enterprise standards.

    Architecture domains influences the number of architecture boards required

    • An architecture review board (ARB) provides direction for domain-specific boards and acts as an escalation point. The ARB must have the right mix of both business and technology stakeholders.
    • Domain-specific boards provide a platform to have focused discussions on items specific to that domain.
    • Based on project throughput and the maturity of each domain, organizations would have to pick the optimal number of boards.
    • Architecture working groups provide a platform for cross-domain conversations to establish organization wide standards.
    Level 1 Architecture Review Board IT and Business Leaders
    Level 2 Business Architecture Board Data Architecture Board Application Architecture Board Infrastructure Architecture Board Security Architecture Board IT and Business Managers
    Level 3 Architecture Working Groups Architects

    Create a game plan for the architecture boards

    • Start with a single board for each level – an architecture review board (ARB), a technical architecture committee (TAC), and architecture working groups.
    • As the organization matures and the number of requests to the TAC increase, consider creating domain-specific boards – such as business architecture, data architecture, application architecture, etc. – to handle architecture decisions pertaining to that domain.

    Start with this:

    Level 1 Architecture Review Board
    Level 2 Technical Architecture Committee
    Level 3 Architecture Working Groups

    Change to this:

    Architecture Review Board IT and Business Leaders
    Business Architecture Board Data Architecture Board Application Architecture Board Infrastructure Architecture Board Security Architecture Board IT and Business Managers
    Architecture Working Groups Architects

    Architecture boards have different objectives and activities

    The boards at each level should be set up with the correct agenda – ensure that the boards’ composition and activities reflect their objective. Use the entry criteria to communicate the agenda for their meetings.

    Architecture Review Board Technical Architecture Committee
    Objective
    • Evaluates business strategy, needs, and priorities, sets direction and acts as a decision making authority of the EA capability.
    • Directs the development of target state architecture.
    • Monitors performance and compliance of the architectural standards.
    • Monitor project solution architecture compliance to standards, regulations, EA principles, and target state EA blueprints.
    • Review EA compliance waiver requests, make recommendations, and escalate to the architecture review board (ARB).
    Composition
    • Business Leadership
    • IT Leadership
    • Head of Enterprise Architecture
    • Business Managers
    • IT Managers
    • Architects
    Activities
    • Review compliance of conceptual solution to standards.
    • Discuss the enterprise implications of the proposed solution.
    • Select and approve vendors.
    • Review detailed solution design.
    • Discuss the risks of the proposed solution.
    • Discuss the cost of the proposed solution.
    • Review and recommend vendors.
    Entry Criteria
    • Changes to IT Enterprise Technology Policy.
    • Changes to the technology management plan.
    • Approve changes to enterprise technology inventory/portfolio.
    • Ongoing operational cost impacts.
    • Detailed estimates for the solution are ready for review.
    • There are significant changes to protocols or technologies responsible for solution.
    • When the project is deviating from baselined architectures.

    Identify the number of governing bodies

    4.1 2 hrs

    Input

    • EA Vision and Mission
    • EA Engagement Model

    Output

    • A list of EA governing bodies.

    Materials

    • A computer, and/or a whiteboard and marker.

    Participants

    • EA team, CIO, business line leads, IT department leads.

    Instructions:

    Hold a working session with the participants to identify the number of governing bodies. Facilitate the activity using the following steps:

    1. Examine the EA organization models mentioned previously. Assess how your organization is structured, and identify whether your organization has a federated, distributed or centralized EA organization model.
    2. Reference the “Game plan for the architecture boards” slide. Assess the architecture domains, and define how many there are in the organization.
    3. Architecture domains:
      1. If no defined architecture domains exist, model the number of governing bodies in the organization based on the “Start with this” scenario in the “Game plan for the architecture boards” slide.
      2. If defined architecture domains do exist, model the number of governing bodies based on the “Change to this” scenario in the “Game plan for the architecture boards” slide.
    4. Name each governing body you have defined in the previous step. Download Info-Tech’s Architecture Board Charter Template for each domain you have named. Input the names into the title of each downloaded template.

    Download the Architecture Board Charter Template to document this activity.

    Defining the governing body charter

    The charter represents the agreement between the governing body and its stakeholders about the value proposition and obligations to the organization.

    1. Purpose: The reason for the existence of the governing body and its goals and objectives.
    2. Composition: The members who make up the committee and their roles and responsibilities in it.
    3. Frequency of meetings: The frequency at which the committee gathers to discuss items and make decisions.
    4. Entry/Exit Criteria: The criteria by which the committee selects items for review and items for which decisions can be taken.
    5. Inputs: Materials that are provided as inputs for review and decision making by the committee.
    6. Outputs: Materials that are provided by the committee after an item has been reviewed and the decision made.
    7. Activities: Actions undertaken by the committee to arrive at its decision.

    Define EA’s target role in each step of the IT operating model

    4.2 3 hrs

    Input

    • A list of all identified EA governing bodies.

    Output

    • Charters for each EA governing bodies.

    Materials

    • A computer, and/or a whiteboard and marker.

    Participants

    • EA team, business line leads, IT department leads.

    The image shows the Table of Contents for the EA Governance Framework document, with the Architecture Board Charters highlighted.

    Step 1 Facilitate

    Hold a working session with the stakeholders to define the charter for each of the identified architecture boards.

    Download Architecture Board Charter Template

    Step 2 Summarize

    • Summarize the objectives of each board and reference the charter document within the EA Governance Framework.
    • Upload the final charter document to the team’s common repository.

    Update the EA Governance Framework document


    Considerations when creating an architecture review process

    • Ensure that architecture review happens at major milestones within the organization’s IT Operating Model such as the plan, build, and run phases.
    • In order to provide continuous engagement, make the EA group accountable for solution architecture in the plan phase. In the build phase, the EA group will be consulted while the solution architect will be responsible for the project solution architecture.

    Plan

    • Strategy Development
    • Business Planning
    • A - Conceptualization
    • Portfolio Management

    Build

    • Requirements
    • R - Solution Design
    • Application Development/ Procurement
    • Quality Assurance

    Run

    • Deploy
    • Operate

    Best-practice project architecture review process

    The best-practice model presented facilitates the creation of sound solution architecture through continuous engagement with the EA team and well-defined governance checkpoints.

    The image shows a graphic of the best-practice model. At the left, four categories are listed: Committees; EA; Project Team; LOB. At the top, three categories are listed: Plan; Build; Run. Within the area between these categories is a flow chart demonstrating the best-practice model and specific checkpoints throughout.

    Develop the architecture review process

    4.3 2 hours

    Input

    • A list of all EA governing bodies.
    • Info-Tech’s best practice architecture review process.

    Output

    • The new architecture review process.

    Materials

    • A computer, and/or a whiteboard and marker.

    Participants

    • EA team, business line leads, IT department leads.

    Hold a working session with the participants to develop the architecture review process. Facilitate the activity using the following steps:

    1. Reference Info-Tech’s best-practice architecture review process embedded within the “Architecture Review Process Template” to gain an understanding of an ideal architecture review process.
    2. Identify the stages within the plan, build, and run phases where solution architecture reviews should occur, and identify the governing bodies involved in these reviews.
    3. As you go through these stages, record your findings in the Architecture Review Process Template.
    4. Connect the various activities leading to and from the architecture creation points to outline the review process.

    Download the Architecture Review Process Template for additional guidance regarding developing an architecture review process.

    Develop the architecture review process

    4.3 2 hrs

    Input

    • A list of all identified EA governing bodies.

    Output

    • Charters for each EA governing bodies.

    Materials

    • A computer, and/or a whiteboard and marker.

    Participants

    • EA team, business line leads, IT department leads.

    The image shows a screenshot of the Table of Contents, with the Architecture Review Process highlighted.

    Step 1 - Facilitate

    Download Architecture Review Process Template and facilitate a session to customize the best-practice model presented in the template.

    Download the Architecture Review Process Template

    Step 2 - Summarize

    Summarize the process changes and document the process flow in the EA Governance Framework document.

    Update the EA Governance Framework Template

    Right-size EA governing bodies to reduce the perception of red tape

    Case Study

    Industry Insurance

    Source Info-Tech

    Situation

    At INSPRO01, architecture governance boards were a bottleneck. The boards fielded all project requests, ranging from simple screen label changes to complex initiatives spanning multiple applications.

    These boards were designed as forums for technology discussions without any business stakeholder involvement.

    Complication

    INSPRO01’s management never gave buy-in to the architecture governance boards since their value was uncertain.

    Additionally, architectural reviews were perceived as an item to be checked off rather than a forum for getting feedback.

    Architectural exceptions were not being followed through due to the lack of a dispensation process.

    Result

    Info-Tech has helped the team define adaptable inclusion/exclusion criteria (based on project complexity) for each of the architectural governing boards.

    The EA team was able to make the case for business participation in the architecture forums to better align business and technology investment.

    An architecture dispensation process was created and operationalized. As a result architecture reviews became more transparent with well-defined next steps.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    Key Activities

    • Identify the number of governing bodies.
    • Define the game plan to initialize the governing bodies.
    • Define the architecture review process.

    Outcomes

    • Charter definition for each EA governance board

    Phase 5

    EA Policy

    Create a Right-Sized Enterprise Architecture Governance Framework

    EA Policy

    1. Current state of EA governance
    2. EA fundamentals
    3. Engagement model
    4. EA governing bodies
    5. EA policy
    6. Architectural standards
    7. Communication Plan

    This phase will walk you through the following activities:

    • Define the EA policy scope
    • Identify the target audience
    • Determine the inclusion and exclusion criteria
    • Create an assessment checklist

    This step involves the following participants:

    • CIO
    • IT Leaders
    • Business Leaders
    • Head of Enterprise Architecture
    • Enterprise Architects
    • Domain Architects
    • Solution Architects

    Outcomes of this step

    • The completed EA policy
    • Project assessment checklist
    • Defined assessment outcomes
    • Completed compliance waiver process

    Info-Tech Insight

    Use the EA policy to promote EA’s commitment to deliver value to business stakeholders through process transparency, stakeholder engagement, and compliance.

    Phase 5 guided implementation

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 5: EA Policy

    Proposed Time to Completion: 3 weeks

    Step 5.1–5.3: EA Policy, Assessment Checklists, and Decision Types

    Start with an analyst kick-off call:

    • Discuss the three pillars of EA policy and its purpose.
    • Review the components of an effective EA policy.
    • Understand how to develop architecture assessment checklists.
    • Understand the assessment decision types.

    Then complete these activities…

    • Define purpose, scope, and audience of the EA policy.
    • Create a project assessment checklist.
    • Define the organization’s assessment decision type.

    With these tools & templates:

    • EA Policy Template
    • EA Assessment Checklist Template

    Step 5.4: Compliance Waivers

    Review findings with analyst:

    • Review your draft EA policy and gather feedback.
    • Review your project assessment checklists and the assessment decision types.
    • Discuss the best-practice architecture compliance waiver process and how to tailor it to your organizational needs.

    Then complete these activities…

    • Refine the EA policy based on feedback gathered.
    • Create the compliance waiver process.

    With these tools & templates:

    • EA Compliance Waiver Process Template
    • EA Compliance Waiver Form Template

    Three pillars of architecture policy

    Architecture policy is a set of guidelines, formulated and enforced by the governing bodies of an organization, to guide and constrain architectural choices in pursuit of strategic goals.

    Architecture compliance – promotes compliance to organizational standards through well-defined assessment checklists across architectural domains.

    Business value – ensures that investments are tied to business value by enforcing traceability to business capabilities.

    Architectural guidance – provides guidance to architecture practitioners on the application of the business and technology standards.

    Components of EA policy

    An enterprise architecture policy is an actionable document that can be applied to projects of varying complexity across the organization.

    1. Purpose and Scope: This EA policy document clearly defines the scope and the objectives of architecture reviews within an organization.
    2. Target Audience: The intended audience of the policy such as employees and partners.
    3. Architecture Assessment Checklist: A wide range of typical questions that may be used in conducting Architecture Compliance reviews, relating to various aspects of the architecture.
    4. Assessment Outcomes: The outcome of the architecture review process that determines the conformance of a project solution to the enterprise architecture standards.
    5. Compliance Waiver: Used when a solution or segment architecture is perceived to be non-compliant with the enterprise architecture.

    Draft the purpose and scope of the EA policy

    5.1 2.5 hrs

    Input

    • A consensus on the purpose, scope, and audience for the EA policy.

    Output

    • Documented version of the purpose, scope, and audience for the EA policy.

    Materials

    • A computer, and/or a whiteboard and marker.

    Participants

    • EA team, CIO, business line leads, IT department leads.

    The image shows a screenshot of the Table of Contents with the EA Policy section highlighted.

    Step 1 - Facilitate

    Download the EA Policy Template and hold a working session to draft the EA policy.

    Download the EA Policy Template

    Step 2 - Summarize

    • Summarize purpose, scope, and intended audience of the policy in the EA Governance Framework document.
    • Update the EA policy document with the purpose, scope and intended audience.

    Update the EA Governance Framework Template

    Architecture assessment checklist

    Architecture assessment checklist is a list of future-looking criteria that a project will be assessed against. It provides a set of standards against which projects can be assessed in order to render a decision on whether or not the project can be greenlighted.

    Architecture checklists should be created for each EA domain since each domain provides guidance on specific aspects of the project.

    Sample Checklist Questions

    Business Architecture:

    • Is the project aligned to organizational strategic goals and objectives?
    • What are the business capabilities that the project supports? Is it creating new capabilities or supporting an existing one?

    Data Architecture:

    • What processes are in place to support data referential integrity and/or normalization?
    • What is the physical data model definition (derived from logical data models) used to design the database?

    Application Architecture:

    • Can this application be placed on an application server independent of all other applications? If not, explain the dependencies.
    • Can additional parallel application servers be easily added? If so, what is the load balancing mechanism?

    Infrastructure Architecture:

    • Does the solution provide high-availability and fault-tolerance that can recover from events within a datacenter?

    Security Architecture:

    • Have you ensured that the corporate security policies and guidelines to which you are designing are the latest versions?

    Create architectural assessment checklists

    5.2 2 hrs

    Input

    • Reference architecture models.

    Output

    • Architecture assessment checklist.

    Materials

    • A computer, and/or a whiteboard and marker.

    Participants

    • EA team, business line leads, IT department leads.

    The image shows a screenshot of the Table of Contents with the EA Assessment Checklist section highlighted.

    Step 1 - Facilitate

    Download the EA Assessment Checklist Template and hold a working session to create the architectural assessment checklists.

    Download the EA Assessment Checklist Template

    Step 2 - Summarize

    • Summarize the major points of the checklists in the EA Governance Framework document.
    • Update the EA policy document with the detailed architecture assessment checklists.

    Update the EA Governance Framework Template

    Architecture assessment decision types

    • As a part of the proposed solution review, the governing bodies produce a decision indicating the compliance of the solution architecture with the enterprise standards.
    • Go, No Go, or Conditional are a sample set of decision outcomes available to the governing bodies.
    • On a conditional approval, the project team must file for a compliance waiver.

    Approved

    • The solution demonstrates substantial compliance with standards.
    • Negligible risk to the organization or minimal risks with sound plans of how to mitigate them.
    • Architectural approval to proceed with delivery type of work.

    Conditional Approval

    • The significant aspects of the solution have been addressed in a satisfactory manner.
    • Yet, there are some aspects of the solution that are not compliant with standards.
    • The architectural approval is conditional upon presenting the missing evidence within a minimal period of time determined.
    • The risk level may be acceptable to the organization from an overall IT governance perspective.

    Not Approved

    • The solution is not compliant with the standards.
    • Scheduled for a follow-up review.
    • Not recommended to proceed until the solution is more compliant with the standards.

    Best-practice architecture compliance waiver process

    Waivers are not permanent. Waiver terms must be documented for each waiver specifying:

    • Time period after which the architecture in question will be compliant with the enterprise architecture.
    • The modifications necessary to the enterprise architecture to accommodate the solution.

    The image shows a flow chart, split into 4 sections: Enterprise Architect; Solution Architect; TAC; ARB. To the right of these section labels, there is a flow chart that documents the waiver process.

    Create compliance waiver process

    5.4 3-4 hrs

    Input

    • A consensus on the compliance waiver process.

    Output

    • Documented compliance waiver process and form.

    Materials

    • A computer, and/or a whiteboard and marker.

    Participants

    • EA team, business line leads, IT department leads.

    The image shows the Table of Contents with the Compliance Waiver Form section highlighted.

    Step 1 - Facilitate

    Download the EA compliance waiver template and hold a working session to customize the best-practice process to your organization’s needs.

    Download the EA Compliance Waiver Process Template

    Step 2 - Summarize

    • Summarize the objectives and high-level process in the EA Governance Framework document.
    • Update the EA policy document with the compliance waiver process.
    • Upload the final policy document to the team’s common repository.

    Update the EA Governance Framework Template

    Creates an enterprise architecture policy to drive adoption

    Case Study

    Industry Insurance

    Source Info-Tech

    Situation

    EA program adoption across INSPRO01 was at its lowest point due to a lack of transparency into the activities performed by the EA group.

    Often, projects ignored EA entirely as it was viewed as a nebulous and non-value-added activity that produced no measurable results.

    Complication

    There was very little documented information about the architecture assessment process and the standards against which project solution architectures were evaluated.

    Additionally, there were no well-defined outcomes for the assessment.

    Project groups were left speculating about the next steps and with little guidance on what to do after completing an assessment.

    Result

    Info-Tech helped the EA team create an EA policy containing architecture significance criteria, assessment checklists, and reference to the architecture review process.

    Additionally, the team also identified guidelines and detailed next steps for projects based on the outcome of the architecture assessment.

    These actions brought clarity to EA processes and fostered better engagement with the EA group.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    Key Activities

    • Define the scope.
    • Identify the target audience.
    • Determine the inclusion and exclusion criteria.
    • Create an assessment checklist.

    Outcomes

    • The completed EA policy
    • Project assessment checklist
    • Defined assessment outcomes
    • Completed compliance waiver process

    Phase 6

    Architectural Standards

    Create a Right-Sized Enterprise Architecture Governance Framework

    Architectural Standards

    1. Current state of EA governance
    2. EA fundamentals
    3. Engagement model
    4. EA governing bodies
    5. EA policy
    6. Architectural standards
    7. Communication Plan

    This phase will walk you through the following activities:

    • Identify and standardize EA work products
    • Classify the architectural standards
    • Identify the custodian of standards
    • Update the standards

    This step involves the following participants:

    • Head of Enterprise Architecture
    • Enterprise Architects
    • Domain Architects
    • Solution Architects

    Outcomes of this step

    • A standardized set of EA work products
    • A way to categorize and store EA work products
    • A defined method of updating standards

    Info-Tech Insight

    The architecture standard is the currency that facilitates information exchange between stakeholders. The primary purpose is to minimize transaction costs by providing a balance between stability and relevancy.

    Phase 6 guided implementation

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 6: Architectural standards

    Proposed Time to Completion: 4 weeks

    Step 6.1: Understand Architectural Standards

    Start with an analyst kick-off call:

    • Discuss architectural standards.
    • Know how to identify and define EA work products.
    • Understand the standard content of work products.

    Then complete these activities…

    • Identify and standardize EA work products.

    Step 6.2–6.3: EA Repository and Updating the Standards

    Review with analyst:

    • Review the standardized EA work products.
    • Discuss the principles of EA repository.
    • Discuss the Info-Tech best-practice model for updating architecture standards and how to tailor them to your organizational context.

    Then complete these activities…

    • Build a folder structure for storing EA work products.
    • Use the Info-Tech best-practice architecture standards update process to develop your organization’s process for updating architecture standards.

    With these tools & templates:

    • Architecture Standards Update Process Template

    Recommended list of EA work products to standardize

    • EA work products listed below are typically produced as a part of the architecture lifecycle.
    • To ensure consistent development of architecture, the work products need to be standardized.
    • Consider standardizing both the naming conventions and the content of the work products.
    1. EA vision: A document containing the vision that provides the high-level aspiration of the capabilities and business value that EA will deliver.
    2. Statement of EA Work: The Statement of Architecture Work defines the scope and approach that will be used to complete an architecture project.
    3. Reference architectures: A reference architecture is a set of best-practice taxonomy that describes components and the conceptual structure of the model, as well as graphics, which provide a visual representation of the taxonomy to aid understanding. Reference architectures are created for each of the architecture domains.
    4. Solution proposal: The proposed project solution based on the EA guidelines and standards.
    5. Compliance assessment request: The document that contains the project solution architecture assessment details.
    6. Architecture change request: The request that initiates a change to architecture standards when existing standards can no longer meet the needs of the enterprise.
    7. Transition architecture: A transition architecture shows the enterprise at incremental states that reflect periods of transition that sit between the baseline and target architectures.
    8. Architectural roadmap: A roadmap that lists individual increments of change and lays them out on a timeline to show progression from the baseline architecture to the target architecture.
    9. EA compliance waiver request: A compliance waiver request that must be made when a solution or segment architecture is perceived to be non-compliant with the enterprise architecture.

    Standardize the content of each work product

    1. Purpose - The reason for the existence of the work product.
    2. Owner - The owner of this EA work product.
    3. Target Audience - The intended audience of the work product such as employees and partners.
    4. Naming Pattern - The pattern for the name of the work product as well as its file name.
    5. Table of Contents - The various sections of the work product.
    6. Review & Sign-Off Authority - The stakeholders who will review the work product and approve it.
    7. Repository Folder Location - The location where the work product will be stored.

    Identify and standardize work products

    6.1 3 hrs

    Input

    • List of various documents being produced by projects currently.

    Output

    • Standardized list of work products.

    Materials

    • A computer, and/or a whiteboard and marker.

    Participants

    • A computer, and/or a whiteboard and marker.

    Instructions:

    Hold a working session with the participants to identify and standardize work products. Facilitate the activity using the steps below.

    1. Identifying EA work products:
      1. Start by reviewing the list of all architecture-related documents presently produced in the organization. Any such deliverable with the following characteristics can be standardized:
        1. If it can be broken out and made into a standalone document.
        2. If it can be made into a fill-in form completed by others.
        3. If it is repetitive and requires iterative changes.
      2. Create a list of work products that your organization would like to standardize based on the characteristics above.
    2. The content and format of standardized EA work products:
      1. For each work product your organization wishes to standardize, look at its purpose and brainstorm the content needed to fulfill that purpose.
      2. After identifying the elements that need to be included in the work product to fulfill its purpose, order them logically for presentation purposes.
      3. In each section of the work product that need to be completed, include instructions on how to complete the section.
      4. Review the seven elements presented in the previous slide and include them in the work products.

    EA repository - information taxonomy

    As the EA function begins to grow and accumulates EA work products, having a well-designed folder structure helps you find the necessary information efficiently.

    Architecture meta-model

    Describes the organizationally tailored architecture framework.

    Architecture capability

    Defines the parameters, structures, and processes that support the enterprise architecture group.

    Architecture landscape

    An architectural presentation of assets in use by the enterprise at particular points in time.

    Standards information base

    Captures the standards with which new architectures and deployed services must comply.

    Reference library

    Provides guidelines, templates, patterns, and other forms of reference material to accelerate the creation of new architectures for the enterprise.

    Governance log

    Provides a record of governance activity across the enterprise.

    Create repository folder structure

    6.2 5-6 hrs

    Input

    • List of standardized work products.

    Output

    • EA work products mapped to a repository folder.

    Materials

    • A computer, and/or a whiteboard and marker.

    Participants

    • EA team, IT department leads.

    Instructions:

    Hold a working session with the participants to create a repository structure. Facilitate the activity using the steps below:

    1. Start with the taxonomy on the previous slide, and sort the existing work products into these six categories.
    2. Assess that the work products are sorted in a mutually exclusive and collectively exhaustive fashion. This means that a certain work product that appears in one category should not appear in another category. As well, make sure these six categories capture all the existing work products.
    3. Based on the categorization of the work products, build a folder structure that follows these categories, which will allow for the work products to be accessed quickly and easily.

    Create a process to update EA work products

    • Architectural standards are not set in stone and should be reviewed and updated periodically.
    • The Architecture Review Board is the custodian for standards.
    • Any change to the standards need to be assessed thoroughly and must be communicated to all the impacted stakeholders.

    Architectural standards update process

    Identify

    • Identify changes to the standards

    Assess

    • Review and assess the impacts of the change

    Document

    • Document the change and update the standard

    Approve

    • Distribute the updated standards to key stakeholders for approval

    Communicate

    • Communicate the approved changes to impacted stakeholders

    Create a process to continually update standards

    6.3 1.5 hrs

    Input

    • The list of work products and its owners.

    Output

    • A documented work product update process.

    Materials

    • A computer, and/or a whiteboard and marker.

    Participants

    • EA team, business line leads, IT department leads.

    The image shows the screenshot of the Table of Contents with the Standards Update Process highlighted.

    Step 1 - Facilitate

    Download the standards update process template and hold a working session to customize the best practice process to your organization’s needs.

    Download the Architecture Standards Update Process Template

    Step 2 - Summarize

    Summarize the objectives and the process flow in the EA governance framework document.

    Update the EA Governance Framework Template

    Create architectural standards to minimize transaction costs

    Case Study

    Industry Insurance

    Source Info-Tech

    Situation

    INSPRO01 didn’t maintain any centralized standards and each project had its own solution/design work products based on the preference of the architect on the project. This led to multiple standards across the organization.

    Lack of consistency in architectural deliverables made the information hand-offs expensive.

    Complication

    INSPRO01 didn’t maintain the architectural documents in a central repository and the information was scattered across multiple project folders.

    This caused key stakeholders to make decisions based on incomplete information and resulted in constant revisions as new information became available.

    Result

    Info-Tech recommended that the EA team identify and standardize the various EA work products so that information was collected in a consistent manner across the organization.

    The team also recommended an information taxonomy to store the architectural deliverables and other collateral.

    This resulted in increased consistency and standardization leading to efficiency gains.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    Key Activities

    • Identify and standardize EA work products.
    • Classify the architectural standards.
    • Identify the custodian of standards.
    • Update the standards.

    Outcomes

    • A standardized set of EA work products
    • A way to categorize and store EA work products
    • A defined method of updating standards

    Phase 7

    Communication Plan

    Create a Right-Sized Enterprise Architecture Governance Framework

    Communication Plan

    1. Current state of EA governance
    2. EA fundamentals
    3. Engagement model
    4. EA governing bodies
    5. EA policy
    6. Architectural standards
    7. Communication Plan

    This phase will walk you through the following activities:

    • List the changes identified in the EA governance initiative
    • Identify stakeholders
    • Create a communication plan

    This step involves the following participants:

    • Head of Enterprise Architecture
    • Enterprise Architects
    • Domain Architects
    • Solution Architects

    Outcomes of this step

    • Communication Plan
    • EA Governance Framework

    Info-Tech Insight

    By failing to prepare, you are preparing to fail – maximize the likelihood of success for EA governance by engaging the relevant stakeholders and communicating the changes.

    Phase 7 guided implementation

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 6: Operationalize the EA governance framework

    Proposed Time to Completion: 1 week

    Step 7.1: Create a Communication Plan

    Start with an analyst kick-off call:

    • Discuss how to communicate changes to stakeholders.
    • Discuss the purposes and benefits of the EA governance framework.

    Then complete these activities…

    • Identify the stakeholders affected by the EA governance transformations.
    • List the benefits of the proposed EA governance initiative.
    • Create a plan to communicate the changes to impacted stakeholders.

    With these tools & templates:

    • EA Governance Communication Plan Template
    • EA Governance Framework Template

    Step 7.2: Review the Communication Plan

    Start with an analyst kick-off call:

    • Review the communication plan and gather feedback on the proposed stakeholders.
    • Confer about the various methods of communicating change in an organization.
    • Discuss the uses of the EA Governance Framework.

    Then complete these activities…

    • Refine your communication plan and use it to engage with stakeholders to better serve customers.
    • Create the EA Governance Framework to accompany the communication plan in engaging stakeholders to better understand the value of EA.

    With these tools & templates:

    • EA Governance Communication Plan Template
    • EA Governance Framework Template

    Communicate changes to stakeholders

    The changes made to the EA governance components need to be reviewed, approved, and communicated to all of the impacted stakeholders.

    Deliverables to be reviewed:

    • Fundamentals
      • Vision and Mission
      • Goals and Measures
      • Principles
    • Architecture review process
    • Assessment checklists
    • Policy Governing body charters
    • Architectural standards

    Deliverable Review Process:

    Step 1: Hold a meeting with stakeholders to review, refine, and agree on the changes.

    Step 2: Obtain an official approval from the stakeholders.

    Step 3: Communicate the changes to the impacted stakeholders.

    Communicate the changes by creating an EA governance framework and communication plan

    7.1 3 hrs

    Input

    • EA governance deliverables.

    Output

    • EA Governance Framework
    • Communication Plan.

    Materials

    • A computer, and/or a whiteboard and marker.

    Participants

    • EA team, CIO, business line leads, IT department leads.

    Instructions:

    Hold a working session with the participants to create the EA governance framework as well as the communication plan. Facilitate the activity using the steps below:

    1. EA Governance Framework:
      1. The EA Governance Framework is a document that will help reference and cite all the materials created from this blueprint. Follow the instructions on the framework to complete.
    2. Communication Plan:
      1. Identify the stakeholders based on the EA governance deliverables.
      2. For each stakeholder identified, complete the “Communication Matrix” section in the EA Governance Communication Plan Template. Fill out the section based on the instructions in the template.
      3. As the stakeholders are identified based on the “Communication Matrix,” use the EA Governance Framework document to communicate the changes.

    Download the EA Governance Communication Plan Template and EA Governance Framework Template for additional instructions and to document your activities in this phase.

    Maximize the likelihood of success by communicating changes

    Case Study

    Industry Insurance

    Source Info-Tech

    Situation

    The EA group followed Info-Tech’s methodology to assess the current state and has identified areas for improvement.

    Best practices were adopted to fill the gaps identified.

    The team planned to communicate the changes to the technology leadership team and get approvals.

    As the EA team tried to roll out changes, they encountered resistance from various IT teams.

    Complication

    The team was not sure of how to communicate the changes to the business stakeholders.

    Result

    Info-Tech has helped the team conduct a thorough stakeholder analysis to identify all the stakeholders who would be impacted by the changes to the architecture governance framework.

    A comprehensive communication plan was developed that leveraged traditional email blasts, town hall meetings, and non-traditional methods such as team blogs.

    The team executed the communication plan and was able to manage the change effectively.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    Key Activities

    • List the changes identified in the EA governance initiative.
    • Identify stakeholders.
    • Create a communication plan.
    • Compile the materials created in the blueprint to better communicate the value of EA governance.

    Outcomes

    • Communication plan
    • EA governance framework

    Bibliography

    Government of British Columbia. “Architecture and Standards Review Board.” Government of British Columbia. 2015. Web. Jan 2016. < http://www.cio.gov.bc.ca/cio/standards/asrb.page >

    Hopkins, Brian. “The Essential EA Toolkit Part 3 – An Architecture Governance Process.” Cio.com. Oct 2010. Web. April 2016. < http://www.cio.com/article/2372450/enterprise-architecture/the-essential-ea-toolkit-part-3---an-architecture-governance-process.html >

    Kantor, Bill. “How to Design a Successful RACI Project Plan.” CIO.com. May 2012. Web. Jan 2016. < http://www.cio.com/article/2395825/project-management/how-to-design-a-successful-raci-project-plan.html >

    Sapient. “MIT Enterprise Architecture Guide.” Sapient. Sep 2004. Web. Jan 2016. < http://web.mit.edu/itag/eag/FullEnterpriseArchitectureGuide0.1.pdf >

    TOGAF. “Chapter 41: Architecture Repository.” The Open Group. 2011. Web. Jan 2016. < http://pubs.opengroup.org/architecture/togaf9-doc/arch/chap41.html >

    TOGAF. “Chapter 48: Architecture Compliance.” The Open Group. 2011. Web. Jan 2016. < http://pubs.opengroup.org/architecture/togaf9-doc/arch/chap48.html >

    TOGAF. “Version 9.1.” The Open Group. 2011. Web. Jan 2016. http://pubs.opengroup.org/architecture/togaf9-doc/arch/

    United States Secret Service. “Enterprise Architecture Review Board.” United States Secret Service. Web. Jan 2016. < http://www.archives.gov/records-mgmt/toolkit/pdf/ID191.pdf >

    Virginia Information Technologies Agency. “Enterprise Architecture Policy.” Commonwealth of Virginia. Jul 2006. Web. Jan 2016. < https://www.vita.virginia.gov/uploadedfiles/vita_main_public/library/eapolicy200-00.pdf >

    Research contributors and experts

    Alan Mitchell, Senior Manager, Global Cities Centre of Excellence, KPMG

    Alan Mitchell has held numerous consulting positions before his role in Global Cities Centre of Excellence for KPMG. As a Consultant, he has had over 10 years of experience working with enterprise architecture related engagements. Further, he worked extensively with the public sector and prides himself on his knowledge of governance and how governance can generate value for an organization.

    Ian Gilmour, Associate Partner, EA advisory services, KPMG

    Ian Gilmour is the global lead for KPMG’s enterprise architecture method and Chief Architect for the KPMG Enterprise Reference Architecture for Health and Human Services. He has over 20 years of business design experience using enterprise architecture techniques. The key service areas that Ian focuses on are business architecture, IT-enabled business transformation, application portfolio rationalization, and the development of an enterprise architecture capability within client organizations.

    Djamel Djemaoun Hamidson, Senior Enterprise Architect, CBC/Radio-Canada

    Djamel Djemaoun is the Senior Enterprise Architect for CBC/Radio-Canada. He has over 15 years of Enterprise Architecture experience. Djamel’s areas of special include service-oriented architecture, enterprise architecture integration, business process management, business analytics, data modeling and analysis, and security and risk management.

    Sterling Bjorndahl, Director of Operations, eHealth Saskatchewan

    Sterling Bjorndahl is now the Action CIO for the Sun Country Regional Health Authority, and also assisting eHealth Saskatchewan grow its customer relationship management program. Sterling’s areas of expertise include IT strategy, enterprise architecture, ITIL, and business process management. He serves as the Chair on the Board of Directors for Gardiner Park Child Care.

    Huw Morgan, IT Research Executive, Enterprise Architect

    Huw Morgan has 10+ years experience as a Vice President or Chief Technology Officer in Canadian internet companies. As well, he possesses 20+ years experience in general IT management. Huw’s areas of expertise include enterprise architecture, integration, e-commerce, and business intelligence.

    Serge Parisien, Manager, Enterprise Architecture at Canada Mortgage Housing Corporation

    Serge Parisien is a seasoned IT leader with over 25 years of experience in the field of information technology governance and systems development in both the private and public sectors. His areas of expertise include enterprise architecture, strategy, and project management.

    Alex Coleman, Chief Information Officer at Saskatchewan Workers’ Compensation Board

    Alex Coleman is a strategic, innovative, and results-driven business leader with a proven track record of 20+ years’ experience planning, developing, and implementing global business and technology solutions across multiple industries in the private, public, and not-for-profit sectors. Alex’s expertise includes program management, integration, and project management.

    L.C. (Skip) Lumley , Student of Enterprise and Business Architecture

    Skip Lumley was formerly a Senior Principle at KPMG Canada. He is now post-career and spends his time helping move enterprise business architecture practices forward. His areas of expertise include enterprise architecture program implementation and public sector enterprise architecture business development.

    Additional contributors

    • Tim Gangwish, Enterprise Architect at Elavon
    • Darryl Garmon, Senior Vice President at Elavon
    • Steve Ranaghan, EMEIA business engagement at Fujitsu

    The Complete Manual for Layoffs

    • Buy Link or Shortcode: {j2store}514|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: $30,999 Average $ Saved
    • member rating average days saved: 20 Average Days Saved
    • Parent Category Name: Lead
    • Parent Category Link: /lead

    When the economy is negatively influenced by factors beyond any organization’s control, the impact can be felt almost immediately on the bottom line. This decline in revenue as a result of a weakening economy will force organizations to reconsider every dollar they spend.

    Our Advice

    Critical Insight

    • The remote work environment many organizations find themselves in adds a layer of complexity to the already sensitive process of laying off employees.
    • Carrying out layoffs must be done while keeping personal contact as your first priority. That personal contact should be the basis for all subsequent communication with laid-off and remaining staff, even after layoffs have occurred.

    Impact and Result

    By following our process, we can provide your organization with the direction, tools, and best practices to lay off employees. This will need to be done with careful consideration into your organization’s short- and longer-term strategic goals.

    The Complete Manual for Layoffs Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Prepare for layoffs

    Understand the most effective cost-cutting solutions and set layoff policies and guidelines.

    • The Complete Manual for Layoffs Storyboard
    • Layoffs SWOT Analysis Template
    • Redeployment and Layoff Strategy Workbook
    • Sample Layoffs Policy
    • Cost-Cutting Planning Tool
    • Termination Costing Tool

    2. Objectively identify employees

    Develop an objective layoff selection method and plan for the transfer of essential responsibilities.

    • Workforce Planning Tool
    • Employee Layoff Selection Tool

    3. Prepare to meet with employees

    Plan logistics, training, and a post-layoff plan communication.

    • Termination Logistics Tool
    • IT Knowledge Transfer Risk Assessment Tool
    • IT Knowledge Transfer Plan Template
    • IT Knowledge Identification Interview Guide Template
    • Knowledge Transfer Job Aid
    • Layoffs Communication Package

    4. Meet with employees

    Collaborate with necessary departments and deliver layoffs notices.

    • Employee Departure Checklist Tool

    5. Monitor and manage departmental effectiveness

    Plan communications for affected employee groups and monitor organizational performance.

    • Ten Ways to Connect With Your Employees
    • Creating Connections
    [infographic]

    Embed Security Into the DevOps Pipeline

    • Buy Link or Shortcode: {j2store}265|cart{/j2store}
    • member rating overall impact: 9.3/10 Overall Impact
    • member rating average dollars saved: $31,515 Average $ Saved
    • member rating average days saved: 26 Average Days Saved
    • Parent Category Name: Secure Cloud & Network Architecture
    • Parent Category Link: /secure-cloud-network-architecture
    • Your organization is starting its DevOps journey and is looking to you for guidance on how to ensure that the outcomes are secure.
    • Or, your organization may have already embraced DevOps but left the security team behind. Now you need to play catch-up.

    Our Advice

    Critical Insight

    • Shift security left. Identify opportunities to embed security earlier in the development pipeline.
    • Start with minimum viable security. Use agile methodologies to further your goals of secure DevOps.
    • Treat “No” as a finite resource. The role of security must transition from that of naysayer to a partner in finding the way to “Yes.”

    Impact and Result

    • Leverage the CLAIM (Culture, Learning, Automation, Integration, Measurement) Framework to identify opportunities to close the gaps.
    • Collaborate to find new ways to shift security left so that it becomes part of development rather than an afterthought.
    • Start with creating minimum viable security by developing a DevSecOps implementation strategy that focuses initially on quick wins.

    Embed Security Into the DevOps Pipeline Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should secure the DevOps pipeline, review Info-Tech’s methodology, and understand the ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Identify opportunities

    Brainstorm opportunities to secure the DevOps pipeline using the CLAIM Framework.

    • Embed Security Into the DevOps Pipeline – Phase 1: Identify Opportunities

    2. Develop strategy

    Assess opportunities and formulate a strategy based on a cost/benefit analysis.

    • Embed Security Into the DevOps Pipeline – Phase 2: Develop Strategy
    • DevSecOps Implementation Strategy Template
    [infographic]

    Quality Management

    • Buy Link or Shortcode: {j2store}45|cart{/j2store}
    • Related Products: {j2store}45|crosssells{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Service Planning and Architecture
    • Parent Category Link: /service-planning-and-architecture
    • byline: Be proactive; it costs exponentially more to fix a problem the longer it goes unnoticed.
    Drive efficiency and agility with right-sized quality management

    Make Your IT Governance Adaptable

    • Buy Link or Shortcode: {j2store}359|cart{/j2store}
    • member rating overall impact: 8.0/10 Overall Impact
    • member rating average dollars saved: $123,499 Average $ Saved
    • member rating average days saved: 10 Average Days Saved
    • Parent Category Name: IT Governance, Risk & Compliance
    • Parent Category Link: /it-governance-risk-and-compliance
    • People don’t understand the value of governance, seeing it as a hindrance to productivity and efficiency.
    • Governance is delegated to people and practices that don’t have the ability or authority to make these decisions.
    • Decisions are made within committees that don’t meet frequently enough to support business velocity.
    • It is difficult to allocate time and resources to build or execute governance effectively.

    Our Advice

    Critical Insight

    • IT governance applies not just to the IT department but to all uses of information and technology.
    • IT governance works against you if it no longer aligns with or supports your organizational direction, goals, and work practices.
    • Governance doesn’t have to be bureaucratic or control based.
    • Your governance model should be able to adapt to changes in the organization’s strategy and goals, your industry, and your ways of working.
    • Governance can be embedded and automated into your practices.

    Impact and Result

    • You will produce more value from IT by developing a governance framework optimized for your current needs and context, with the ability to adapt as your needs shift.
    • You will create the foundation and ability to delegate and empower governance to enable agile delivery.
    • You will identify areas where governance does not require manual oversight and can be embedded into the way you work.

    Make Your IT Governance Adaptable Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Make Your IT Governance Adaptable Deck – A document that walks you through how to design and implement governance that fits the context of your organization and can adapt to change.

    Our dynamic, flexible, and embedded approach to governance will help drive organizational success. The three-phase methodology will help you identify your governance needs, select and refine your governance model, and embed and automate governance decisions.

    • Make Your IT Governance Adaptable – Phases 1-3

    2. Adaptive and Controlled Governance Model Templates and Workbook – Documents that gather context information about your organization to identify the best approach for governance.

    Use these templates and workbook to identify the criteria and design factors for your organization and the design triggers to maintain fit. Upon completion this will be your new governance framework model.

    • Controlled Governance Models Template
    • IT Governance Program Overview
    • Governance Workbook

    3. Implementation Plan and Workbook – Tools that help you build and finalize your approach to implement your new or revised governance model.

    Upon completion you will have a finalized implementation plan and a visual roadmap.

    • Governance Implementation Plan
    • Governance Roadmap Workbook

    4. Governance Committee Charter Templates – Base charters that can be adapted for communication.

    Customize these templates to create the committee charters or terms of reference for the committees developed in your governance model.

    • IT PMO Committee Charter
    • IT Risk Committee Charter for Controlled Governance
    • IT Steering Committee Charter for Controlled Governance
    • Program Governance Committee Charter
    • Architecture Review Board Charter
    • Data Governance Committee Charter
    • Digital Governance Committee Charter

    5. Governance Automation Criteria Checklist and Worksheet – Tools that help you determine which governance decisions can be automated and work through the required logic and rules.

    The checklist is a starting point for confirming which activities and decisions should be considered for automation or embedding. Use the worksheet to develop decision logic by defining the steps and information inputs involved in making decisions.

    • Governance Automation Criteria Checklist
    • Governance Automation Worksheet

    Infographic

    Workshop: Make Your IT Governance Adaptable

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Develop Your Guiding Star

    The Purpose

    Establish the context for your governance model.

    Key Benefits Achieved

    Core understanding of the context that will enable us to build an optimal model

    Activities

    1.1 Confirm mission, vision, and goals.

    1.2 Define scope and principles.

    1.3 Adjust for culture and finalize context.

    Outputs

    Governance principles

    Governance context and goals

    2 Define the Governance Model

    The Purpose

    To select and adapt a governance model based on your context.

    Key Benefits Achieved

    A selected and optimized governance model

    Activities

    2.1 Select and refine governance model.

    2.2 Confirm and adjust the structure.

    2.3 Review and adapt governance responsibilities and activities.

    2.4 Validate governance mandates and membership.

    Outputs

    IT governance model and adjustment triggers

    IT governance structure, responsibilities, membership, and cadence

    Governance committee charters

    3 Build Governance Process and Policy

    The Purpose

    Refine your governance practices and associate policies properly.

    Key Benefits Achieved

    A completed governance model that can be implemented with clear update triggers and review timing

    Policy alignment with the right levels of authority

    Activities

    3.1 Update your governance process.

    3.2 Align policies to mandate.

    3.3 Adjust and confirm your model.

    3.4 Identify and document update triggers and embed into review cycle.

    Outputs

    IT governance process and information flow

    IT governance policies

    Finalized governance model

    4 Embed and Automate Governance

    The Purpose

    Identify options to automate and embed governance activities and decisions.

    Key Benefits Achieved

    Simply more consistent governance activities and automate them to enhance speed and support governance delegation and empowerment

    Activities

    4.1 Identify decisions and standards that can be automated. Develop decision logic.

    4.2 Plan verification and validation approach.

    4.3 Build implementation plan.

    4.4 Develop communication strategy and messaging.

    Outputs

    Selected automation options, decision logic, and business rules

    Implementation and communication plan

    Further reading

    Make Your IT Governance Adaptable

    Governance isn't optional, so keep it simple and make it flexible.

    Table of Contents

    4 Analyst Perspective

    5 Executive Summary

    13 Governance Stages

    14 Info-Tech’s IT Governance Thought Model

    19 Info-Tech’s Approach

    23 Insight Summary

    30 Phase 1: Identify Your Governance Needs

    54 Phase 2: Select and Refine Your Governance Model

    76 Phase 3: Embed and Automate

    94 Summary of Accomplishment

    95 Additional Support

    97 Contributors

    98 Bibliography

    Make Your IT Governance Adaptable

    Governance isn't optional, so keep it simple and make it flexible.

    EXECUTIVE BRIEF

    Analyst Perspective

    Governance will always be part of the fabric of your organization. Make it adaptable so it doesn’t constrain your success.

    Photo of Valence Howden, Principal Research Director, Info-Tech Research Group

    Far too often, the purpose of information and technology (I&T) governance is misunderstood. Instead of being seen as a way to align the organization’s vision to its investment in information and technology, it has become so synonymous with compliance and control that even mentioning the word “governance” elicits a negative reaction.

    Success in modern digital organizations depends on their ability to adjust for velocity and uncertainty, requiring a dynamic and responsive approach to governance – one that is embedded and automated in your organization to enable new ways of working, innovation, and change.

    Evolutionary theory describes adaptability as the way an organism adjusts to fit a new environment, or changes to its existing environment, to survive. Applied to organizations, adaptable governance is critical to the ability to survive and succeed.

    If your governance doesn’t adjust to enable your changing business environment and customer needs, it will quickly become misaligned with your goals and drive you to failure.

    It is critical that people build an approach to governance that is effective and relevant today while building in adaptability to keep it relevant tomorrow.

    Valence Howden
    Principal Research Director, Info-Tech Research Group

    Executive Summary

    Your Challenge

    • People don’t understand the value of governance, seeing it as a hindrance to productivity and efficiency.
    • Governance is delegated to people and practices that don’t have the ability or authority to make decisions.
    • Decisions are made within committees that don’t meet frequently enough to support business velocity.
    • It is difficult to allocate time and resources to build or execute governance effectively

    Common Obstacles

    • You are unable to clearly communicate how governance adds value to your organization.
    • Your IT governance approach no longer aligns with or supports your organizational direction, goals, and work practices.
    • Governance is seen and performed as a bureaucratic control-based exercise.
    • Governance activities are not transparent.
    • The governance committee gets too deeply involved with project deep dives and daily management, derailing its effectiveness and ability to produce value.

    Info-Tech’s Approach

    • Use Info-Tech’s IT governance models to identify a base model similar to the way you are organized. Confirm your current and future placement in governance execution.
    • Adjust the model based on industry needs, your principles, regulatory requirements, and your future direction.
    • Identify where to embed or automate decision making and compliance and what is required to do so effectively.
    • Implement your governance model for success.

    Info-Tech Insight

    IT governance must be embedded and automated, where possible, to effectively meet the needs and velocity of digital organizations and modern practices and to drive success and value.

    What is governance?

    IT governance is a critical and embedded practice that ensures that information and technology investments, risks, and resources are aligned in the best interests of the organization and produce business value.

    Effective governance ensures that the right technology investments are made at the right time to support and enable your organization’s mission, vision, and goals.

    5 KEY OUTCOMES OF GOOD GOVERNANCE
    STRATEGIC ALIGNMENT

    Technology investments and portfolios are aligned with the organization's strategic objectives.

    		RISK OPTIMIZATION

    Organizational risks are understood and addressed to minimize impact and optimize opportunities.

    		VALUE DELIVERY

    IT investments and initiatives deliver their expected benefits.

    		RESOURCE OPTIMIZATION

    Resources (people, finances, time) are appropriately allocated across the organization to optimal organizational benefit.

    		PERFORMANCE MEASUREMENT

    The performance of technology investments is monitored and used to determine future courses of action and to confirm achievement of success.

    ‹–EVALUATE–DIRECT–MONITOR–›

    Why is this necessary?

    • Governance is not simply a committee or an activity that you perform at a specific point in time; it is a critical and continuously active practice that drives the success of your organization. It is part of your organization’s DNA and is just as unique, with some attributes common to all (IT governance elements), some specific to your family (industry refinements), and some specific to you (individual organization).
    • Your approach to governance needs to change over time in order to remain relevant and continue to enable value and success, but organizations rarely want to change governance once it’s in place.
    • To meet the speed and flow of practices like Lean, DevOps, and Agile, your IT governance needs to be done differently and become embedded into the way your organization works. You must adjust your governance model based on key moments of change – organizational triggers – to maintain the effectiveness of your model.

    Info-Tech Insight

    Build an optimal model quickly and implement the core elements using an iterative approach to ensure the changes provide the most value.

    The Technology Value Trinity

    Delivery of Business Value & Strategic Needs

    • DIGITAL & TECHNOLOGY STRATEGY
      The identification of objectives and initiatives necessary to achieve business goals.
    • IT OPERATING MODEL
      The model for how IT is organized to deliver on business needs and strategies.
    • INFORMATION & TECHNOLOGY GOVERNANCE
      The governance to ensure the organization and its customers get maximum value from the use of information and technology.

    All three elements of the Technology Value Trinity work in harmony to deliver business value and meet strategic needs. As one changes, the others need to change as well.

    • Digital and IT Strategy tells you what you need to achieve to be successful.
    • IT Operating Model and Organizational Design is the alignment of resources to deliver on your strategy and priorities.
    • Information & Technology Governance is the confirmation that IT’s goals and strategy align with the business’ strategy. It is the mechanism by which you continuously prioritize work to ensure that what you deliver is in line with the strategy. This oversight involves evaluating, directing, and monitoring the delivery of outcomes to ensure that the use of resources results in achieving the organization’s goals.

    Too often strategy, operating model and organizational design, and governance are considered separate practices. As a result, “strategic documents” end up being wish lists, and projects continue to be prioritized based on who shouts the loudest rather than on what is in the best interest of the organization.

    Where information & technology governance fits within an organization

    An infographic illustrating where Governance fits within an organization. The main section is titled 'Enterprise Governance and Strategy' and contains 'Value Outcomes', 'Mission and Vision', 'Goals and Objectives', and 'Guiding Principles'. These all feed into the highlighted 'Information & Technology Governance', which then contributes to 'IT Strategy', which lies outside the main section.

    I&T governance hasn’t achieved its purpose

    Governance is the means by which IT ensures that information and technology delivery and spend is aligned to business goals and delivers business outcomes. However, most CEOs continue to perceive IT as being poorly aligned to the business’ strategic goals, which indicates that governance is not implemented or executed properly.

    For I&T governance to be effective you need a clear understanding of the things that drive your organization and its success. This understanding becomes your guiding star, which is critical for effective governance. It also requires participation by all parts of the organization, not just IT.

    Info-Tech CIO/CEO Alignment Diagnostics (N=124)

    43% of CEOs believe that business goals are going unsupported by IT.

    60% of CEOs believe that improvement is required around IT’s understanding of business goals.

    80% of CIOs/CEOs are misaligned on the target role for IT.

    30% of business stakeholders are supporters (N=32,536) of their IT departments

    Common causes of poor governance

    Key causes of poor or misaligned governance

    1. Governance and its value to your organization is not well understood, often being confused or integrated with more granular management activities.
    2. Business executives fail to understand that IT governance is a function of the business and not the IT department.
    3. Poor past experiences have made “governance” a bad word in the organization. People see it as a constraint and barrier that must be circumvented to get work done.
    4. There is misalignment between accountability and authority throughout the organization, and the wrong people are involved in governance practices.
    5. There is an unwillingness to change a governance approach that has served the organization well in the past, leading to challenges when the organization starts to change practices and speed of delivery.
    6. There is a lack of data and data-related capabilities required to support good decision making and the automation of governance decisions.
    7. The goals and strategy of the organization are not known or understood, leaving nothing for IT governance to orient around.

    Key symptoms of ineffective governance committees

    1. No actions or decisions are generated. The committee produces no value and makes no decisions after it meets. The lack of value output makes the usefulness of the committee questionable.
    2. Resources are overallocated. There is a lack of clear understanding of capacity and value in work to be done, leading to consistent underestimation of required resources and poor resource allocation.
    3. Decisions are changed outside of committee. Decisions made or initiatives approved by the committee are later changed when the proper decision makers are involved or the right information becomes available.
    4. Governance decisions conflict with organizational direction. This shows an obvious lack of alignment and behavioral disconnect that work against organizational success. It is often due to not accounting for where power really exists within the structure.
    5. Consistently poor outcomes are produced from governance direction. Committee members’ lack of business acumen, relevant data, or understanding of organizational goals results in decisions that fail to drive successful measured outcomes.

    Mature your governance by transitioning from ad hoc to automated

    Organizations should look to progress in their governance stages. Ad hoc and controlled governance practices tend to be more rigid, making these a poor fit for organizations requiring higher velocity delivery or using more agile and adaptive practices.

    The goal as you progress through these stages is to delegate governance and empower teams based on your fit and culture, enabling teams where needed to make optimal decisions in real time, ensuring that they are aligned with the best interests of the organization.

    Automate governance for optimal velocity while mitigating risks and driving value.

    This puts your organization in the best position to be adaptive, able to react effectively to volatility and uncertainty.

    A graph illustrating the transition from Ad Hoc to Automated. The y-axis is 'Process Integration' and x-axis is 'Trust & Empowerment'. 'Ad Hoc: Inconsistent Decision Making' lies close to the origin, ranking low on both axes' values. 'Controlled: Authoritarian, Highly Structured' ranks slightly higher on both axes. 'Agile: Distributed & Empowered' ranks 2nd highest on both axes. 'Automated: High Velocity, Embedded & Flexible' ranks highest on both axes.

    Stages of governance

    Adaptive
    Data-Centric

    ˆ


    ˆ


    ˆ


    ˆ


    ˆ
    Traditional
    (People- and Document-Centric)

    4

    		 Automated Governance
    • Entrenched into organizational processes and product/service design
    • Empowered and fully delegated to maintain fit and drive organizational success and survival

    3

    		 Agile Governance
    • Flexible enough to support different needs in the organization and respond quickly to change
    • Driven by principles and delegated throughout the company

    2

    		 Controlled Governance
    • Focused on compliance and hierarchy-based authority
    • Levels of authority defined and often driven by regulatory requirements

    1

    		 Ad Hoc Governance
    • Not well defined or understood within the organization
    • Occurs out of necessity but often not done by the right people or bodies

    Make Governance Adaptable and Automated to Drive Success and Value

    Governance adaptiveness ensures the success of digital organizations and modern practice implementation.

    THE PROBLEM

    • The wrong people are making decisions.
    • Organizations don't understand what governance is or why it's done.
    • Governance scope and design is a bad fit, damaging the organization.
    • People think governance is optional.

    THE SOLUTION

    ESTABLISH YOUR GUIDING PRINCIPLES

    Define and establish the guiding principle that drive your organization toward success.

    • Mission & Vision
    • Business Goals & Success Criteria
    • Operating Model & Work Practices
    • Governance Scope
    • Principles
    SELECT AND REFINE YOUR MODEL

    Use Info-Tech's IT Governance Models to identify a base model similar to the way you are organized. Confirm your current and future placement in governance execution.

    IDENTIFY MODEL UPDATE TRIGGERS

    Adjust the model based on industry needs, your principles, regulatory requirements, and future direction.

    • Principles
      Select principles that allow the organization to be adaptive while still ensuring the governance continues to stay on course with pursuing its guiding star.
    • Responsibilities
      Decide on the governance responsibilities related to Oversight Level, Strategic Alignment, Value Delivery, Risk Optimization, Resource Optimization, and Performance Management.
    • Structure
      Determine at which structured level governance is appropriate: Enterprise, Strategic, Tactical, or Operational.
    • Processes
      Establish processes that will enable governance to occur such as: Embed the processes required for successful governance.
    • Membership
      Identify the Responsibility & Accountability of those who should be involved in governance processes, policies, guidelines, and responsibilities.
    • Policies
      Confirm any governing policies that need to be adhered to and considered to manage risk.
    DETERMINE AUTOMATION OPTIONS AND DECISION RULES

    Identify where to embed or automate decision making and compliance and what is required to do so effectively.

    STAGES OF GOVERNANCE

      Traditional (People- and document-centric)
    1. AD HOC GOVERNANCE
      Governance that is not well defined or understood within the organization. It occurs out of necessity but often not by the right people or bodies.
    2. CONTROLLED GOVERNANCE
      Governance focused on compliance and hierarchy-based, authority-driven control of decisions. Levels of Authority are defined and often driven by regulatory requirements.
      3. Adaptive (Data Centric)
    3. AGILE GOVERNANCE
      Governance that is flexible to support different needs and quick responses in the organization. Driven by principles and delegated throughout the company.
    4. AUTOMATED GOVERNANCE
      Governance that is entrenched and automated into the organizational processes and product/service design. Empowered and fully delegated governance to maintain fit and drive organizational success and survival.

    KEY INSIGHT

    Governance must actively adapt to changes in your organization, environment, and practices or it will drive you to failure.

    Developing governance principles

    Governance principles support the move from controlled to automated governance by providing guardrails that guide your decisions. They provide the ethical boundaries and cultural perspectives that contextualize your decisions and keep you in line with organizational values. Determining principles are global in nature.

    CONTROLLED CHANGE ACTIONS AND RATIONALE AUTOMATED
    Disentangle governance and management Move from governance focused on evaluating, directing, and monitoring strategic decisions around information and technology toward defining and automating rules and principles for decision making into processes and practices, empowering the organization and driving adaptiveness. Delegate and empower
    Govern toward value Move from identifying the organization’s mission, goals, and key drivers toward orienting IT to align with those value outcomes and embedding value outcomes into design and delivery practices. Deliver to defined outcomes
    Make risk-informed decisions Move from governance bodies using risk information to manually make informed decisions based on their defined risk tolerance toward having risk information and attestation baked into decision making across all aspects and layers of the IT organization – from design to sustainment. Embed risk decision making into processes and practices
    Measure to drive improvement Move from static lagging metrics that validate that the work being done is meeting the organization’s needs and guide future decision making toward automated governance with more transparency driven by data-based decision making and real-time data insights. Trust through real-time reporting
    Enforce standards and behavior Move from enforcing standards and behavior and managing exceptions to ensure that there are consistent outcomes and quality toward automating standards and behavioral policies and embedding adherence and changes in behavior into the organization’s natural way of working. Automate standards through automated decision rules, verification, and validation

    Find your guiding star

    MISSION AND VISION –› GOALS AND OBJECTIVES –› GUIDING PRINCIPLES –›

    VALUE
    Why your organization exists and what value it aims to provide. The purpose you build a strategy to achieve. What your organization needs be successful at to fulfill its mission. Key propositions and guardrails that define and guide expected organizational behavior and beliefs.

    Your mission and vision define your goals and objectives. These are reinforced by your guiding principles, including ethical considerations, your culture, and expected behaviors. They provide the boundaries and guardrails for enabling adaptive governance, ensuring you continue to move in the right direction for organizational success.

    To paraphrase Lewis Carroll, “If you don't know where you want to get to, it doesn't much matter which way you go.” Once you know what matters, where value resides, and which considerations are necessary to make decisions, you have consistent directional alignment that allows you to delegate empowered governance throughout the organization, taking you to the places you want to go.

    Understand governance versus management

    Don’t blur the lines between governance and management; each has a unique role to play. Confusing them results in wasted time and confusion around ownership.

    Governance

    I&T governance defines WHAT should be done and sets direction through prioritization and decision making, monitoring overall IT performance.

    Governance aligns with the mission and vision of the organization to guide IT.

    		A cycle of processes split into two halves, 'Governance Processes' and 'Management Processes'. Beginning on the Management side, the processes are 'Plan', 'Build', 'Run', 'Monitor', then to the Governance side, 'Evaluate', 'Direct', 'Monitor', and back to the beginning.

    Management

    Management focuses on HOW to do things to achieve the WHAT. It is responsible for executing on, operating, and monitoring activities as determined by I&T governance.

    Management makes decisions for implementation based on governance direction.

    Data is critical to automating governance

    Documents and subjective/non-transparent decisions do not create sufficient structure to allow for the true automation of governance. Data related to decisions and aggregated risk allow you to define decision logic and rules and algorithmically embed them into your organization.

    People- and Document-Centric

    Governance drives activities through specific actors (individuals/committees) and unstructured data in processes and documents that are manually executed, assessed, and revised. There are often constraints caused by gaps or lack of adequate and integrated information in support of good decisions.

    Data-Centric

    Governance actors provide principles, parameters, and decision logic that enable the creation of code, rulesets, and algorithms that leverage organizational data. Attestation is automatic – validated and managed within the process, product, or service.

    Info-Tech’s Approach

    Define your context and build your model

    ESTABLISH YOUR GUIDING PRINCIPLES

    Define and establish the guiding principle that drive your organization toward success.

    • Mission & Vision
    • Business Goals & Success Criteria
    • Operating Model & Work Practices
    • Governance Scope
    • Principles
    SELECT AND REFINE YOUR MODEL

    Use Info-Tech's IT Governance Models to identify a base model similar to the way you are organized. Confirm your current and future placement in governance execution.

    MODEL UPDATE TRIGGERS

    Adjust the model based on industry needs, your principles, regulatory requirements, and future direction.

    • Principles
      Select principles that allow the organization to be adaptive while still ensuring the governance continues to stay on course with pursuing its guiding star.
    • Responsibilities
      Decide on the governance responsibilities related to Oversight Level, Strategic Alignment, Value Delivery, Risk Optimization, Resource Optimization, and Performance Management.
    • Structure
      Determine at which structured level governance is appropriate: Enterprise, Strategic, Tactical, or Operational.
    • Processes
      Establish processes that will enable governance to occur such as: Embed the processes required for successful governance.
    • Membership
      Identify the Responsibility & Accountability of those who should be involved in governance processes, policies, guidelines, and responsibilities.
    • Policies
      Confirm any governing policies that need to be adhered to and considered to manage risk.
    AUTOMATION OPTIONS AND DECISION RULES

    Identify where to embed or automate decision making and compliance and what is required to do so effectively.

    The Info-Tech Difference

    Define your context and build your model

    1. Quickly identify the organizational needs driving governance and your guiding star.
    2. Select and refine a base governance model based on our templates.
    3. Define and document the key changes in your organization that will trigger a need to update or revise your governance.
    4. Determine where you might be able to automate aspects of your governance.
    5. Design your decision rules where appropriate to support automated and adaptive governance.

    How to use this research

    Where are you in your governance optimization journey?

    MY GOVERNANCE IS AD HOC AND WE’RE STARTING FROM SCRATCH I NEED TO BUILD A NEW GOVERNANCE STRUCTURE OUR GOVERNANCE APPROACH IS INEFFECTIVE AND NEEDS IMPROVEMENT I NEED TO LOOK AT OPTIONS FOR AUTOMATING GOVERNANCE PRACTICES
    Step 1.1: Define Your Governance Context Step 1.2: Structure Your IT Governance Phase 2: Select and Refine Your Model Phase 3: Embed and Automate

    IT governance is about ensuring that the investment decisions made around information and technology drive the optimal organizational value, not about governing the IT department.

    In this section we will clarify your organizational context for governance and define your guiding star to orient your governance design and inform your structure.

    There is no need to start from scratch! Start with Info-Tech’s best-practice IT governance models and customize them based on your organizational context.

    The research in this section will help you to select the right base model to work from and provide guidance on how to refine it.

    Governance practices eventually stop being a good fit for a changing organization, and things that worked before become bottlenecks.

    Governing roles and committees don’t adjust well, don’t have consistent practices, and lack the right information to make good decisions.

    The research in this section will help you improve and realign your governance practices.

    Once your governance is controlled and optimized you are ready to investigate opportunities to automate.

    This phase of the blueprint will help you determine where it’s feasible to automate and embed governance, understand key governance automation practices, and develop governing business rules to move your journey forward.

    Related Research:

    If you are looking for details on specific associated practices, please see our related research:

    1. I need to establish data governance.
    2. I need to manage my project portfolio, from intake to confirmation of value.
    3. I need better risk information to support decision making.
    4. I need to ensure I am getting the expected outcomes and benefits from IT spend.
    5. I need to prioritize my product backlog or service portfolio.

    Info-Tech’s methodology for building and embedding adaptive governance

    1. Identify Your Governance Needs 2. Select and Refine Your Governance Model 3. Embed and Automate
    Phase Steps
    1. Confirm Mission, Vision, and Goals
    2. Define Scope and Principles
    3. Adjust for Culture and Finalize Context
    1. Select and Refine Your Governance Model
    2. Identify and Document Your Governance Triggers
    3. Build Your Implementation Plan
    1. Identify Decisions to Embed and Automate
    2. Plan Validation and Verification
    3. Update Implementation Plan
    Phase Outcomes
    • Governance context, guiding star, and principles
    • Completed governance model with associated decisions and policies
    • Implementation plan
    • List of automation options
    • Decision logic, rules, and rulesets
    • Validation and verification approach
    • Finalized implementation plan

    Insight summary

    Value

    To remain valuable, I&T governance must actively adapt to changes in your organization, environment, and practices, or it will drive you to failure instead of success.

    Focus

    I&T governance does not focus on the IT department. Rather, its intent is to ensure your organization makes sound decisions around investment in and use of information and technology.

    Maturity

    Your governance approach progresses in stages from ad hoc to automated as your organization matures. Your stage depends on your organizational needs and ways of working.

    Good governance

    Good governance does not equate to control and does not stifle innovation.

    Automation

    Automating governance must be done in stages, based on your capabilities, level of maturity, and amount of usable data.

    Strategy

    Establish the least amount of governance required to allow you to achieve your goals.

    Guiding star

    If you don’t establish a guiding star to align the different stakeholders in your organization, governance practices will create conflict and confusion.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Key Deliverable:
    Governance Framework Model

    The governance framework model provides the design of your new governance model and the organizational context to retain stakeholder alignment and organizational satisfaction with governance.

    The model includes the structures, practices, and responsibilities to drive effective governance in your organization.

    Sample of the key blueprint deliverable 'Governance Framework Model'.

    Governance Implementation Plan

    This roadmap lays out the changes required to implement the governance model, the cultural items that need to be addressed, and anticipated timing.

    Sample of the blueprint deliverable 'Governance Implementation Plan'.

    Governance Committee Charters

    Develop a detail governance charter or term of reference for each governing body. Outline the mandate, responsibilities, membership, process, and associated policies for each.

    Sample of the blueprint deliverable 'Governance Committee Charters'.

    Blueprint benefits

    IT Benefits

    • Stronger, traceable alignment of IT decisions and initiatives to business needs.
    • Improved ability for IT to meet the changing demands and velocity of the business.
    • Better support and enablement of innovation – removing constraints and barriers.
    • Optimized governance that supports and enables modern work practices.
    • Increased value generation from IT initiatives and optimal use of IT resources.
    • Designed adaptability to ensure you remain in alignment as your business and IT environments change.

    Business Benefits

    • Clear transparent focus of IT initiatives on generating strategic business value.
    • Improved ability to measure the value and contribution of IT to business goals.
    • Alignment and integration of business/IT strategy.
    • Optimized development and use of IT capabilities to meet business needs.
    • Improved integration with corporate/enterprise governance.

    Executive Brief Case Study

    INDUSTRY Manufacturing
    SOURCE Info-Tech analyst experience

    Improving the governance approach and delegating decision making to support a change in business operation

    Challenge

    The large, multi-national organization has locations across the world but has two primary headquarters, in Europe and the United States.

    Market shifts drove an organizational shift in strategy, leading to a change in operating models, a product focus, and new work approaches across the organization.

    Much of the implementation and execution was done in isolation, and effectiveness was slowed by poor integration and conflicting activities that worked against each other.

    The product owner role was not well defined.

    Solution

    After reviewing the organization’s challenges and governance approach, we redefined and realigned its organizational and regional goals and identified outcomes that needed to be driven into their strategies.

    We also reviewed their span of control and integration requirements and properly defined decisions that could be made regionally versus globally, so that decisions could be made to support new work practices.

    We defined the product and service owner roles and the decisions each needed to make.

    Results

    We saw an improvement in the alignment of organizational activities and the right people and bodies making decisions.

    Work and practices were aimed at the same key outcomes and alignment between teams toward organizational goal improved.

    Within one year, the success rate of the organization’s initiatives increased by 22%, and the percentage of product-related decisions made by product owners increased by 50%.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting
    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is between 5 and 8 calls over the course of 2 to 3 months.

    What does a typical GI on this topic look like?

      Phase 1: Identify Your Governance Needs

    • Call #1: Confirm your organization’s mission and vision and review your strategy and goals.
    • Call #2: Identify considerations and governance needs. Develop your guiding star and governing principles.

      • Phase 2: Select and Refine Your Model

    • Call #3: Select your base model and optimize it to meet your governance needs.
    • Call #4: Define your adjustment triggers and develop your implementation plan.

      • Phase 3: Embed and Automate

    • Call #5: Identify decisions and standards you can automate and where to embed them.
    • Call #6: Confirm levels of authority and data requirements. Establish your approach and update the implementation plan.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com1-888-670-8889

    Session 1 Session 2 Session 3 Session 4 Session 5
    Activities
    Develop Your Guiding Star

    1.1 Confirm mission, vision, and goals

    1.2 Define scope and principles

    1.3 Adjust for culture and finalize context

    Define the Governance Model

    2.1 Select and refine governance model

    2.2 Confirm and adjust the structure

    2.3 Review and adapt governance responsibilities and activities

    2.4 Validate governance mandates and membership

    Build Governance Process and Policy

    3.1 Update your governance process

    3.2 Align policies to mandate

    3.3 Adjust and confirm your governance model

    3.4 Identify and document your update triggers

    3.5 Embed triggers into review cycle

    Embed and Automate Governance

    4.1 Identify decisions and standards to automate

    4.2 Plan verification and validation approach

    4.3 Build implementation plan

    4.4 Develop communication strategy and messaging

    Next Steps and Wrap-Up

    5.1 Complete in-progress outputs from previous four sessions

    5.2 Set up review time for workshop outputs and to discuss next steps

    Outcomes
    1. Governance context and goals
    2. Governance principles
    1. IT governance model and adjustment triggers
    2. IT governance structure, responsibilities, membership, and cadence
    3. Governance committee charters
    1. IT governance process and information flow
    2. IT governance policies
    3. Finalized governance model
    1. Selected automation options, decision logic, and business rules
    2. Implementation and communication plan
    1. Governance context and principles
    2. Finalized governance model and charters
    3. Finalized implementation plan

    Make Your IT Governance Adaptable

    Phase 1

    Identify your Governance Needs

    Phase 1

    • 1.1 Define Your Guiding Star
    • 1.2 Define Scope and Principles
    • 1.3 Adjust for Culture and Finalize Context
      •

    Phase 2

    • 2.1 Choose and Adapt Your Model
    • 2.2. Identify and Document Your Governance Triggers
    • 2.3 Build Your Implementation Approach

    Phase 3

    • 3.1 Identify Decisions to Embed and Automate
    • 3.2 Plan Validation and Verification
    • 3.3 Update Implementation Plan

    This phase will walk you through the following activities:

    Identify the organization’s goals, mission, and vision that will guide governance.

    Define the scope of your governance model and the principles that will guide how it works.

    Account for organizational attitudes, behaviors, and culture related to governance and finalize your context.

    This phase involves the following participants:

    • Senior IT leadership
    • Governance leads

    Step 1.1

    Define Your Guiding Star

    Activities
    • 1.1.1 Document and interpret your strategy, mission, and vision
    • 1.1.2 Document and interpret the business and IT goals and outcomes
    • 1.1.3 Identify your operating model and work processes

    This step will walk you through the following activities:

    Review your business and IT strategy, mission, and vision to ensure understanding of organizational direction.

    Identify the business and IT goals that governance needs to align.

    Confirm your operating model and any work practices that need to be accounted for in your model.

    This step involves the following participants:

    • Senior IT leadership
    • Governance leads

    Outcomes of this step

    Identified guiding star outcomes to align governance outcomes with

    Defined operating model type and work style that impact governance design

    Identify Your Governance Needs

    Step 1.1 – Define your Guiding Star Step 1.2 – Define Scope and Principles Step 1.3 – Adjust for Culture and Finalize Context

    Govern by intent

    Find the balance for your designed governance approach

    Organic governance occurs during the formation of an organization and shifts with challenges, but it is rarely transparent and understood. It changes your culture in uncontrolled ways. Intentional governance is triggered by changes in organizational needs, working approaches, goals, and structures. It is deliberate and changes your culture to enable success.
    Stock photo of a weight scale.

    Info-Tech Insight

    Your approach to governance needs to be designed, even if your execution of governance is adaptable and delegated.

    What is your guiding star?

    Your guiding star is a combination of your organization’s mission, vision, and strategy and the goals that have been defined to meet them.

    It provides you with a consistent focal point around which I&T-related activities and projects orbit, like planets around a star.

    It generates the gravity that governance uses to keep things from straying too far away from the goal of achieving relevant value.

    1. Mission & Vision
    2. Business Goals & Success Criteria
    3. Operating Model & Work Practices
    4. Governance Scope
    5. Principles

    1.1.1 Document and interpret your strategy, mission, and vision

    30 minutes

    Input: Business strategy, IT strategy, Mission and vision statements

    Output: Updated Governance Workbook, Documented strategic outcomes and organizational aims that governance needs to achieve

    Materials: Whiteboard/flip charts, Governance Workbook

    Participants: IT senior leadership

    1. Gather your available business, digital, and IT strategy, mission, and vision information and document everything in your Governance Workbook. It’s ok if you don’t have all of it.
    2. Review and your mission and vision as a group. Discuss and document key points, including:
      • Which activities do you perform as an organization that embody your vision?
      • What key decisions and behaviors are required to ensure that your mission and vision are achievable?
      • What do you require from leadership to enable you to govern effectively?
      • What are the implications of the mission and vision on how the organization needs to work? What are the implications on decisions around opportunities and risks?

    Download the Governance Workbook

    1.1.2 Document and interpret the business and IT goals and outcomes

    60 minutes

    Input: Business strategy, Business and IT goals and related initiatives

    Output: Required success outcomes for goals, Links between IT and business goals that governance needs to align

    Materials: Whiteboard/flip charts

    Participants: IT senior leadership

    1. Document the business and IT goals that have been created to achieve the mission and vision.
    2. Discuss if there are any gaps between the goals and the mission and vision. Ask yourself – if we accomplish these goals will we have successfully achieved the mission?
    3. For each goal, define what successful achievement of the goal looks like. Starting with one goal or objective, ask:
      • How would I know I am on the right path and how will I know I have gotten there?
      • How would I know if I am not on the right path and what does a bad result look like?
      4. Document your success criteria.
    4. Brainstorm some examples of decisions that support or constrain the achievement of your goals.
    5. Repeat this exercise for your remaining goals.
    6. As a group, map IT goals to business goals.

    What is your operating model and why is it important?

    An IT operating model is a visual representation of the way your IT organization needs to be designed and the capabilities it requires to deliver on the business mission, strategic objectives, and technological ambitions.

    The model is critical in the optimization and alignment of the IT organization’s structure in order to deliver the capabilities required to achieve business goals. It is a key determinant of how governance needs to be designed and where it is implemented.

    Little visualizations of different operating models: 'Centralized', 'Decentralized', and 'Hybrid'.

    1.1.3 Identify your operating model and work practices

    60 minutes

    Input: Organizational structure, Operating model (if available)

    Output: Confirmed operating approach, Defined work practices

    Materials: Whiteboard/flip charts

    Participants: IT senior leadership

    1. Identify the way your organization functions:
      • How do we currently operate? Are we centralized, decentralized or a hybrid? Are we focused on delivering products and services? Do we provide service ourselves or do we use vendors for delivery?
      • Can we achieve our mission, goals, and strategies, if we continue to operate this way? What would we have to change in how we operate to be successful in the future?
    2. Identify your governance needs. Do we need to be more structured or more flexible to support our future ways of working?
      • If you operate in a more traditional way, consider whether you are implementing or moving toward more modern practices (e.g. Agile, DevOps, enterprise service management). Do you need to make more frequent but lower-risk decisions?
      • Is your organization ready to delegate governance culturally and in terms of business understanding? Is there enough available information to support adaptive decisions and actions?
    3. Document your operating style, expected changes in work style, and cultural readiness. You will need to consider the implications on design.

    Step 1.2

    Define Scope and Principles

    Activities
    • 1.2.1 Determine the proper scope for your governance
    • 1.2.2 Confirm your determining governing principles
    • 1.2.3 Develop your specific governing principles

    This step will walk you through the following activities:

    Identify what is included and excluded within the scope of your governance.

    Develop the determining and specific principles that provide guardrails for governance activities and decisions.

    This step involves the following participants:

    • Senior IT leadership
    • Governance leads

    Outcomes of this step

    Documented governance scope and principles to apply

    Identify Your Governance Needs

    Step 1.1 – Define your Guiding Star Step 1.2 – Define Scope and Principles Step 1.3 – Adjust for Culture and Finalize Context

    Define the context for governance

    Based on the goals and principles you defined and the operating model you selected, confirm where oversight will be necessary and at what level. Focus on the necessity to expedite and clear barriers to the achievement of goals and on the ownership of risks and compliance. Some key considerations:

    • Where in the organization will you need to decide on work that needs to be done?
    • What type of work will you need to do?
    • In what areas could there be conflicts in prioritization/resource allocation to address?
    • Who is accountable for risks to the organization and its objectives?
    • Where are your regional or business-unit-specific concerns that require focused local attention?
    • Are we using more agile, rapid delivery methods to produce work?

    Understand your governance scope

    Your governance scope helps you define the boundaries of what your governance model and practices will cover. This includes key characteristics of your organization that impact what governance needs to address.

    Sample Considerations

    • Organizational Span
      • The geographical area the organization operates within. Regional laws and requirements will affect governance delegation and standards/policy development.
    • Level of Regulation
      • Higher levels of regulation create more standards and controls for risk and compliance, impacting how authority can be delegated or automated.
    • Sourcing Model
      • Changing technology sourcing introduces additional vendor governance requirements and may impact compliance and audit.
    • Risk Posture
      • The appetite for risk organizationally, and in pockets, impacts the level of uncertainty you are willing to work within and impact decision-making authority positioning.
    • Size
      • The size of your organization impacts the approach to governance, practice implementation, and delegation of authority.
    • What Is Working Today?
      • Which elements of your current governance approach should be retained, and what are the biggest pain points that need to be addressed?
    (Source: COBIT 2019)

    1.2.1 Determine the proper scope for your governance

    60 minutes

    Input: Context information from Activity 1.1, Scoping areas

    Output: Defined scope and span of control

    Materials: Whiteboard/flip charts

    Participants: IT senior leadership

    1. Determine the scope/span of control required for your governance by:
      • Reviewing your key IT capabilities. Identify the ones where the responsibilities and decisions require oversight to ensure they meet the needs of the organization.
      • Identify what works well or poorly in your current governance approach.
      • Discuss and document the level and type of knowledge and business understanding required.
      • Identify and document any regulations, standards, or laws that apply to your organization/industry and how broadly they have to be applied.
      • Identify the organization’s risk appetite, where known, and areas where acceptable thresholds of risk have been defined. Where are key risk and opportunity decisions made? Who owns risk in your organization?
      • Identify and document the perceived role of the IT group in your organization (e.g. support, innovator, partner) and sourcing model (e.g. insource, outsource).
      • Is there sufficient information and data available in your organization to support effective decision making?

    How should your governance be structured?

    Organizations often have too many governance bodies, creating friction without value. Where that isn’t the case, the bodies are often inefficient, with gaps or overlaps in accountability and authority. Structure your governance to optimize its effectiveness, designing with the intent to have the fewest number of governing bodies to be effective, but no less than is necessary.

    Start with your operating model.

    • Understand what’s different about your governance based on whether your organization in centralized, distributed, or a different model (e.g. hybrid, product).
    • Identify and include governance structures that are mandatory due to regulation or industry.
    • Based on your context, identify how many of your governance activities should be performed together.

    Determine whether your governance should be controlled or adaptive.

    • Do you have the capability to distribute governance and is your organization empowered enough culturally?
    • Do you have sufficient standards and data to leverage? Do you have the tools and capabilities?
    • Identify governance structures that are required due to regulation or industry.

    Info-Tech Insight

    Your approach to governance needs to be designed and structured, even if your execution of governance is adaptable and delegated.

    Identify and Refine your Principles

    Confirm your defining principles based on your selection of controlled or adaptive governance. Create specific principles to clarify boundaries or provide specific guidance for teams within the organization.

    Controlled Adaptive
    Disentangle governance and management Delegate and empower
    Govern toward value Deliver to defined outcomes
    Make risk-informed decisions Embed risk into decision making
    Measure to drive improvement Trust though real-time reporting
    Enforce standards and behavior Automate decision making though established standards

    Determining Principle: Delegate and empower.

    Specific Principle: Decisions should be made at the lowest reasonable level of the organization with clarity.

    Rationale: To govern effectively with the velocity required to address business needs, governance needs to be executed deeper into the organization and organizational goals need to be clearly understood everywhere.

    Implication: Decision making needs to be delegated throughout the organization, so information and data requirements need to be identified, decision-making approach and principles need to be shared, and authority needs to be delegated clearly.

    1.2.2 Confirm your determining governance principles

    30-45 minutes

    Input: Governance Framework Model– Governance Principles

    Output: Governance workbook - Finalized list of determining principles

    Materials: Whiteboard/flip charts, Governance Workbook

    Participants: IT senior leadership

    1. Review the IT governance principles in your Governance Workbook.
    2. Within your IT senior leadership team (or IT governance working group) assign one or two principles to teams of two to three participants. Have each team identify what this would mean for your organization. Answering the questions:
      • In what ways do our current governance practices support this?
      • What are some examples of changes that would need to be made to make this a reality?
      • How would applying this principle improve your governance?
    3. Have each team present their results and compile the findings and implications in the Governance Workbook to use for future communication of the change.

    Specific governing principles

    Specific governing principles are refined principles derived from a determining principle, when additional specificity and detail is necessary. It allows you to define an approach for specific behaviors and activities. Multiple specific principles may underpin the determining one.

    A visualization of a staircase with stairs labelled, bottom to top, 'Determining Principle', 'Rationale', 'Implications', 'Specific Principles'.

    Specific Principles – Related principles that may be required to ensure the implications of the determining principal are addressed within the organization. They may be specific to individual areas and may be addressed in policies.

    Implications – The implications of this principle on the organization, specific to how and where governance is executed and the level of information and authority that would be necessary.

    Rationale – The reason(s) driving the determining principle.

    Determining Principle – A core overarching principle – a defining aspect of your governance model.

    1.2.3 Develop your specific governing principles

    30 minutes

    Input: Updated determining principles

    Output: List of specific principles linked to determining principles

    Materials: Whiteboard/flip charts, Governance Workbook

    Participants: IT senior leadership

    1. Confirm the determining principles for your governance model based on your previous discussions.
    2. Identify where to apply the principles. This is based on:
      1. Your governance scope (how much is within your span of control)
      2. The amount of data you have available
      3. Your cultural readiness for delegation
    3. Create specific principles to support the determining principles:
      1. Document the rationale driving the determining principles.
      2. Identify the implications.
      3. Create specific principles that will support the success in achieving the goals of each determining principle.
    4. Document all information on the “Governance guiding star” slide in the Governance Workbook.

    Download the Governance Workbook

    Step 1.3

    Adjust for Culture and Finalize Context

    Activities
    • 1.3.1 Identify and address the impact of attitude, behavior, and culture
    • 1.3.2 Finalize your context

    This step will walk you through the following activities:

    Identify your organizational attitude, behavior, and culture related to governance.

    Identify positives that can be leveraged and develop means to address negatives.

    Finalize the context that your model will leverage and align to.

    This step involves the following participants:

    • Senior IT leadership
    • Governance leads

    Outcomes of this step

    Downloaded tool ready to select the base governance model for your organization

    Identify Your Governance Needs

    Step 1.1 – Define your Guiding Star Step 1.2 – Define Scope and Principles Step 1.3 – Adjust for Culture and Finalize Context

    Understanding attitude, behavior, and culture

    A

    		 ttitude

    What people think and feel. It can be seen in their demeanor and how they react to change initiatives, colleagues, and users. This manifests in the belief that governance is a constraint that needs to be avoided or ignored – often with unintended consequences.

    A stock photo of a lightbulb over a person's head and a blackboard behind them reading 'New Mindset - data-verified= New Results'.">

    Any form of organizational change involves adjusting people’s attitudes to create buy-in and commitment.

    You need to identify and address attitudes that can lead to negative behaviors and actions or that are counter-productive.

    Understanding attitude, behavior, and culture

    B

    		 ehavior

    What people do. This is influenced by attitude and the culture of the organization. In governance, this manifests as people’s willingness to be governed, who pushes back, and who tries to bypass it.

    A stock photo of someone walking up a set of stairs into the distant sunlight.

    To implement change within IT, especially at a tactical and strategic level, organizational behavior needs to change.

    This is relevant because people gravitate toward stability and will resist change in an active or passive way unless you can sell the need, value, and benefit of changing their behavior and way of working.

    Understanding attitude, behavior, and culture

    C

    		 ulture

    The accepted and understood ways of working in an organization. The values and standards that people find normal and what would be tacitly identified to new resources. In governance terms, this is how decisions are really made and where responsibility really exists rather than what is identified formally.

    A stock photo of a compass pointing to 'VALUES'.

    The impact of the organizational or corporate “attitude” on employee behavior and attitude is often not fully understood.

    Culture is an invisible element, which makes it difficult to identify, but it has a strong impact and must be addressed to successfully embed governance models. In the case of automating governance, cultural readiness for automation is a critical success factor.

    1.3.1 Identify and address the impact of attitude, behavior, and culture

    45 minutes

    Input: Senior leadership knowledge

    Output: Updated Governance Workbook

    Materials: Governance Workbook

    Participants: IT senior leadership

    1. Break into three groups. Each group will discuss and document the positive and negative aspects of one of attitude, behavior, or culture related to governance in your organization.
    2. Each group will present and explain their list to the group.
    3. Add any additional suggestions in each area that are identified by the other groups.
    4. Identify the positive elements of attitude, behavior, and culture that would help with changing or implementing your updated governance model.
    5. Identify any challenges that will need to be addressed for the change to be successful.
    6. As a group, brainstorm some mitigations or solutions to these challenges. Document them in the Governance Workbook to be incorporated into the implementation plan.

    Download the Governance Workbook

    Attitude, behavior, and culture

    Evaluate the organization across the three contexts. The positive items represent opportunities for leveraging these characteristics with the implementation of the governance model, while the negative items must be considered and/or mitigated.

    Attitude Behavior Culture
    Positive
    Negative
    Mitigation

    1.3.2 Finalize your governance context

    30 minutes

    Input: Documented governance principles and scope from previous exercises

    Output: Finalized governance context in the Governance Workbook

    Materials: Whiteboard/flip charts, Governance Workbook

    Participants: IT senior leadership

    1. Use the information that has been gathered throughout this section to update and finalize your IT governance context.
    2. Document it in your Governance Workbook.

    Download the Governance Workbook

    Make Your IT Governance Adaptable

    Phase 2

    Select and Refine Your Governance Model

    Phase 1

    • 1.1 Define Your Guiding Star
    • 1.2 Define Scope and Principles
    • 1.3 Adjust for Culture and Finalize Context

    Phase 2

    • 2.1 Choose and Adapt Your Model
    • 2.2. Identify and Document Your Governance Triggers
    • 2.3 Build Your Implementation Approach
      •

    Phase 3

    • 3.1 Identify Decisions to Embed and Automate
    • 3.2 Plan Validation and Verification
    • 3.3 Update Implementation Plan

    This phase will walk you through the following activities:

    Select a base governance model and refine it to suit your organization.

    Identify scenarios and changes that will trigger updates to your governance model.

    Build your implementation plan.

    This phase involves the following participants:

    • Senior IT leadership
    • Governance resources

    Step 2.1

    Choose and Adapt Your Model

    Activities
    • 2.1.1 Choose your base governance model
    • 2.1.2 Confirm and adjust the structure of your model
    • 2.1.3 Define the governance responsibilities
    • 2.1.4 Validate the governance mandates and membership
    • 2.1.5 Update your committee processes
    • 2.1.6 Adjust your associated policies
    • 2.1.7 Adjust and confirm your governance model

    This step will walk you through the following activities:

    Review and selecting your base governance model.

    Adjust the structure, responsibilities, policies, mandate, and membership to best support your organization.

    This step involves the following participants:

    • Senior IT leadership
    • Governance leads

    Outcomes of this step

    Downloaded tool ready to select the base governance model for your organization

    Select and Refine Your Governance Model

    Step 2.1 – Choose and Adapt Your Model Step 2.2 – Identify and Document Your Governance Triggers Step 2.3 – Build Implementation Approach

    Your governance framework has six key components

    GOVERNANCE FRAMEWORK

    • GUIDELINES
      The key behavioral factors that ground your governance framework
    • MEMBERSHIP
      Formalization of who has authority and accountability to make specific governance decisions
    • RESPONSIBILITIES
      The definition of which decisions and outcomes your governance structure and each governance body is accountable for
    • STRUCTURE
      Which governance bodies and roles are in place to articulate where decisions are made in the organization
    • PROCESS
      Identification of the how your governance will be executed, how decisions are made, and the inputs, outputs, and connections to related processes
    • POLICY
      Set of principles established to address risk and drive expected and required behavior

    4 layers of governance bodies

    There are traditionally 4 layers of governance in an enterprise, and organizations have governing bodies or individuals at each level

    RESPONSIBILITIES AND TYPICAL MEMBERSHIP
    ENTERPRISE Defines organizational goals. Directs or regulates the performance and behavior of the enterprise, ensuring it has the structure and capabilities to achieve its goals.

    Membership: Business executives, Board

    STRATEGIC Ensures IT initiatives, products, and services are aligned to organizational goals and strategy and provide expected value. Ensure adherence to key principles.

    Membership: Business executives, CIO, CDO

    TACTICAL Ensures key activities and planning are in place to execute strategic initiatives.

    Membership: Authorized division leadership, related IT leadership

    OPERATIONAL Ensures effective execution of day-to-day functions and practices to meet their key objectives.

    Membership: Service/product owners, process owners, architecture leadership, directors, managers

    2.1.1 Choose your base governance model

    30 minutes

    Input: Governance models templates

    Output: Selected governance model

    Materials: Whiteboard/flip charts

    Participants: IT senior leadership

    1. Download Info-Tech’s base governance models (Controlled Governance Models Template and IT Governance Program Overview) and review them to find a template that most closely matches your context from Phase 1. You can start with a centralized, decentralized, or product/service hybrid IT organization. Remove unneeded models.
    2. If you do not have documented governance today, start with a controlled model as your foundation. Continue working through this phase if you have a documented governance framework you wish to optimize using our best practices or move to Phase 3 if you are looking to automate or embed your governance activities.

    Controlled Governance Models Template

    Adaptive Governance Models Template

    2.1.2 Confirm and adjust the structure of your model

    30-45 minutes

    Input: Selected base governance model, Governance context/scope

    Output: Updated governance bodies and relationships

    Materials: Whiteboard/flip charts

    Participants: IT senior leadership

    1. Validate your selected governance body structural model.
      • Are there any governing bodies you must maintain that should replace the ones listed? In part or in full?
      • Are there any missing bodies? Look at alternative committees for examples.
      • Document the adjustments.
    2. Are there any governing bodies that are not required?
      • Based on your size and needs, can they be done within one committee?
      • Is the capability or data not in place to perform the work?
      • Document the required changes.

    There are five key areas of governance responsibility

    A cyclical visualization of the five keys areas of governance responsibility, 'Strategic Alignment', 'Value Delivery', 'Risk Management', 'Resource Management', and 'Performance Measurement'.

    STRATEGIC ALIGNMENT
    Ensures that technology investments and portfolios are aligned with the organization’s needs.

    VALUE DELIVERY
    Reviews the outcomes of technology investments and portfolios to ensure benefits realization.

    RISK MANAGEMENT
    Defines and owns the risk thresholds and register to ensure that decisions made are in line with the posture of the organization.

    RESOURCE MANAGEMENT
    Ensures that people, financial knowledge, and technology resources are appropriately allocated across the organization.

    PERFORMANCE MEASUREMENT
    Monitors and directs the performance or technology investments to determine corrective actions and understand successes.

    2.1.3 Define the governance responsibilities

    Ensure you have the right responsibilities in the right place

    45-60 minutes

    Input: Selected governance base model, Governance context

    Output: Updated responsibilities and activities, Updated activities for selected governance bodies, New or removed governing bodies

    Materials: Whiteboard/flip charts

    Participants: IT senior leadership

    1. Based on your context and model, review the responsibilities identified for each committee and confirm that they align with the mandate and the stated outcome.
    2. Identify and highlight any responsibilities and activities that would not be involved in informing and enabling the mandate of the committee.
    3. Adjust the wording of confirmed responsibilities and activities to reflect your organizational language.
    4. Review each highlighted “bad fit” activity and move it to a committee whose mandate it would support or remove it if it’s not performed in your organization.
    5. If an additional committee is required, define the mandate and scope, then include any additional responsibilities that might have been a bad fit elsewhere

    2.1.4 Validate the governance mandates and membership

    30 minutes

    Input: Selected governance base model, Updated structure and responsibilities

    Output: Adjusted mandates and refined committee membership

    Materials: Whiteboard/flip charts

    Participants: IT senior leadership

    1. Review the mandate and membership slides in your selected governance model.
    2. Adjust the mandate to ensure that it aligns to and conveys:
      1. The outcome that the committee is meant to generate for the organization.
      2. Its scope/span of control.
    3. Discuss the type of information members would require for the committee to be successful in achieving its mandate.
    4. Document the member knowledge requirement in the mandate slide of the model template.

    Determine the right membership for your governance

    One of the biggest benefits of governance committees is the perspective provided by people from various parts of the organization, which helps to ensure technology investments are aligned with strategic goals. However, having too many people – or the wrong people – involved prevents the committee from being effective. Avoid this by following these principles.

    Three principles for selecting committee membership

    1. Determine membership based on responsibilities and required knowledge.
      Organizations often make the mistake of creating committees and selecting members before defining what they will do. This results in poor governance because members don’t have the knowledge required to make decisions. Define the mandate of the committee to determine which members are the right fit.
    2. Ensure members are accountable and authorized to make the decisions.
      Effective governance requires the members to have the authority and accountability to make decisions. This ensures meetings achieve their outcome and produce value, which improves the committee’s chances of survival.
    3. Select leaders who see the big picture.
      Often committee decisions and responsibilities become tangled in the web of organizational politics. Include people, often C-level, whose attendance is critical and who have the requisite knowledge, mindset, and understanding to put business needs ahead of their own.

    2.1.5 Update your committee processes

    20 minutes

    Input: Selected governance base model, Updated structure and responsibilities

    Output: Updated committee processes

    Materials: Whiteboard/flip charts

    Participants: IT senior leadership

    1. Review the committee details based on the changes you have made in goals, mandate, and responsibilities.
    2. Identify and document changes required to the committee outputs (outcomes) and adjust the consumer of the outputs to match.
    3. Review the high-level process steps required to get to the modified output. Add required activities or remove unnecessary ones. Review the process flow. Does it make sense? Are there unnecessary steps?
    4. Review and update inputs required for the process steps and update the information/data sources.
    5. Adjust the detailed process steps to reflect the work that needs to be done to support each high-level process step that changed.

    2.1.6 Adjust your associated policies

    20 minutes

    Input: Selected governance base model, Updated structure and responsibilities

    Output: Adjusted mandates and refined committee membership

    Materials: Whiteboard/flip charts

    Participants: IT senior leadership

    1. Review the policies associated with the governing bodies in your base model. Identify the policies that apply to your organization, those that are missing, and those that are not necessary.
    2. Confirm the policies that you require.
    3. Make sure the policies and policy purposes (or risks and related behaviors the policy addresses) are matched to the governance committee that has responsibilities in that area. Move policies to the right committee.

    2.1.7 Adjust and confirm your governance model

    1. Confirm the adjustment of governance bodies, structure, and input/output linkages.
    2. Confirm revisions to decisions and responsibilities.
    3. Confirm policy and regulation/standards associations.
    4. Select related governance committee charters from the provided set and revise the charters to reflect the elements defined in your updated model.
    5. Finalize your governance model.

    Samples of slides related to adjusting and confirming governance models in the Governance Workbook.

    Step 2.2

    Identify and Document Your Governance Triggers

    Activities
    • 2.2.1 Identify and document update triggers
    • 2.2.2 Embed triggers into the review cycle

    This step will walk you through the following activities:

    Identify scenarios that will create a need to review or change your governance model.

    Update your review/update approach to receiving trigger notifications.

    This step involves the following participants:

    • Senior IT leadership
    • Governance leads

    Outcomes of this step

    Downloaded tool ready to select the base governance model for your organization

    Select and Refine Your Governance Model

    Step 2.1 – Choose and Adapt Your Model Step 2.2 – Identify and Document Your Governance Triggers Step 2.3 – Build Implementation Approach

    What are governance triggers

    Governance triggers are organizational or environmental changes within or around an organization that are inflection points that start the review and revision of governance models to maintain their fit with the organization. This is the key to adaptive governance design.

    A target with five arrows sticking out of the bullseye, 'Operating Model', 'Business Strategy', 'Mandate Change', 'Management Practices', and 'Digital Transformation'.

    2.2.1 Identify and document update triggers

    30 minutes

    Input: Governance Workbook

    Output: Updated workbook with defined and documented governance triggers, points of origin, and integration

    Materials: Whiteboard/flip charts

    Participants: IT senior leadership

    1. Open the Governance Workbook to the “Triggers” slides.
    2. Review the list of governance triggers. Retain the ones that apply to your organization, remove those you feel are unnecessary, and add any change scenarios you feel should be included.
    3. Identify where you would receive notifications of these changes and the related processes or activities that would generate these notifications, if applicable.
    4. Document any points of integration required between governance processes and the source process. Highlight any where the integration is not currently in place.

    Sample of the 'Triggers' slide in the Governance Workbook.

    2.2.2 Embed triggers into the review cycle

    30 minutes

    Input: Governance model

    Output: Review cycle update

    Materials: Whiteboard/flip charts

    Participants: IT senior leadership

    1. Identify which triggers impact the entire governance model and which impact specific committees.
    2. Add an activity for triggered review of the impacted governance model into your governance committee process.

    Step 2.3

    Build Your Implementation Approach

    Activities
    • 2.3.1 Identify and document your implementation plan
    • 2.3.2 Build your roadmap
    • 2.3.3 Build your sunshine diagram

    This step will walk you through the following activities:

    Transfer changes to the Governance Implementation Plan Template.

    Determine the timing for the implementation phases.

    This step involves the following participants:

    • Senior IT leadership
    • Governance process owner

    Outcomes of this step

    Implementation plan for adaptive governance framework model

    Select and Refine Your Governance Model
    Step 2.1 – Choose and Adapt Your Model Step 2.2 – Identify and Document Your Governance Triggers Step 2.3 – Build Implementation Approach

    2.3.1 Identify and document your implementation plan

    60 minutes

    Input: Governance model, Guiding principles, Update triggers, Cultural factors and mitigations

    Output: Implementation roadmap

    Materials: Whiteboard/flip charts

    Participants: IT senior leadership

    1. As a group, discuss the changes required to implement the governance model, the cultural items that need to be addressed, and the anticipated timing.
    2. Document the implementation activities and consolidate them into groupings/themes based on similarities or shared outcomes.
    3. Name the grouped themes for clarity and identify key dependencies between activities in each area and across themes.
    4. Identify and document your approach (e.g. continuous, phased) and high-level timeline for implementation.
    5. Document the themes and initiatives in the Governance Implementation Plan.

    Download the Governance Implementation Plan

    Illustrate the implementation plan using roadmaps

    Info-Tech recommends two different methods to roadmap the initiatives in your Governance Implementation Plan.

    Gantt Chart
    Sample of a Gantt Chart.

    This type of roadmap depicts themes, related initiatives, the associated goals, and exact start and end dates for each initiative. This diagram is useful for outlining a larger number of activities and initiatives and has an easily digestible and repeatable format.

    		Sunshine Diagram
    Sample of a Sunshine Diagram.

    This type of roadmap depicts themes and their associated initiatives. The start and end dates for the initiatives are approximated based on years or phases. This diagram is useful for highlighting key initiatives on one page.

    2.3.2 Build your roadmap

    30 minutes

    Input: Governance themes and initiatives

    Output: roadmap visual

    Materials: Governance Roadmap Workbook, Governance Workbook

    Participants: CIO, IT senior leadership

    1. Open the Governance Implementation Plan and review themes and initiatives.
    2. Open the Governance Roadmap Workbook.
    3. Discuss whether the implementation roadmap should be developed as a Gantt chart, a sunshine diagram, or both.
      For the Gantt chart:
      • Input the roadmap start year and date.
      • Change the months and year in the Gantt chart to reflect the same roadmap start year.
      • Input and populate the planned start and end dates for the list of high-priority initiatives.

    Develop your Gantt chart in the Governance Roadmap Workbook

    2.3.3 Build your sunshine diagram

    30 minutes

    Input: Governance themes and initiatives

    Output: Sunshine diagram visual

    Materials: Whiteboard/flip charts, Markers, Governance Implementation Plan

    Participants: CIO, IT senior leadership

    1. Review your list of themes and initiatives.
    2. Build a model with “rays” radiating out from a central theme or objective.
    3. Using curved arcs, break the grid into timeline periods or phases.
    4. Complete your sunshine diagram in the Governance Implementation Plan.

    Customize your sunshine diagram in the Governance Implementation Plan

    Make Your IT Governance Adaptable

    Phase 3

    Embed and Automate

    Phase 1

    • 1.1 Define Your Guiding Star
    • 1.2 Define Scope and Principles
    • 1.3 Adjust for Culture and Finalize Context

    Phase 2

    • 2.1 Choose and Adapt Your Model
    • 2.2. Identify and Document Your Governance Triggers
    • 2.3 Build Your Implementation Approach

    Phase 3

    • 3.1 Identify Decisions to Embed and Automate
    • 3.2 Plan Validation and Verification
    • 3.3 Update Implementation Plan
      •

    This phase will walk you through the following activities:

    Identify which decisions you are ready to automate.

    Identify standards and policies that can be embedded and automated.

    Identify integration points.

    Confirm data requirements to enable success.

    This phase involves the following participants:

    • IT senior leadership
    • Governance process owner
    • Product and service owners
    • Policy owners

    Step 3.1

    Identify Decisions to Embed and Automate

    Activities
    • 3.1.1 Review governance decisions and standards and the required level of authority
    • 3.1.2 Build your decision logic
    • 3.1.3 identify constraints and mitigation approaches
    • 3.1.4 Develop decision rules and principles

    This step will walk you through the following activities:

    Identify your key decisions.

    Develop your decision logic.

    Confirm decisions that could be automated.

    Identify and address constraints.

    Develop decision rules and principles.

    This step involves the following participants:

    • IT senior leadership

    Outcomes of this step

    Developed decision rules, rulesets, and principles that can be leveraged to automate governance

    Defined integration points

    Embed and Automate

    Step 3.1 – Identify Decisions to Embed and Automate Step 3.2 – Plan Validation and Verification Step 3.3 – Update Implementation Plan

    What is decision automation?

    Decision automation is the codifying of rules that connect the logic of how decisions are made with the data required to make those decisions. This is then embedded and automated into processes and the design of products and services.

    • It is well suited to governance where the same types of decisions are made on a recurring basis, using the same set of data. It requires clean, high-quality data to be effective.
    • Improvements in artificial intelligence (AI) and machine learning (ML) have allowed the creation of scenarios where a hybrid of rules and learning can improve decision outcomes.

    Key Considerations

    • Data Availability
    • Legality
    • Contingencies
    • Decision Transparency
    • Data Quality
    • Auditability

    How complexity impacts decisions

    Decision complexity impacts the type of rule(s) you create and the amount of data required. It also helps define where or if decisions can be automated.

    1. SIMPLE
      Known and repeatable with consistent and familiar outcomes – structured, causal, and easy to standardize and automate.
    2. COMPLICATED
      Less known and outcomes are not consistently repeatable. Expertise can drive standards and guidelines that can be used to automate decisions.
    3. COMPLEX
      Unknown and new, highly uncertain in terms of outcomes, impact, and data. Requires more exploration and data. Difficult to automate but can be built into the design of products and services.
    4. CHAOTIC
      Unstructured and unknown situation. Requires adaptive and immediate action without active data – requires retained human governance
      5. (Based on Dave Snowden’s Cynefin framework)

    Governance Automation Criteria Checklist

    The Governance Automation Criteria Checklist provides a view of key considerations for determining whether a governing activity or decision is a good candidate for automation.

    The criteria identify key qualifiers/disqualifiers to make it easier to identify eligibility.

    Sample of the Governance Automation Criteria Checklist.

    Download the Governance Automation Criteria Checklist

    Governance Automation Worksheet

    Sample of the Governance Automation Worksheet.

    The Governance Automation Worksheet provides a way to document your governance and systematically identify information about the decisions to help determine if automation is possible.

    From there, decision rules, logic, and rulesets can be designed in support of building a structure flow to allow for automation.

    Download the Governance Automation Worksheet

    3.1.1 Review governance decisions and standards and the required level of authority

    30 minutes

    Input: Automation Criteria Checklist, Governance Automation Worksheet, Updated governance model

    Output: Documented decisions and related authority, Selected options for automation, Updated Governance Automation Worksheet

    Materials: Whiteboard/flip charts, Governance Automation Worksheet

    Participants: IT senior leadership

    1. Identify the decisions that are made within each committee in your updated governance model and document them in the Governance Automation Worksheet.
    2. Confirm the level of authority required to make each decision.
    3. Review the automation checklist to confirm whether each decision is positioned well for automation.
    4. Select and document the decisions that are the strongest options for automation/embedding and document them in the Governance Automation Worksheet.

    What are decision rules?

    Decision rules provide specific instructions and constraints that must be considered in making decisions and are critical for automating governance.

    They provide the logical path to assess governance inputs to make effective decisions with positive business outputs.

    Inputs would include key information such as known risks, your defined prioritization matrix, portfolio value scoring, and compliance controls.

    Individual rules can be leveraged in different places.

    Some decision rule types are listed here.

    1. Statement Rules
      Natural expression of logical progression, written through logical elements
    2. Decision Tree Rules
      Decision tree with two axes that overlap to generate a decision
    3. Sequential Rules
      A sequence of decisions that move from one step to the next
    4. Expression Rule
      A particular set of rules triggered by a particular rule condition being met
    5. Truth table rules
      Combines many decision factors into one place; produces different outputs

    What are decision rulesets

    Rulesets are created to make complex decisions. Individual rule types are combined to create rulesets that are applied together to generate effective decisions. One rule will provide contextual information required for additional rules to execute in a Rule-Result-Rule-Result-Rule-Decision flow.

    A visualization of two separate rulesets made up of the decision rules on the previous slide. 'Ruleset 1' contains '1) Statement Rules', '2) Decision Tree Rules', and 5) Truth Table Rules'. 'Ruleset 2' contains '3) Sequential Rules' and '4) Expression Rule'.

    3.1.2 Build your decision logic

    30 minutes

    Input: Governance Automation Worksheet

    Output: Documented decision logic to support selected decision types and data requirements

    Materials: Whiteboard/flip charts

    Participants: IT senior leadership

    1. For each selected decision, identify the principles that drive the considerations around the decision.
    2. For each decision, develop the decision logic by defining the steps and information inputs involved in making the decision and documenting the flow from beginning to end.
    3. Determine whether this is one specific decision or a combination of different decisions (in sequence or based on decisions).
    4. Name your decision rule.

    Sample of the Governance Automation Worksheet.

    3.1.3 Identify constraints and mitigation approaches

    60 minutes
    1. Document constraints to automation of decisions related to:
      • Availability of decision automation tools
      • Decision authority change requirements
      • Data constraints
      • Knowledge requirements
      • Process adjustment requirements
      • Product/service design levels
    2. Brainstorm and identify approaches to mitigate constraints and score based on likelihood of success.
    3. Identify mitigation owners and initial timeline expectations.
    4. Document the constraints and mitigations in the Governance Workbook on the constraints and mitigations slide.

    Sample of the 'Constraints and mitigations' slide of the 'Governance Workbook'.

    3.1.4 Develop decision rules and principles

    1.5-2 hours

    Input: Governance Automation Worksheet

    Output: Defined decision integration points, Confirmed data availability sets, Decision rules, rulesets, and principles with control indicators

    Materials: Whiteboard/flip charts, Governance Automation Worksheet

    Participants: IT senior leadership

    1. Review the decision logic for those decisions that you have confirmed for automation. Identify the processes where the decision should be executed.
    2. Associate each decision with specific process steps or stages or how it would be included in software/product design.
    3. For each selected decision, identify the availability of data required to support the decision logic and the level of complexity and apply governing principles.
    4. Create the decision rules and identify data gaps.
    5. Define the decision flow and create rulesets as needed.
    6. Confirm automation requirements and define control indicators.

    Step 3.2

    Plan Validation and Verification

    Activities
    • 3.2.1 Define verification approach for embedded and automated governance
    • 3.2.2 Define validation approach for embedded and automated governance

    This step will walk you through the following activities:

    Define how decision outcomes will be measured.

    Determine how the effectiveness of automated governance will be reported.

    This step involves the following participants:

    • IT senior leadership

    Outcomes of this step

    Tested and verified automation of decisions

    Embed and Automate

    Step 3.1 – Identify Decisions to Embed and Automate Step 3.2 – Plan Validation and Verification Step 3.3 – Update Implementation Plan

    Decision rule relationship through to verification

    1. Rules

    Focus on clear decision logic

    Often represented in simple statement types and supported by data:

    IF – THEN

    IF – AND – THEN

    IF – AND NOT – THEN

    		2. Rulesets

    Aggregate rules for more complex decisions

    Integrated flows between different required rules:
    Rule 1:
    (Output 1) – Rule 2
    (Output 2) – Rule 6
    Rule 6: (Output 1) – Rule 7     		3. Rule Attestation

    Verify success of automated decisions

    Attestation of embedded and automated rules with key control indicators embedded within process and products.

    Principles embedded into automated software controls.

    3.2.1 Define verification approach for embedded and automated governance

    60 minutes

    Input: Governance rules and rulesets as defined in the Governance Automation Worksheet, Defined decision outcomes

    Output: A defined measurement of effective decision outcomes, Approach to automate and/or report the effectiveness of automated governance

    Materials: Whiteboard/flip charts

    Participants: IT senior leadership

    Verify

    1. Confirm expected outcome of rules.
    2. Select a sampling of new required decisions or recently performed decisions related to areas of automation.
    3. Run the decisions through the decision rules or rule groupings that were developed and compare to parallel decisions made using the traditional approach. (These must be segregated activities.)
    4. Review the outcome of the rules and adjust based on the output. Identify areas of adjustment. Confirm that the automation meets your requirements.

    3.2.2 Define validation approach for embedded and automated governance

    60 minutes

    Input: Governance rules and rulesets as defined in the Governance Automation Worksheet, Defined decision outcomes

    Output: Defined assurance and attestation requirements, Key control indicators that can be automated

    Materials: Whiteboard/flip charts

    Participants: IT senior leadership

    Validate

    1. Develop an approach to measure automated decisions. Align success criteria to current governance KPIs and metrics.
    2. If no such metrics exist, define expected outcome. Define key risk indicators based on the expected points of automation.
    3. Establish quality assurance checkpoints within the delivery lifecycles to adjust for variance.
    4. Create triggers back to rule owners to drive changes and improvements to rules and rule groupings.

    Step 3.3

    Update Implementation Plan

    Activities
    • 3.3.1 Finalize the implementation plan

    This step will walk you through the following activities:

    Review implications and mitigations to make sure all have been considered.

    Finalize the implementation plan and roadmap.

    This step involves the following participants:

    • Senior IT leadership

    Outcomes of this step

    Completed Governance implementation plan and roadmap

    Embed and Automate

    Step 3.1 – Identify Decisions to Embed and Automate Step 3.2 – Plan Validation and Verification Step 3.3 – Update Implementation Plan

    3.3.1 Finalize the implementation plan

    30 minutes

    Input: Governance workbook, Updated governance model, Draft implementation plan and roadmap

    Output: Finalized implementation plan and roadmap

    Materials: Whiteboard/flip charts, Governance Implementation Plan

    Participants: IT senior leadership

    1. Document automation activities within phases in a governance automation theme in the Governance Implementation Plan.
    2. Review timelines in the implementation plan and where automation fits within the roadmap.
    3. Updated the implementation plan and roadmap.

    Governance Implementation Plan

    Summary of Accomplishment

    Problem Solved

    Through this project we have:

    • Improved your governance model to ensure a better fit for your organization, while creating adaptivity for the future.
    • Ensured your governance operates as an enabler of success with the proper bodies and levels of authority established.
    • Established triggers to ensure your governance model is actively adjusted to maintain its fit.
    • Developed a plan to embed and automate governance.
    • Created decision rules and principles and identified where to embed them within your practices.

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Contact your account representative for more information.

    workshops@infotech.com 1-888-670-8889

    Additional Support

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Photo of Valence Howden.

    Contact your account representative for more information.

    workshops@infotech.com 1-888-670-8889

    To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.

    Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.

    Related Info-Tech Research

    Improve IT Governance to Drive Business Results

    Avoid bureaucracy and achieve alignment with a minimalist approach. Align with your organizational context.

    Establish Data Governance

    Establish data trust and accountability with strong governance.

    Maximize Business Value From IT Through Benefits Realization

    Embed value and alignment confirmation into your governance to ensure you optimize IT value achievement for resource spend.

    Build a Better Product Owner

    Strengthen the product/service owner role in your organization by focusing on core capabilities and proper alignment.

    Research contributors and experts

    Photo of Sidney Hodgson, Senior Director, Industry, Info-Tech Research Group. Sidney Hodgson
    Senior Director, Industry
    Info-Tech Research Group
    • Sidney has over 30 years of experience in IT leadership roles as CIO of three organizations in Canada and the US as well as international consulting experience in the US and Asia.
    • Sid has a breadth of knowledge in IT governance, project management, strategic and operational planning, enterprise architecture, business process re-engineering, IT cost reduction, and IT turnaround management.
    		 Photo of David Tomljenovic, Principal Research Advisor, Industry, Info-Tech Research Group. David Tomljenovic
    Principal Research Advisor, Industry
    Info-Tech Research Group
    • David brings extensive experience from the Financial Services sector, having worked 25 years on Bay Street. Most recently he was a Corporate Finance and Strategy Advisor for Infiniti Labs (Toronto/Hong Kong), Automotive, and Smart City Accelerator, where he provided financial and mergers & acquisitions advisory services to accelerator participants with a focus on early-stage fundraising activities.

    Research contributors and experts

    Photo of Cole Cioran, Practice Lead, Applications and Agile Development, Info-Tech Research Group. Cole Cioran
    Practice Lead, Applications and Agile Development
    Info-Tech Research Group
    • Over the past 25 years, Cole has developed software; designed data, infrastructure, and software solutions; defined systems and enterprise architectures; delivered enterprise-wide programs; and managed software development, infrastructure, and business systems analysis practices.
    		 Photo of Crystal Singh, Research Director, Applications – Data and Information Management, Info-Tech Research Group. Crystal Singh
    Research Director, Applications – Data and Information Management
    Info-Tech Research Group
    • Crystal brings a diverse and global perspective to her role, drawing from her professional experiences in various industries and locations. Prior to joining Info-Tech, Crystal led the Enterprise Data Services function at Rogers Communications, one of Canada’s leading telecommunications companies.

    Research contributors and experts

    Photo of Carlene McCubbin, Practice Lead, CIO, Info-Tech Research Group. Carlene McCubbin
    Practice Lead, CIO
    Info-Tech Research Group
    • Carlene covers key topics in organization and leadership and specializes in governance, organizational design, relationship management, and human capital development. She led the development of Info-Tech’s Organization and Leadership practice.
    		 Photo of Denis Goulet, Senior Workshop Director, Info-Tech Research Group. Denis Goulet
    Senior Workshop Director
    Info-Tech Research Group
    • Denis is a transformational leader and experienced strategist who focuses on helping clients communicate, relate, and adapt for success. Having developed Governance Model and IT strategies in organizations ranging from small to billion-dollar multi-nationals, he firmly believes in a collaborative value-driven approach to work.

    Bibliography

    “2020 State of Data Governance and Automation Report.” Erwin.com, 28 Jan. 2020. Web.

    “Adaptive IT Governance.” Google search, 15 Nov. 2020.

    “Adaptive IT Governance Framework.” CIO Index, 3 Nov. 2011. Accessed 15 Nov. 2020.

    “Agile Governance Made Easy.” Agilist, n.d. Accessed 15 Nov. 2020.

    “Automating Governance — Our Work.” Humanising Machine Intelligence, n.d. Accessed 15 Nov. 2020.

    “Automation – Decisions.” IBM, 2020. Accessed 15 Oct. 2020.

    Chang, Charlotte. “Accelerating Agile through effective governance.” Medium, 22 Sept. 2020. Web.

    “COBIT 5: Enabling Processes.” ISACA, 2012. Web. Oct. 2016.

    COBIT 2019. ISACA, Dec. 2018. Web.

    Curtis, Blake. “The Value of IT Governance.” ISACA, 29 June 2020. Accessed 15 Nov. 2020.

    De Smet, Aaron. “Three Keys to Faster, Better Decisions.” McKinsey & Company, 1 May 2019. Accessed 15 Nov. 2020.

    “Decision Rules and Decision Analysis.” Navex Global, 2020. Web.

    “Decisions Automation with Business Rules Management Solution.” Sumerge, 4 Feb. 2020. Accessed 15 Nov. 2020.

    “DevGovOps – Key factors for IT governance for enterprises in a DevOps world.” Capgemini, 27 Sept. 2019. Web.

    Eisenstein, Lena. “IT Governance Checklist.” BoardEffect, 19 Feb. 2020. Accessed 15 Nov. 2020.

    “Establishing Effective IT and Data Governance.” Chartered Professional Accountants Canada, n.d. Accessed 15 Nov. 2020.

    Gandzeichuk, Ilya. “Augmented Analytics: From Decision Support To Intelligent Decision-Making.” Forbes, 8 Jan. 2020. Accessed 15 Nov. 2020.

    Georgescu, Vlad. “What Is IT Governance? Understanding From First Principles.” Plutora, 18 Oct. 2019. Web.

    Goodwin, Bill. “IT Governance in the Era of Shadow IT.” ComputerWeekly, 5 Aug. 2014. Accessed 15 Nov. 2020.

    “Governance of IT, OT and IOT.” ISACA Journal, 2019. Web.

    Gritsenko, Daria, and Matthew Wood. “Algorithmic Governance: A Modes of Governance Approach.” Regulation & Governance, 10 Nov. 2020. Web.

    Hansert, Philipp. “Adaptive IT Governance with Clausmark’s Bee4IT.” Bee360, 25 Oct. 2019. Accessed 15 Nov. 2020.

    Havelock, Kylie. “What Does Good Product Governance Look Like?” Medium. 8 Jan. 2020. Web.

    Haven, Dolf van der. “Governance of IT with ISO 38500 - A More Detailed View” LinkedIn article, 24 Oct. 2016. Accessed 15 Nov. 2020.

    Hong, Sounman, and Sanghyun Lee. “Adaptive Governance and Decentralization: Evidence from Regulation of the Sharing Economy in Multi-Level Governance.” Government Information Quarterly, vol. 35, no. 2, April 2018, pp. 299–305. Web.

    ISACA. “Monthly Seminar & Networking Dinner: CIO Dashboard.” Cvent, Feb. 2012. Accessed 15 Nov. 2020.

    ISO/IEC 38500, ISO, 2018 and ongoing.

    “IT Governance.” Kenway Consulting, n.d. Accessed 15 Nov. 2020.

    “IT Governance in the Age of COVID 19.” Union of Arab Banks Webinar, 19-21 Oct. 2020. Accessed 15 Nov. 2020.

    Jaffe, Dennis T. “Introducing the Seven Pillars of Governance.” Triple Pundit, 15 Nov. 2011. Accessed 15 Nov. 2020.

    Janssen, Marijn, and Haiko van der Voort. “Agile and Adaptive Governance in Crisis Response: Lessons from the COVID-19 Pandemic.” International Journal of Information Management, vol. 55, December 2020. Web.

    Jodya, Tiffany. “Automating Enterprise Governance within Delivery Pipelines.” Harness.io, 14 May 2020. Web.

    Kumar, Sarvesh. “AI-Based Decision-Making Automation.” Singular Intelligence, 17 June 2019. Web.

    “Lean IT Governance.” Disciplined Agile, n.d. Accessed 15 Nov. 2020.

    Lerner, Mark. “Government Tech Projects Fail by Default. It Doesn’t Have to Be This Way.” Belfer Center for Science and International Affairs, 21 Oct. 2020. Accessed 15 Nov. 2020.

    Levstek, Aleš, Tomaž Hovelja, and Andreja Pucihar. “IT Governance Mechanisms and Contingency Factors: Towards an Adaptive IT Governance Model.” Organizacija, vol. 51, no. 4, Nov. 2018. Web.

    Maccani, Giovanni, et al. “An Emerging Typology of IT Governance Structural Mechanisms in Smart Cities.” Government Information Quarterly, vol. 37, no. 4, Oct. 2020. Web.

    Magowan, Kirstie. “IT Governance vs IT Management: Mastering the Differences.” BMC Blogs, 18 May 2020. Accessed 15 Nov. 2020.

    Mazmanian, Adam. “Is It Time to Rethink IT Governance? ” Washington Technology, 26 Oct. 2020. Accessed 15 Nov. 2020.

    Mukherjee, Jayanto. “6 Components of an Automation (DevOps) Governance Model.” Sogeti, n.d. Accessed 15 Nov. 2020.

    Ng, Cindy. “The Difference Between Data Governance and IT Governance.” Inside Out Security, updated 17 June 2020. Web.

    Pearson, Garry. “Agile or Adaptive Governance Required?” Taking Care of the Present (blog), 30 Oct. 2020. Accessed 15 Nov. 2020.

    Peregrine, Michael, et al. “The Long-Term Impact of the Pandemic on Corporate Governance.” Harvard Law School Forum on Corporate Governance, 16 July 2020. Web.

    Raymond, Louis, et al. “Determinants and Outcomes of IT Governance in Manufacturing SMEs: A Strategic IT Management Perspective.” International Journal of Accounting Information Systems, vol. 35, December 2019. Web.

    Rentrop, Christopher. “Adaptive IT Governance – Foundation of a Successful Digitalization.” Business IT Cooperation Coordination Controlling (blog). May 2, 2018. Web.

    Schultz, Lisen, et al. “Adaptive Governance, Ecosystem Management, and Natural Capital.” Proceedings of the National Academy of Sciences, vol. 112, no. 24, 2015, pp. 7369–74. Web.

    Selig, Gad J. Implementing IT Governance: A Practical Guide to Global Best Practices in IT Management. Van Haren Publishing, 2008. Accessed 15 Nov. 2020.

    Sharma, Chiatan. “Rule Governance for Enterprise-Wide Adoption of Business Rules: Why Does a BRMS Implementation Need a Governance Framework?” Business Rules Journal, vol. 13, no. 4, April 2012. Accessed 15 Nov. 2020.

    Smallwood, Robert. “Information Governance, IT Governance, Data Governance – What’s the Difference?” The Data Administration Newsletter, 3 June 2020. Accessed 15 Nov. 2020.

    Snowden, Dave. "Cynefin – weaving sense-making into the fabric of our world", Cognitive Edge, 20 October 2020.

    “The Place of IT Governance in the Enterprise Governance.” Institut de la Gouvernance des Systemes d’Information, 2005. Accessed 15 Nov. 2020.

    Thomas, Mark. “Demystifying IT Governance Roles in a Dynamic Business Environment.” APMG International, 29 Oct. 2020. Webinar. Accessed 15 Nov. 2020.

    “The Four Pillars of Governance Best Practice.” The Institute of Directors in New Zealand, 4 Nov. 2019. Web.

    Wang, Cancan, Rony Medaglia, and Lei Zheng. “Towards a Typology of Adaptive Governance in the Digital Government Context: The Role of Decision-Making and Accountability.” Government Information Quarterly, vol. 35, no. 2, April 2018, pp. 306–22.

    Westland, Jason. “IT Governance: Definitions, Frameworks and Planning.” ProjectManager.com, 17 Dec. 2019. Web.

    Wilkin, Carla L., and Jon Riddett. “IT Governance Challenges in a Large Not-for-Profit Healthcare Organization: The Role of Intranets.” Electronic Commerce Research vol. 9, no. 4, 2009, pp. 351-74. Web.

    Zalnieriute, Monika, et al. “The Rule of Law and Automation of Government Decision Making.” Modern Law Review, 25 Feb. 2019. Web.

    Data Quality

    • Buy Link or Shortcode: {j2store}19|cart{/j2store}
    • Related Products: {j2store}19|crosssells{/j2store}
    • Teaser Video: Visit Website
    • Teaser Video Title: Big data after pandemic
    • member rating overall impact: 8.3/10
    • member rating average dollars saved: $5,100
    • member rating average days saved: 8
    • Parent Category Name: Data and Business Intelligence
    • Parent Category Link: /data-and-business-intelligence
    • byline: Great data-driven insights start with great data quality.
    Restore trust in your data by aligning your data management approach to the business strategy

    Agile Readiness Assessment Survey

    • Buy Link or Shortcode: {j2store}160|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Development
    • Parent Category Link: /development
    • Today’s realities are driving organizations to digitize faster and become more Agile.
    • Agile transformations are difficult and frequently fail for a variety of reasons.
    • To achieve the benefits of Agile, organizations need to be ready for the significant changes that Agile demands.
    • Challenges to your Agile transformation can come from a variety of sources.

    Our Advice

    Critical Insight

    • Use Info-Tech’s CLAIM+G model to examine potential roadblocks to Agile on six different organizational dimensions.
    • Use survey results to identify and address the issues that are most likely to derail your Agile transformation.

    Impact and Result

    • Better understand where and how your organization needs to change to support your Agile transformation.
    • Focus your attention on your organization’s biggest roadblocks to Agile.
    • Improve your organization’s chances of a successful Agile transformation.

    Agile Readiness Assessment Survey Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Agile Readiness Assessment Deck – A guide to help your organization survey its Agile readiness.

    Read this deck to see how an Agile Readiness Assessment can help your organization understand its readiness for Agile transformation. The storyboard guides you through how to collect, consolidate, and examine survey responses and create an actionable list of improvements to make your organization more Agile ready.

    • Agile Readiness Assessment Storyboard

    2. Survey Templates (Excel or MS Forms, available in English and French) – Use these templates to create and distribute the survey broadly within your organization.

    The Agile Readiness Assessment template is available in either Excel or Microsoft Forms (both English and French versions are available). Download the Excel templates here or use the links in the above deck to access the online versions of the survey.

    • Agile Readiness Survey – English
    • Agile Readiness Survey – French

    3. Agile Readiness Assessment Consolidated Results Tool – Use this tool to consolidate and analyze survey responses.

    The Agile Readiness Assessment Consolidated Results Tool allows you to consolidate survey responses by team/role and produces your heatmap for analysis.

    • Agile Readiness Assessment Consolidated Results Tool
    [infographic]

    Further reading

    Agile Readiness Assessment

    Understand how ready your organization is for an Agile transformation.

    Info-Tech Research Group Inc. is a global leader in providing IT research and advice. Info-Tech’s products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns.

    Analyst Perspective

    Use the wisdom of crowds to understand how ready you are for Agile transformation.

    Photo of Alex Ciraco, Principal Research Director, Application Delivery and Management, Info-Tech Research Group

    Agile transformations can be difficult and complex to implement. That’s because they require fundamental changes in the way an organization thinks and behaves (and many organizations are not ready for these changes).

    Use Info-Tech’s Agile Readiness Assessment to broadly survey the organization’s readiness for Agile along six dimensions:

    • Culture
    • Learning
    • Automation
    • Integrated teams
    • Metrics
    • Governance

    The survey results will help you to examine and address those areas that are most likely to hinder your move to Agile.

    Alex Ciraco
    Principal Research Director, Application Delivery and Management
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    • Your organization wants to shorten delivery time and improve quality by adopting Agile practices.
    • Your organization has not yet used Agile successfully.
    • You know that Agile transformations are complex and difficult to implement.
    • You want to maximize your Agile transformation’s chances of success.

    Common Obstacles

    • Risks to your Agile transformation can come from a variety of sources, including:
      • Organizational culture
      • Learning practices
      • Use of automation
      • Ability to create integrated teams
      • Use of metrics
      • Governance practices

    Info-Tech’s Approach

    • Use Info-Tech’s Agile Readiness Assessment to broadly survey your organization’s readiness for Agile.
    • Examine the consolidated results of this survey to identify challenges that are most likely to hinder Agile success.
    • Discuss and address these challenges to increase your chances of success.

    Info-Tech Insight

    By first understanding the numerous challenges to Agile transformations and then broadly surveying your organization to identify and address the challenges that are at play, you are more likely to have a successful Agile transformation.

    Info-Tech’s methodology

    1. Distribute Survey 2. Consolidate Survey Results 3. Examine Results and Problem Solve
    Phase Steps

    1.1 Identify the teams/roles you will survey.

    1.2 Configure the survey to reflect your teams/roles.

    1.3 Distribute the Agile Readiness Assessment Survey broadly in the organization.

    2.1 Collect survey responses from all participants.

    2.2 Consolidate the results using the template provided.

    3.1 Examine the consolidated results (both OVERALL and DETAILED Heatmaps)

    3.2 Identify key challenge areas (those which are most “red”) and discuss these challenges with participants

    3.3 Brainstorm, select and refine potential solutions to these challenges
    Phase Outcomes An appreciation for the numerous challenges associated with Agile transformations Identified challenges to Agile within your organization (both team-specific and organization-wide challenges) An actionable list of solutions/actions to address your organization’s Agile challenges.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals.

    Agile Readiness Assessment Survey

    Survey the organization to understand your readiness for an Agile transformation on six dimensions.

    Sample of the Agile Readiness Assessment Survey blueprint deliverable.

    		 Agile Readiness Assessment Consolidated Results

    Examine your readiness for Agile and identify team-specific and organization-wide challenges.

    Sample of the Agile Readiness Assessment Consolidated Results blueprint deliverable.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting
    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is between 6 to 8 calls over the course of 1 to 2 months.

    What does a typical GI on this topic look like?

      Phase 1: Distribute Survey

    • Call #1: Scope requirements, objectives, and your specific challenges (identify potential participants).
    • Call #2: First call with participants (introduce Phase 1 and assign survey for completion).
    • Call #3: Gather survey responses (prep for Phase 2 calls).

      • Phase 2: Consolidate Survey Results

    • Call #4: Consolidate all survey responses using the template.
    • Call #5: Conduct initial review of consolidated results (prep for Phase 3 calls).

      • Phase 3: Examine Results and Problem Solve

    • Call #6: Present consolidated results to participants and agree on most pressing challenges.
    • Call #7: Brainstorm, identify, and refine potential solutions to most pressing challenges.
    • Call #8: Conduct closing and communication call.

    Phase 1 — Phase 1 of 3, 'Distribute Survey'.

    Customize and distribute the survey

    Decide which teams/roles will participate in the survey.

    Decide which format and language(s) you will use for your Agile Readiness Assessment Survey.

    Configure the survey templates to reflect your selected teams/roles.

    Distribute the survey for participants to complete.

    • 1.1 The Agile Readiness Assessment Survey will help you to identify both team-specific and organization-wide challenges to your Agile transformation. It is best to distribute the survey broadly across the organization and include several teams and roles. Identify and make note of the teams/roles that will be participating in the survey.
    • 1.2 Select which format of survey you will be using (Excel or online), along with the language(s) you will use (links to the survey templates can be found in the table below). Then configure the survey templates to reflect your list of teams/roles from Step 1.1.
      • Format Language Download Survey Template
      Excel English Agile Readiness Assessment Excel Survey Template – EN and FR
      Excel French
      Online English Agile Readiness Assessment Online Survey Template – EN
      Online French Agile Readiness Assessment Online Survey Template – FR

    • 1.3 Distribute your Agile Readiness Assessment Survey broadly in the organization. Give all participants a deadline date for completion of the survey.

    Phase 2 — Phase 2 of 3, 'Consolidate Results'.

    Consolidate Survey Results

    Collect and consolidate all survey responses using the template provided.

    Review the OVERALL and DETAILED Heatmaps generated by the template.

    • 2.1 Collect the survey responses from all participants. All responses completed using the online form will be anonymous (for responses returned using the Excel form, assign each a unique identifier so that anonymity of responses is maintained).
    • 2.2 Consolidate the survey responses using the template below. Follow the instructions in the template to incorporate all survey responses.

      • Download the Agile Readiness Assessment Consolidated Results Tool

      Sample of the Agile Readiness Assessment Consolidated Results Tool, ranking maturity scores in 'Culture', 'Learning', 'Automation', 'Integrated Teams', 'Metrics', and 'Governance'.

    Phase 3 — Phase 3 of 3, 'Examine Results'.

    Examine Survey Results and Problem Solve

    Review the consolidated survey results as a team.

    Identify the challenges that need the most attention.

    Brainstorm potential solutions. Decide which are most promising and create a plan to implement them.

    • 3.1 Examine the consolidated results (both OVERALL and DETAILED Heatmaps) and look at both team-specific and organization-wide challenge areas.
    • 3.2 Identify which challenge areas need the most attention (typically those that are most red in the heatmap) and discuss these challenges with survey participants.
    • 3.3 As a team, brainstorm potential solutions to these challenges. Select from and refine the solutions that are most promising, then create a plan to implement them.

    3.1 Exercise: Collaborative Problem Solving — Phase 3 of 3, 'Examine Results'.

    60 Mins

    Input: Consolidated survey results

    Output: List of actions to address your most pressing challenges along with a timeline to implement them

    Materials: Agile Readiness Assessment Consolidated Results Tool, Whiteboard and markers

    Participants: Survey participants, Other interested parties

    This exercise will create a plan for addressing your most pressing Agile-related challenges.

    • As a team, agree on which survey challenges are most important to address (typically the most red in the heatmap).
    • Brainstorm potential solutions/actions to address these challenges.
    • Assign solutions/actions to individuals and set a timeline for completion.
    Challenge Proposed Solution Owner Timeline
    Enrichment
    lack of a CoE    		 Establish a service-oriented Agile Center of Excellence (CoE) staffed with experienced Agile practitioners who can directly help new-to-Agile teams be successful. Bill W. 6 Months
    Tool Chain
    (lack of Agile tools)    		 Select a standard Agile work management tool (e.g. Jira, Rally, ADO) that will be used by all Agile teams. Cindy K. 2 Months

    Related Info-Tech Research

    Sample of an Info-Tech blueprint. Modernize Your SDLC
    • Strategically adopt today’s SDLC good practices to streamline value delivery.
    Sample of an Info-Tech blueprint. Implement Agile Practices That Work
    • Guide your organization through its Agile transformation journey.
    Sample of an Info-Tech blueprint. Implement DevOps Practices That Work
    • Streamline business value delivery through the strategic adoption of DevOps practices.
    Sample of an Info-Tech blueprint. Mentoring for Agile Teams
    • Leverage an experience Agile Mentor to give your in-flight Agile project a helping hand.

    Research Contributors and Experts

    • Columbus Brown, Senior Principal – Practice Lead – Business Alignment, Daugherty Business Solutions
    • Saeed Khan, Founder, Transformation Labs
    • Brenda Peshak, Product Owner/Scrum Master/Program Manager, John Deere/Source Allies/Widget Industries LLC
    • Vincent Mirabelli, Principal, Global Project Synergy Group
    • Len O'Neill, Sr. Vice President and Chief Information Officer, The Suddath Companies
    • Shameka A. Jones, MPM, CSM, Lead Business Management Consultant, Mainspring Business Group, LLC
    • Ryland Leyton, Lead Business Analyst, Aptos Retail
    • Ashish Nangia, Lead Business System Analyst, Ashley Furniture Industries
    • Barbara Carkenord, CBAP, IIBA-AAC, PMI-PBA, PMP, SAFe POPM, President, Carkenord Consulting
    • Danelkis Serra, CBAP, Chapter Operations Manager, Regions & Chapters, IIBA (International Institute of Business Analysis)
    • Lorrie Staples-Ellis, CyberSecurity Integration Strategist, Wealth Management, Truist Bank
    • Ginger Sundberg, Independent Consultant
    • Kham Raven, Project Manager, Fraud Strategy & Execution, Truist Bank
    • Sarah Vollett, PMP, Business Analyst, Operations, College of Physicians and Surgeons of British Columbia
    • Nicole J Coyle, ICP-ACC, CEAC, SPC4, SASM, POPM, CSM, ECM, CCMP, CAPM, Team Agile Coach and Team Facilitator, HCQIS Foundational Components
    • Joe Glower, IT Director, Jet Support Services, Inc. (JSSI)
    • Harsh Daharwal, Senior Director, Application Delivery, J.R. Simplot
    • Hans Eckman, Principal Research Director, Info-Tech Research Group
    • Valence Howden, Principal Research Director, Info-Tech Research Group

    Streamline Application Maintenance

    • Buy Link or Shortcode: {j2store}402|cart{/j2store}
    • member rating overall impact: 9.5/10 Overall Impact
    • member rating average dollars saved: 20 Average Days Saved
    • member rating average days saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • Parent Category Name: Maintenance
    • Parent Category Link: /maintenance
    • Application maintenance teams are accountable for the various requests and incidents coming from a variety business and technical sources. The sheer volume and variety of requests create unmanageable backlogs.
    • The increasing complexity and reliance on technology within the business has set unrealistic expectations on maintenance teams. Stakeholders expect teams to accommodate maintenance without impact on project schedules.

    Our Advice

    Critical Insight

    • Improving maintenance’s focus and attention may mean doing less but more valuable work. Teams need to be realistic about what can be committed and be prepared to justify why certain requests have to be pushed down the backlog (e.g. lack of business value, high risks).
    • Maintenance must be treated like any other development activity. The same intake and prioritization practices and quality standards must be upheld, and best practices followed.

    Impact and Result

    • Justify the necessity of streamlined maintenance. Gain a grounded understanding of stakeholder objectives and concerns, and validate their achievability against the current state of the people, process, and technologies involved in application maintenance.
    • Strengthen triaging and prioritization practices. Obtain a holistic picture of the business and technical impacts, risks, and urgencies of each accepted maintenance requests in order to justify its prioritization and relevance within your backlog. Identify opportunities to bundle requests together or integrate them within project commitments to ensure completion.
    • Establish and govern a repeatable process. Develop a maintenance process with well-defined stage gates, quality controls, and roles and responsibilities, and instill development best practices to improve the success of delivery.

    Streamline Application Maintenance Research & Tools

    Start here – read the Executive Brief

    Read our Executive Brief to understand the common struggles found in application maintenance, their root causes, and the Info-Tech methodology to overcoming these hurdles.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Understand your maintenance priorities

    Understand the stakeholder priorities driving changes in your application maintenance practice.

    • Streamline Application Maintenance – Phase 1: Assess the Current Maintenance Landscape
    • Application Maintenance Operating Model Template
    • Application Maintenance Resource Capacity Assessment
    • Application Maintenance Maturity Assessment

    2. Instill maintenance governance

    Identify the appropriate level of governance and enforcement to ensure accountability and quality standards are upheld across maintenance practices.

    • Streamline Application Maintenance – Phase 2: Develop a Maintenance Release Schedule

    3. Enhance triaging and prioritization practices

    Build a maintenance triage and prioritization scheme that accommodates business and IT risks and urgencies.

    • Streamline Application Maintenance – Phase 3: Optimize Maintenance Capabilities

    4. Streamline maintenance delivery

    Define and enforce quality standards in maintenance activities and build a high degree of transparency to readily address delivery challenges.

    • Streamline Application Maintenance – Phase 4: Streamline Maintenance Delivery
    • Application Maintenance Business Case Presentation Document
    [infographic]

    Workshop: Streamline Application Maintenance

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Understand Your Maintenance Priorities

    The Purpose

    Understand the business and IT stakeholder priorities driving the success of your application maintenance practice.

    Understand any current issues that are affecting your maintenance practice.

    Key Benefits Achieved

    Awareness of business and IT priorities.

    An understanding of the maturity of your maintenance practices and identification of issues to alleviate.

    Activities

    1.1 Define priorities for enhanced maintenance practices.

    1.2 Conduct a current state assessment of your application maintenance practices.

    Outputs

    List of business and technical priorities

    List of the root-cause issues, constraints, and opportunities of current maintenance practice

    2 Instill Maintenance Governance

    The Purpose

    Define the processes, roles, and points of communication across all maintenance activities.

    Key Benefits Achieved

    An in-depth understanding of all maintenance activities and what they require to function effectively.

    Activities

    2.1 Modify your maintenance process.

    2.2 Define your maintenance roles and responsibilities.

    Outputs

    Application maintenance process flow

    List of metrics to gauge success

    Maintenance roles and responsibilities

    Maintenance communication flow

    3 Enhance Triaging and Prioritization Practices

    The Purpose

    Understand in greater detail the process and people involved in receiving and triaging a request.

    Define your criteria for value, impact, and urgency, and understand how these fit into a prioritization scheme.

    Understand backlog management and release planning tactics to accommodate maintenance.

    Key Benefits Achieved

    An understanding of the stakeholders needed to assess and approve requests.

    The criteria used to build a tailored prioritization scheme.

    Tactics for efficient use of resources and ideal timing of the delivery of changes.

    A process that ensures maintenance teams are always working on tasks that are valuable to the business.

    Activities

    3.1 Review your maintenance intake process.

    3.2 Define a request prioritization scheme.

    3.3 Create a set of practices to manage your backlog and release plans.

    Outputs

    Understanding of the maintenance request intake process

    Approach to assess the impact, urgency, and severity of requests for prioritization

    List of backlog management grooming and release planning practices

    4 Streamline Maintenance Delivery

    The Purpose

    Understand how to apply development best practices and quality standards to application maintenance.

    Learn the methods for monitoring and visualizing maintenance work.

    Key Benefits Achieved

    An understanding of quality standards and the scenarios for where they apply.

    The tactics to monitor and visualize maintenance work.

    Streamlined maintenance delivery process with best practices.

    Activities

    4.1 Define approach to monitor maintenance work.

    4.2 Define application quality attributes.

    4.3 Discuss best practices to enhance maintenance development and deployment.

    Outputs

    Taskboard structure and rules

    Definition of application quality attributes with user scenarios

    List of best practices to streamline maintenance development and deployment

    5 Finalize Your Maintenance Practice

    The Purpose

    Create a target state built from appropriate metrics and attainable goals.

    Consider the required items and steps for the implementation of your optimization initiatives.

    Key Benefits Achieved

    A realistic target state for your optimized application maintenance practice.

    A well-defined and structured roadmap for the implementation of your optimization initiatives.

    Activities

    5.1 Refine your target state maintenance practices.

    5.2 Develop a roadmap to achieve your target state.

    Outputs

    Finalized application maintenance process document

    Roadmap of initiatives to achieve your target state

    Diagnose Brand Health to Improve Business Growth

    • Buy Link or Shortcode: {j2store}564|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Marketing Solutions
    • Parent Category Link: /marketing-solutions
    • Low number and quality of leads generated, poor conversion rates, and declining customer retention and loyalty
    • Higher customer acquisition vs. marketing costs
    • Difficulties attracting and keeping talent, partners, and investors
    • Slow or low growth and devaluation of the brand due to low brand equity

    Our Advice

    Critical Insight

    • The Brand: Intangible, yet a company’s most valuable asset.
    • Data-driven decisions for a strong brand.
    • Investing in brand-building efforts means investing in your success.

    Impact and Result

    • Increase brand awareness and equity.
    • Build trust and improve customer retention and loyalty.
    • Achieve higher and faster growth.

    Diagnose Brand Health to Improve Business Growth Research & Tools

    Diagnose Brand Health to Improve Business Growth Executive Brief – A deck to help diagnose brand health to improve business growth.

    In this executive brief, you will discover the importance of a strong brand on the valuation, growth, and sustainability of your company. You will also learn about SoftwareReviews' approach to assessing current performance and gaining visibility into areas of improvement.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Brand Diagnostic and Analysis Tool Kit

    A comprehensive set of tools to gather and interpret qualitative and quantitative brand performance metrics.

    • Brand Diagnostic Tool - Digital Metrics Analysis Template
    • Brand Diagnostic Tool - Financial Metrics Analysis Template
    • Brand Diagnostic Tool Survey and Interview Questionnaires and Lists Template
    • Survey Emails Best Practices Guidelines
    • Brand Diagnostic Tool - External and Internal Factors Metrics Analysis Template

    2. Brand Diagnostic Executive Presentation

    Fully customizable, pre-built PowerPoint presentation template to communicate the results of the brand performance diagnostic, areas of improvement and trends, as well as your recommendations. It will also allow you to identify and align executive members and key stakeholders on next steps, and set priorities.

    • Brand Diagnostic - Executive Presentation Template

    Infographic

    Further reading

    Diagnose Brand Health to Improve Business Growth

    Have a significant and well-targeted impact on business success and growth by knowing how your brand performs, identifying areas of improvement, and making data-driven decisions to fix it.

    EXECUTIVE BRIEF

    SoftwareReviews is a division of Info-Tech Research Group Inc., a world-class IT research and consulting firm established in 1997.
    Backed by two decades of IT research and advisory experience, SoftwareReviews offers the most comprehensive insight into the enterprise software landscape and client-vendor relationships.

    Analyst Perspective

    Brand Diagnostic and Monitoring

    In the ever-changing market landscape in which businesses operate, it is imperative to ensure that the brand stays top of mind and quickly adapts. Having a good understanding of where the brand stands and how it performs has become crucial for any company to stand out from its competitors and succeed in a crowded and very dynamic market.

    Unfortunately, the brand does not always receive the attention and importance it deserves, leaving it vulnerable to becoming outdated and unclear to the target audience and to losing its equity.

    Knowing how the brand is perceived, as opposed to how individuals within an organization perceive it, addressing any brand-related issues in a timely manner, and implementing processes to continuously monitor its performance have become key tactics for any company that wants to thrive in today's highly competitive market.

    Photo of Nathalie Vezina, Marketing Research Director, SoftwareReviews Advisory.

    Nathalie Vezina
    Marketing Research Director
    SoftwareReviews Advisory

    Executive Summary

    Your Challenge

    Because it is vulnerable to becoming outdated and unclear to the target audience and to losing its equity, it is essential to ensure that the brand is performing well and to be attentive to these signs of a weakened brand:

    • Low number and quality of leads generated, poor conversion rates, and declining customer retention and loyalty
    • Lack of understanding of the value proposition; lack of interest and interaction with the brand
    • Higher customer acquisition/marketing costs
    • Difficulties attracting and keeping talent, partners, or future investors
    • Low/slow growth; devaluation of the brand due to low brand equity
    		 Common Obstacles

    Building a strong brand is an everyday challenge, and brand leaders often face what may seem like overwhelming obstacles in achieving their goal. Here are some of the roadblocks they regularly face:

    • Limited visibility on brand perception and overall performance
    • Insufficient supporting information to make clear, undisputable data-driven decisions and convince key stakeholders how to improve brand performance
    • Limited resources (time, budget, headcount, tools) to diagnose, measure, and execute
    • Stakeholders may not be fully aware of the benefits of a strong brand and the impacts that a weak brand can have on the overall performance of the business
    		 SoftwareReviews’ Approach

    This SoftwareReviews blueprint provides the guidance and tools required to perform a thorough brand diagnostic and enable brand leaders to:

    • Know how the brand performs; pinpoint gaps and areas for improvement
    • Make clear, data-driven recommendations and decisions on how to fix and optimize the brand
    • Communicate, convince key stakeholders, and align on proposed solutions to optimize the brand’s performance
    • Continuously monitor and optimize the brand

    SoftwareReviews Advisory Insight

    The brand is a company’s most valuable asset that should never fall into disrepair. In fact, business leaders should ensure that at least half of their marketing budget is allocated to brand-building efforts.

    What is a brand?

    The brand – both intangible and the most valuable asset for businesses.

    Despite its intangible nature, the brand is at the heart of every business, small and large, around which rotates what drives business success and growth.

    While measuring its real value on the marketplace can be difficult, a brand with high salience will attract and retain customers for as long as it keeps evolving and adapting to its dynamic environment.

    Up to 90% of the total market value of companies is based on intangible assets, such as brand recognition. (Source: Ocean Tomo, 2020)

    		Multiple bubbles with the biggest bubble highlighted and labelled 'BRAND'. The other bubbles say 'IDENTITY', 'LOYALTY', 'TRUST', 'STRATEGY', 'GROWTH', 'AWARENESS', and 'VALUE'.

    What makes a brand strong?

    Perception Matters

    The brand reflects the image of a company or a product. The values it conveys and how it’s being perceived have a direct impact on a brand's ability to stand out and grow.

    A brand is strong when it:

    • Projects a positive image
    • Has a clear positioning and value proposition
    • Is authentic and inspiring
    • Conveys values that resonates
    • Is socially engaged
    • Builds awareness
    • Is consistent
    • Delivers on its promise
    • Inspires trust
    		 “In the past, a brand is what a company told you it was. Today, a brand is what people tell each other it is.” (Source: Mark Schaefer, 2019)

    Investing in building a brand, a top priority for businesses

    Company Valuation

    Branding has become a top priority for companies to increase the value of their business in the marketplace. A good market value is essential to attract and retain investors, obtain future rounds of financing, grow by acquisition, and find buyers.

    The more equity a brand gains, the higher its market value, despite the company’s annual revenue. While annual revenue is factored in the equation, the equity of the brand has a greater impact on the market value. A brand whose market value is lower than its revenue is an important indicator that the brand is weakened and needs to be addressed.

    		Revenue and Growth

    Most successful companies are investing heavily in building their brand, and for good reason. A strong brand will deliver the right messaging, and a unique and clear value proposition will resonate with its audience and directly impact customer acquisition costs, outperform competition, enable higher pricing, and increase sales volume and customer lifetime value.

    A strong brand also helps develop partner channels, attract and engage high-value partners, and allow for actionable and incremental KPIs.

    		Talent Acquisition and Retention

    Brands with strong values are more attractive to highly skilled talent without having to offer above-market salaries. In addition, when a brand inspires pride and shares common values with employees, it increases their motivation and the company’s retention rate.

    Retaining employees within the company allows for the development of talent and retention of knowledge within the organization, thus contributing to the sustainability of the organization.

    It's no wonder that employer branding has become an essential element of human resources strategies.

    “Sustainable Living Brands are growing 69% faster than the rest of the business and delivering 75% of the company’s growth.” (Source: Unilever, 2019, qtd. in Deloitte, 2021)

    Symptoms of a weakened brand

    Know if your brand is suffering and needs to be fixed.

    Brand leaders experiencing one or more of these brand-related symptoms should consider rebranding or optimizing their brand:
    • Low number and quality of leads generated, poor conversion rates, and declining customer retention and loyalty
    • Higher customer acquisition vs. marketing costs
    • Difficulties attracting and keeping talent, partners, and investors
    • Slow or low growth and devaluation of the brand due to low brand equity

    With visibility into your brand and the supporting data that provides a thorough diagnostic of the brand, combined with ongoing brand performance monitoring, you will have all the information you need to help you drive the brand forward, have a significant impact on business growth, and stand out as a brand leader.

    		The largest software companies have an average market cap of 18X their revenue (Source: Companies Market Cap, May 2022)

    Building a strong brand, an everyday challenge

    Brand leaders are often faced with overwhelming obstacles in building a strong brand.

    Limited visibility on brand perception and overall performance Insufficient information to make clear, undisputable data-driven decisions and convince key stakeholders how to improve brand performance Stock image of a person pulling a boulder.
    Misunderstanding of the benefits of a strong brand and negative impacts of a weak brand on business valuation and growth Limited resources (time, budget, headcount, tools) to diagnose, measure, and execute
    Only
    54%     		of businesses have a B2B brand program in place for measuring brand perceptions. (Source: B2B International, 2016) Only
    4%     		of B2B marketing teams measure the impact of their marketing/brand building efforts beyond six months. (Source: LinkedIn’s B2B Institute, 2019) 50%
    of marketing budget is what successful brands spend on average on brand-building efforts. (Source: Les Binet and Peter Field, 2018)
    82% of investors say name recognition is an important factor guiding them in their investment decisions. (Source: Global Banking & Finance Review, 2018) 77% of B2B marketers say branding is crucial for growth. (Source: Circle Research)

    Making brand performance visible

    Implement data-driven strategies and make fact-based decisions to continuously optimize brand performance.

    Diagnose your brand’s health
    Know how your brand is being perceived and have visibility on its performance.     		Cycle titled 'BRAND' with steps 'Diagnose', 'Identify', 'Fix', 'Keep Monitoring' and back to 'Diagnose'. Identify trends and areas of improvement
    Rely on undisputable and reliable data to make clear decisions and educate and communicate with key stakeholders.
    Keep monitoring your brand’s performance
    Stay on top of the game and keep away competitors by continuously monitoring your brand’s health.     		Fix issues with your brand in a timely manner
    Don’t lose the momentum. Achieve better results and have a greater impact on your success and chances to grow.

    Qualitative and quantitative brand performance measures

    Segmented by SoftwareReviews Advisory into three categories for a comprehensive diagnostic.

    Icon of a megaphone. Icon of a head with puzzle pieces. Icon of coins.
    Brand Equity
    • Awareness
    • Perception
    • Positioning
    • Recognition/recall
    • Trust
    		 Buyer’s Behavior
    • Interaction with the brand
    • Preference
    • Purchase intent
    • Product reviews
    • Social engagement
    • Website traffic
    • Lead generation
    		 Financial
    • Revenue
    • Profit margin
    • Customer lifetime value (CLV)
    • Customer acquisition cost (CAC)
    • Intangible asset market value (IAMV)

    Benefits of a strong and healthy brand

    A healthy brand is the foundation of your success.

    Ensure a better understanding of the value proposition and positioning Drive more interest, interaction, and traction Increase brand awareness and equity Generate higher number and quality of leads
    Achieve higher and faster conversion rate Build trust and improve customer retention and loyalty Attract and keep talent, partners, and investors Achieve higher and faster growth

    Visual explaining the brand diagnostic methodology: 1. data collection and analysis; and 2. presentation and alignment. Outcomes: gain visibility into the brand's performance, highlight areas for improvement, and make data-driven decisions.

    Who benefits from diagnosing the brand?

    This Research Is Designed for:

    Brand leaders who are looking to:

    • Detect and monitor brand performance, issues, trends, and areas of improvement
    • Optimize and fix their brand
    • Develop strategies, and make recommendations and decisions based on facts
    • Get the support they need from key stakeholders
    		 This Research Will Help You:
    • Get the visibility you need on your brand’s performance
    • Pinpoint brand issues, trends, and areas of improvement
    • Develop data-driven strategies, and make recommendations and decisions based on facts
    • Communicate with and convince key stakeholders
    • Get the support you need from key stakeholders
    • Put in place new diagnostic and monitoring processes to continually improve your brand
    This Research Will Also Assist:
    • Sales with qualified lead generation and customer retention and loyalty
    • Human Resources in their efforts to attract and retain talent
    • The overall business with growth and increased market value
    		 This Research Will Help Them:
    • Have a better understanding of the importance of a strong brand on business growth and valuation
    • Align on next steps

    SoftwareReviews’ Brand Diagnostic Methodology

    0. Communication & Alignment 1. Data Collection 2. Data Analysis & Interpretation 3. Report & Presentation
    Phase Steps
    1. Engage and unify the team
    2. Communicate and present
    3. Align on next steps
    1. Identify and document internal and external changes affecting the brand
    2. Conduct internal and external brand perception surveys
    3. Gather customer loyalty feedback
    4. Collect digital performance metrics
    1. Analyze data collected
    2. Identify issues, trends, gaps, and inconsistencies
    3. Compare data with current brand statement
    1. Build report with recommendations
    2. Prioritize brand fixes from high to low positive impact
    3. Build presentation
    Phase Outcomes
    • Importance of the brand is recognized
    • Endorsement and prioritization
    • Support and resources
    • All relevant data/information is collected in one place
    • Visibility on the performance of the brand
    • All the data in hand to support recommendations and make informed decisions
    • Visibility and clear understanding of the brand’s health and how to fix or improve its performance

    Insight summary

    The Brand: Intangible, yet a company’s most valuable asset

    Intangible assets, such as brand recognition, account for almost all of a company’s value.1 Despite its intangible nature, the brand is at the heart of every business and has a direct impact on business growth, profitability, and revenue. While measuring its real value on the marketplace can be difficult, a brand with high traction will attract customers and keep them for as long as it keeps evolving and adapting to its dynamic environment.

    Making brand issues visible

    Having a clear understanding of how the brand performs has become crucial for any company that wants to stand out from its competitors and succeed in a crowded and highly dynamic marketplace.

    Data-driven decisions for a strong brand

    Intuition-based or uninformed decisions are obsolete. Brand leaders must base their decisions on facts to be able to convince key stakeholders.

    Building a strong brand, an everyday challenge

    Brand leaders often face overwhelming obstacles building strong brands. They need guidance and tools to support them to drive the business forward.

    Get team buy-in and alignment

    Brand leaders must ensure that the key stakeholders are aware of the importance of a strong brand to business growth and value increase and that they are aligned and committed to the efforts required to build a successful brand.

    Investing in brand-building efforts means investing in your success

    Successful business leaders allocate at least half of their marketing budget2 to brand-building efforts, enabling them to set themselves apart, significantly increase their market share, grow their business, and thrive in a highly competitive marketplace.

    Guided Implementation

    A Guided Implementation (GI) is a series of calls with a SoftwareReviews Marketing Analyst to help implement our best practices in your organization.

    Your engagement managers will work with you to schedule analyst calls.

    What does a typical GI on this topic look like?

    Brand Diagnostic

    Data Analysis & Interpretation

    Report & Presentation Building

    Communication & Alignment
    Call #1: Discuss concept and benefits of performing a brand diagnostic. Identify key stakeholders. Anticipate concerns and objections.

    Call #2: Discuss how to use the tool. Identify resources and internal support needed.

    		Call #3: Review results. Discuss how to identify brand issues, areas of improvement, and trends based on data collected and to interpret key metrics.

    Call #4 (optional): Continue discussion from call #3.

    Call #5: Discuss recommendations and best practices to fix the issues identified and resources required.

    		Call #6: Discuss purpose and how to build the report and presentation, Prioritize the brand fixes from high to low positive impact.

    Call #7 (optional): Follow up with call on report and presentation preparation.

    		Call #8: Discuss key points to focus on when presenting to key stakeholders and the desired outcome.

    Call #9: Discuss how to leverage brand diagnostic tools now in place and the benefits of continuously monitoring the brand.

    Call #10: Debrief and determine how we can help with next steps.

    Key deliverable:

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Brand Diagnostic Presentation Template

    Sample of the key deliverable, the Brand Diagnostic Presentation Template.

    Pre-built and fully customizable PowerPoint template to communicate key findings, areas of improvements, and recommendations to key stakeholders, align on next steps, and prioritize.

    Brand Diagnostic Report Dashboard

    Sample of the Brand Diagnostic Report Dashboard deliverable.

    Auto-filling dashboard built into the Brand Diagnostic Tool Kit. Ready to be saved and shared as a PDF.

    Brand Diagnostic Tool Kit

    Sample of the Brand Diagnostic Tool Kit deliverable.

    Comprehensive Excel Workbook to gather and interpret brand performance metrics. Includes survey questionnaires.

    Bibliography

    “71% of Consumers More Likely to Buy a Product or Service From a Name They Recognise.” Global Banking & Finance Review, 5 December 2018. Web.

    B2B Marketing Leaders Report. Circle Research, n.d. Web.

    Binet, Les, and Peter Field. Effectiveness In Context: A manual for Brand Building. Institute of Practitioners in Advertising, 12 October 2018. Ebook.

    “Current Trends in the World of B2B Marketing, 2016 Survey.” B2B International, 2016. Web.

    Intangible Asset Market Value Study. Ocean Tomo, July 2020. Web.

    Largest Software Companies By Market Cap. Companies Market Cap, May 2022. Web.

    “Unilever, purpose-led brands outperform.” Unilever, 6 October 2019. Web. qtd. in Kounkel, Suzanne, Amy Silverstein, and Kathleen Peeters. “2021 Global Marketing Trends.” Deloitte Insights, 2020. Web.

    Schaefer, Mark. “The Future Of Branding Is Human Impressions.” Mark Schaefer Blog, 3 June 2019. Web.

    The 5 Principles Of Growth In B2B Marketing - Empirical Observations on B2B Effectiveness. LinkedIn B2B Institute, 2019. Web.

    Visual explaining the brand diagnostic methodology: 1. data collection and analysis; and 2. presentation and alignment. Outcomes: gain visibility into the brand's performance, highlight areas for improvement, and make data-driven decisions.

    Who benefits from diagnosing the brand?

    This Research Is Designed for:

    Brand leaders who are looking to:

    • Detect and monitor brand performance, issues, trends, and areas of improvement
    • Optimize and fix their brand
    • Develop strategies, and make recommendations and decisions based on facts
    • Get the support they need from key stakeholders
    		 This Research Will Help You:
    • Get the visibility you need on your brand’s performance
    • Pinpoint brand issues, trends, and areas of improvement
    • Develop data-driven strategies, and make recommendations and decisions based on facts
    • Communicate with and convince key stakeholders
    • Get the support you need from key stakeholders
    • Put in place new diagnostic and monitoring processes to continually improve your brand
    This Research Will Also Assist:
    • Sales with qualified lead generation and customer retention and loyalty
    • Human Resources in their efforts to attract and retain talent
    • The overall business with growth and increased market value
    		 This Research Will Help Them:
    • Have a better understanding of the importance of a strong brand on business growth and valuation
    • Align on next steps

    SoftwareReviews’ Brand Diagnostic Methodology

    0. Communication & Alignment 1. Data Collection 2. Data Analysis & Interpretation 3. Report & Presentation
    Phase Steps
    1. Engage and unify the team
    2. Communicate and present
    3. Align on next steps
    1. Identify and document internal and external changes affecting the brand
    2. Conduct internal and external brand perception surveys
    3. Gather customer loyalty feedback
    4. Collect digital performance metrics
    1. Analyze data collected
    2. Identify issues, trends, gaps, and inconsistencies
    3. Compare data with current brand statement
    1. Build report with recommendations
    2. Prioritize brand fixes from high to low positive impact
    3. Build presentation
    Phase Outcomes
    • Importance of the brand is recognized
    • Endorsement and prioritization
    • Support and resources
    • All relevant data/information is collected in one place
    • Visibility on the performance of the brand
    • All the data in hand to support recommendations and make informed decisions
    • Visibility and clear understanding of the brand’s health and how to fix or improve its performance

    Insight summary

    The Brand: Intangible, yet a company’s most valuable asset

    Intangible assets, such as brand recognition, account for almost all of a company’s value.1 Despite its intangible nature, the brand is at the heart of every business and has a direct impact on business growth, profitability, and revenue. While measuring its real value on the marketplace can be difficult, a brand with high traction will attract customers and keep them for as long as it keeps evolving and adapting to its dynamic environment.

    Making brand issues visible

    Having a clear understanding of how the brand performs has become crucial for any company that wants to stand out from its competitors and succeed in a crowded and highly dynamic marketplace.

    Data-driven decisions for a strong brand

    Intuition-based or uninformed decisions are obsolete. Brand leaders must base their decisions on facts to be able to convince key stakeholders.

    Building a strong brand, an everyday challenge

    Brand leaders often face overwhelming obstacles building strong brands. They need guidance and tools to support them to drive the business forward.

    Get team buy-in and alignment

    Brand leaders must ensure that the key stakeholders are aware of the importance of a strong brand to business growth and value increase and that they are aligned and committed to the efforts required to build a successful brand.

    Investing in brand-building efforts means investing in your success

    Successful business leaders allocate at least half of their marketing budget2 to brand-building efforts, enabling them to set themselves apart, significantly increase their market share, grow their business, and thrive in a highly competitive marketplace.

    Guided Implementation

    A Guided Implementation (GI) is a series of calls with a SoftwareReviews Marketing Analyst to help implement our best practices in your organization.

    Your engagement managers will work with you to schedule analyst calls.

    What does a typical GI on this topic look like?

    Brand Diagnostic

    Data Analysis & Interpretation

    Report & Presentation Building

    Communication & Alignment
    Call #1: Discuss concept and benefits of performing a brand diagnostic. Identify key stakeholders. Anticipate concerns and objections.

    Call #2: Discuss how to use the tool. Identify resources and internal support needed.

    		Call #3: Review results. Discuss how to identify brand issues, areas of improvement, and trends based on data collected and to interpret key metrics.

    Call #4 (optional): Continue discussion from call #3.

    Call #5: Discuss recommendations and best practices to fix the issues identified and resources required.

    		Call #6: Discuss purpose and how to build the report and presentation, Prioritize the brand fixes from high to low positive impact.

    Call #7 (optional): Follow up with call on report and presentation preparation.

    		Call #8: Discuss key points to focus on when presenting to key stakeholders and the desired outcome.

    Call #9: Discuss how to leverage brand diagnostic tools now in place and the benefits of continuously monitoring the brand.

    Call #10: Debrief and determine how we can help with next steps.

    Key deliverable:

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Brand Diagnostic Presentation Template

    Sample of the key deliverable, the Brand Diagnostic Presentation Template.

    Pre-built and fully customizable PowerPoint template to communicate key findings, areas of improvements, and recommendations to key stakeholders, align on next steps, and prioritize.

    Brand Diagnostic Report Dashboard

    Sample of the Brand Diagnostic Report Dashboard deliverable.

    Auto-filling dashboard built into the Brand Diagnostic Tool Kit. Ready to be saved and shared as a PDF.

    Brand Diagnostic Tool Kit

    Sample of the Brand Diagnostic Tool Kit deliverable.

    Comprehensive Excel Workbook to gather and interpret brand performance metrics. Includes survey questionnaires.

    Bibliography

    “71% of Consumers More Likely to Buy a Product or Service From a Name They Recognise.” Global Banking & Finance Review, 5 December 2018. Web.

    B2B Marketing Leaders Report. Circle Research, n.d. Web.

    Binet, Les, and Peter Field. Effectiveness In Context: A manual for Brand Building. Institute of Practitioners in Advertising, 12 October 2018. Ebook.

    “Current Trends in the World of B2B Marketing, 2016 Survey.” B2B International, 2016. Web.

    Intangible Asset Market Value Study. Ocean Tomo, July 2020. Web.

    Largest Software Companies By Market Cap. Companies Market Cap, May 2022. Web.

    “Unilever, purpose-led brands outperform.” Unilever, 6 October 2019. Web. qtd. in Kounkel, Suzanne, Amy Silverstein, and Kathleen Peeters. “2021 Global Marketing Trends.” Deloitte Insights, 2020. Web.

    Schaefer, Mark. “The Future Of Branding Is Human Impressions.” Mark Schaefer Blog, 3 June 2019. Web.

    The 5 Principles Of Growth In B2B Marketing - Empirical Observations on B2B Effectiveness. LinkedIn B2B Institute, 2019. Web.

    Explore the Secrets of SAP Digital Access Licensing

    • Buy Link or Shortcode: {j2store}143|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Licensing
    • Parent Category Link: /licensing
    • SAP’s licensing rules surrounding use and indirect access are vague, making it extremely difficult to purchase with confidence and remain compliant.
    • SAP has released nine document-type licenses that can be used in digital access licensing scenarios, but this model has its own challenges.
    • Whether you decide to remain “as is” or proactively change licensing over to the document model, either option can be costly and confusing.
    • Indirect static read can be a cause of noncompliance when data is exported but the processing capability of SAP ERP is used in real time.

    Our Advice

    Critical Insight

    • Examine all indirect access possibilities. Understanding how in-house or third-party applications may be accessing and utilizing the SAP digital core is critical to be able to correctly address issues.
    • Know what’s in your contract. Each customer agreement is different, and older agreements may provide both benefits and challenges when evaluating your SAP license position.
    • Understand the intricacies of document licensing. While it may seem digital access licensing will solve compliance concerns, there are still questions to address and challenges SAP must resolve.

    Impact and Result

    • Conduct an internal analysis to examine where digital access licensing may be needed to mitigate risk, as SAP will be speaking with all customers in due course. Indirect access can be a costly audit settlement.
    • Conduct an analysis to remove inactive and duplicate users, as multiple logins may exist and could end up costing the organization license fees when audited.
    • Adopt a cyclical approach to reviewing your SAP licensing and create a reference document to track your software needs, planned licensing, and purchase negotiation points.
    • Learn the SAP way of conducting business, which includes a best-in-class sales structure and unique contracts and license use policies, combined with a hyper-aggressive compliance function. Conducting business with SAP is not a typical vendor experience, and you will need different tools to emerge successfully from a commercial transaction.

    Explore the Secrets of SAP Digital Access Licensing Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you need to understand and document your SAP digital access licensing strategy, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Understand, assess, and decide on digital access licensing

    Begin your SAP digital access licensing journey by evaluating licensing changes and options, and then make contractual changes to ensure compliance.

    • Explore the Secrets of SAP Digital Access Licensing – Phase 1: Understand, Assess, and Decide on Digital Access Licensing
    • SAP License Summary and Analysis Tool
    • SAP Digital Access Licensing Pricing Tool
    [infographic]

    Optimize Your Software Selection Process: Why 5 and 30 Are the Magic Numbers

    • Buy Link or Shortcode: {j2store}607|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Selection & Implementation
    • Parent Category Link: /selection-and-implementation
    • Software selection takes forever. The process of choosing even the smallest apps can drag on for years: sometimes in perpetuity. Software selection teams are sprawling, leading to scheduling slowdowns and scope creep. Moreover, cumbersome or ad hoc selection processes lead to business-driven software selection.

    Our Advice

    Critical Insight

    • Maximize project effectiveness with a five-person team. Project satisfaction and effectiveness is stagnant or decreases once the team grows beyond five people.
    • Tight project timelines are critical. Keep stakeholders engaged with a defined application selection timeline that moves the project forward briskly – 30 days is optimal.
    • Empower both IT and end users with a standardized selection process to consistently achieve high satisfaction coming out of software selection projects.

    Impact and Result

    • Shatter stakeholder expectations with truly rapid application selections.
    • Put the “short” back in shortlist by consolidating the vendor shortlist up-front and reducing downstream effort.
    • Identify high-impact software functionality by evaluating fewer use cases.
    • Lock in hard savings and do not pay list price by using data-driven tactics.

    Optimize Your Software Selection Process: Why 5 and 30 Are the Magic Numbers Research & Tools

    Discover the Magic Numbers

    Increase project satisfaction with a five-person core software selection team that will close out projects within 30 days.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Optimize Your Software Selection Process: Why 5 and 30 Are the Magic Numbers Storyboard

    1. Align and eliminate elapsed time

    Ensure a formal selection process is in place and make a concerted effort to align stakeholder calendars.

    2. Reduce low-impact activities

    Reduce time spent watching vendor dog and pony shows, while reducing the size of your RFPs or skipping them entirely.

    3. Focus on high-impact activities

    Narrow the field to four contenders prior to in-depth comparison and engage in accelerated enterprise architecture oversight.

    4. Use these rapid and essential selection tools

    Focus on key use cases rather than lists of features.

    • The Software Selection Workbook
    • The Vendor Evaluation Workbook
    • The Guide to Software Selection: A Business Stakeholder Manual

    5. Engage Two Viable Vendors in Negotiation

    Save more by bringing two vendors to the final stage of the project and surfacing a consolidated list of demands prior to entering negotiation.

    [infographic]

    Further reading

    Optimize Your Software Selection Process: Why 5 and 30 Are the Magic Numbers

    Select your applications better, faster, and cheaper.

    How to Read This Software Selection Insight Primer

    1. 43,000 Data Points

      2. This report is based on data gathered from a survey of 43,000 real-world IT practitioners.

    2. Aggregating Feedback

      3. The data is compiled from SoftwareReviews (a sister company of Info-Tech Research Group), which collects and aggregates feedback on a wide variety of enterprise technologies.

    3. Insights Backed by Data

      4. The insights, charts, and graphs in this presentation are all derived from data submitted by real end users.

    The First Magic Number Is Five

    The optimal software selection team comprises five people

    • Derived from 43,000 data points. Analysis of thousands of software selection projects makes it clear a tight core selection team accelerates the selection process.
    • Five people make up the core team. A small but cross-functional team keeps the project moving without getting bogged down on calendar alignment and endless back-and-forth.
    • It is a balancing act. Having too few stakeholders on the core selection team will lead to missing valuable information, while having too many will lead to delays and politically driven inefficiencies.

    There Are Major Benefits to Narrowing the Selection Team Size to Five

    Limit the risk of ineffective “decision making by committee”

    Expedite resolution of key issues and accelerate crucial decisions

    Achieve alignment on critical requirements

    Streamline calendar management

    Info-Tech Insight

    Too many cooks spoil the broth: create a highly focused selection team that can devote the majority of its time to the project while it’s in flight to demonstrate faster time to value.

    Arm Yourself With Data to Choose the Right Plays for Selection

    Software selection takes forever. The process of choosing even the smallest apps can drag on for years: sometimes in perpetuity.

    Organizations keep too many players on the field, leading to scheduling slowdowns and scope creep.

    Keeping the size of the core selection team down, while liaising with more stakeholders and subject matter experts (SMEs), leads to improved results.

    Maximize project effectiveness with a five-person team. Project satisfaction and effectiveness are stagnant or decrease once the team grows beyond five people.

    Cumbersome or ad hoc selection processes lead to business-driven software selection.

    Increase stakeholder satisfaction by using a consistent selection framework that captures their needs while not being a burden.

    Empower both IT and end users with a standardized selection process to consistently achieve high satisfaction coming out of software selection projects.

    The image contains a graph that is titled: A compact selection team can save you weeks. The graph demonstrates time saved with a five person team in comparison to larger teams.

    Project Satisfaction and Effectiveness Are Stagnant Once the Team Grows Beyond Five People

    The image contains a graph to demonstrate project satisfaction and effectiveness being stagnant with a team larger than five.
    • There is only a marginal difference in selection effectiveness when more people are involved, so why include so many? It only bogs down the process!
    • Full-time resourcing: At least one member of the five team members must be allocated to the selection initiative as a full-time resource.

    Info-Tech Insight

    It sounds natural to include as many players as possible in the core selection group; however, expanding the group beyond five people does not lead to an increase in satisfaction. Consider including a general stakeholder feedback working session instead.

    Shorten Project Duration by Capping the Selection Team at Five People

    However, it is important to make all stakeholders feel heard

    The image contains a graph to demonstrate that an increase in time and effort connects with an increase in total number of people involved.

    Exclusion is not the name of the game.

    • Remember, we are talking about the core selection team.
    • Help stakeholders understand their role in the project.
    • Educate stakeholders about your approach to selection.
    • Ensure stakeholders understand why the official selection team is being capped at five people.
    • Soliciting requirements and feedback from a broader array of stakeholders is still critical.

    Large Organizations Benefit From Compact Selection Teams Just as Much as Small Firms

    Think big even if your organization is small

    Small organizations

    Teams smaller than five people are common due to limited resources.

    Medium organizations

    Selection project satisfaction peaks with teams of fewer than two people. Consider growing the team to about five people to make stakeholders feel more included with minimal drops in satisfaction.

    Large organizations

    Satisfaction peaks when teams are kept to three to five people. With many SMEs available, it is critical to choose the right players for your team.

    The image contains a multi bar graph to demonstrate the benefits of compact selection teams depending on the size of the company, small, medium, or large.

    Keep the Core Selection Team to Five People Regardless of the Software Category

    Smaller selection teams yield increased satisfaction across software categories

    Info-Tech Insight

    Core team size remains the same regardless of the application being selected. However, team composition will vary depending on the end users being targeted.

    Think beyond application complexity

    • Our instinct is to vary the size of the core selection team based on perceived application complexity.
    • The data has demonstrated that a small team yields increased satisfaction for applications across a wide array of application complexity profiles.
    • The real differentiator for complex applications will be the number of stakeholders that the core selection team liaise with, particularly for defining strong requirements.

    The image contains a graph to demonstrate satisfaction across software categories increases with smaller selection teams.

    The Second Magic Number Is 30

    Finish the project while stakeholders are still fully engaged in order to maximize satisfaction

    • 30- to 60-day project timelines are critical. Keep stakeholders engaged with a defined application selection timeline that moves the project forward briskly.
    • Strike while the iron is hot. Deliver applications in a timely manner after the initial request. Don’t let IT become the bottleneck for process optimization.
    • Minimize scope creep: As projects drag on in perpetuity, the scope of the project balloons to something that cannot possibly achieve key business objectives in a timely fashion.

    Aggressively Timeboxing the Project Yields Benefits Across Multiple Software Categories

    After four weeks, stakeholder satisfaction is variable

    The image contains a graph to demonstrate that aggressively timeboxing the project yields benefits across multiple software categories.
    Only categories with at least 1,000 responses were included in the analysis.

    Achieve peak satisfaction by allotting 30 days for an application selection project.

    • Spending two weeks or less typically leads to higher levels of satisfaction for each category because it leaves more time for negotiation, implementation, and making sure everything works properly (especially if there is a time constraint).
    • Watch out for the “satisfaction danger zone” once project enters the 6- to 12-week mark. Completing a selection in four weeks yields greater satisfaction.

    Spend Your Time Wisely to Complete the Selection in 30 Days

    Save time in the first three phases of the selection project

    Awareness

    Education & Discovery

    Evaluation

    Reduce Time

    Reduce Time

    Reduce Time

    Save time duplicating existing market research. Save time and maintain alignment with focus groups.

    Save time across tedious demos and understanding the marketplace.

    Save time gathering detailed historical requirements. Instead, focus on key issues.

    Info-Tech Insight – Awareness

    Timebox the process of impact analysis. More time should be spent performing the action than building a business case.

    Info-Tech Insight – Education

    Save time duplicating existing market research. Save time and maintain alignment with focus groups.

    Info-Tech Insight – Evaluation

    Decision committee time is valuable. Get up to speed using third-party data and written collateral. Use committee time to conduct investigative interviews instead. Salesperson charisma and marketing collateral quality should not be primary selection criteria. Sadly, this is the case far too often.

    Limit Project Duration to 30 Days Regardless of the Application Being Selected

    Timeboxing application selection yields increased satisfaction across software categories

    The image contains a graph to demonstrate selection effort in weeks by satisfaction. The graph includes informal and formal methods on the graph across the software categories.

    Info-Tech Insight

    Office collaboration tools are a great case study for increasing satisfaction with decreased time to selection. Given the sharp impetus of COVID-19, many organizations quickly selected tools like Zoom and Teams, enabling remote work with very high end-user satisfaction.

    There are alternative approaches for enterprise-sized applications:

    • New applications that demand rigorous business process improvement efforts may require allotting time for prework before engaging in the 30-day selection project.
    • To ensure that IT is using the right framework, understand the cost and complexity profile of the application you’re looking to select.

    The Data Also Shows That There Are Five Additional Keys to Improving Your Selection Process

    1. ALIGN & ELIMINATE ELAPSED TIME
    • Ensure a formal selection process is in place.
    • Balance the core selection team’s composition.
    • Make a concerted effort to align stakeholder calendars.
    2. REDUCE TIME SPENT ON LOW-IMPACT ACTIVITIES
    • Reduce time spent on internet research. Leverage hard data and experts.
    • Reduce RFP size or skip RFPs entirely.
    • Reduce time spent watching vendor dog and pony shows.
    3. FOCUS ON HIGH- IMPACT ACTIVITIES
    • Narrow the field to four contenders prior to in-depth comparison.
    • Identify portfolio overlap with accelerated enterprise architecture oversight.
    • Focus on investigative interviews and proof of concept projects.
    4. USE RAPID & ESSENTIAL ASSESSMENT TOOLS
    • Focus on key use cases, not lists of features.
    • You only need three essential tools: Info-Tech’s Vendor Evaluation Workbook, Software Selection Workbook, and Business Stakeholder Manual.
    5. ENGAGE TWO VIABLE VENDORS IN NEGOTIATION
    • Save more during negotiation by selecting two viable alternatives.
    • Surface a consolidated list of demands prior to entering negotiation.
    • Communicate your success with the organization.

    1. Align & Eliminate Elapsed Time

    ✓ Ensure a formal selection process is in place.

    ✓ Reduce time by timeboxing the project to 30 days.

    ✓ Align the calendars of the five-person core selection team.

    Improving Your IT Department’s Software Selection Capability Yields Big Results

    Time spent building a better process for software selection is a great investment

    • Enterprise application selection is an activity that every IT department must embark on, often many times per year.
    • The frequency and repeatability of software selection means it is an indispensable process to target for optimization.
    • A formal process is not always synonymous with a well-oiled process.
    • Even if you have a formal selection process already in place, it’s imperative to take a concerted approach to continuous improvement.

    It is critical to improve the selection process before formalizing

    Leverage Info-Tech’s Rapid Application Selection Framework to gain insights on how you can fine-tune and accelerate existing codified approaches to application selection.

    Before Condensing the Selection Team, First Formalize the Software Selection Process

    Software selection processes are challenging

    Vendor selection is politically charged, requiring Procurement to navigate around stakeholder biases and existing relationships.

    Stakeholders

    The process is time consuming and often started too late. In the absence of clarity around requirements, it is easy to default to looking at price instead of best functional and architectural fit.

    Timing

    Defining formal process and methodology

    Formal selection methodologies are repeatable processes that anybody can consistently follow to quickly select new technology.

    Repeatable

    The goal of formalizing the approach is to enable IT to deliver business value consistently while also empowering stakeholders to find tools that meet their needs. Remember! A formal selection process is synonymous with a bureaucratic, overblown approach.

    Driving Value

    Most Organizations Are Already Using a Formal Software Selection Methodology

    Don’t get left behind!

    • A common misconception for software selection is that only large organizations have formal processes.
    • The reality is that organizations of all sizes are making use of formal processes for software selection.
    • Moreover, using a standardized method to evaluate new technology is most likely common practice among your competitors regardless of their size.
    • It is important to remember that the level of rigor for the processes will vary based not only on project size but also on organization size.
    Only categories with at least 1,000 responses were included in the analysis.

    The image contains a double bar graph that compares the sizes of companies using formal or informal evaluation and selection methodology.

    Use a Formal Evaluation and Selection Methodology to Achieve Higher Satisfaction

    A formal selection process does not equal a bloated selection process

    • No matter what process is being used, you should consider implementing a formal methodology to reduce the amount of time required to select the software. This trend continues across different levels of software (commodity, complex, and enterprise).
    • It is worth noting that using a process can actually add more time to the selection process, so it is important to know how to use it properly.
    • Don’t use just one process: you should use a combination, but don’t use more than three when selecting your software.
    The image contains a double bar graph to demonstrate the difference between formal and informal evaluation to achieve a higher satisfaction.

    Hit a Home Run With Your Business Stakeholders

    Use a data-driven approach to select the right application vendor for their needs – fast

    The image contains a screenshot of the data-drive approach. The approach includes: awareness, education & discovery, evaluation, selection, negotiation & configuration.

    Investing time improving your software selection methodology has big returns.

    Info-Tech Insight

    Not all software selection projects are created equal – some are very small; some span the entire enterprise. To ensure that IT is using the right framework, understand the cost and complexity profile of the application you’re looking to select. The Rapid Application Selection Framework approach is best for commodity and mid-tier enterprise applications; selecting complex applications is better handled by the methodology described in Implement a Proactive and Consistent Vendor Selection Process.

    Lock Down the Key Players Before Setting Up the Relevant Timeline

    You are the quarterback of your selection team

    Don’t get bogged down “waiting for the stars to align” in terms of people’s availability: if you wait for the perfect alignment, the project may never get done.

    If a key stakeholder is unavailable for weeks or months due to PTO or other commitments, don’t jeopardize project timelines to wait for them to be free. Find a relevant designate that can act in their stead!

    You don’t need the entire team on the field at once. Keep certain stakeholders on the bench to swap in and out as needed.

    Info-Tech Insight

    Assemble the key stakeholders for project kick-off to synchronize the application selection process and limit elapsed time. Getting all parties on the same page increases output satisfaction and eliminates rework. Save time and get input from key stakeholders at the project kick-off.

    Assemble a Cross-Functional Team for Best Results

    A blend of both worlds gets the best of both worlds from domain expertise (technical and business)

    The image contains a graph labelled: Likeliness to recommend. It is described in the text below.

    How to manage the cross-functional selection team:

    • There should be a combination of IT and businesspeople involved in the selection process, and ideally the ratio would be balanced.
    • No matter what you are looking for, you should never include more than five people in the selection process.
    • You can keep key stakeholders and other important individuals informed with what is going on, but they don’t necessarily have to be involved in the selection process.

    Leverage a Five-Person Team With Players From Both IT and the Business

    For maximum effectiveness, assign at least one resource to the project on a full-time basis

    IT Leader

    Technical IT

    Business Analyst/ Project Manager

    Business Lead

    Process Expert

    This team member is an IT director or CIO who will provide sponsorship and oversight from the IT perspective.

    This team member will focus on application security, integration, and enterprise architecture.

    This team member elicits business needs and translates them into technology requirements.

    This team member will provide sponsorship from the business needs perspective.

    This team member will contribute their domain-specific knowledge around the processes that the new application supports.

    Info-Tech Insight

    It is critical for the selection team to determine who has decision rights. Organizational culture will play the largest role in dictating which team member holds the final say for selection decisions.

    Ensure That Your Project Has the Right Mix of the Core Team and Ancillary Stakeholders

    Who is involved in selecting the new application?

    • Core selection team:
      • The core team ideally comprises just five members.
      • There will be representatives from IT and the specific business function that is most impacted by the application.
      • The team is typically anchored by a business analyst or project management professional.
      • This is the team that is ultimately accountable for ensuring that the project stays on track and that the right vendor is selected.
    • Ancillary stakeholders:
      • These stakeholders are brought into the selection project on an as-needed basis. They offer commentary on requirements and technical know-how.
      • They will be impacted by the project outcome but they do not bear ultimate accountability for selecting the application.
    The image contains an outer circle that lists Ancillary Stakeholders, and an inner selection team that lists core selection teams.

    Tweak the Team Composition Based on the Application Category in Question

    All applications are different. Some categories may require a slightly different balance of business and IT users.

    When to adjust the selection team’s business to IT ratio:

    • Increase the number of business stakeholders for customer-centric applications like customer relationship management and customer service management.
    • Keep projects staffed with more technical resources when selecting internal-facing tools like network monitoring platforms, next-generation firewalls, and endpoint protection systems.
    The image contains a graph to demonstrate how to tweak the team composition based on the application category.

    When to adjust the selection team’s business to IT ratio:

    • Increase the number of business stakeholders for customer-centric applications like customer relationship management and customer service management.
    • Keep projects staffed with more technical resources when selecting internal-facing tools like network monitoring platforms, next-generation firewalls, and endpoint protection systems.

    Balance the Selection Team With Decision Makers and Front-Line Resources

    Find the right balance!

    • Make sure to include key decision makers to increase the velocity of approvals.
    • However, it is critical to include the right number of front-line resources to ensure that end-user needs are adequately reflected in the requirements and decision criteria used for selection.

    The image contains a graph on the team composition with number of decision makers involved.

    Info-Tech Insight

    When selecting their software, organizations have an average of two to four business and IT decision makers/influencers on the core selection team.

    Optimize Meeting Cadence to Complete Selection in 30 Days

    Project Cadence:

    • Execute approximately one phase per week.
    • Conduct weekly checkpoints to move through your formal selection framework.
    • Allot two to four hours per touchpoint.

    The image contains a calendar with the five phases spread put over five weeks.

    Info-Tech Insight

    Use weekly touchpoints with the core selection team to eliminate broken telephone. Hold focus groups and workshops to take a more collaborative, timely, and consensus-driven approach to zero in on critical requirements.

    2. Reduce Time Spent on Low-Impact Activities

    ✓ Reduce time spent on internet research. Leverage hard data and experts.

    ✓ Reduce RFP size or skip RFPs entirely.

    ✓ Reduce time spent watching vendor dog and pony shows.

    Reduce Time Spent on Internet Research by Leveraging Hard Data and Experts

    REDUCE BIAS

    Taking a data-driven approach to vendor selection ensures that decisions are made in a manner that reduces human bias and exposure to misaligned incentives.

    SCORING MODELS

    Create a vendor scoring model that uses several different scored criteria (alignment to needs, alignment to architecture, cost, relationship, etc.) and weight them.

    AGGREGATE EXPERIENCES

    When you leverage services such as SoftwareReviews, you’re relying on amalgamated data from hundreds of others that have already been down this path: benefit from their experience!

    PEER-DRIVEN INSIGHTS

    Formally incorporate a review of Category Reports from SoftwareReviews into your vendor selection process to take advantage of peer-driven expert insights.

    Contact Us

    Info-Tech is just a phone call away. Our expert analysts can guide you to successful project completion at no additional cost to you.

    Bloated RFPs Are Weighing You Down

    Avoid “RFP overload” – parse back deliverables for smaller projects

    1. Many IT and procurement professionals are accustomed to deliverable-heavy application selection projects.
    2. Massive amounts of effort is spent creating onerous RFIs, RFPs, vendor demo scripts, reference guides, and Pugh matrices – with only incremental (if any) benefits.
    3. For smaller projects, focus on creating a minimum viable RFP that sketches out a brief need statement and highlights three or four critical process areas to avoid RFP fatigue.

    Draft a lightweight RFI (or minimum viable RFP) to give vendors a snapshot of your needs while managing effort

    An RFI or MV-RFP is a truncated RFP document that highlights core use cases to vendors while minimizing the amount of time the team has to spend building it.

    You may miss out on the right vendor if:

    • The RFP is too long or cumbersome for the vendor to respond.
    • Vendors believe their time is better spent relationship selling.
    • The RFP is unclear and leads them to believe they won’t be successful.
    • The vendor was forced to guess what you were looking for.

    How to write a successful RFI/MV-RFP:

    • Expend your energy relative to the complexity of the required solution or product you’re seeking.
    • A good MV-RFP is structured as follows: a brief description of your organization, business context, and key requirements. It should not exceed a half-dozen pages in length.
    • Be transparent.
    • This could potentially be a long-term relationship, so don’t try to trick suppliers.
    • Be clear in your expectations and focus on the key aspects of what you’re trying to achieve.

    Use the appropriate Info-Tech template for your needs (RFI, RFQ, or RFP). The Request for Information Template is best suited to the RASF approach.

    If Necessary, Make Sure That You Are Going About RFPs the Right Way

    RFPs only add satisfaction when done correctly

    The image contains a graph to demonstrate RFP and satisfaction.

    Info-Tech Insight

    Prescriptive yet flexible: Avoid RFP overload when selecting customer experience–centric applications, but a formal approach to selection is still beneficial.

    When will an RFP increase satisfaction?

    • Satisfaction is increased when the RFP is used in concert with a formal selection methodology. An RFP on its own does not drive significant value.
    • RFPs that focus on an application’s differentiating features lead to higher satisfaction with the selection process.
    • Using the RFP to evaluate mandatory or standard and/or mandatory features yields neutral results.

    Reduce Time Spent Watching Vendor Dog and Pony Shows

    Salesperson charisma and marketing collateral quality should not be primary selection criteria. Sadly, this is the case far too often.

    Use data to take control back from the vendor

    • Taking a data-driven approach to vendor selection ensures that decisions are made in a manner that reduces human bias and exposure to misaligned incentives.
    • When you leverage services such as SoftwareReviews, you’re relying on amalgamated data from hundreds of others that have already been down this path: benefit from their collective experience!

    Kill the “golf course effect” and eliminate stakeholder bias

    • A leading cause of selection failure is human bias. While rarely malicious, the reality is that decision makers and procurement staff can become unduly biased over time by vendor incentives. Conference passes, box seats, a strong interpersonal relationship – these are all things that may be valuable to a decision maker but have no bearing on the efficacy of an enterprise application.
    • A strong selection process mitigates human bias by using a weighted scoring model and basing decisions on hard data: cost, user satisfaction scores, and trusted third-party data from services such as SoftwareReviews.

    Conduct a Day of Rapid-Fire Investigative Interviews

    Zoom in on high-value use cases and answers to targeted questions

    Make sure the solution will work for your business

    Give each vendor 60 to 90 minutes to give a rapid-fire presentation. We suggest the following structure:

    • 20 minutes: company introduction and vision
    • 20 minutes: one high-value scenario walkthrough
    • 20-40 minutes: targeted Q&A from the business stakeholders and procurement team

    To ensure a consistent evaluation, vendors should be asked analogous questions, and a tabulation of answers should be conducted.

    How to challenge the vendors in the investigative interview

    • Change the visualization/presentation.
    • Change the underlying data.
    • Add additional data sets to the artifacts.
    • Collaboration capabilities.
    • Perform an investigation in terms of finding BI objects and identifying previous changes and examine the audit trail.

    Rapid-Fire Vendor Investigative Interview

    Invite vendors to come onsite (or join you via videoconference) to demonstrate the product and to answer questions. Use a highly targeted demo script to help identify how a vendor’s solution will fit your organization’s particular business capability needs.

    Spend Your Time Wisely and Accelerate the Process

    Join the B2B software selection r/evolution

    Awareness

    Education & Discovery

    Evaluation

    Selection

    Negotiation & Configuration

    Reduce Time

    Reduce Time

    Reduce Time

    Reduce Time

    Reduce Time

    Save time
    duplicating existing market research. Save time and maintain alignment with focus groups.

    Save time across tedious demos and understanding the marketplace.

    Save time gathering detailed historical requirements. Instead, focus on key issues.

    Use your time to validate how the solution will handle mission-critical requirements.

    Spend time negotiating with two viable alternatives to reduce price by up to 50%.

    Use a tier-based model to accelerate commodity and complex selection projects.

    Eliminate elapsed process time with focus groups and workshops.

    3. Focus on High-Impact Activities

    ✓ Narrow the field to four contenders prior to in-depth comparison.

    ✓ Identify portfolio overlap with accelerated enterprise architecture oversight.

    ✓ Focus on investigative interviews and proof of concept projects.

    Narrow the Field to a Maximum of Four Contenders

    Focus time spent on the players that we know can deliver strong value

    1. ACCELERATE SELECTION

    Save time by exclusively engaging vendors that support the organization’s differentiating requirements.

    2. DECISION CLARITY

    Prevent stakeholders from getting lost in the weeds with endless lists of vendors.

    3.CONDENSED DEMOS

    Limiting the project to four contenders allows you to stack demos/investigative interviews into the same day.

    4. LICENSING LEVERAGE

    Keep track of key differences between vendor offerings with a tight shortlist.

    Rapid & Effective Selection Decisions

    Consolidating the Vendor Shortlist Up-Front Reduces Downstream Effort

    Put the “short” back in shortlist!

    • Radically reduce effort by narrowing the field of potential vendors earlier in the selection process. Too many organizations don’t funnel their vendor shortlist until nearing the end of the selection process. The result is wasted time and effort evaluating options that are patently not a good fit.
    • Leverage external data (such as SoftwareReviews) and expert opinion to consolidate your shortlist into a smaller number of viable vendors before the investigative interview stage and eliminate time spent evaluating dozens of RFP responses.
    • Having fewer RFP responses to evaluate means you will have more time to do greater due diligence.

    Rapid Enterprise Architecture Evaluations Are High-Impact Activities

    When accelerating selection decisions, finding the right EA is a balancing act

    • Neglecting enterprise architecture as a shortcut to save time often leads to downstream integration problems and decreases application satisfaction.
    • On the other hand, overly drawn out enterprise architecture evaluations can lead to excessively focusing on technology integration versus having a clear and concise understanding of critical business needs.

    Info-Tech Insight

    Targeting an enterprise architecture evaluation as part of your software selection process that does not delay the selection while also providing sufficient insight into platform fit is critical.

    Key activities for rapid enterprise architecture evaluation include:

    1. Security analysis
    2. Portfolio overlap review + integration assessment
    3. Application standards check

    The data confirms that it is worthwhile to spend time on enterprise architecture

    • Considering software architecture fit up-front to determine if new software aligns with the existing application architecture directly links to greater satisfaction.
    • Stakeholders are most satisfied with their software value when there is a good architectural platform fit.
    • Stakeholders that ranked Architectural Platform Fit lower during the selection process were ultimately more unsatisfied with their software choice.

    The image contains a screenshot of data to demonstrate that it is worthwhile to spend time on enterprise architecture.

    Identify Portfolio Overlap With an Accelerated Enterprise Architecture Assessment

    Develop a clear view of any overlap within your target portfolio subset and clear rationalization/consolidation options

    • Application sprawl is a critical pain point in many organizations. It leads to wasted time, money, and effort as IT (and the business) maintain myriad applications that all serve the same functional purpose.
    • Opportunities are missed to consolidate and streamline associated business process management, training, and end-user adoption activities.
    • Identify which applications in your existing architecture serve a duplicate purpose: these applications are the ones you will want to target for consolidation.
    • As you select a new application, identify where it can be used to serve the goal for application rationalization (i.e. can we replace/retire existing applications in our portfolio by standardizing the new one?).

    Keep the scope manageable!

    • Highlight the major functional processes that are closely related to the application you’re selecting and identify which applications support each.
    • The template below represents a top-level view of a set of customer experience management (CXM) applications. Identify linkages between sets of applications and if they’re uni- or bi-directional.
    The image contains a screenshot of images that demonstrate portfolio overlap with an accelerated enterprise architecture assessment.

    Rapidly Evaluate the Security & Risk Profile for a Right-Sized Enterprise Architecture Evaluation

    There are four considerations for determining the security and risk profile for the new application

    1. Financial Risk
    • Consider the financial impact the new application has on the organization.
      • How significant is the investment in technology?
    • If this application fails to meet its business goals and deliver strong return on investment, will there be a significant amount of financial resources to mitigate the problem?
  • Data Sensitivity Risk
    • Understand the type of data that will be handled/stored by the application.
      • For example, a CRM will house customer personally identifiable information (PII) and an ECM will store confidential business documentation.
    • Determine the consequences of a potential breach (i.e. legal and financial).
  • Application Vulnerability Risk
    • Consider whether the application category has a historically strong security track record.
      • For example, enterprise cloud storage solutions may have a different level of vulnerability than an HRIS platform.
  • Infrastructure Risk
    • Determine whether the new application requires changes to infrastructure or additional security investments to safeguard expanded infrastructure.
    • Consider the ways in which the changes to infrastructure increase the vectors for security breaches.

    Spend More Time Validating Key Issues With Deep Technical Assessments

    The image contains a screenshot of an image of an iceberg. The top part of the iceberg is above water and labelled 40%. The rest of the iceberg is below water and is labelled 60%.

    Conversations With the Vendor

    • Initial conversations with the vendor build alignment on overall application capabilities, scope of work, and pricing.

    Pilot Projects and Trial Environments

    • Conduct a proof of concept project to ensure that the application satisfies your non-functional requirements.
    • Technical assessments not only demonstrate whether an application is compatible with your existing systems but also give your technical resources the confidence that the implementation process will be as smooth as possible.
    • Marketing collateral glosses over actual capabilities and differentiation. Use unbiased third-party data and detailed system training material.

    4. Use Rapid & Essential Assessment Tools

    ✓ Focus on key use cases, not lists of features.

    ✓ You only need three essential tools:

    1. Info-Tech’s Vendor Evaluation Workbook
    2. The Software Selection Workbook
    3. A Business Stakeholder Manual

    Focus on Key Use Cases, Not an Endless Laundry List of Table Stakes Features

    Focus on Critical Requirements

    Failure to differentiate must-have and nice-to-have use cases leads to applications full of non-critical features.

    Go Beyond the Table Stakes

    Accelerate the process by skipping common requirements that we know that every vendor will support.

    Streamline the Quantity of Use Cases

    Working with a tighter list of core use cases increases time spent evaluating the most impactful functionality.

    Over-Customization Kills Projects

    Eliminating dubious “sacred cow” requirements reduces costly and painful platform customization.

    Only Make Use of Essential Selection Artifacts

    Vendor selection projects often demand extensive and unnecessary documentation

    The Software Selection Workbook

    Work through the straightforward templates that tie to each phase of the Rapid Application Selection Framework, from assessing the business impact to requirements gathering.

    The image contains a screenshot of The Software Selection Workbook.

    The Vendor Evaluation Workbook

    Consolidate the vendor evaluation process into a single document. Easily compare vendors as you narrow the field to finalists.

    The image contains a screenshot of The Vendor Evaluation Workbook.

    The Guide to Software Selection: A Business Stakeholder Manual

    Quickly explain the Rapid Application Selection Framework to your team while also highlighting its benefits to stakeholders.

    The image contains a screenshot of The Guide to Software Selection: A Business Stakeholder Manual.

    Software Selection Engagement

    Five advisory calls over a five-week period to accelerate your selection process

    • Expert analyst guidance over five weeks on average to select and negotiate software.
    • Save money, align stakeholders, speed up the process, and make better decisions.
    • Use a repeatable, formal methodology to improve your application selection process.
    • Better, faster results, guaranteed, included in membership.
    The image contains a screenshot of the calendar over 30 days that outlines the five calls.

    Click here to book your selection engagement

    Software Selection Workshop

    With 40 hours of advisory assistance delivered online, select better software, faster.

    • 40 hours of expert analyst guidance.
    • Project and stakeholder management assistance.
    • Save money, align stakeholders, speed up the process, and make better decisions.
    • Better, faster results, guaranteed; $20K standard engagement fee.
    The image contains a screenshot of the calendar over 30 days that outlines the five calls.

    CLICK HERE TO BOOK YOUR WORKSHOP ENGAGEMENT

    5. Select Two Viable Options & Engage Both in Negotiation

    ✓ Save more during negotiation by selecting two viable alternatives.

    ✓ Surface a consolidated list of demands prior to entering negotiation.

    ✓ Communicate your success with the organization.

    Save More During Negotiation by Selecting Two Viable Alternatives

    VENDOR 1

    Build in a realistic plan B that allows you to apply leverage to the incumbent or primary vendor of choice.

    VENDOR 2

    If the top contender is aware that they do not have competition, they will be less inclined to make concessions.

    Maintain momentum with two options

    • Should you realize that the primary contender is no longer a viable option (i.e. security concerns), keeping a second vendor in play enables you to quickly pivot without slowing down the selection project.

    Secure best pricing by playing vendors off each other

    • Vendors are more likely to give concessions on the base price once they become aware that a direct competitor has entered the evaluation.

    Truly commit to a thorough analysis of alternatives

    • By evaluating competitive alternatives, you’ll get a more comprehensive view on market standards for a solution and be able to employ a range of negotiation tactics.

    Focus on 5-10 Specific Contract Change Requests

    Accelerate negotiation by picking your battles

    ANALYZE

    DOCUMENT

    CONSOLIDATE

    PRESENT
    • Parse the contract, order form, and terms & conditions for concerning language.
    • Leverage expertise from internal subject matter experts in addition to relevant legal council.
    • Document all concerns and challenges with the language in the vendor contract in a single spreadsheet.
    • Make vendors more receptive to your cause by going one step beyond writing what the change should be. Provide the reasoning behind the change and even the relevant context.
    • Identify the change requests that are most important for the success of the selection project.
    • Compile a list of the most critical change requests.
    • Consider including nice-to-have requests that you can leverage as strategic concessions.
    • Present the consolidated list of critical change requests to the vendor rather than sharing the entire range of potential changes to the contract.
    • Make sure to include context and background for each request.
    • Eliminate potential delays by proactively establishing a timeline for the vendor’s response.

    Share Stories of Cost Savings With the Organization

    Secure IT’s seat at the table

    Hard cost savings speak louder than words. Executive leadership will see IT as the go-to team for driving business value quickly, yet responsibly.

    Build hype around the new software

    Generate enthusiasm by highlighting the improved user experience provided by the new software that was has just been selected.

    Drive end-user adoption

    Position the cost savings as an opportunity to invest in onboarding. An application is only as valuable as your employees’ ability to effectively use it.

    Keep the process rolling

    Use the momentum from the project and its successful negotiation to roll out the accelerated selection approach to more departments across the organization.

    Overall: The Magic Number Saves You Time and Money

    Software selection takes forever. The process of choosing even the smallest apps can drag on for years: sometimes in perpetuity.

    Organizations keep too many players on the field, leading to scheduling slowdowns and scope creep.

    Keeping the size of the core selection team down, while liaising with more stakeholders and subject matter experts (SMEs), leads to improved results.

    Maximize project effectiveness with a five-person team. Project satisfaction and effectiveness are stagnant or decrease once the team grows beyond five people.

    Cumbersome or ad hoc selection processes lead to business-driven software selection.

    Increase stakeholder satisfaction by using a consistent selection framework that captures their needs while not being a burden.

    Empower both IT and end users with a standardized selection process to consistently achieve high satisfaction coming out of software selection projects.

    The image contains a graph that is titled: A compact selection team can save you weeks. The graph demonstrates time saved with a five person team in comparison to larger teams.

    Key Takeaways for Improving Your Selection Process

    1. ALIGN & ELIMINATE ELAPSED TIME
    • Ensure a formal selection process is in place and reduce time by timeboxing the project to 30 days.
    • Align the calendars of the five-person core selection team to maximize efficiency.

    2. REDUCE TIME SPENT ON LOW-IMPACT ACTIVITIES
    • Go beyond the table stakes and accelerate the process by skipping common requirements that we know that every vendor will support.
    • Only make use of essential selection artifacts.

    3. FOCUS ON HIGH- IMPACT ACTIVITIES
    • Skip the vendor dog and pony shows with investigative interviews.
    • Minimize time spent on novel-sized RFPs; instead highlight three or four critical process areas.

    4. USE RAPID & ESSENTIAL ASSESSMENT TOOLS
    • Consolidating the vendor shortlist up-front reduces downstream effort.
    • Application sprawl is a critical pain point in many organizations that leads to wasted time and money.

    5. ENGAGE TWO VIABLE VENDORS IN NEGOTIATION
    • Build in a realistic plan B that allows you to apply leverage to the incumbent or primary vendor of choice.
    • Pick your battles and focus on 5-10 specific contract change requests.

    Appendix

    This study is based on a survey of 43,000 real-world IT practitioners.

    • SoftwareReviews (a sister company of Info-Tech Research Group) collects and aggregates feedback on a wide variety of enterprise technologies.
    • The practitioners are actual end users of hundreds of different enterprise application categories.
    • The following slides highlight the supplementary data points from the comprehensive survey.

    Methodology

    A comprehensive study based on the responses of thousands of real-world practitioners.

    Qualitative & Secondary

    Using comprehensive statistical techniques, we surveyed what our members identified as key drivers of success in selecting enterprise software. Our goal was to determine how organizations can accelerate selection processes and improve outcomes by identifying where people should spend their time for the best results.

    Large-n Survey

    To determine the “Magic Numbers,” we used a large-n survey: 40,000 respondents answered questions about their applications, selection processes, organizational firmographics, and personal characteristics. We used this data to determine what drives satisfaction not only with the application but with the selection process itself.

    Quantitative Drill-Down

    We used the survey to narrow the list of game-changing practices. We then conducted additional quantitative research to understand why our respondents may have selected the responses they did.

    Extend Agile Practices Beyond IT

    • Buy Link or Shortcode: {j2store}175|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Architecture & Strategy
    • Parent Category Link: /architecture-and-strategy
    • Your organization has started to realize benefits from adopting Agile principles and practices. However, these advances are contained within your IT organization.
    • You are seeking to extend Agile development beyond IT into other areas of the organization. You are looking for a coordinated approach aligned to business priorities.

    Our Advice

    Critical Insight

    • Not all lessons from scaling Agile to IT are transferable. IT Agile scaling processes are tailored to IT’s scope, team, and tools, which may not account for diverse attributes within your organization.
    • Control may be necessary for coordination. With increased time-to-value, enforcing consistent cadences, reporting, and communication is a must if teams are not disciplined or lack good governance.
    • Extend Agile in departments tolerant to change. Incrementally roll out Agile in departments where its principles are accepted (e.g. a culture that embraces failures as lessons).

    Impact and Result

    • Complete an assessment of your prior efforts to scale Agile across IT to gauge successful, consistent adoption. Identify the business objectives and the group drivers that are motivating the extension of Agile to the business.
    • Understand the challenges that you may face when extending Agile to business partners. Investigate the root causes of existing issues that can derail your efforts.
    • Ideate solutions to your scaling challenges and envision a target state for your growing Agile environment. Your target state should realize new opportunities to drive more business value and eliminate current activities driving down productivity.
    • Coordinate the implementation and execution of your scaling Agile initiatives with an implementation action plan. This collaborative document will lay out the process, roles, goals, and objectives needed to successfully manage your Agile environment.

    Extend Agile Practices Beyond IT Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should extend Agile practices to improve product delivery, review Info-Tech’s methodology, and understand the ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Assess your readiness to scale agile vertically

    Assess your readiness to scale Agile vertically by identifying and mitigating potential Agile maturity gaps remaining after scaling Agile across your IT organization.

    • Extend Agile Practices Beyond IT – Phase 1: Assess Your Readiness to Scale Agile Vertically
    • Agile Maturity Assessment Tool

    2. Establish an enterprise scaled agile framework

    Complete an overview of various scaled Agile models to help you develop your own customized delivery framework.

    • Extend Agile Practices Beyond IT – Phase 2: Establish an Enterprise Scaled Agile Framework
    • Framework Selection Tool

    3. Create your implementation action plan

    Determine the effort and steps required to implement your extended delivery framework.

    • Extend Agile Practices Beyond IT – Phase 3: Create Your Implementation Action Plan
    [infographic]

    Workshop: Extend Agile Practices Beyond IT

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Assess Current State of Agile Maturity

    The Purpose

    Assess your readiness to scale Agile vertically.

    Identify and mitigate potential Agile maturity gaps remaining after scaling Agile across your IT organization.

    Key Benefits Achieved

    IT Agile maturity gaps identified and mitigated to ensure successful extension of Agile to the business

    Activities

    1.1 Characterize your Agile implementation using the CLAIM model.

    1.2 Assess the maturity of your Agile teams and organization.

    Outputs

    Maturity gaps identified with mitigation requirements

    2 Establish an Enterprise Scaled Agile Framework

    The Purpose

    Complete a review of scaled Agile models to help you develop your own customized delivery framework.

    Key Benefits Achieved

    A customized Agile delivery framework

    Activities

    2.1 Explore various scaled frameworks.

    2.2 Select an appropriate scaled framework for your enterprise.

    2.3 Define the future state of your team and the communication structure of your functional business group.

    Outputs

    Blended framework delivery model

    Identification of team and communication structure impacts resulting from the new framework

    3 Create Your Implementation Action Plan

    The Purpose

    Create your implementation action plan for the new Agile delivery framework.

    Key Benefits Achieved

    A clearly defined action plan

    Activities

    3.1 Define your value drivers.

    3.2 Brainstorm the initiatives that must be completed to achieve your target state.

    3.3 Estimate the effort of your Agile initiatives.

    3.4 Define your Agile implementation action plan.

    Outputs

    List of target state initiatives

    Estimation of effort to achieve target state

    An implementation action plan

    Collaborate Effectively in Microsoft Teams

    • Buy Link or Shortcode: {j2store}63|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: End-User Computing Applications
    • Parent Category Link: /end-user-computing-applications

    Your organization has adopted Microsoft Teams, but users are not maximizing their use of it.

    • IT needs to support the business to get the best value out of Microsoft Teams: managing Teams effectively while also enabling end users to use Teams creatively.
    • IT must follow best practices for evaluation of new functionality when integrating Microsoft and third-party apps and also communicate changes to end users.
    • Due in part to the frequent addition of new features and lack of communication and training, many organizations don’t know which apps would benefit their users.

    Our Advice

    Critical Insight

    Collaboration is as much an art as a science. IT can help users collaborate more effectively in Teams by removing friction – while still maintaining guardrails – for users attempting to build out and experiment with features and capabilities.

    Impact and Result

    Use Info-Tech’s Collaborate Effectively in Microsoft Teams to help collaboration flourish:

    • Collate key organizational collaboration use cases.
    • Prioritize the most important Teams apps and features to support use cases.
    • Implement request process for new Teams apps.
    • Communicate new Teams collaboration functionality.

    Collaborate Effectively in Microsoft Teams Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Collaborate Effectively in Microsoft Teams Deck – Maximize the use of your chosen collaboration software solution.

    Set up your users for Teams collaboration success. Create a process that improves their ability to access, understand, and maximize their use of your chosen collaboration software solution.

    • Collaborate Effectively in Microsoft Teams Storyboard

    2. Microsoft Teams End-User Satisfaction Survey – Capture end-user feedback on their collaborative use of Microsoft Teams.

    The survey responses will inform your organization's collaboration use cases for Teams and help you to identify which features and apps to enable.

    • Microsoft Teams End-User Satisfaction Survey

    3. Microsoft Teams Planning Tool – A tool to help prioritize features to implement.

    Use this Excel tool to help you document the organization’s key collaboration use cases and prioritize which Teams apps to implement and encourage adoption on.

    • Microsoft Teams Planning Tool
    [infographic]

    Further reading

    Collaborate Effectively in Microsoft Teams

    Empower your users to explore Teams collaboration beyond the basics.

    Analyst Perspective

    Life after Teams implementation

    You have adopted Teams, implemented it, and painted an early picture for your users on the basics. However, your organization is not yet maximizing its use of Teams' collaboration capabilities. Although web conferencing, channel-based collaboration, and chat are the most obvious ways Teams supports collaboration, users must explore Teams' functionality further to harness the application's full potential.

    You should enable your users to expand their collaboration use cases in Teams, but not at the risk of being flooded with app requests, nor user confusion or dissatisfaction. Instead, develop a process to evaluate and integrate new apps that will benefit the organization. Encourage your users to request new apps that will benefit them, while proactively planning for app integration that users should be alerted to.

    Photo of Emily Sugerman, Research Analyst, Infrastructure and Operations, Info-Tech Research Group. Emily Sugerman
    Research Analyst, Infrastructure and Operations
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Your organization has adopted Microsoft Teams, but users are not getting the maximum benefit.

    • IT needs to support the business to get the best value out of Microsoft Teams: managing Teams effectively while enabling end-user creativity.
    • IT must follow best practices for evaluating new functionality when integrating Microsoft and third-party apps, while communicating changes to end users.
    • Due partly to the frequent addition of new features and lack of communication and training, many organizations don't know which apps would benefit their users.

    Common Obstacles

    • Users are unenthusiastic about exploring Teams further due to negative past experiences, preference for other applications, or indifference.
    • End users are unaware of the available range of features. When they become aware and try to add unapproved or unlicensed apps, they experience the frustration of being declined.
    • Users seek support from IT who are unfamiliar with new Teams features an apps, or with supporting Teams beyond the basics.
    • IT teams have no process to raise end-user awareness of these apps and functionality.

    Info-Tech's Approach

    Use Info-Tech's Collaborate Effectively in Microsoft Teams to help collaboration flourish:

    • Collate key organizational collaboration use cases
    • Prioritize the most important Teams apps and features to support use cases
    • Implement request process for new Teams apps
    • Communicate new Teams collaboration functionality

    Info-Tech Insight

    Collaboration is as much an art as a science. IT can help users collaborate more effectively in Teams by removing friction – while still maintaining guardrails – for users attempting to build out and experiment with features and capabilities.

    Are your users in a Teams rut?

    Are users failing to maximize their use of Teams to collaborate and get work done?

    Teams can do much more than chat, video conferencing, and document sharing. A fully-deployed Teams also lets users leverage apps and advanced collaboration features.

    However, IT must create a process for evaluating and approving Microsoft and third-party apps, and for communicating changes to end users.

    In the end, IT needs to support the business to get the best value out of Microsoft Teams: managing Teams effectively while also enabling end-user creativity.

    Third-party app use in Teams is rising:

    “Within Teams, the third-party apps with 10,000 users and above rose nearly 40% year-over-year.”
    Source: UC Today, 2023.

    Collaborate effectively in Microsoft Teams

    Set up your users for Teams collaboration success. Create a process that improves their ability to access, understand, and maximize their use of your chosen collaboration software solution.

    Challenges with Teams collaboration

    • Lack of motivation to explore available features
    • Scattered information
    • Lack of comfort using Teams beyond the basics
    • Blocked apps
    • Overlapping features
    • Confusing permissions

    Empowering Collaboration in Microsoft Teams

    1. Identify current collaboration challenges and use cases in Teams
    2. Create Teams app request workflows
    3. Set up communication hubs in Teams
    4. Empower end users to customize their Teams for effective collaboration

    Solution

    • Collate key organizational collaboration use cases
    • Prioritize the most important Teams apps and features to support use cases
    • Implement request process for new Teams apps
    • Communicate new Teams collaboration functionality

    Project deliverables

    Use these tools to develop your plan to enable effective collaboration in Microsoft Teams.

    Key deliverable:

    Microsoft Teams Planning Tool

    An Excel tool for documenting the organization's key collaboration use cases and prioritizing which Teams apps to implement and encourage adoption of.

    Sample of the Microsoft Teams Planning Tool deliverable.

    Additional support:

    Microsoft Teams End-User Satisfaction Survey

    Use or adapt this survey to capture user perception of how effectively Teams supports collaboration needs.

    Sample of the End-user satisfaction survey deliverable.

    Insight Summary

    Key Insight:

    Collaboration is as much an art as a science. IT can help users collaborate more effectively in Teams by removing friction – while still maintaining guardrails – for users attempting to build out and experiment with features and capabilities.

    Additional insights:

    Insight 1

    Users can browse the Teams app store and attempt to add unapproved apps, but they may not be able to distinguish between available and blocked apps. To avoid a bad user experience, communicate which apps they can add without additional approval and which they will need to send through an approval process.

    Insight 2

    Teams lets you customize the message users see when they request unapproved apps and/or redirect their request to your own URL. Review this step in the request process to ensure users are seeing the instructions that they need to see.

    Insight 3

    A Teams hub is where users can access a service catalog of approved Teams apps and submit service requests for new ones via the Make a Request button.

    Section 1: Collaborating Effectively in Teams for IT

    Section 1

    Collaborating Effectively in Teams for IT

    Section 2

    Collaborating Effectively in Teams for End Users

    Stop: Do you need the Teams Cookbook?

    If you:

    • are at the Teams implementation stage,
    • require IT best practices for initial governance of Teams creation, or
    • require end-user best practices for basic Teams functionality …

    Consult the Microsoft Teams Cookbook first.

    Understand the Microsoft vision of Teams collaboration

    Does it work for you?

    Microsoft's vision for Teams collaboration is to enable end-user freedom. For example, out of the box, users can create their own teams and channels unless IT restricts this ability.

    Teams is meant to be more than just chats and meetings. Microsoft is pushing Teams app integration so that Teams becomes, essentially, a landing page from which users can centralize their work and org updates.

    In partnership with the business, IT must determine which guardrails are necessary to balance end-user collaboration and creativity with the need for governance and control.

    Why is it difficult to increase the caliber of collaboration in Teams?

    Because collaboration is inherently messy, complex, and creative

    Schubert & Glitsch find that enterprise collaboration systems (such as Teams) have characteristics that reflect the unstructured and creative nature of collaboration. These systems “are designed to support joint work among people in the workplace. . . [They] contain, for the most part, unstructured content such as documents, blogs, or news posts,” and their implementations “are often reported to follow a ‘bottom up' and rather experimental introduction approach.” The open-endedness of the tool requires users to be able to creatively and voluntarily apply it, which in turn requires more enterprise effort to help increase adoption over time through trial and error.

    Source: Procedia Computer Science, 2015

    Info-Tech Insight

    Collaboration is as much an art as a science. IT can help users collaborate more effectively in Teams by removing friction – while still maintaining guardrails – for users attempting to build out and experiment with features and capabilities.

    Activity 1: Identify current challenges

    Input: Team input, Survey results
    Output: List of Teams challenges experienced by the organization
    Materials: Whiteboard (digital or physical)
    Participants: Teams collaboration working group

    First, identify what works and what doesn't for your users in Teams

    • Have users reported any challenges with Teams as their primary means of channel-based collaboration? Run a short survey to capture end-user sentiment on how Teams works for them. This survey can be set up and distributed through Microsoft Forms. Distribute either to the whole organization or a specific focus group. Gather feedback from users on the following: What are the major ways they need to collaborate to do their jobs? What IT-supported tools do they need to support this collaboration? What specific aspects of Teams do they want to better exploit?
    • If you send out transactional surveys on service desk tickets, run a report on Teams-related tickets to identify common complaints.
    • Brainstorm Teams challenges IT has experienced personally or have seen reported – especially difficulties with collaboration.
    • Once you have the data, group the challenges into themes. Are the challenges specifically related to collaboration? Data issues? Support issues? Access issues? Technical issues? Document them in tab 2 of the Microsoft Teams Planning Tool.

    Download the Microsoft Teams End-User Satisfaction Survey template

    Define your organization's key collaboration scenarios

    Next, identify what users need to do in Teams

    The term collaboration scenarios has been proposed to describe the types of collaboration behavior your software – in this case, Teams – must support (Schubert & Glitsch, 2015). A successful implementation of this kind of tool requires that you “identif[y] use cases and collaboration scenarios that best suit a specific company and the people working in it” (Schubert & Glitsch, 2016).

    Teams tends to support the following kinds of collaboration and productivity goals (see list).

    What types of collaboration scenarios arise in the user feedback in the previous activity? What do users most need to do?

    Be proactive: Configure Microsoft Teams to match collaboration scenarios/use cases your users must engage in. This will help prevent an increase in shadow IT, where users attempt to bring in unapproved/unreviewed software that might duplicate your existing service catalog and/or circumvent the proper review and procurement process.

    MS Teams Use Cases

    1. Gather feedback
    2. Collaboratively create content
    3. Improve project & task management
    4. Add media content
    5. Conduct knowledge management
    6. Increase meeting effectiveness
    7. Increase employee engagement
    8. Enhance professional development
    9. Provide or access support
    10. Add third-party apps

    Activity 2: Match your collaboration scenarios to Teams capabilities

    Input: Collaboration scenarios, Teams use cases
    Output: Ranked list of Teams features to implement and/or promote
    Materials: Microsoft Teams Planning Tool
    Participants: Teams collaboration working group

    Which features support the key collaboration use cases?

    1. Using the Microsoft Teams Planning Tool, list your organization's key collaboration scenarios. Draw on the data returned in the previous activity. List them in Tab 2.
    2. See the following slide for the types of collaboration use cases Teams is designed to support. In the planning tool, select use cases that best match your organizational collaboration scenarios.
    3. Dive into more specific features on Tab 3, which are categorized by collaboration use case. Where do users' collaboration needs align with Teams' inherent capabilities? Add lines in Tab C for the third-party apps that you are considering adding to Teams.
    4. In columns B and C of Tab 3, decide and prioritize the candidates for implementation. Review the list of prioritized features on tab 4.

    NB: Microsoft has introduced a Teams Premium offering, with additional capabilities for meetings and webinars (including customized banding, meeting watermarks, and virtual webinar green rooms) and will paywall some features previously available without Premium (live caption translations, meeting data on attendee departure/arrival times) (“What is Microsoft Teams Premium?”, n.d.)

    Download the Microsoft Teams Planning Tool

    MS Teams productivity & collab features

    Teams apps & collaboration features enable the following types of work. When designing collaboration use cases, identify which types of collaboration are necessary, then explore each category in depth.

    1. Gather feedback

      Solicit feedback and comments, and provide updates

    2. Collaboratively create content

      Compose as a group, with live-synced changes

    3. Improve project & task management

      Keep track of projects and tasks

    4. Add media content

      Enrich Teams conversations with media, and keep a library of video resources

    5. Knowledge management

      Pull together document libraries and make information easier to find

    6. Increase meeting effectiveness

      Facilitate interactions and document meeting outcomes

    7. Increase employee engagement

      Use features that enhance social interaction among Teams users

    8. Enhance professional development

      Find resources to help achieve professional goals

    9. Provide or access support

      IT and user-facing resources for accessing and/or providing support

    10. Add third-party apps

      Understand the availability/restrictions of the built-in Teams app catalog

    The Teams app store

    • The lure of the app store: Your users will encounter a mix of supported and unsupported applications, some of which they can access, some for which you have no licenses, some built by your organization, some built by Microsoft or third parties. However, the distinction between these categories may not be immediately apparent to users. Microsoft does not remove blocked apps from users' view.
    • Users may attempt to add unsupported apps and then receive error messages or prompts to send a request through Teams to IT for approval.
    • App add-ins are not limited to those built by Microsoft Corporation. The Teams app store also features a plethora of third-party apps that can provide value.
    • However, their third-party status introduces another set of complications.
    • Attempting to add third-party apps may expose users to sales pitches and encourage the implementation of shadow IT, circumventing the IT request process.

    Info-Tech Insight

    Users can browse and attempt to add unapproved apps in the Teams app store, but they may have difficulty distinguishing between available and blocked apps. To avoid a bad user experience, communicate to your users which apps they can add without additional approval, and which must be sent through an approval process.

    Decide how you will evaluate requests for new Teams apps

    • As you encourage users to explore and fully utilize Teams, you may see increased requests for admin approval for apps you do not currently support.
    • To prevent disorganized response and user dissatisfaction, build out a workflow for handling new/unapproved Teams app requests. Ensure the workflow accounts for Microsoft and third-party apps.
    • What must you consider when integrating third-party tools? You must have control over what users may add. These requests should follow, or build upon, your existing process for non-standard requests, including a process for communicating the change.
    • Track the fulfillment time for Teams app requests. The longer the user must wait for a response, the more their satisfaction will decline.

    icrosoft suggests that you regularly review the app usage report in the Teams admin center as “a signal about the demand for an app within your organization.” This will help you proactively determine which apps to evaluate for approval.

    Build request workflow for unsupported Teams apps

    What are the key steps?

    1. Request comes in
    2. Review by a technical review team
    3. Review by service desk or business analyst
    4. Additional operational technical reviews if necessary
    5. Procurement and installation
    6. Communication of result to requester
    7. App added to the catalog so it can be used by others

    Example workflow of a 'Non-Standard Software Request Process'.

    Info-Tech Insight

    Teams allows you to customize the message users see when they request an unapproved app and/or redirect their request to your own URL. Review this step in the request process to ensure your users are seeing the instructions that they need to see.

    Download the Service Request Workflow library

    Incorporate new approved service requests into a service request catalog

    Follow the process in Reduce Shadow IT With a Service Request Catalog to build out a robust request management process and service catalog to continuously incorporate new non-standard requests and advertise new Teams apps:

    • Design the service
    • Design the catalog
    • Build the catalog
    • Market the service

    Sample of the 'Reduce Shadow IT With a Service Request Catalog' blueprint.

    Add a company hub to Teams

    Use Teams to help users access the company intranet for organizational information that is relevant to their roles.

    This can be done in two ways:

    1. By adding a SharePoint home site to Teams.
    2. By leveraging Viva Connections: A hub to access other apps and Viva services. The user sees a personalized dashboard, feed, and resources.

    Venn diagram with two circles 'Viva Connections - App-based employee experience where individuals get their work done' and 'Home Sites - Portal that features organizational news, events, and supplemental resources'. The overlapping middle has a list: 'News, Shared navigation, Integrates with M365, Developer platforms & management, Audience targeting, Web parts, Permissions'. (Venn diagram recreated from Microsoft Learn, 2023.)

    Info-Tech Insight

    The hub is where users can access a service catalog of approved Teams apps and submit service requests for a new one via a Make a Request button.

    Communicate changes to Teams

    Let end users know what's available and how to add new productivity tools.

    Where will users find approved Teams apps? How will you inform people about what's available? Once a new app is available, how is this communicated?

    Options:

    • Communicate new Teams features in high-visibility places (e.g. the Hub).
    • Leverage the Power Apps Bulletins app in Teams to communicate regular announcements about new features.
    • Create a company-wide Team with a channel called “What's New in Teams.” Post updates on new features and integrations, and link to more detailed knowledgebase articles on how to use the new features.
    • Aim for the sweet spot of communication frequency: not too much nor too little.

    Measure your success

    Determine how you will evaluate the success of your efforts to improve the Teams collaboration experience

    Improved satisfaction with Teams: Increased net promoter score (NPS)

    Utilization of features: Increased daily average users on key features, apps, integrations

    Timeliness: % of SLAs met for service request fulfillment

    Improved communication to end users about Teams' functionality: Satisfaction with knowledgebase articles on Teams

    Satisfaction with communication from IT

    Section 2: Collaborating Effectively in Teams for End Users

    Section 1

    Collaborating Effectively in Teams for IT

    Section 2

    Collaborating Effectively in Teams for End Users

    For IT: Use this section to help users understand Teams collaboration features

    Share the collateral in this section with your users to support their deeper exploration of Teams collaboration.

    • Use the Microsoft Teams Planning Tool to prepare a simple service catalog of the features and apps available to your users.
    • Edit Tab 2 (MS Teams Collab Features & Apps) by deleting the blocked apps/features.
    • Share this document with your users by linking to it via this image on the following slides:
    Sample of the Microsoft Teams Planning Tool deliverable.

    Download the Microsoft Teams Planning Tool for an expanded list of features & apps

    End-user customization of Teams

    Consider how you want to set up your Teams view. Add the apps you already use to have them at your fingertips in Teams.

    You can . . .

    1. Customize your navigation bar by pinning your preferred apps and working with them within Teams (Microsoft calls these personal apps).
    2. Customize your message bar by adding the app extensions you find most useful. Screenshot of the message bar with the 3-dot highlighted.
    3. Customize chats and Teams by adding tabs with content your group needs frequent access to. Screenshot of MS Teams tabs with the plus sign highlighted.
    4. Set up connectors to send notifications from apps to a Team and bots to answer questions and automate simple tasks. Screenshot of the 'Set up a connector' button.

    Learn more from Microsoft here

    MS Teams productivity & collab features

    The Apps catalog includes a range of apps that users may add to channels, chat, or the navigation bar. Teams also possesses other collaboration features that may be underused in your organization.

    1. Gather feedback

      Solicit feedback and comments, and provide updates

    2. Collaboratively create content

      Compose as a group, with live-synced changes

    3. Improve project & task management

      Keep track of projects and tasks

    4. Add media content

      Enrich Teams conversations with media, and keep a library of video resources

    5. Knowledge management

      Pull together document libraries and make information easier to find

    6. Increase meeting effectiveness

      Facilitate interactions and document meeting outcomes

    7. Increase employee engagement

      Use features that enhance social interaction among Teams users

    8. Enhance professional development

      Find resources to help achieve professional goals

    9. Provide or access support

      IT and user-facing resources for accessing and/or providing support

    10. Add third-party apps

      Understand the availability/restrictions of the built-in Teams app catalog

    Samples of four features: 'Prioritize with a voting table', 'Launch a live meeting poll', 'Launch a survey', and 'Request an update'.

    Download the Microsoft Teams Collaboration Tool for an expanded list of features & apps

    Use integrated Teams features to gather feedback and provide updates

    • Vote: Create a list of items for teams to brainstorm pros and cons, and then tabulate votes on. This component can be edited inline by anyone with whom the component is shared. The edits will sync anywhere the component is shared.
    • Meeting polls: Capture instant feedback from teams, chat, and call participants. Participant anonymity can be set by the poll organizer. Results can be exported.
    • Create surveys and quizzes and share the results. Results can be exported.
    • Create, track, and review updates and progress reports from teams and individuals.

    Collaboratively create content

    Samples of four features: 'Add Office suite docs', 'Brainstorm in Whiteboard', 'Add Loop components', and 'Take notes in OneNote'.

    Download the Microsoft Teams Planning Tool for an expanded list of features & apps

    Use integrated Teams features composed as a group, with live-synced changes

    • Microsoft Office documents: Add/upload files to a chat or channel discussion. Find them again in the Files tab or add the file itself as a tab to a chat or channel and edit it within Teams.
    • Brainstorm with the Whiteboard application. Add a whiteboard to a tab or to a meeting.
    • Add Loop components to a chat: Create a list, checklist, paragraph, or table that can be edited in real time by anyone in the chat.
    • Add OneNote to a chat or channel tab or use during a meeting to take notes. Pin OneNote to your app bar if it's one of your most frequently-used apps.

    Improve project & task management

    Samples of four features: 'Request approvals and updates', 'Add & track tasks', 'Create a personal notespace', and 'Manage workflows'.

    Download the Microsoft Teams Planning Tool for an expanded list of features & apps

    Keep track of projects and tasks

    • Use the Approvals and Update apps to create, track, and respond to requests for approvals and progress reports within Teams.
    • Use Tasks by Planner & To Do to track both individual and team tasks. Pin the Tasks app to the app bar, add a plan as a tab to a Team, and turn any Teams message into a task by right-clicking on it.
    • Start a chat with yourself to maintain a private space to jot down quick notes.
    • Add Lists to a Teams channel.
    • Explore automation: Add pre-built Teams workflows from the Workflows app, or build new ones in PowerAutomate
    • IT teams may leverage Teams apps like Azure Boards, Pipelines, Repos, AD notifications, and GitHub.

    Add media content

    Samples of four features: 'Share news stories', 'Share YouTube videos', 'Share Stream content', and 'Add RSS feeds'.

    Download the Microsoft Teams Planning Tool for an expanded list of features & apps

    Enrich Teams conversations with media, and keep a library of video resources

    • Search for and add specific news stories to a chat or channel. See recent news stories in search.
    • Search, share, and watch YouTube videos.
    • Share video links from Microsoft Stream.
    • Add RSS feeds.

    Knowledge management

    Samples of four features: 'SharePoint Pages', 'SharePoint document library', 'SharePoint News', and 'Who'.

    Download the Microsoft Teams Planning Tool for an expanded list of features & apps

    Pull together document libraries and make information easier to find

    • Add a page from an existing SharePoint site to a Team as a tab.
    • Add a SharePoint document library to a Team as a tab.
    • Search names of members of your organization to learn about their role, place in the organizational structure, and contact information.

    Increase meeting effectiveness

    Samples of four features: 'Take meeting notes', 'Set up a Q&A', 'Use live captions', and 'Record and transcribe meetings'.

    Download the Microsoft Teams Planning Tool for an expanded list of features & apps

    Facilitate interactions and document meeting outcomes

    • Take simple notes during a meeting.
    • Start conversations and ask and answer questions in a dedicated Q&A space during the Teams meeting.
    • Turn on live captions during the meeting.
    • Record a meeting and automatically generate a transcript of the meeting.
    • Assign attendees to breakout rooms.
    • Track the effectiveness of the meeting by producing an attendance report with the number of attendees, the meeting start/end time, a list of the attendees, and participation in activities.

    Increase employee engagement

    Samples of four features: 'Send praise', 'Build an avatar', 'Add video effects', and 'Play games during meetings'.

    Download the Microsoft Teams Planning Tool for an expanded list of features & apps

    Use features that enhance social interaction among Teams users

    • Send supportive comments to colleagues using Praise.
    • Build out digital avatars to toggle on during meetings instead of your own video.
    • Apply different visual effects, filters, and backgrounds to your screen during meetings.
    • Games for Work: Launch icebreaker games during a meeting.
    • Translate a Teams message from another language to your default language.
    • Send emojis, GIFs, and stickers in messages or as reactions to others' messages. You can also send reactions live during meetings to increase meeting engagement.

    Enhance professional development

    Samples of four features: 'Launch Viva Learning', 'Turn on Speaker Coach', 'Viva Insights', and 'Viva Goals'.

    Download the Microsoft Teams Planning Tool for an expanded list of features & apps

    Connect with learning resources and apply data-driven feedback based on Teams usage

    • Add learning materials from various course catalogs in Viva Learning.
    • Speaker Coach: Receive AI feedback on your performance as a speaker during a meeting.
    • Receive automatically generated insights and suggestions from Viva Insights on work habits and time allocation to different work activities.
    • Viva Goals: Track organizational "objectives and key results"/manage organizational goals

    Provide or access support

    Samples of four features: 'Access MS Support', 'Manage Teams & M365', 'Deploy power virtual agents', and 'Consult MS resource center'.

    Download the Microsoft Teams Planning Tool for an expanded list of features & apps

    IT and user-facing resources for accessing or providing support

    • Admin: Carry out simple Teams management tasks (for IT).
    • Power Virtual Agents: Build out chatbots to answer user questions (can be built by IT and end users for their customers).
    • Resource Center: A combination of pre-built Microsoft resources (tips, templates) with resources provided by organizational IT.
    • Support: Access Microsoft self-serve knowledgebase articles (for IT).

    Add third-party apps

    Understand the availability/restrictions of the built-in Teams app catalog

    • App add-ins are not limited to those built by Microsoft Corporation. The Teams app store also features a plethora of third-party apps that may provide value.
    • However, being able to view an app in the app store does not necessarily mean it's supported or licensed by your organization.
    • Teams will allow users to request access to apps, which will then be evaluated by your IT support team. Follow your service desk's recommended request process for requesting and justifying the addition of a new Teams app that is not currently supported.
    • Before making the request, investigate existing Teams features to determine if the functionality is already available.

    Research contributors

    Mike Cavanagh
    Global Service Desk Manager
    Clearwater Seafoods LP

    Info-Tech contributors:

    Benedict Chang, Senior Advisory Analyst

    John Donovan, Principal Research Director

    Allison Kinnaird, Practice Lead

    P.J. Ryan, Research Director

    Natalie Sansone, Research Director

    Christine West, Managing Partner

    Related Info-Tech Research

    Sample of the 'Reduce Shadow IT with a Service Request Catalog' blueprint.

    Reduce Shadow IT With a Service Request Catalog

    Foster business relationships through sourcing-as-a-service. There is a direct correlation between service delivery dissatisfaction and increases in shadow IT. Whether the goal is to reduce shadow IT or gain control, improved customer service and fast delivery are key to making lasting changes.

    Sample of the 'Microsoft Teams Cookbook' blueprint.

    Microsoft Teams Cookbook

    Recipes for best practices and use cases for Teams. Microsoft Teams is not a standalone app. Successful utilization of Teams occurs when conceived in the broader context of how it integrates with M365. Understanding how information flows between Teams, SharePoint Online, and OneDrive for Business, for instance, will aid governance with permissions, information storage, and file sharing.

    Sample of the 'Govern Office 365 (M365)' blueprint.

    Govern Office 365

    You bought it. Use it right. Map your organizational goals to the administration features available in the Office 365/M365 console. Your governance should reflect your requirements.

    Bibliography

    Mehta, Tejas. “The Home Site App for Microsoft Teams.” Microsoft Community Hub. https://techcommunity.microsoft.com/t5/microsoft-sharepoint-blog/the-home-site-app-for-microsoft-teams/ba-p/1714255.

    Overview: Viva Connections. 7 Mar. 2023, https://learn.microsoft.com/en-us/viva/connections/viva-connections-overview.

    Rogers, Laura. “SharePoint Home Site in Teams.” Wonderlaura, 24 Jun 2021. https://wonderlaura.com/2021/06/24/sharepoint-home...

    Schubert, Petra, and Johannes H. Glitsch. “Adding Structure to Enterprise Collaboration Systems: Identification of Use Cases and Collaboration Scenarios.” Procedia Computer Science, vol. 64, Jan. 2015, pp. 161–69. ScienceDirect, https://doi.org/10.1016/j.procs.2015.08.477.

    Schubert, Petra, and Johannes Glitsch. “Use Cases and Collaboration Scenarios: How Employees Use Socially-Enabled Enterprise Collaboration Systems (ECS).” International Journal of Information Systems and Project Management, vol. 4, no. 2, Jan. 2016, pp. 41–62.

    Thompson, Mark. “User Requests for Blocked Apps in the Teams Store.” Supersimple365, 5 Apr 2022, https://supersimple365.com/user-requests-for-apps-...

    “What is Microsoft Teams Premium?” Breakwater IT, n.d., https://breakwaterit.co.uk/guides/microsoft-teams-...

    Wills, Jonny. “Microsoft Teams Monthly Users Hits 280 Million.” UC Today, 25 Jan. 2023, https://www.uctoday.com/unified-communications/microsoft-teams-monthly-users-hits-280-million/.

    Proactively Identify and Mitigate Vendor Risk

    • Buy Link or Shortcode: {j2store}227|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management
    • IT priorities are focused on daily tasks, pushing risk management to secondary importance and diverging from a proactive environment.
    • IT leaders are relying on an increasing number of third-party technology vendors and outsourcing key functions to meet the rapid pace of change within IT.
    • Risk levels can fluctuate over the course of the partnership, requiring manual process checks and/or automated solutions.

    Our Advice

    Critical Insight

    • Every IT vendor carries risks that have business implications. These legal, financial, security, and operational risks could inhibit business continuity and IT can’t wait until an issue arises to act.
    • Making intelligent decisions about risks without knowing what their financial impact will be is difficult. Risk impact must be quantified.
    • You don’t know what you don’t know, and what you don’t know, can hurt you. To find hidden risks, you must use a structured risk identification method.

    Impact and Result

    • A thorough risk assessment in the selection phase is your first line of defense. If you follow the principles of vendor risk management, you can mitigate collateral losses following an adverse event.
    • Make a conscious decision whether to accept the risk based on time, priority, and impact. Spend the required time to correctly identify and enact defined vendor management processes that determine spend categories and appropriately evaluate potential and preferred suppliers. Ensure you accurately assess the partnership potential.
    • Take a proactive stance against IT threats and vulnerabilities by identifying and assessing IT’s most significant risks before they happen.

    Proactively Identify and Mitigate Vendor Risk Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out how to create a vendor risk management program that minimizes your organization’s vulnerability and mitigates adverse scenarios.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Review vendor risk fundamentals and establish governance

    Review IT vendor risk fundamentals and establish a risk governance framework.

    • Proactively Identify and Mitigate Vendor Risk – Phase 1: Review Vendor Risk Fundamentals and Establish Governance
    • Vendor Risk Management Maturity Assessment Tool
    • Vendor Risk Management Program Manual
    • Risk Event Action Plan

    2. Assess vendor risk and define your response strategy

    Categorize, prioritize, and assess your vendor risks. Follow up with creating effective response strategies.

    • Proactively Identify and Mitigate Vendor Risk – Phase 2: Assess Vendor Risk and Define Your Response Strategy
    • Vendor Classification Model Tool
    • Vendor Risk Profile and Assessment Tool
    • Risk Costing Tool
    • Risk Register Tool

    3. Monitor, communicate, and improve IT vendor risk process

    Assign accountability and responsibilities to formalize ongoing risk monitoring. Communicate your findings to management and share the plan moving forward.

    • Proactively Identify and Mitigate Vendor Risk – Phase 3: Monitor, Communicate, and Improve IT Vendor Risk Process
    • Risk Report
    [infographic]

    Workshop: Proactively Identify and Mitigate Vendor Risk

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Prepare for the Workshop

    The Purpose

    To prepare the team for the workshop.

    Key Benefits Achieved

    Avoids delays and interruptions once the workshop is in progress.

    Activities

    1.1 Send workshop agenda to all participants.

    1.2 Prepare list of vendors and review any contracts provided by them.

    1.3 Review current risk management process.

    Outputs

    All necessary participants assembled

    List of vendors and vendor contracts

    Understanding of current risk management process

    2 Review Vendor Risk Fundamentals and Establish Governance

    The Purpose

    Review IT vendor risk fundamentals.

    Assess current maturity and set risk management program goals.

    Engage stakeholders and establish a risk governance framework.

    Key Benefits Achieved

    Understanding of organizational risk culture and the corresponding risk threshold.

    Obstacles to effective IT risk management identified.

    Attainable goals to increase maturity established.

    Understanding of the gap to achieve vendor risk readiness.

    Activities

    2.1 Brainstorm vendor-related risks.

    2.2 Assess current program maturity.

    2.3 Identify obstacles and pain points.

    2.4 Develop risk management goals.

    2.5 Develop key risk indicators (KRIs) and escalation protocols.

    2.6 Gain stakeholders’ perspective.

    Outputs

    Vendor risk management maturity assessment

    Goals for vendor risk management

    Stakeholders’ opinions

    3 Assess Vendor Risk and Define Your Response Strategy

    The Purpose

    Categorize vendors.

    Prioritize assessed risks.

    Key Benefits Achieved

    Risk events prioritized according to risk severity – as defined by the business.

    Activities

    3.1 Categorize vendors.

    3.2 Map vendor infrastructure.

    3.3 Prioritize vendors.

    3.4 Identify risk contributing factors.

    3.5 Assess risk exposure.

    3.6 Calculate expected cost.

    3.7 Identify risk events.

    3.8 Input risks into the Risk Register Tool.

    Outputs

    Vendors classified and prioritized

    Vendor risk exposure

    Expected cost calculation

    4 Assess Vendor Risk and Define Your Response Strategy (continued)

    The Purpose

    Determine risk threshold and contract clause relating to risk prevention.

    Identify and assess risk response actions.

    Key Benefits Achieved

    Thorough analysis has been conducted on the value and effectiveness of risk responses for high-severity risk events.

    Risk response strategies have been identified for all key risks.

    Authoritative risk response recommendations can be made to senior leadership.

    Activities

    4.1 Determine the threshold for (un)acceptable risk.

    4.2 Match elements of the contract to related vendor risks.

    4.3 Identify and assess risk responses.

    Outputs

    Thresholds for (un)acceptable risk

    Risk responses

    5 Monitor, Communicate, and Improve IT Vendor Risk Process

    The Purpose

    Communicate top risks to management.

    Assign accountabilities and responsibilities for risk management process.

    Establish monitoring schedule.

    Key Benefits Achieved

    Risk monitoring responsibilities are established.

    Transparent accountabilities and established ongoing improvement of the vendor risk management program.

    Activities

    5.1 Create a stakeholder map.

    5.2 Complete RACI chart.

    5.3 Establish the reporting schedule.

    5.4 Finalize the vendor risk management program.

    Outputs

    Stakeholder map

    Assigned accountability for risk management

    Established monitoring schedule

    Risk report

    Vendor Risk Management Program Manual

    Decide What's Important and What Is Less So

    • Large vertical image:
    • member rating overall impact: Highly Rated
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • byline: Your BIA is your reality. Treat it as such.

    Redefining the business impact analysis through the lens of value

    The Business Impact Analysis (BIA) is easily one of the most misunderstood processes in the modern enterprise. For many, the term conjures images of dusty binders filled with disaster recovery plans. A compliance checkbox exercise focused solely on what to do when the servers are smoking or the building is flooded. This view, while not entirely incorrect, is dangerously incomplete. It relegates the BIA to a reactive, insurance-policy mindset when it should be a proactive, strategic intelligence tool.

    Yes, I got that text from AI. So recognizable. But you know what? There is a kernel of truth in this.

    A modern BIA is about understanding and protecting value more than just about planning for disaster. That is the one thing we must keep in mind at all times. The BIA really is a deep dive into the DNA of the organization. It maps the connections between information assets, operational processes, and business outcomes. It answers the critical question, “What matters? And why ? And what is the escalating cost of its absence?”

    The Strategic Starting Point: A Top-Down Business Analysis

    To answer “what matters,” the process must begin at the highest level: with senior management and, ideally, the board. Defining the organization's core mission and priorities is a foundational governance task, a principle now embedded in European regulations like DORA.

    Rank the Business Units

    The process begins at the highest level with senior management. I would say, the board. They need to decide what the business is all about. (This is in line with the DORA rules in Europe.) The core business units or departments of the organization are ranked based on their contribution to the company's mission. This ranking is frequently based on revenue generation, but it can also factor in strategic importance, market position, or essential support functions. For example, the “Production” and “Sales” units might be ranked higher than “Internal HR Administration.” This initial ranking provides the foundational context for all subsequent decisions.

    I want to make something crystal clear: this ranking is merely a practical assessment. Obviously the HR and well being departments play a pivotal role in the value delivery of the company. Happy employees make for happy customers.  

    But, being a bit Wall-Streety about it, the sales department generating the biggest returns is probably only surpassed by the business unit producing the product for those sales. And with that I just said that the person holding the wrench, who knows your critical production machine, is your most valuable HR asset. Just saying.

    Identify Critical Functions Within Each Unit

    With the business units prioritized, the next step is to drill down into each one and identify its critical operational functions. The focus here is on processes, not technology. For the top-ranked “Sales” unit, critical functions might include:

    • SF-01: Processing New Customer Orders

    • SF-02: Managing the Customer Relationship Management (CRM) System

    • SF-03: Generating Sales Quotes

    • SF-04: Closing the Sale

    These functions are then rated against each other within the business unit to create a prioritized list of what truly matters for that unit to achieve its goals.

    And here I'm going to give you some food for thought. There will be a superficial geographical difference in importance. If you value continuity then new business may not be the top critical department. I can imagine this is completely counter intuitive. But remember that it is cheaper to keep and upsell an existing client than it is to acquire a new one.

    Information asset classification is a key component of resilience.

    With a clear map of what the business does, the next logical step is to identify what it uses to get it done. This brings us to the non-negotiable foundation of resilience: comprehensive information asset classification.

    Without knowing what you have, where it is, and what it's worth, any attempt at risk management is simply guesswork. You risk spending millions protecting low/mid-value data while leaving the crown jewels exposed (I guess your Ciso will have said something 😊). In this article, we will explore how foundational asset classification can evolve into a mature, value-driven impact analysis, offering a blueprint for transforming the BIA from a tactical chore into a strategic imperative.

    Before you can determine the effect of losing an asset, you must first understand the asset itself. Information asset classification is the systematic process of inventorying, categorizing, and assigning business value to your organization's data. Now that we have terabyte-scale data on servers, cloud environments, and countless SaaS applications, you have your work cut out for you. It is, however, a most critical investment in the risk management lifecycle.

    Classification forces an organization to look beyond the raw data and evaluate it through two primary lenses: criticality and sensitivity.

    • Criticality is a measure of importance. It answers the question: “How much damage would the business suffer if this asset were unavailable or corrupted?” This is directly tied to the operational functions that depend on the asset. The criticality of a customer database, for instance, is determined by the impact on the sales, marketing, and support functions that would grind to a halt without it. This translates to the availability rating. 

    • Sensitivity is a measure of secrecy. It answers the question: “What is the potential harm if this asset were disclosed to unauthorized parties?” This considers reputational damage, competitive disadvantage, legal penalties, and customer privacy violations. This translates to the confidentiality rating.

    Without this dual understanding, it's impossible to implement a proportional and cost-effective security program. The alternative is a one-size-fits-all approach, which invariably leads to one of two expensive failures:

    1. Overprotection: Applying the highest level of security controls to all information is prohibitively expensive and creates unnecessary operational friction. It's like putting a bank vault door on a broom closet.

    2. Underprotection: Applying a baseline level of security to all assets leaves your most critical and sensitive information dangerously vulnerable. It exposes your organization to unacceptable risk. Remember assigning an A2 rating to all your infra because it cannot be related to specific business processes? The “we'll take care of it at the higher levels” approach leads to exactly this issue.

    By understanding the criticality and sensitivity of assets, organizations can ensure that security efforts are directly tied to business objectives, making the investment in protection proportional to the asset's value. Proportionality is also embedded in new European legislation.

    A practical framework for executing classification exercises

    While the concept is straightforward, the execution can be complex. A successful classification program requires a methodical framework that moves from high-level policy to granular implementation. in this first stage, we're going to talk about data.

    Step 1: Define the Classification Levels

    The first step is to establish a simple, intuitive classification scheme. When you complicate it, you lose your people. Most organizations find success with a three- or four-tiered model, which is easy for employees to understand and apply. For example:

    • Public: Information intended for public consumption with no negative impact from disclosure (e.g., marketing materials, press releases).

    • Internal: Information for use within the organization but not overly sensitive. Its disclosure would be inconvenient but not damaging (e.g., internal memos on non-sensitive topics, general project plans).

    • Confidential: Sensitive business information that, if disclosed, could cause measurable damage to the organization's finances, operations, or reputation (e.g., business plans, financial forecasts, customer lists).

    • Restricted or secret: The most sensitive data that could cause severe financial or legal damage if compromised. Access is strictly limited on a need-to-know basis (e.g., trade secrets, source code, PII, M&A details).

    Step 2: Tackle the Data Inventory Problem

    This is often the most challenging phase: identifying and locating all information assets. You must create a comprehensive inventory and detail not just the data itself but its entire context:

    • Data Owners: The business leader accountable for the data and for determining its classification.

    • Data Custodians: The IT or operational teams responsible for implementing and managing the security controls on the data.

    • Location: Where does the data live? Is it in a specific database, a cloud storage bucket, a third-party application, or a physical filing cabinet?

    • External Dependencies: Crucially, this inventory must extend beyond the company's walls. Which third-party vendors (payroll processors, cloud hosting providers, marketing agencies) handle, store, or transport your data? Their security posture is now part of your risk surface. In Europe, this is now a foundation of your data management through GDPR, DORA, the AI Act and other legislation. 

    Step 3: Establish a Lifecycle Approach

    Information isn't static. Its value and handling requirements can change over its lifecycle. Your classification process must define clear rules for each stage:

    • Creation: How is data classified when it's first created? How is it marked (e.g., digital watermarks, document headers)?

    • Storage & Use: What security controls apply to each classification level at rest and in transit (e.g., encryption standards, access control rules)? What about legislative initiatives?

    • Archiving & Retention: How long must the data be kept to meet business needs and legal requirements? What about external storage?

    • Destruction: What are the approved methods for securely destroying the data (e.g., cryptographic erasure, physical shredding) once it's no longer required?

    Without clear, consistent handling standards for each level, the classification labels themselves are meaningless. The classification directly dictates the required security measures.

    The hierarchy of importance.

    This dual (business processes and asset classification) top-down approach to determining criticality is often referred to as the 'hierarchy of importance,' which helps in systematically prioritizing assets based on their business value.

    Once assets are inventoried, the next step is to systematically determine their criticality. Randomly assigning importance to thousands of assets is futile. A far more effective method is a top-down, hierarchical approach that mirrors the structure of the business itself. This method creates a clear “chain of criticality,” where the importance of a technical asset is directly derived from the value of the business function it supports.

    Map the Supporting Assets and Resources

    Only now, once you have clearly defined the critical business functions and prioritized them, can you finally map the specific assets and resources they depend on. These are the people, technology, and facilities that enable the function. For the critical function “Processing New Customer Orders,” the supporting assets might include:

    • Application: SAP ERP System (Module SD)

    • Database: Oracle Customer Order Database

    • Hardware: Primary ERP Server Cluster

    • Personnel: Sales team and Order Entry team

    The criticality of the “Oracle Customer Order Database” is now clear. It is clearly integrated into the business; it is critically important because it is an essential asset for a top-priority function (SF-01) within a top-ranked business unit (“Sales”). This top-down structure provides a clear, business-justified view of risk that management can easily understand. It allows you to see precisely how a technical risk (e.g., a vulnerability in the Oracle database) can bubble up to impact a core business operation.

    From Criticality to Consequence: Master Impact Analysis

    With a clear understanding of what's indispensable, the BIA can now finally move to its core purpose: analyzing the tangible and intangible impacts of a disruption over time. A robust impact analysis prevents “impact inflation,” which is the common tendency to focus solely on unrealistic scenarios or self-importance assurances, as this just causes management to discount your findings. That just causes management to discount your findings. A more credible approach uses a range of outcomes that paint a realistic picture of escalating damage over time.

    Your analysis should assess the loss of the four core pillars of information security:

    • Loss of Confidentiality: The unauthorized disclosure of sensitive information. The impact can range from legal fines for a data breach to the loss of competitive advantage from a leaked product design.

    • Loss of Integrity: The unauthorized or improper modification of data. This can lead to flawed decision-making based on corrupted reports, financial fraud, or a complete loss of trust in the system.

    • Loss of Availability: The inability to access a system or process. This is the most common focus of traditional BIA, leading to lost productivity, missed sales, and an inability to deliver services.

    • Insecurity around Authenticity: Your ability to ensure you receive data from the expected party. 

    This brings us to the CIAA rating, which encompasses Confidentiality, Integrity, Availability, and Authenticity, providing a comprehensive framework for assessing information security impacts.

    Qualitative vs. Quantitative Analysis

    Impacts can be measured in two ways, and the most effective BIAs use a combination of both:

    • Qualitative Analysis: This uses descriptive scales (e.g., High, Medium, Low) to assess impacts that are difficult to assign a specific monetary value to. This is ideal for measuring things like reputational damage, loss of customer confidence, or employee morale. Its main advantage is prioritizing risks quickly, but it lacks the financial precision needed for a cost-benefit analysis.

    • Quantitative Analysis: This assigns a specific monetary value ($) to the impact. This is used for measurable losses like lost revenue per hour, regulatory fines, or the cost of manual workarounds. The major advantage is that it provides clear financial data to justify security investments. For example, “This outage will cost us $100,000 per hour in lost sales” is a powerful statement when requesting funding for a high-availability solution.

    A mature analysis might involve scenario modeling—where we walk through a small set of plausible disruption scenarios with business stakeholders to define a range of outcomes (minimum, maximum, and most likely). This provides a far more nuanced and credible dataset that aligns with how management views other business risks.

    The additional lens: The Customer Value Chain Contribution (CVCC)©

    To elevate the BIA from an internal exercise to a truly strategic tool, we can apply one more lens: the Customer Value Chain Contribution (CVCC)©. This approach reframes the impact analysis to focus explicitly on the customer. Instead of just asking, “What is the impact on our business?” we ask, “What is the impact on our customer's experience and our ability to deliver value to them?”

    The CVCC method involves mapping your critical processes and assets to specific stages of the customer journey. For example:

    • Awareness/Acquisition: A disruption to the company website or marketing automation platform directly impacts your ability to attract new customers.

    • Conversion/Sale: An outage of the e-commerce platform or CRM system prevents customers from making purchases, directly impacting revenue and frustrating users at a key moment.

    • Service Delivery/Fulfillment: A failure in the warehouse management or logistics system means orders can't be fulfilled, breaking promises made to the customer.

    • Support/Retention: If the customer support ticketing system is down, customers with problems can't get help, leading to immense frustration and potential churn.

    By analyzing impact through the CVCC lens, the consequences become far more vivid and compelling. “Loss of the CRM system” becomes “a complete inability to process new sales leads or support existing customers, causing direct revenue loss and significant reputational damage.” This framing aligns the BIA directly with the goal of any business: creating and retaining satisfied customers. It transforms the discussion from technical risk to the preservation of the customer relationship and the value chain that supports it.

    From document to real value

    When you build your BIA on this framework, meaning that it is rooted in sound asset classification, structured by the correct top-down criticality analysis, and enriched by the customer-centric view of impact, then it is no longer a static document. It becomes the dynamic, strategic blueprint for organizational resilience.

    These insights generate business decisions:

    • Prioritized risk mitigation: they show exactly where to focus security efforts and resources for the greatest return on investment.

    • Justified security spending: they provide the quantitative and qualitative data needed to make a compelling business case for new security controls, technologies, and processes.

    • Informed recovery planning: they establish clear, business-justified Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) that form the foundation of any effective business continuity and disaster recovery plan.

    I'm convinced that this expanded vision of the business impact analysis embeds the right analytical understanding of value and risk into the fabric of the organization. I want you to move beyond the fear of disaster and toward a confident, proactive posture of resilience. Like that, you ensure that in a world of constant change and disruption, the things that truly matter are always understood, always protected, and always available.

    Always happy to chat.

    Monitor IT Employee Experience

    • Buy Link or Shortcode: {j2store}543|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: $29,096 Average $ Saved
    • member rating average days saved: 19 Average Days Saved
    • Parent Category Name: Engage
    • Parent Category Link: /engage
    • In IT, high turnover and sub-optimized productivity can have huge impacts on IT’s ability to execute SLAs, complete projects on time, and maintain operations effectively.
    • With record low unemployment rates in IT, retaining top employees and keeping them motivated in their jobs has never been more critical.

    Our Advice

    Critical Insight

    • One bad experience can cost you your top employee. Engagement is the sum total of the day-to-day experiences your employees have with your company.
    • Engagement, not pay, drives results. Engagement is key to your team's productivity and ability to retain top talent. Approach it systematically to learn what really drives your team.
    • It’s time for leadership to step up. As the CIO, it’s up to you to take ownership of your team’s engagement.

    Impact and Result

    • Info-Tech tools and guidance will help you initiate an effective conversation with your team around engagement, and avoid common pitfalls in implementing engagement initiatives.
    • Monitoring employee experience continuously using the Employee Experience Monitor enables you to take a data-driven approach to evaluating the success of your engagement initiatives.

    Monitor IT Employee Experience Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should focus on employee experience to improve engagement in IT, review Info-Tech’s methodology, and understand how our tools will help you construct an effective employee engagement program.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Start monitoring employee experience

    Plan out your employee engagement program and launch the Employee Experience Monitor survey for your team.

    • Drive IT Performance by Monitoring Employee Experience – Phase 1: Start Monitoring Employee Experience
    • None
    • None
    • EXM Setup Guide
    • EXM Training Guide for Managers
    • None
    • EXM Communication Template

    2. Analyze results and ideate solutions

    Interpret your Employee Experience Monitor results, understand what they mean in the context of your team, and involve your staff in brainstorming engagement initiatives.

    • Drive IT Performance by Monitoring Employee Experience – Phase 2: Analyze Results and Ideate Solutions
    • EXM Focus Group Facilitation Guide
    • Focus Group Facilitation Guide Driver Definitions

    3. Select and implement engagement initiatives

    Select engagement initiatives for maximal impact, create an action plan, and establish open and ongoing communication about engagement with your team.

    • Drive IT Performance by Monitoring Employee Experience – Phase 3: Measure and Communicate Results
    • Engagement Progress One-Pager
    [infographic]

    Workshop: Monitor IT Employee Experience

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Launch the EXM

    The Purpose

    Set up the EXM and collect a few months of data to build on during the workshop.

    Key Benefits Achieved

    Arm yourself with an index of employee experience and candid feedback from your team to use as a starting point for your engagement program.

    Activities

    1.1 Identify EXM use case.

    1.2 Identify engagement program goals and obstacles.

    1.3 Launch EXM.

    Outputs

    Defined engagement goals.

    EXM online dashboard with three months of results.

    2 Explore Engagement

    The Purpose

    To understand the current state of engagement and prepare to discuss the drivers behind it with your staff.

    Key Benefits Achieved

    Empower your leadership team to take charge of their own team's engagement.

    Activities

    2.1 Review EXM results to understand employee experience.

    2.2 Finalize focus group agendas.

    2.3 Train managers.

    Outputs

    Customized focus group agendas.

    3 Hold Employee Focus Groups

    The Purpose

    Establish an open dialogue with your staff to understand what drives their engagement.

    Key Benefits Achieved

    Understand where in your team’s experience you can make the most impact as an IT leader.

    Activities

    3.1 Identify priority drivers.

    3.2 Identify engagement KPIs.

    3.3 Brainstorm engagement initiatives.

    3.4 Vote on initiatives within teams.

    Outputs

    Summary of focus groups results

    Identified engagement initiatives.

    4 Select and Plan Initiatives

    The Purpose

    Learn the characteristics of successful engagement initiatives and build execution plans for each.

    Key Benefits Achieved

    Choose initiatives with the greatest impact on your team’s engagement, and ensure you have the necessary resources for success.

    Activities

    4.1 Select engagement initiatives with IT leadership.

    4.2 Discuss and decide on the top five engagement initiatives.

    4.3 Create initiative project plans.

    4.4 Build detailed project plans.

    4.5 Present project plans.

    Outputs

    Engagement project plans.

    Maximize Business Value From IT Through Benefits Realization

    • Buy Link or Shortcode: {j2store}337|cart{/j2store}
    • member rating overall impact: 6.0/10 Overall Impact
    • member rating average dollars saved: 4 Average Days Saved
    • member rating average days saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • Parent Category Name: IT Governance, Risk & Compliance
    • Parent Category Link: /it-governance-risk-and-compliance
    • IT and the business are often misaligned because business value is not well defined or communicated.
    • Decisions are made without a shared perspective of value. This results in cost misallocation and unexploited opportunities to improve efficiency and drive innovation.

    Our Advice

    Critical Insight

    • IT exists to provide business value and is part of the business value chain. Most IT organizations lack a way to define value, which complicates the process of making value-based strategic business decisions.
    • IT must link its spend to business value to justify its investments. IT doesn’t have an established process to govern benefits realization and struggles to demonstrate how it provides value from its investments.
    • Pursue value, not technology. The inability to articulate value leads to IT being perceived as a cost center.

    Impact and Result

    • Ensure there is a common understanding within the organization of what is valuable to drive growth and consistent strategic decision making.
    • Equip IT to evaluate, direct, and monitor investments to support the achievement of organizational values and business benefits.
    • Align IT spend with business value through an enhanced governance structure to achieve cost optimization. Ensure IT visibly contributes to the creation and maintenance of value.

    Maximize Business Value From IT Through Benefits Realization Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should establish a benefits realization process, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Understand business value

    Ensure that all key strategic stakeholders hold a current understanding of what is valuable to the organization and a sense of what will be valuable based on future needs.

    • Maximize Business Value from IT Through Benefits Realization – Phase 1: Understand Business Value
    • Business Value Statement Template
    • Business Value Statement Example
    • Value Statement Email Communication Template
    • Feedback Consolidation Tool

    2. Incorporate benefits realization into governance

    Establish the process to evaluate spend on IT initiatives based on expected benefits, and implement the methods to monitor how well the initiatives achieve these benefits.

    • Maximize Business Value from IT Through Benefits Realization – Phase 2: Incorporate Benefits Realization into Governance
    • Business Value Executive Presentation Template

    3. Ensure an accurate reference of value

    Re-evaluate, on a consistent basis, the accuracy of the value drivers stated in the value statement with respect to the organization’s current internal and external environments.

    • Maximize Business Value from IT Through Benefits Realization – Phase 3: Ensure an Accurate Reference of Value
    [infographic]

    Workshop: Maximize Business Value From IT Through Benefits Realization

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Understand Business Value

    The Purpose

    Establish the business value statement.

    Understand the importance of implementing a benefits realization process.

    Key Benefits Achieved

    Unified stakeholder perspectives of business value drivers

    Establish supporters of the initiative

    Activities

    1.1 Understand what governance is and how a benefits realization process in governance will benefit the company.

    1.2 Discuss the mission and vision of the company, and why it is important to establish the target state prior to defining value.

    1.3 Brainstorm and narrow down organization value drivers.

    Outputs

    Stakeholder buy-in on benefits realization process

    Understanding of interrelations of mission, vision, and business value drivers

    Final three prioritized value drivers

    Completed business value statement

    2 Incorporate Benefits Realization Into Governance

    The Purpose

    Establish the intake, assessment and prioritization, and output and monitoring processes that are involved with implementing benefits realization.

    Assign cut-over dates and accountabilities.

    Establish monitoring and tracking processes.

    Key Benefits Achieved

    A thorough implementation plan that can be incorporated into existing governance documents

    Stakeholder understanding of implemented process, process ownership

    Activities

    2.1 Devise the benefits realization process.

    2.2 Establish launch dates, accountabilities, and exception handling on processes.

    2.3 Devise compliance monitoring and exception tracking methods on the benefits realization process.

    Outputs

    Benefits realization process incorporated into governance documentation

    Actionable plan to implement benefits realization process

    Reporting processes to ensure the successful delivery of the improved governance process

    3 Ensure an Accurate Reference of Value

    The Purpose

    Implement a process to ensure that business value drivers remain current to the organization.

    Key Benefits Achieved

    Align IT with the business and business to its environment

    Activities

    3.1 Determine regular review cycle to reassess business value drivers.

    3.2 Determine the trigger events that may cause off-cycle revisits to value.

    3.3 Devise compliance monitoring on value definition.

    Outputs

    Agenda and tools to assess the business context to verify the accuracy of value

    List of possible trigger events specific to your organization

    Reporting processes to ensure the continuous adherence to the business value definition

    Adopt Design Thinking in Your Organization

    • Buy Link or Shortcode: {j2store}327|cart{/j2store}
    • member rating overall impact: 9.6/10 Overall Impact
    • member rating average dollars saved: $23,245 Average $ Saved
    • member rating average days saved: 13 Average Days Saved
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation
    • End users often have a disjointed experience while interacting with your organization in using its products and services.
    • You have been asked by your senior leadership to start a new or revive an existing design or innovation function within your organization. However, your organization has dismissed design thinking as the latest “management fad” and does not buy into the depth and rigor that design thinking brings.
    • The design or innovation function lives on the fringes of your organization due to its apathy towards design thinking or tumultuous internal politics.
    • You, as a CIO, want to improve the user satisfaction with the IT services your team provides to both internal and external users.

    Our Advice

    Critical Insight

    • A user’s perspective while interacting with the products and services is very different from the organization’s internal perspective while implementing and provisioning those. A design-based organization balances the two perspectives to drive user-satisfaction over end-to-end journeys.
    • Top management must have a design thinker – the guardian angel of the balance between exploration (i.e. discovering new business models) and exploitation (i.e. leveraging existing business models).
    • Your approach to adopt design thinking must consider your organization’s specific goals and culture. There’s no one-size-fits-all approach.

    Impact and Result

    • User satisfaction, with the end-to-end journeys orchestrated by your organization, will significantly increase.
    • Design-centric organizations enjoy disproportionate financial rewards.

    Adopt Design Thinking in Your Organization Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should adopt design thinking in your organization, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. What is design thinking?

    The focus of this phase is on revealing what designers do during the activity of designing, and on building an understanding of the nature of design ability. We will formally examine the many definitions of design thinking from experts in this field. At the core of this phase are several case studies that illuminate the various aspects of design thinking.

    • Adopt Design Thinking in Your Organization – Phase 1: What Is Design Thinking?
    • Victor Scheinman's Experiment for Design

    2. How does an organization benefit from design thinking?

    This phase will illustrate the relevance of design in strategy formulation and in service-design. At the core of this phase are several case studies that illuminate these aspects of design thinking. We will also identify the trends impacting your organization and establish a baseline of user-experience with the journeys orchestrated by your organization.

    • Adopt Design Thinking in Your Organization – Phase 2: How Does an Organization Benefit From Design Thinking?
    • Trends Matrix (Sample)

    3. How do you build a design organization?

    The focus of this phase is to:

  • Measure the design-centricity of your organization and subsequently, identify the areas for improvement.
  • Define an approach for a design program that suites your organization’s specific goals and culture.

    • Adopt Design Thinking in Your Organization – Phase 3: How Do You Build a Design Organization?
    • Report on How Design-Centric Is Your Organization (Sample)
    • Approach for the Design Program (Sample)
    • Interview With David Dunne on Design Thinking
    • Interview With David Dunne on Design Thinking (mp3)
    [infographic]

    Workshop: Adopt Design Thinking in Your Organization

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 What Is Design Thinking?

    The Purpose

    The focus of this module is on revealing what designers do during the activity of designing, and on building an understanding of the nature of design ability. We will also review the report on the design-centricity of your organization and subsequently, earmark the areas for improvement.

    Key Benefits Achieved

    An intimate understanding of the design thinking

    An assessment of design-centricity of your organization and identification of areas for improvement

    Activities

    1.1 Discuss case studies on how designers think and work

    1.2 Define design thinking

    1.3 Review report from Info-Tech’s diagnostic: How design-centric is your organization?

    1.4 Earmark areas for improvement to raise the design-centricity of your organization

    Outputs

    Report from Info-Tech’s diagnostic: ‘How design-centric is your organization?’ with identified areas for improvement.

    2 How Does an Organization Benefit From Design Thinking?

    The Purpose

    In this module, we will discuss the relevance of design in strategy formulation and service design. At the core of this module are several case studies that illuminate these aspects of design thinking. We will also identify the trends impacting your organization. We will establish a baseline of user experience with the journeys orchestrated by your organization.

    Key Benefits Achieved

    An in-depth understanding of the relevance of design in strategy formulation and service design

    An understanding of the trends that impact your organization

    A taxonomy of critical customer journeys and a baseline of customers’ satisfaction with those

    Activities

    2.1 Discuss relevance of design in strategy through case studies

    2.2 Articulate trends that impact your organization

    2.3 Discuss service design through case studies

    2.4 Identify critical customer journeys and baseline customers’ satisfaction with those

    2.5 Run a simulation of design in practice

    Outputs

    Trends that impact your organization.

    Taxonomy of critical customer journeys and a baseline of customers’ satisfaction with those.

    3 How to Build a Design Organization

    The Purpose

    The focus of this module is to define an approach for a design program that suits your organization’s specific goals and culture.

    Key Benefits Achieved

    An approach for the design program in your organization. This includes aspects of the design program such as its objectives and measures, its model (one of the five archetypes or a hybrid one), and its governance.

    Activities

    3.1 Identify objectives and key measures for your design thinking program

    3.2 Structure your program after reviewing five main archetypes of a design program

    3.3 Balance between incremental and disruptive innovation

    3.4 Review best practices of a design organization

    Outputs

    An approach for your design thinking program: objectives and key measures; structure of the program, etc.

    Assess the Viability of M365-O365 Security Add-Ons

    • Buy Link or Shortcode: {j2store}251|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Security Strategy & Budgeting
    • Parent Category Link: /security-strategy-and-budgeting

    The technical side of IT security demands the best security possible, but the business side of running IT demands that you determine what is cost-effective and can still do the job. You likely shrugged off the early iterations of Microsoft’s security efforts, but you may have heard that things have changed. Where do you start in evaluating Microsoft’s security products in terms of effectiveness? The value proposition sounds tremendous to the CFO, “free” security as part of your corporate license, but how does it truly measure up and how do you articulate your findings to the business?

    Our Advice

    Critical Insight

    Microsoft’s security products have improved to the point where they are often ranked competitively with mainstream security products. Depending on your organization’s licensing of Office 365/Microsoft 365, some of these products are included in what you’re already paying for. That value proposition is hard to deny.

    Impact and Result

    Determine what is important to the business, and in what order of priority.

    Take a close look at your current solution and determine what are table stakes, what features you would like to have in its replacement, and what your current solution is missing.

    Consider Microsoft’s security solutions using an objective methodology. Sentiment will still be a factor, but it shouldn’t dictate the decision you make for the good of the business.

    Assess the Viability of M365/O365 Security Add-Ons Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to assess the viability of M365/O365 security add-ons. Review Info-Tech’s methodology and understand the four key steps to completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Review your current state

    Examine what you are licensed for, what you are paying, what you need, and what your constraints are.

    • Microsoft 365/Office 365 Security Add-Ons Assessment Tool

    2. Assess your needs

    Determine what is “good enough” security and assess the needs of your organization.

    3. Select your path

    Decide what you will go with and start planning your next steps.

    [infographic]

    Modernize Your Applications

    • Buy Link or Shortcode: {j2store}178|cart{/j2store}
    • member rating overall impact: 10.0/10 Overall Impact
    • member rating average dollars saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • member rating average days saved: Read what our members are saying
    • Parent Category Name: Architecture & Strategy
    • Parent Category Link: /architecture-and-strategy
    • Application modernization is essential to stay competitive and productive in today’s digital environment. Your stakeholders have outlined their digital business goals that IT is expected to meet.
    • Your application portfolio cannot sufficiently support the flexibility and efficiency the business needs because of legacy challenges.
    • Your teams do not have a framework to illustrate, communicate, and justify the modernization effort and organizational changes in the language your stakeholders understand.

    Our Advice

    Critical Insight

    • Build your digital applications around continuous modernization. End-user needs, technology, business direction, and regulations rapidly change in today’s competitive and fast-paced industry. This reality will quickly turn your modern applications into shelfware. Build continuous modernization at the center of your digital application vision to keep up with evolving business, end-user, and IT needs.
    • Application modernization is organizational change management. If you build and modernize it, they may not come. The crux of successful application modernization is centered on the strategic, well-informed, and onboarded adoption of changes in key business areas, capabilities, and processes. Organizational change management must be front and center so that applications are fit for purpose and are something that end users want and need to use.
    • Business-IT collaboration is not optional. Application modernization will not be successful if your lines of business (LOBs) and IT are not working together. IT must empathize how LOBs operate and proactively support the underlying operational systems. LOBs must be accountable for all products leveraging modern technologies and be able to rationalize the technical feasibility of their digital application vision.

    Impact and Result

    • Establish the digital application vision. Gain a grounded understanding of the digital application construct and prioritize these attributes against your digital business goals.
    • Define your modernization approach. Obtain a thorough view of your business and technical complexities, risks, and impacts. Employ the right modernization techniques based on your organization’s change tolerance.
    • Build your roadmap. Clarify the organizational changes needed to support modernization and adoption of your digital applications.

    Modernize Your Applications Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should strategically modernize your applications, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Set your vision

    Describe your application vision and set the right modernization expectations with your stakeholders.

    • Modernize Your Applications – Phase 1: Set Your Vision

    2. Identify your modernization opportunities

    Focus your modernization efforts on the business opportunities that your stakeholders care about.

    • Modernize Your Applications – Phase 2: Identify Your Modernization Opportunities

    3. Plan your modernization

    Describe your modernization initiatives and build your modernization tactical roadmap.

    • Modernize Your Applications – Phase 3: Plan Your Modernization
    [infographic]

    Workshop: Modernize Your Applications

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Set Your Vision

    The Purpose

    Discuss the goals of your application modernization initiatives

    Define your digital application vision and priorities

    List your modernization principles

    Key Benefits Achieved

    Clear application modernization objectives and high priority value items

    Your digital application vision and attributes

    Key principles that will guide your application modernization initiatives

    Activities

    1.1 State Your Objectives

    1.2 Characterize Your Digital Application

    1.3 Define Your Modernization Principles

    Outputs

    Application modernization objectives

    Digital application vision and attributes definitions

    List of application modernization principles and guidelines

    2 Identify Your Modernization Opportunities

    The Purpose

    Identify the value streams and business capabilities that will benefit the most from application modernization

    Conduct a change tolerance assessment

    Build your modernization strategic roadmap

    Key Benefits Achieved

    Understanding of the value delivery improvements modernization can bring

    Recognizing the flexibility and tolerance of your organization to adopt changes

    Select an approach that best fits your organization’s goals and capacity

    Activities

    2.1 Identify the Opportunities

    2.2 Define Your Modernization Approach

    Outputs

    Value streams and business capabilities that are ideal modernization opportunities

    Your modernization strategic roadmap based on your change tolerance and modernization approach

    3 Plan Your Modernization

    The Purpose

    Identify the most appropriate modernization technique and the scope of changes to implement your techniques

    Develop an actionable tactical roadmap to complete your modernization initiatives

    Key Benefits Achieved

    Clear understanding of what must be changed to the organization and application considering your change tolerance

    An achievable modernization plan

    Activities

    3.1 Shortlist Your Modernization Techniques

    3.2 Roadmap Your Modernization Initiatives

    Outputs

    Scope of your application modernization initiatives

    Your modernization tactical roadmap

    Implement a Transformative IVR Experience That Empowers Your Customers

    • Buy Link or Shortcode: {j2store}68|cart{/j2store}
    • member rating overall impact: 8.5/10 Overall Impact
    • member rating average dollars saved: $6,499 Average $ Saved
    • member rating average days saved: 15 Average Days Saved
    • Parent Category Name: Development
    • Parent Category Link: /development
    • Today’s customers expect a top-tier experience when interacting with businesses.
    • The advancements in IVR technology mean that IT departments are managing added complexity in drafting a strategy for a top-tier IVR approach.
    • Implementing best practices and the right enabling technology stack is critical to supporting world-class customer experience through IVR.

    Our Advice

    Critical Insight

    • Don’t assume that contact centers and IVR systems are relics of the past. Customers still look to phone calls as being the most effective way to get a fast answer.
    • Tailor your IVR system for your customers. There is no “one-size-fits-all” approach – understand your key customer demographics and support their experience by implementing the most effective strategies for them.
    • Don’t buy best of breed, buy best for you. Base your enabling technology selection on your requirements and use cases, not on the latest industry trends and developments.

    Impact and Result

    • Before selecting and deploying technology solutions, create a database of common customer pain points and FAQs to act as an outline for the call flow tree.
    • Understand and apply operational best practices, such as ensuring proper call menu organization and using self-service applications, to improve IVR metrics and, ultimately, the customer experience.
    • Understand emerging technologies and evolving trends in the IVR space, including natural language processing and integrating your IVR with other essential enterprise applications (e.g. customer relationship management platforms).

    Implement a Transformative IVR Experience That Empowers Your Customers Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Transformative IVR Experience Deck – A deck outlining the best strategies and enabling technologies to implement in your IVR approach to improve your customer experience.

    This storyboard offers insight into impactful strategies and beneficial enabling technologies to implement in your IVR approach to improve your customers’ experience and to reduce the load on your support staff. This deck outlines IT’s role in the IVR development process, offering insight into how to develop an effective IVR call flow and providing details on relevant enabling technologies to consider implementing to further improve your offering.

    • Implement a Transformative IVR Experience That Empowers Your Customers – Phases 1-4

    2. IVR Call Flow Template – A template designed to help you build an effective call flow tree by providing further insight into how to better understand your customers.

    This template demonstrates an ideal IVR approach, outlining a sample call flow for a telecommunications company designed to meet the needs of a curated customer persona. Use this template to gain a better understanding of your own key customers and to construct your own call flow tree.

    • Create an IVR Call Flow That Empowers Your Customers
    [infographic]

    Further reading

    Implement a Transformative IVR Experience That Empowers Your Customers

    Learn the strategies that will allow you to develop an effective interactive voice response (IVR) framework that supports self-service and improves customer experience.

    Stop! Are you ready for this project?

    This Research Is Designed For:

    • Business analysts, application directors/managers, and customer service leaders tasked with developing and executing a technology enablement strategy for optimizing their contact center approach.
    • Any organization aiming to improve its customer experience by implementing a customer-centric approach to over-the-phone service via an IVR system.

    This Research Will Help You:

    • Adopt the best strategies for outlining an effective IVR approach and for transforming an existing IVR system.
    • Improve customer experience and ultimately customer satisfaction by enabling you to create a more efficient IVR call flow tree.
    • Select the proper IVR strategies to focus on based on the maturity level of your organization's call center.
    • Review the "art of the possible" and learn of the latest developments in successful IVR execution.
    • Learn IT's role in developing a successful IVR system and in developing a technology strategy that optimizes your IVR approach.

    Executive Summary

    Your Challenge

    • Today's customers expect a top-tier experience when interacting with businesses.
    • The advancements in IVR technology mean that IT departments are managing added complexity in drafting a strategy for a top-tier IVR approach.
    • Implementing best practices and the right enabling technology stack is critical to supporting world-class customer experience through IVR.

    Common Obstacles

    • Many organizations do not have a clear understanding of customers' drivers for contacting their IVR.
    • As many contact centers look to improve the customer experience, the need for an impactful IVR system has markedly increased. The proliferation of recommendations for IVR best practices and related technologies has made it difficult to identify and implement the right approach.
    • With a growing number of IVR-related requests, IT must be prepared to speak intelligently about requirements and the "art of the possible."

    Info-Tech's Approach

    • Before selecting and deploying technology solutions, create a database of common customer call drivers to act as an outline for the call flow tree.
    • Understand and apply operational best practices, such as ensuring proper call menu organization and using self-service applications, to improve IVR metrics and, ultimately, the customer experience.
    • Understand evolving trends and emerging technologies in the IVR space, including offering personalized service and using natural language processing/conversational AI.

    Info-Tech Insight

    Tailor your IVR system specifically for your customers. There is no one-size-fits-all approach. Understand your key customers and support their experience by implementing the most effective strategies for them.

    Voice is still the dominant way in which customers choose to receive support

    Despite the contrary beliefs that the preference for phone support and IVR systems is declining, studies have consistently shown that consumers still prefer receiving customer service over the phone.

    76%

    of customers prefer the "traditional" medium of phone calls to reach customer support agents.

    50%

    of customers across all age groups generally use the phone to contact customer support, making it the most-used customer service channel.

    Your IVR approach can make or break your customers' experience

    The feelings that customers are left with after interacting with contact centers and support lines has a major impact on their future purchase decisions

    Effective IVR systems provide customers with positive experiences, keeping them happy and satisfied. Poorly executed IVR systems leave customers feeling frustrated and contribute to an overall negative experience. Negative experiences with your IVR system could lead to your customers taking their business elsewhere.

    In fact, research by Haptik shows that an average of $262 per customer is lost each year due to poor IVR experiences ("7 Conversational IVR Trends for 2021 and Beyond," Haptik, 2021).

    50%

    of customers have abandoned their business transactions while dealing with an IVR system.

    Source: Vonage, 2020

    45%

    of customers will abandon a business altogether due to a poor IVR experience.

    Source: "7 Remarkable IVR Trends For the Year 2022 And Beyond," Haptik, 2021

    IVR systems only improve your customers' experience when done properly

    There are many common mistakes that organizations make when implementing their own IVR strategies:

    1. Offering too many menu options. IVR systems are supposed to allow customers to resolve their inquiries quickly, so it is integral that you organize your menu effectively. Less is more when it comes to your IVR call flow tree.
    2. A lack of self-service capabilities. IVR systems are meant to maximize customer service and improve the customer experience by offering self-service functionality. If resolutions for common issues can't be found through IVR, your return on investment (ROI) is limited.
    3. Having callers get stuck in an "IVR loop." Customers caught hearing the same information repeatedly will often abandon their call. Don't allow customers to get "tangled" in your call flow tree; always make human contact an option.
    4. Not offering personalized service. The inability to identify customers by their number or other identifying features leads to poor personalization and time wasted repeating information, contributing to an overall negative experience.
    5. Not updating the IVR system. By not taking advantage of new developments in IVR technology and by not using customer and employee feedback to upgrade your offering, you are missing out on the potential to improve your customers' experience. Complacency kills, and your organization will be at a competitive disadvantage because of it.

    Implement a transformative IVR approach that empowers your customers

    Call flow trees don't grow overnight; they require commitment, nurturing, and care

    1. Focus on the Roots of Your Call Flow Tree
      • Your call flow tree will only grow as strong as the roots allow it; begin beneath the surface by understanding the needs of your customers and the goals of your organization first, before building your initial IVR menu.
    2. Allow Customers the Opportunity to Branch Out
      • Empower your customers by directing your call flow tree to self-service applications where possible and to live agents when necessary.
    3. Let Your Call Flow Tree Flourish
      • Integrate your IVR with other relevant business applications and apply technological developments that align with the needs of your customers and the goals of your organization.
    4. Keep Watering Your Call Flow Tree
      • Don't let your call flow tree die! Elicit feedback from relevant stakeholders and develop an iterative review cycle to identify and implement necessary changes to your call flow tree, ensuring continued growth.

    IT plays an integral role in supporting the IVR approach

    IT is responsible for providing technology enablement of the IVR strategy

    While IT may not be involved in organizing the call flow tree itself, their impact on an organization's IVR approach is undeniable. Not only will IT assist with the implementation and integration of your IVR system, they will also be responsible for maintaining the technology on an ongoing basis. As such, IT should be a part of your organization's software selection team, following Info-Tech's methodology for optimizing your software selection process.

    • With an understanding of the organization's customer experience management strategy and business goals, IT should be looked toward to:
    • Provide insight into the "art of the possible" with IVR systems.
    • Recommend enabling technologies relative to your call center's maturity (e.g. agent assist and natural language processing).
    • Outline integration capabilities with your existing application portfolio.
    • Highlight any security concerns.
    • Assist with vendor engagement.
    • Take part in stakeholder feedback groups, consulting with agents about their pain points and attempting to solve their problems.

    Guided Implementation

    What does a typical GI on this topic look like?

    Focus on the Roots of Your Call Flow Tree

    		Allow Customers the Opportunity to Branch Out Let Your IVR Call Flow Tree Flourish Keep Watering Your Call Flow Tree

    Call #1: Introduce the project, scoping customer call drivers and defining metrics of success.

    Call #3: Discuss the importance of promoting self-service and how to improve call routing processes, assessing the final tiers of the IVR.

    Call #4: Discuss the benefits of integrating your IVR within your existing business architecture and using relevant enabling technologies.

    Call #5: Discuss how to elicit feedback from relevant stakeholders and develop an iterative IVR review cycle, wrapping up the project.

    Call #2: Begin assessing initial IVR structure.

    A Guided Implementation (GI) is a series

    of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is 5 to 7 calls over the course of 4 to 6 months.

    Phase 1

    Focus on the Roots of Your Call Flow Tree

    Phase 1

    Phase 2

    Phase 3

    Phase 4

    1.1 Understand your customers

    1.2 Develop goals for your IVR

    1.3 Align goals with KPIs

    1.4 Build your initial IVR menu

    2.1 Build the second tier of your IVR menu

    2.2 Build the third tier of your IVR menu

    3.1 Learn the benefits of a personalized IVR

    3.2 Review new technology to apply to your IVR

    4.1 Gather insights on your IVR's performance

    4.2 Create an agile review method

    This phase will walk you through the following activities:

    • Building a database of your customers' call drivers
    • Developing IVR-related goals and connecting them with your key performance indicators (KPIs)
    • Developing the first tier of your IVR menu

    This phase involves the following participants:

    • Business stakeholders (business analysts, application director/manager, customer service leaders)
    • IT project team

    Implement a Transformative IVR Approach That Empowers Your Customers

    Step 1.1

    Understand Your Customers

    This step will walk you through the following activity:

    1.1.1 Build a database of the reasons why your customers call your contact center

    Focus on the Roots of Your Call Flow Tree

    This step involves the following participants:

    • Business stakeholders (business analysts, application director/manager, customer service leaders)
    • IT project team

    Outcomes of this step

    • List of your customers' call drivers

    Help your customers get to where they need to go

    Understand which questions customers need answered the most and organize your IVR menu accordingly

    • With any IVR system, your primary focus should be creating a simple, easily navigated call flow. You not only want your customers to be able to find the solutions that they are looking for, but you want them to be able to do so easily and quickly.
    • In order to direct customers more efficiently, you need to understand why they're motivated to call your contact center. This will be different for every organization, so it requires a deeper understanding of your customers.
    • After understanding the motivators behind your customers' reasons for calling, you'll be able to organize your call flow tree effectively.
    • Assign the most popular reasons that customers call first in your IVR call flow. Organizing your call flow in such a way will ensure a quicker turn around time for customer inquiries, providing callers with the immediate resolution that they are seeking.

    "Call flows are the structure of a call center's interactive voice response (IVR). They define the path a caller takes to reach a resolution. The more efficient the flow, the quicker a resolution can be – thereby delivering a better caller experience."

    Thomas Randall, Ph.D.
    Senior Research Analyst
    Info-Tech Research Group

    1.1.1 Activity: Build a list of the most common reasons that your key customers call your contact center

    30 minutes

    1. As a group, review the reasons that customers call your contact center. This includes reviewing which questions are asked most frequently, what services are most often inquired about, and what pain points and complaints live agents hear most regularly.
    2. Organize each call driver from most to least popular based on how often they are heard.
    3. Record your findings.
    Input Output
    • List of common customer questions
    • List of common customer pain points/complaints
    • Database of customer call drivers
    Materials Participants
    • Whiteboard
    • Markers
    • Project team
    • Customer service leaders/live agents

    Info-Tech Insight

    To understand why your customers are calling, first you need to know who your customers are. Improve your caller understanding by creating customer personas.

    1.1.1 Activity: Build a list of the most common reasons that your key customers call your contact center

    Example

    Customer Call Drivers
    Need to pay a bill
    Complaints about an outage to their service
    Inquiry about new plans
    Need to update account information
    Complaints about their last bill

    Step 1.2

    Develop Goals for Your IVR

    This step will walk you through the following activity:

    1.2.1 Outline IVR-related goals relevant to your organization.

    Focus on the Roots of Your Call Flow Tree

    This step involves the following participants:

    • Business stakeholders (business analysts, application director/manager, customer service leaders)
    • IT project team

    Outcomes of this step

    • Goals for your organizational IVR

    Create IVR-related goals you wish for your organization to achieve

    Organizations across different industries will measure success in a multitude of ways; develop goals that are relevant to your needs and desires

    Based on your customer experience strategy and what industry you're in, the goals that you aim to accomplish will look different. A doctor's office will be more concerned with an accurate diagnosis and high first call resolution rate than low average talk time!

    Setting business goals relevant to your organization is only half of the battle; it's just as important to hold your organization accountable to those goals and measure your continued progress toward meeting them.

    1.2.1 Activity: Brainstorm a list of goals that you would like your organization to achieve when optimizing your IVR approach

    30 minutes

    1. In two to three groups, brainstorm goals related to your IVR that are relevant to your organization.
    2. Classify these goals as being either quick wins or part of a longer-term engagement based on the time they would take to accomplish.
    3. Introduce your goals to the entire group, coming to an agreement on the top goals that the organization should aim to achieve through implementing a new/transformed IVR approach.
    InputOutput
    • Customer experience strategy
    • Desired IVR-related achievements
    • Organizational IVR goals
    MaterialsParticipants
    • Whiteboard
    • Markers
    • Project team

    1.2.1 Activity: Brainstorm a list of goals that you would like your organization to achieve when optimizing your IVR approach

    Example

    Goal Designation
    Lower the average queue time Quick win
    Lower call abandonment rate Quick win
    Lower customer attrition Long-term
    Lower employee attrition Long-term
    Increase average speed of answer Quick win

    Step 1.3

    Align Your Goals With Your KPIs

    This step will walk you through the following activity:

    1.3.1 Review your organizational IVR goals and connect them with your key performance indicators (KPIs)

    Focus on the Roots of Your Call Flow Tree

    This step involves the following participants:

    • Business stakeholders (business analysts, application director/manager, customer service leaders)
    • IT project team

    Outcomes of this step

    • Metrics used to measure organizational success related to your IVR

    Ensure you are using the proper metrics for measuring the success of your call flow tree

    You won't know if your IVR is operating successfully if you don't know what success looks like for you. It is important to align your contact center KPIs with your business goals so you can hold your IVR system accountable.

    Example

    Metric Description Current Score Target Score [Date/Year]
    First call resolution
    Average abandonment rate
    Customer attrition
    Employee attrition
    Average queue time
    Service level
    Average speed of answer
    Average handle time
    Average call transfer rate
    Average talk time
    Customer self-service resolution
    Agent satisfaction
    Customer satisfaction

    1.3.1 Activity: Develop KPIs for your contact center and connect them to your organization's business goals

    30 minutes

    1. As a group, establish the metrics or KPIs that will be used to measure your progress against the organizational IVR goals created in Activity 1.2.1.
    2. Take note of your current score for each of your organizational goals and determine your target score.
    3. Attach a deadline or target date by which you would like to reach your target score. Target dates can vary based on whether your goal is classified as a quick win or part of a longer-term engagement.
    InputOutput
    • Organizational IVR goals
    • KPIs
    MaterialsParticipants
    • Whiteboard
    • Markers
    • Project team

    Step 1.4

    Build Your Initial IVR Menu

    This step will walk you through the following activity:

    1.4.1 Develop the first tier of your IVR menu, determining the initial selections that customers will have to choose from

    Focus on the Roots of Your Call Flow Tree

    This step involves the following participants:

    • Business stakeholders (business analysts, application director/manager, customer service leaders)
    • IT project team

    Outcomes of this step

    • Tier one of your IVR call flow tree

    Keep your IVR concise – minimize the length of your voice prompts and limit the depth of your menus

    You don't want to overload your customers with information. Providing your callers with overly detailed prompts and too many menu options will only lead to frustration, ultimately diminishing both the efficiency and the effectiveness of your IVR. Limiting the length of your voice prompts and the depth of your menus will lay out a clear path for your callers, increasing the likelihood that they are able to navigate your IVR accurately.

    Each of your IVR menus should provide your customers with no more than five selections.

    Your IVR should offer a maximum of three menu tiers.

    Each of your selection "descriptions" or voice prompts should be no longer than four seconds in length.

    Info-Tech Insight

    According to a study by Telzio (2020), introductory IVR messages that greet your customers and identify your company should be under 7.9 seconds in length. Longer introductions will only bore, frustrate, and overload the customer before the call really even begins.

    When developing your voice prompts, it is integral to speak clearly using simple and easily understood language

    • Speak clearly and stay away from industry-specific jargon to ensure that your voice prompts are widely understood by your customer base. This will allow callers to digest the information relayed through your IVR more accurately.
    • Part of increasing the retention of information communicated through your IVR is also ensuring that sufficient pauses are taken between each of your voice prompts. Just as you want to avoid overloading your customers with voice prompts that are too long and too detailed, you also want to give your callers adequate time to process the information that is being relayed to them.
    • Improving the ease of listening to your IVR will reduce the risk of overwhelming your callers and will increase the likelihood that they are able to follow along appropriately, directing themselves down the proper call flow.

    Info-Tech Insight

    Securing voice talent and be expensive and cumbersome. Consider using an automated voice through a text-to-speech solution for your prompts. This will ensure that all your prompts are consistent throughout your menus, and it also makes it significantly easier to provide crucial updates within your IVR system.

    When sufficient pauses are taken between menu options, input errors can be reduced by over…

    Source: Ansafone Contact Centers, 2019

    1.4.1 Activity: Begin building your call flow tree by developing the initial selections that customers will choose from when dialing into your IVR

    30 minutes

    1. Review the database of customer call drivers completed in Activity 1.1.1 to create the opening menu of your IVR call flow tree.
    2. Limit your selections/prompts to a maximum of five by grouping related questions, services, and complaints/pain points into broad categories.
    3. Organize your selections/prompts according to how often customers call in relating to that topic.

    Info-Tech Insight

    Remember: You don't need five selections! That is the maximum recommended number of prompts to use and will most likely be reserved for more complex call flows. More isn't always better. If you can limit your initial menu to fewer selections, then do so.

    InputOutput
    • Database of customer call drivers
    • Initial IVR menu
    MaterialsParticipants
    • Whiteboard
    • Markers
    • Project team

    1.4.1 Activity: Begin building your call flow tree by developing the initial selections that customers will choose from when dialing into your IVR

    Example

    IVR Initial Greeting

    1. For Billing and Payments

    2. To Report an Outage

    3. To Make Changes to Your Plan or Account

    Phase 2

    Allow Customers the Opportunity to Branch Out

    Phase 1

    Phase 2

    Phase 3

    Phase 4

    1.1 Understand your customers

    1.2 Develop goals for your IVR

    1.3 Align goals with KPIs

    1.4 Build your initial IVR menu

    2.1 Build the second tier of your IVR menu

    2.2 Build the third tier of your IVR menu

    3.1 Learn the benefits of a personalized IVR

    3.2 Review new technology to apply to your IVR

    4.1 Gather insights on your IVR's performance

    4.2 Create an agile review method

    This phase will walk you through the following activities:

    • Completing the second tier of your call flow tree
    • Completing the third and final tier of your call flow tree

    This phase involves the following participants:

    • Business stakeholders (business analysts, application director/manager, customer service leaders)
    • IT project team

    Implement a Transformative IVR Approach That Empowers Your Customers

    Step 2.1

    Build the Second Tier of Your IVR Menu

    This step will walk you through the following activity:

    • 2.1.1 Complete the second tier of your call flow tree, branching out from your initial menu

    Allow Customers the Opportunity to Branch Out

    This step involves the following participants:

    • Business stakeholders (business analysts, application director/manager, customer service leaders)
    • IT project team

    Outcomes of this step

    • Tier 2 of your IVR call flow tree

    An IVR system should empower your customers to solve problems on their own

    Integrate business applications into your IVR menus to enable self-service capabilities and automate processes where possible

    • An IVR system should assist your customer service team while also empowering your customers. This can be accomplished through offering self-service and using automated messaging via a broadcast messaging system.
    • Some common self-service practices include providing callers with the ability to check credit card statements, pay bills, and track shipments.
    • Automated messaging can be used to address common customer questions. For instance, if a company-wide issue exists, an automated message can outline the issue and highlight the approximate time for resolution, providing customers with the answer they were seeking while eliminating the need to speak to a live agent. This technique is commonly practiced by internet providers during outages.
    • Providing callers with the opportunity to find a resolution for themselves through self-service and automated messaging not only improves the customer experience but also frees up your customer service team for more pressing matters.

    73%

    of customers want to be provided with the ability to solve issues on their own.

    67%

    of customers prefer to use self-service options over speaking with a customer service representative.

    Source: Raffle, 2020

    2.1.1 Activity: Grow your call flow tree! Begin branching out from your initial menu options and develop the second tier of your IVR system

    30 minutes

    1. Branch out from your initial IVR menu created in Activity 1.4.1. Get more specific in your prompts, branching out from the general groupings you have created.
    2. Consult with your database of customer call drivers created in Activity 1.1.1 to organize your subgroupings, again prioritizing the services most sought and the questions, complaints, and pain points most frequently heard.
    3. Limit each subsection to a maximum of five prompts.

    Info-Tech Insight

    Always provide your callers with the option to go back to a previous menu or to have menu options repeated.

    InputOutput
    • Database of customer call drivers
    • Initial IVR menu
    • Second IVR menu
    MaterialsParticipants
    • Whiteboard
    • Markers
    • Project team

    2.1.1 Activity: Grow your call flow tree! Begin branching out from your initial menu options and develop the second tier of your IVR system

    Example

    This is an image of the sample flow tree from Activity 2.1.1


    Step 2.2

    Build the Third Tier of Your IVR Menu

    This step will walk you through the following activity:

    2.2.1 Complete your call flow tree by branching out your third and final tier of menu options.

    Allow Customers the Opportunity to Branch Out

    This step involves the following participants:

    • Business stakeholders (business analysts, application director/manager, customer service leaders)
    • IT project team

    Outcomes of this step

    • Third and final tier of your IVR call flow tree

    Provide your callers with the option to speak to a live agent – but not too soon

    While promoting self-service and automating certain processes will improve the functionality of your IVR, it is also important to realize that some issues will ultimately require human intervention. An effective IVR system harmonizes these concepts by making human contact an option, but not too early in the process. You need to find the right balance!

    When organizing your IVR call flow tree, you need to be conscious of sending clients in an endless "IVR loop." You should never have your IVR continually repeat its menu options. Customers will abandon an IVR if they are stuck in an IVR loop, being forced to listen to the same information repeatedly without having a way to reach an agent.

    If a problem cannot be solved within three steps or by the third tier of your IVR menus, callers should be provided with the option to speak to a live agent, if not automatically routed to one. By providing your callers with the option to speak to a live agent on the third tier of your IVR, you are still offering ample time for customers to discover an avenue to solve their issue on their own through self-service, without frustrating them by losing them in an endless loop of IVR options.

    30%

    of customers say that not being able to reach a human agent is the most frustrating aspect of a poor customer service experience.

    Source: ProProfs Chat, 2022

    Info-Tech Insight

    Consider routing callers to a live agent not only on the third tier of your IVR menus but also after three input errors. Multiple input errors can show an eagerness to speak to a representative or a strong misunderstanding of the IVR offering.

    How you direct a customer to a live agent can make all the difference

    Don't think that just offering your customers the option to speak to a live agent is enough. When aiming to significantly improve your customers' experience, how you direct calls to your live agents plays a major role. When a call is being directed to a live agent, be sure to:

    • Optimize your call routing and minimize call transfers. Use skills-based routing to direct your incoming client calls to the most suitable agent to resolve their issue. Inaccurately routing callers through your IVR leads to having to transfer the customer to another agent, which is a major contributor to a negative customer experience.
    • Include wait-time expectations and call-back functionality. There is no denying it: Waiting on hold can be a real pain. If a customer needs to go on hold, inform them of where they are in the queue and what the approximate wait time is. A little transparency can go a long way. You should also provide customers with the option to have a representative call them back. This greatly improves the customer experience, particularly when wait times are long.
    • Play useful on-hold messages. If a customer does decide to wait on the line to speak to a representative, ensure your on-hold messaging doesn't negatively impact their experience. Always have multiple songs and messages available to cycle through to limit customer annoyance. For on-hold messages, consider mentioning self-service capabilities available on other channels or providing company news and information on special promotions. Know your key customer demographics and plan your on-hold messaging accordingly.

    72%

    of customers view having to talk to multiple agents as poor customer service.

    Source: ProProfs Chat, 2022

    33%

    of customers highlight waiting on hold as being their biggest frustration.

    Source: EmailAnalytics, 2022

    2.2.1 Activity: Complete your call flow tree!

    30 minutes

    1. Branch out from the second tier of your IVR call flow tree created in Activity 2.1.1, connecting relevant prompts with self-service applications and automated responses. Keep in mind, most of your frequently asked questions can and should be directed toward an automated response.
    2. Direct all remaining prompts to a live agent, ensuring each selection from your second-tier menu is capped off appropriately.

    Info-Tech Insight

    Remember: Your IVR system doesn't live in isolation. The information offered by your IVR, particularly from automated messages, should be consistent with information found within other resources (e.g. online knowledge bases).

    InputOutput
    • Tier 1 and 2 of your IVR menus
    • Completed IVR call flow
    MaterialsParticipants
    • Whiteboard
    • Markers
    • Project team

    2.2.1 Activity: Complete your call flow tree!

    Example

    This is an image of the sample flow tree from Activity 2.2.1

    Phase 3

    Let Your IVR Call Flow Tree Flourish

    Phase 1

    Phase 2

    Phase 3

    Phase 4

    1.1 Understand your customers

    1.2 Develop goals for your IVR

    1.3 Align goals with KPIs

    1.4 Build your initial IVR menu

    2.1 Build the second tier of your IVR menu

    2.2 Build the third tier of your IVR menu

    3.1 Learn the benefits of a personalized IVR

    3.2 Review new technology to apply to your IVR

    4.1 Gather insights on your IVR's performance

    4.2 Create an agile review method

    This phase will walk you through the following activities:

    • Reviewing the benefits of offering personalized service
    • Reviewing new technologies offered in the IVR space

    This phase involves the following participants:

    • Business stakeholders (business analysts, application director/manager, customer service leaders)
    • IT project team

    Implement a Transformative IVR Approach That Empowers Your Customers

    Step 3.1

    Learn the Benefits of a Personalized IVR

    This step will walk you through the following activity:

    3.1.1 Review the benefits of offering personalized service, namely by connecting your IVR system with your customer knowledge base

    Let Your IVR Call Flow Tree Flourish

    This step involves the following participants:

    • Business stakeholders (business analysts, application director/manager, customer service leaders)
    • IT project team

    Outcomes of this step

    • Understanding the importance of offering personalized service

    Personalizing service is integral for improving your customer experience

    Integrate your IVR system with your customer relationship management (CRM) system or customer knowledge base of choice to provide support to your customers on a personal level.

    The integration of your IVR system with your CRM or other applicable knowledge base allows for customer data (e.g. customer history and previous interactions) to be accessible to your staff during calls. Access to this data allows for a deeper understanding of your customers and for personalization of service. This provides immediate benefits to your contact center that will improve your customer experience.

    When you inevitably do need to transfer a customer to another agent, they won't have to repeat their issue to a new representative, as all their information will now be easily accessible. Being forced to repeat themselves to multiple agents is a major cause of frustration for customers. This integration would also allow you to route callers to the previous agent that they dealt with whenever possible for the purpose of continuity, and it would enable you to implement other beneficial technologies as well.

    One such example is "agent assist." Agent assist is an AI bot that listens in on calls, learning customer context and automatically searching knowledge bases to help resolve queries without the agent having to put the caller on hold to manually perform that work themselves. Not only does agent assist improve customer resolution times, but it also ramps up onboarding time, allowing for new agents to enter the workforce and perform with confidence earlier.

    76%

    of consumers expect personalized experiences.

    71%

    of customers expect internal collaboration so that they don't have to repeat themselves.

    Source: Zendesk, 2019

    Personalization can empower your IVR in many ways

    Personalizing your IVR does much more than just provide your customer service representatives with conversational context. Personalization enables your IVR to recognize callers by their phone number, or even by voice via biometric authentication technologies.

    This advanced level of recognition allows your IVR to greet your callers by name, speak to them in their preferred language, send follow-up correspondence to their preferred method of communication (i.e. email or SMS), and even provide them with contact numbers and addresses for your organization's physical locations that are closest to them.

    An example of a more advanced functionality is having your IVR call flow personalized for each customer based on their call history. As customers call in, their data is collected, ultimately improving your IVR's ability to predict and understand caller intent. This makes personalized call flows possible. If customers typically call in to make payments, your IVR can logically deduce that their next call will be for the same reason, and it will alter the call menu to direct them to that functionality more efficiently.

    Step 3.2

    Review New Technology to Apply to Your IVR

    This step will walk you through the following activity:

    3.2.1 Review new technologies offered in the IVR space and understand their impact

    Let Your IVR Call Flow Tree Flourish

    This step involves the following participants:

    • Business stakeholders (business analysts, application director/manager, customer service leaders)
    • IT project team

    Outcomes of this step

    • Understanding of key technologies

    Let your customers tell you exactly what they need

    Use natural language processing and conversational AI to further advance your IVR offering

    Instead of making your customers work their way through your call flow tree to find out what they need, why not just ask them? Conversational IVR, also known as an "intuitive IVR system," makes this possible.

    Think Google Assistant, Siri, and Alexa. Your customers can simply tell you what they need and your conversational IVR, using the advancements in natural language processing and conversational AI, will take it from there, directing callers to the resources needed to resolve their issues.

    Powerful enough to understand full sentences and not just select words or phrases, the increased intelligence of a conversational IVR system allows it to handle complex customer inquiries. Leveraging machine learning capabilities, the system will only continue to improve its ability to understand caller intent, ultimately leading to increased call routing accuracy as it fields more and more calls.

    Info-Tech Insight

    Remember: Your customers want fast and easy, not overwhelming and confusing. Some customers who are greeted with an open-ended question from a conversational IVR may not be sure how to respond.

    Understand your key customer demographics and act accordingly. It may be beneficial to provide your callers with guidelines of what to say. Outlining appropriate responses that will guide your customers to their desired department quicker will boost their experience with your conversational IVR.

    There are a lot of benefits to implementing a conversational IVR

    • Putting your callers in control and offering a more humanized approach, conversational IVRs are the preferred first point of contact for customers.
    • Conversational IVRs reduce the time required to reach resolution and can handle more calls than a standard IVR.
    • Conversational IVRs allow for the collection of more relevant data. By not limiting callers to predetermined menu options, you can track the reasons behind customers' calls with more accuracy, using this data to drive future IVR developments.
    • Conversational IVRs are more cost-effective than standard IVRs. According to a report by IBM, companies world-wide spend over $1.3 trillion to address 256 billion customer calls annually. This means that each call a live agent addresses costs an average of $30 (Cognigy, 2020). With a conversational IVR, that cost can be reduced to one-eighth (ETCIO.com, 2020).
    • Conversational IVRs can be handle calls in multiple languages, offering improved scalability for companies operating multi-nationally.

    60%

    of callers will bypass the pre-recorded messages in a standard IVR to reach a human voice.

    Source: Cognigy, 2020

    66%

    of requests can be resolved faster by a conversational IVR than by a live agent.

    Source: Cognigy, 2020

    Despite this, only...

    28%

    of IVR systems contacted use voice response as their primary input method.

    Source: Telzio, 2020

    How do you know if a conversational IVR is right for your organization?

    Large, enterprise-level organizations that field a high volume of customer calls are more likely to receive the benefits and higher ROI from implementing a conversational IVR

    Instead of updating the entire IVR system and implementing a conversational IVR, smaller and mid-level organizations should consider attaching a natural language processing front-end to their existing IVR. Through this, you will be able to reap a lot of the same benefits you would if you were to upgrade to a conversational IVR.

    You can attach a natural language processing front-end to your existing IVR in two ways.

    1. Use an API to recognize your customer's voice prompts. Greet your customers with a question, such as "what is your reason for calling," as your initial IVR menu, and when your customer answers, their response will be sent to your selected API (Amazon Lex, IBM Watson, Google Dialogflow, etc.). The API will then process the customer's input and direct the caller to the appropriate branch of your call flow tree.
    2. Use a conversational AI platform to field your calls. Implement a conversational AI platform to be the first point of contact for your customers. After receiving and analyzing the input from your customers, the platform would then route your callers to your current IVR system and to the appropriate menu, whether that be to an automated message, a self-service application, or a live agent.

    Phase 4

    Keep Watering Your IVR Call Flow Tree

    Phase 1

    Phase 2

    Phase 3

    Phase 4

    1.1 Understand your customers

    1.2 Develop goals for your IVR

    1.3 Align goals with KPIs

    1.4 Build your initial IVR menu

    2.1 Build the second tier of your IVR menu

    2.2 Build the third tier of your IVR menu

    3.1 Learn the benefits of a personalized IVR

    3.2 Review new technology to apply to your IVR

    4.1 Gather insights on your IVR's performance

    4.2 Create an agile review method

    This phase will walk you through the following activities:

    • Understanding the importance of receiving feedback from relevant stakeholders and the best practices for obtaining feedback
    • Understanding the best practices for developing an ongoing review cycle

    This phase involves the following participants:

    • Business stakeholders (business analysts, application director/manager, customer service leaders)
    • IT project team

    Implement a Transformative IVR Approach That Empowers Your Customers

    Step 4.1

    Gather Insights on Your IVR's Performance

    This step will walk you through the following activity:

    4.1.1 Understand the importance of receiving feedback and review the best methods for obtaining it from your clients.

    Keep Watering Your IVR Call Flow Tree

    This step involves the following participants:

    • Business stakeholders (business analysts, application director/manager, customer service leaders)
    • IT project team

    Outcomes of this step

    • Understanding of the importance of receiving feedback and how to obtain it from customers

    Elicit feedback from your employees and from your customers

    Your live agents are on the proverbial front lines, fielding calls from customers daily. As such, they are the prime stakeholders for knowing what kinds of calls the organization receives and how often. Their input on the most frequent reasons that customers call, whether it be to address common pain points or to have FAQs answered, is invaluable. Ask them regularly for their feedback on how the IVR system is performing and which updates should be implemented.

    While improving the agent experience is a driver behind adopting an IVR system, the focus should always be improving your customer experience. So why wouldn't you ask your customers for their feedback on your IVR offering? Most customers don't only want to be asked to provide feedback, they expect to be asked. Have your agents ask your customers directly about their experience with your IVR or use the functions of your IVR to offer automated end-of-call surveys.

    Info-Tech Insight

    Many IVR systems are capable of recording calls. Listening back on previous calls is another great way to further understand how your IVR is performing, and it also can provide a glimpse into your customers' experience.

    Surveys provide great insight into your customers' level of satisfaction – not only with your IVR but also with your live agents

    Customer satisfaction score (CSAT) is a great way to determine how happy callers are with their experiences with your organization. CSAT surveys ask your clients outright how satisfied they are with their recent interaction and have them rate your service on a scale. While straightforward, the feedback received from CSAT surveys is more general and can lack depth.

    For more detailed responses, consider asking your clients an open-ended question as opposed to using a rating scale. This will provide you with a more specific understanding of your customers' experience. For this, an IVR system that supports voice transcription is best. Automated speech-to-text functionality will ensure rapid results.

    Another option is to offer a survey that includes skip logic. These multi-tiered surveys, much like an IVR call flow tree, direct your callers to different follow-up questions based on their previous answers. While capable of providing more insight into the customer experience, these surveys are only recommended for more complex service offerings.

    Customer feedback is vitally important

    Asking for feedback makes your callers feel valued, and it also provides your organization with extremely useful information – including an understanding of what you may need to change within your IVR

    90%

    of consumers believe that organizations should provide them with the opportunity to give customer feedback.

    Source: SmallBizGenius, 2022

    41%

    of customer support professionals say that CSAT is their team's most important KPI.

    Source: Hiver, 2022

    Step 4.2

    Create an Agile Review Method

    This step will walk you through the following activity:

    4.2.1 Understand the best practices for developing an ongoing review cycle for your IVR approach

    Keep Watering Your IVR Call Flow Tree

    This step involves the following participants:

    • Business stakeholders (business analysts, application director/manager, customer service leaders)
    • IT project team

    Outcomes of this step

    • Understanding of the importance of IVR maintenance and of the development of an iterative review cycle

    Create an agile review method to continually enhance your call flows

    • Track items
      • Elicit feedback from your key stakeholders (i.e. live agents) as part of a regular review – every month, two months, six months, or year – of your call flow tree's efficiency. Delve into the feedback elicited from your customers at the same intervals. Look for patterns and trends and record items accordingly.
    • Manage backlog
      • Store and organize your recorded items into a backlog, prioritizing items to implement in order of importance. This could be structured by way of identifying which items are a quick win vs. which items are part of a more strategic and long-term implementation.
    • Perform iteration
      • Record key metric scores and communicate the changes you have planned to stakeholders before you implement items. Then, make the change.
    • Be retrospective
      • Examine the success of the implementation by comparing your metric scores from before and after the change. Record instances where performing similar changes could be carried out better in future iterations.

    Summary of Accomplishment

    • Knowledge Gained
      • Benefits of enabling personalized service
      • IVR-enabling technologies
      • Methods of eliciting feedback
    • Processes Optimized
      • IVR voice prompt creation
      • IVR voice prompt organization
      • IVR review cycles
    • Deliverables Completed
      • Database of customer call drivers
      • Organizational IVR goals and KPIs
      • IVR call flow tree

    Related Info-Tech Research

    This is a picture of a hand holding a cellular phone

    Choose a Right-Sized Contact Center Solution

    • IT needs a method to pinpoint which contact center solution best aligns with business objectives, adapting to a post-COVID-19 world of remote work, flexibility, and scalability.
    This image contains a screenshot from Info-tech's Build a Strong Technology Foundation for Customer Experience Management.

    Build a Strong Technology Foundation for Customer Experience Management

    • Customer expectations around personalization, channel preferences, and speed-to-resolution are at an all-time high. Your customers are willing to pay more for high-value experiences, and having a strong customer experience management (CXM) strategy is a proven path to creating sustainable value for the organization.
    This image contains a screenshot from Info-tech's IT Strategy Research Center

    IT Strategy Research Center

    • Create an IT strategy based on business needs, not just intuition.
    This image contains a screenshot from Info-tech's SoftwareReviews blueprint.

    SoftwareReviews

    • Accelerate and improve your software selection process with enterprise software reviews. Focus on available resources for communications platform as a service providers and conversational intelligence software.

    Bibliography

    "7 Conversational IVR Trends for 2021 and Beyond." Haptik, 25 March 2021. Accessed 16 June 2022.
    "7 Remarkable IVR Trends For the Year 2022 And Beyond." Haptik, 30 Dec. 2021. Accessed 27 April 2022.
    "8 IVR Strategies that Keep Customers Happy." Ansafone Contact Centers, 31 May 2019. Accessed 25 April 2022.
    "Agent Assist." Speakeasy AI, 19 April 2022. Accessed 27 April 2022.
    "AI chatbot that's easy to use." IBM, n.d. Accessed 21 June 2022.
    "IVR Trends to Watch in 2020 and Beyond: Inside CX." Intrado, 1 May 2020. Accessed 27 April 2022.
    "RIP IVR: 1980-2020." Vonage, 2 June 2020. Accessed 16 June 2022.
    Andrea. "What do Customers Want? – 37 Customer Service Statistics." SmallBizGenius, 17 March 2022. Accessed 24 May 2022.
    Anthony, James. "106 Customer Service Statistics You Must See: 2021/2022 Data & Analysis." FinancesOnline, 14 Jan. 2022. Accessed 27 April 2022.
    Brown, James. "14 stats that prove the importance of self-service in customer service." raffle, 13 Oct. 2020. Accessed 17 June 2022.
    Buesing, Eric, et al. "Getting the best customer service from your IVR: Fresh eyes on an old problem." McKinsey & Company, 1 Feb. 2019. Accessed 25 April 2022.
    Callari, Ron. "IVR Menus and Best Practices." Telzio, 4 Sep. 2020. Accessed 27 April 2022.
    Cornell, Jared. "104 Customer Service Statistics & Facts of 2022." ProProfs Chat, 6 April 2022. Accessed 16 June 2022.
    DeCarlo, Matthew. "18 Common IVR Mistakes & How To Configure Effective IVR." GetVoIP, 13 June 2019. Accessed 27 April 2022.
    DeMers, Jayson. "77 Customer Service Statistics to Know." EmailAnalytics, 23 March 2022. Accessed 27 April 2022.
    Frants, Valeriy. Interview. Conducted by Austin Wagar, 22 June 2022.
    Grieve, Patrick. "Personalized customer service: what it is and how to provide it." Zendesk, 28 June 2019. Accessed 27 April 2022.
    "How Natural Language Processing Can Help Your Interactive Voice Response System Meet Best Practice." Hostcomm, 15 July 2019. Accessed 25 April 2022.
    "IVR and customer experience: get the best UX for your clients." Kaleyra, 14 Dec. 2020. Accessed 25 April 2022.
    Irvine, Bill. "Selecting an IVR System for Customer Satisfaction Surveys." IVR Technology Group, 14 April 2020. Accessed 22 June 2022.
    Kulbyte, Toma. "Key Customer Experience Statistics to Know." SuperOffice, 24 June 2021. Accessed 24 May 2022.
    Leite, Thiago. "What's the Difference Between Standard & Conversational IVR?" Cognigy, 27 Oct. 2020. Accessed 24 May 2022.
    Maza, Cristina. "What is IVR? The ultimate guide." Zendesk, 30 Sep. 2020. Accessed 25 April 2022.
    McCraw, Corey. "What is IVR Call Flow? Benefits, Features, Metrics & More." GetVoIP, 30 April 2020. Accessed 25 April 2022.
    Mircevski, Bruno. "Smart IVR Introduction – What Is It and Why You Should Use It." Ideta, 7 March 2022. Accessed 28 April 2022.
    Oriel, Astha. "Artificial Intelligence in IVR: A Step Towards Faster Customer Services." Analytics Insight, 19 Aug. 2020. Accessed 24 May 2022.
    Perzynska, Kasia. "What is CSAT & How to Measure Customer Satisfaction?" Survicate, 9 March 2022. Accessed 22 June 2022.
    Pratt, Mary K. "How to set business goals, step by step." TechTarget, 27 April 2022. Accessed 21 June 2022.
    Robinson, Kerry. "Insight of the Week: Make Your IVR More Like Alexa." Waterfield Tech, 20 April 2022. Accessed 25 April 2022.
    Sehgal, Karishma. "Exclusive Research – 76% of customer service teams offer support outside of business hours." Hiver, 4 May 2022. Accessed 22 June 2022.
    Smith, Mercer. "111 Customer Service Statistics and Facts You Shouldn't Ignore." Help Scout, 23 May 2022. Accessed 24 June 2022.
    Thompson, Adrian. "A Guide to Conversational IVR." The Bot Forge, 27 Jan. 2021. Accessed 21 June 2022.
    Tolksdorf, Juergen. " 5 Ways to Leverage AI and Agent-Assist to Improve Customer Experience." Genesys, 19 May 2020. Accessed 27 April 2022.
    Vaish, Aakrit. "5 ways conversational IVR is helping businesses revolutionize customer service." ETCIO.com, 20 March 2020. Web.
    Westfall, Leah. "Improving customer experience with the right IVR strategy." RingCentral, 23 July 2021. Accessed 25 April 2022.

    Break Open Your DAM With Intuitive Metadata

    • Buy Link or Shortcode: {j2store}389|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Data Management
    • Parent Category Link: /data-management
    • Organizations are facing challenges from explosive information growth in both volume and complexity, as well as the need to use more new sources of information for social media just to remain in business.
    • A lot of content can be created quickly, but managing those digital assets properly through metadata tagging that will be used consistently and effectively requires processes to be in place to create standardized and informational metadata at the source of content creation.
    • Putting these processes in place changes the way the organization handles its information, which may generate pushback, and requires socialization and proper management of the metadata strategy.

    Our Advice

    Critical Insight

    • Metadata is an imperative part of the organizations broader information management strategy. Some may believe that metadata is not needed anymore; Google search is not a magic act – it relies on information tagging that reflects cultural sentiment.
    • Metadata should be pliable. It needs to grow with the changing cultural and corporate vernacular and knowledge, and adapt to changing needs.
    • Build a map for your metadata before you dig for buried treasure. Implement metadata standards and processes for current digital assets before chasing after your treasure troves of existing artifacts.

    Impact and Result

    • Create a sustainable and effective digital asset management (DAM) program by understanding Info-Tech’s DAM framework and how the framework fits within your organization for better management of key digital assets.
    • Create an enterprise-wide metadata design principles handbook to keep track of metadata schemas and standards, as well as communicate the standards to the entire organization.
    • Gather requirements for your DAM program, as well as the DAM system and roles, by interviewing key stakeholders and identifying prevalent pains and opportunities. Understand where digital assets are created, used, and stored throughout the enterprise to gain a high-level perspective of DAM requirements.
    • Identify the organization’s current state of metadata management along with the target state, identify the gaps, and then define solutions to fill those gaps. Ensure business initiatives are woven into the mix.
    • Create a comprehensive roadmap to prioritize initiatives and delineate responsibilities.

    Break Open Your DAM With Intuitive Metadata Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should develop a digital asset management program focused on metadata, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build a foundation for your DAM project

    Gain an in-depth understanding of what digital asset management is as well as how it is supported by Info-Tech’s DAM framework.

    • Break Open Your DAM With Intuitive Metadata – Phase 1: Build a Foundation for Your DAM Project
    • DAM Design Principles Handbook
    • Where in the World Is My Digital Asset? Tool
    • Digital Asset Inventory Tool
    • DAM Requirements Gathering Tool

    2. Dive into the DAM strategy

    Create a metadata program execution strategy and assess current and target states for the organization’s DAM.

    • Break Open Your DAM With Intuitive Metadata – Phase 2: Dive Into the DAM Strategy
    • DAM Roadmap Tool
    • DAM Metadata Execution Strategy Document

    3. Create intuitive metadata for your DAM

    Design a governance plan for ongoing DAM and metadata management.

    • Break Open Your DAM With Intuitive Metadata – Phase 3: Create Intuitive Metadata for Your Digital Assets
    • Metadata Manager Tool
    [infographic]

    Workshop: Break Open Your DAM With Intuitive Metadata

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Structure the Metadata Project

    The Purpose

    Develop a foundation of knowledge regarding DAM and metadata, as well as the best practices for organizing the organization’s information and digital assets for ideal findability.

    Key Benefits Achieved

    Design standardized processes for metadata creation and digital asset management to help to improve findability of key assets.

    Gain knowledge of how DAM can benefit both IT and the business.

    Activities

    1.1 Build a DAM and metadata knowledge foundation.

    1.2 Kick-start creation of the organization’s DAM design principles handbook.

    1.3 Interview key business units to understand drivers for the program.

    1.4 Develop a DAM framework.

    Outputs

    DAM Design Principles Handbook

    DAM Execution Strategy Document

    2 Assess Requirements for the DAM Program

    The Purpose

    Inventory the organization’s key digital assets and their repositories.

    Gather the organization’s requirements for a full-time digital asset librarian, as well as the DAM system.  

    Key Benefits Achieved

    Determine clear and specific requirements for the organization from the DAM system and the people involved.

    Activities

    2.1 Conduct a digital asset inventory to identify key assets to include in DAM.

    2.2 Prioritize digital assets to determine their risk and value to ensure appropriate support through the information lifecycle.

    2.3 Determine the requirements of the business and IT for the DAM system and its metadata.

    Outputs

    Digital Asset Inventory Tool

    DAM Requirements Gathering Tool

    3 Design Roadmap and Plan Implementation

    The Purpose

    Determine strategic initiatives and create a roadmap outlining key steps required to get the organization to start enabling data-driven insights.

    Determine timing of the initiatives. 

    Key Benefits Achieved

    Establish a clear direction for the DAM program.

    Build a step-by-step outline of how to create effective metadata with true business-IT collaboration.

    Have prioritized initiatives with dependencies mapped out.

    Activities

    3.1 Assess current and target states of DAM in the organization.

    3.2 Brainstorm and document practical initiatives to close the gap.

    3.3 Discuss strategies rooted in business requirements to execute the metadata management program to improve findability of digital assets.

    Outputs

    DAM Roadmap Tool

    4 Establish Metadata Governance

    The Purpose

    Identify the roles required for effective DAM and metadata management.

    Create sample metadata according to established guiding principles and implement a feedback method to create intuitive metadata in the organization. 

    Key Benefits Achieved

    Metadata management is an ongoing project. Implementing it requires user input and feedback, which governance will help to support.

    By integrating metadata governance with larger information or data governance bodies, DAM and metadata management will gain sustainability. 

    Activities

    4.1 Discuss and assign roles and responsibilities for initiatives identified in the roadmap.

    4.2 Review policy requirements for the information assets in the organization and strategies to address enforcement.

    4.3 Integrate the governance of metadata into larger governance committees.

    Outputs

    DAM Execution Strategy

    The State of Black Professionals in Tech

    • Buy Link or Shortcode: {j2store}550|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Engage
    • Parent Category Link: /engage
    • The experience of Black professionals in IT differs from their colleagues.
    • Job satisfaction is also lower for Black IT professionals.
    • For organizations to gain from the benefits of diversity, equity, and inclusion, they need to ensure they understand the landscape for many Black professionals.

    Our Advice

    Critical Insight

    • As an IT leader, you can make a positive difference in the working lives of your team; this is not just the domain of HR.
    • Employee goals can vary depending on the barriers that they encounter. IT leaders must ensure they have an understanding of unique employee needs to better support them, increasing their ability to recruit and retain.
    • Improve the experience of Black IT professionals by ensuring your organization has diversity in leadership and supports mentorship and sponsorship.

    Impact and Result

    • Use the data from Info-Tech’s analysis to inform your DEI strategy.
    • Learn about actions that IT leaders can take to improve the satisfaction and career advancement of their Black employees.

    The State of Black Professionals in Tech Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. The State of Black Professionals in Tech Report – A report providing you with advice on barriers and solutions for leaders of Black employees.

    IT leaders often realize that there are barriers impacting their employees but don’t know how to address them. This report provides insights on the barriers and actions that can help improve the lives of Black professionals in technology.

    • The State of Black Professionals in Tech Report

    Infographic

    Further reading

    The State of Black Professionals in Tech

    Keep inclusion at the forefront to gain the benefits from diversity.

    Analysts' Perspective

    The experience of Black professionals in technology is unique.

    Diversity in tech is not a new topic, and it's not a secret that technology organizations struggle to attract and retain Black employees. Ever since the early '90s, large tech organizations have been dealing with public critique of their lack of diversity. This topic is close to our hearts, but unfortunately while improvements have been made, progress is quite slow.

    In recent years, current events have once again brought diversity to the forefront for many organizations. In addition, the pandemic along with talent trends such as "the great resignation" and "quiet quitting" and preparations for a recession have not only impacted diversity at large but also Black professionals in technology. Our previous research has focused on the wider topic of Recruiting and Retaining People of Color in Tech, but we've found that the experiences of persons of color are not all the same.

    This study focuses on the unique experience of Black professionals in technology. Over 600 people were surveyed using an online tool; interviews provided additional insights. We're excited to share our findings with you.

    This is a picture of Allison Straker This is an image of Ugbad Farah

    Allison Straker
    Research Director
    Info-Tech Research Group

    Ugbad Farah
    Research Director
    Info-Tech Research Group

    Demographics

    In October 2021, we launched a survey to understand what the Black experience is like for people in technology. We wanted and received a variety of responses which would help us to understand how Black technology professionals experienced their working world. We received responses from 633 professionals, providing us with the data for this report.

    For more information on our survey demographics please see the appendix at this end of this report.

    A pie chart showing 26% black and 74% All Other

    26% of our respondents either identified as Black or felt the world sees them as Black.

    Professionals from various countries responded to the survey:

    • Most respondents were born in the US (52%), Canada (14%), India (14%), or Nigeria (4%).
    • Most respondents live in the US (56%), Canada (25%), Nigeria (2%), or the United Kingdom (2%).

    Companies with more diversity achieve more revenue from innovation

    Organizations do better and are more innovative when they have more diversity, a key ingredient in an organization's secret sauce.
    Organizations also benefit from engaged employees, yet we've seen that organizations struggle with both. Just having a certain number of diverse individuals is not enough. When it comes to reaping the benefits of diversity, organizations can flourish when employees feel safe bringing their whole selves to work.

    45% Innovation Revenue by Companies With Above-Average Diversity Scores
    26%

    Innovation Revenue by Companies With Below-Average Diversity Scores

    (Chart source: McKinsey, 2020)


    Companies with higher employee engagement experience 19.2% higher earnings.

    However, those with lower employee engagement experience 32.7% lower earnings.
    (DecisionWise, 2020)

    If your workforce doesn't reflect the community it serves, your business may be missing out on the chance to find great employees and break into new and growing markets, both locally and globally.
    Diversity makes good business sense.
    (Business Development Canada, 2023)

    A study about Black professionals

    Why is this about Black professionals and not other diverse groups?

    While there are a variety of diversity dimensions, it's important to understand what makes up a "multicultural workforce." There is more to diversity than gender, race, and ethnicity. Organizations need to understand that there is diversity within these groups and Black professionals have their own unique experience when it comes to entering and navigating tech that needs to be addressed.

    This image contains two bar graphs from the Brookfield Institute for Innovation and Entrepreneurship. They show the answers to two questions, sorted by the following categories: Black; Non-White; Asian; White. The questions are as follows: I feel comfortable to voice my opinion, even when it differs from the group opinion; I am part of the decision-making process at work.

    (Brookfield Institute for Innovation and Entrepreneurship, 2019)

    The solutions that apply to Black professionals are not only beneficial for Black employees but for all. While all demographics are unique, the solutions in this report can support many.

    Unsatisfied and underrepresented

    Less Black professionals responded as "satisfied" in their IT careers. The question is: How do we mend the Gap?

    Percentage of IT Professionals Who Reported Being Very Satisfied in Their Current Role

    • All Other Professionals: 34%
    • Black Professionals: 23%

    Black workers are underrepresented in most professional roles, especially computer and math Occupations

    A bar graph showing representation of black workers in the total workforce compared to computer and mathematical science occupations.

    The gap in satisfaction

    What's Important?

    Our research suggests that the differences in satisfaction among ethnic groups are related to differences in value systems. We asked respondents to rank what's important, and we explored why.

    Non-Black professionals rated autonomy and their manager working relationships as most important.

    For Black professionals, while those were important, #1 was promotion and growth opportunities, ranked #7 by all other professionals. This is a significant discrepancy.

    Recognition of my work/accomplishments also was viewed significantly differently, with Black professionals ranking it low on the list at #7 and all other professionals considering it very important at #3.

    All Other Professionals

    Black Professionals

    Two columns, containing metrics of satisfaction rated by Black Professionals, and All Other Professionals.

    Maslow's Hierarchy of Needs applies to job satisfaction

    In Maslow's hierarchy, it is necessary for people to achieve items lower on the hierarchy before they can successfully pursue the higher tiers.

    An image of Maslow's Hierarchy of Needs modified to apply to Job Satisfaction

    Too many Black professionals in tech are busy trying to achieve some of the lower parts of the hierarchy; it is stopping them from achieving elements higher up that can lead to job satisfaction.

    This can stop them from gaining esteem, importance, and ultimately, self-actualization. The barriers that impact safety and social belonging happen on a day-to-day basis, and so the day-to-day lives of Black professionals in tech can look very different from their counterparts.

    There are barriers that hinder and solutions that support employees

    An image showing barriers to success An image showing Actions for Success.
    There are various barriers that increase the likelihood for Black professionals to focus on the lower end of the needs hierarchy:

    These are among some of the solutions that, when layered, can support Black professionals in tech in moving up the needs hierarchy.

    Focusing on these actions can support Black professionals in achieving much needed job satisfaction.

    What does this mean?

    The minority experience is not a monolith

    The barriers that Black professionals encounter aren't limited to the same barriers as their colleagues, and too often this means that they aren't in a position to grow their careers in a way that leads to job satisfaction.

    There is a 11% gap between the satisfaction of Black professionals and their peers.

    Early Steps:
    Take time to understand the Black experience.

    As leaders, it's important to be aware that employee goals vary depending on the barriers they're battling with.

    Intermediate:
    If Black employees don't have strong relationships, networks, and mentorships it becomes increasingly difficult to navigate the path to upward mobility.

    As a leader, you can look for opportunities to bridge the gap on these types of conversations.

    Advanced:
    Black professionals in tech are not advancing like their counterparts.

    Creating clear career paths will not only benefit Black employees but also support your entire organization.

    Key metrics:

    • Engagement
    • Committed Executive Leadership
    • Development Opportunities
    • Organizational Programs

    Black respondents are significantly more likely to report barriers to their career advancement

    Common barriers

    Black professionals, like their colleagues, encounter barriers as they try to advance their careers. The barriers both groups encounter include microaggressions, racism, ageism, accessibility issues, sexual orientation, bias due to religion, lack of a career-supported network, gender bias, family status bias, and discrimination due to language/accents.

    What tops the list

    Microaggressions and racism are at the top of these barriers, but Black professionals also deal with other barriers that their colleagues may experience, such as gender-based bias, accessibility issues, religion, and more.

    One of these barriers alone can be difficult to deal with but when they are compounded it can be very difficult to navigate through the working environment in tech.

    A graph charting the impact of the common barriers

    What are microaggressions?

    Microaggression

    A statement, action, or incident regarded as an instance of indirect, subtle, or unintentional discrimination against members of a marginalized group such as a racial or ethnic minority.

    (Oxford Languages, 2023)

    Why are they significant?

    These things may seem innocent enough but the messaging that is received and the lasting impression is often far from it.

    Our research shows that racism and discrimination contribute to poor mental health among Black professionals.

    Examples

    • You're so articulate!
    • How do you always have different hair, can I touch it?
    • Where are you really from?
    • I don't see color.
    • I believe the most qualified person should get the job; everyone can succeed in this society if they work hard enough.

    "The experience of having to question whether something happened to you because of your race or constantly being on edge because your environment is hostile can often leave people feeling invisible, silenced, angry, and resentful."
    Dr. Joy Bradford,
    clinical Psychologist, qtd. In Pfizer

    It takes some time to get in the door

    For too many Black respondents, It took Longer than their peers to Find Technology Jobs.

    Both groups had some success finding jobs in "no time" – however, there was a difference. Thirty-four percent of "all others" found their jobs quickly, while the numbers were less for Black professionals, at 26%. There was also a difference at the opposite end of the spectrum. For 29% of Black professionals, it took seven months or longer to find their IT job, while that number is only 19% for their peers.

    .a graph showing time taken for respondents sorted by black; and all other.

    This points to the need for improvements in recruitment and career advancement.

    29% of Black respondents said that it took them 7 months or longer to find their technology job.

    Compared to 19% of all other professionals that selected the same response.

    And once they're in, it's difficult to advance

    Black Professionals are not Advancing as Quickly as their Colleagues. Especially when you look at their Experience.

    Our research shows that compared to all other ethnicities; Black participants were 55% more likely to report that they had no career advancement/promotion in their career. There is a bigger percentage of Black professionals who have never received a promotion; there's also a large number of Black professionals who have been working a significant amount time in the same role without a promotion.

    .Career Advancement

    A graph showing career advancement for the categories: Black and All Other.

    Black participants were 55% more likely to report that they had had no career advancement/promotion in their career.

    No advancement

    A graph showing the number of respondents who reported no career advancement over time, for the categories: Black; and All Other.

    There's a high cost to lack of engagement

    When employees feel disillusioned with things like career advancement and microaggressions, they often become disengaged. When you continuously have to steel yourself against microaggressions, racism, and other barriers, it prevents you from bringing your whole self to the office. The barriers can lead to what's been coined as "emotional tax." An emotional tax is the experience of feeling different from colleagues because of your inherent diversity and the associated negative effects on health, wellbeing, and the ability to thrive at work.

    Earnings of companies with higher employee engagement

    		19.2%

    Earnings of companies with lower employee engagement

    		-32.7%

    (DecisionWise, 2020)

    "I've conditioned myself for the corporate world, I don't bring my authentic self to work."
    Anonymous Interview Subject

    Lack of engagement also costs the organization in terms of turnover, something many organizations today are struggling with how to address. Organizations want to increase the ability of the workforce to remain in the organization. For Black employees, this gets harder when they're not engaged and they're the only one. When the emotional tax gets to be too much, this can lead to turnover. Turnover not only costs companies billions in profits, it also negatively impacts leadership diversity. It's difficult to imagine career growth when you don't see anyone that looks like you at the top. It is a challenge to see your future when there aren't others that you can relate to at top levels in the organization, leading to one of our interview subjects to muse, "How long can I last?"

    "Being Black in tech can be hard on your mental health. Your mind is constantly wondering, 'how long can I last?' "
    Anonymous Interview Subject

    Fewer Black professionals feel like they can be their authentic selves at work

    Authentic vs. Successes

    For many Black professionals, "code-switching," or altering the way one speaks and acts depending on context, becomes the norm to make others more comfortable. Many feel that being authentic and succeeding in the workplace are mutually exclusive.

    Programs and Resources

    We asked respondents "What's in place to build an inclusive culture at your company?" Most respondents (51% and 45%) reported that there were employee resource groups at their organizations.

    Do you feel you can be your authentic self at work?

    A bar graph showing 86% for All Other Professions, and 75% for Black Professionals

    A bar graph showing responses to the question What’s in place to build an inclusive culture at your company.

    What can be done?

    An image showing actions for success.

    There are various actions that organizations can take to help address barriers.

    It's important to ensure these are not put in as band-aid solutions but that they are carefully thought out and layered.

    Our findings demonstrate that remote work, career development, and DEI programs along with mentorship and diverse leadership are strong enablers of professional satisfaction. An unfortunate consequence, if professionals are not nurtured, is that we risk losing much needed talent to self-employment or to other organizations.

    There are several solutions

    Respondents were asked to distribute points across potential solutions that could lead to job satisfaction. The ratings showed that there were common solutions that could be leveraged across all groups.

    Respondents were asked what solutions were valuable for their career development.

    All groups were mostly aligned on the order of the solutions that would lead to career satisfaction; however, Black professionals rated the importance of employee resource groups as higher than their colleagues did.

    An image showing how respondents rate a number of categories, sorted into Ratings by Black Professionals, and Ratings by Other Professionals

    Mentorship and sponsorship are seen as key for all employees, as is of course training.

    However, employee resource groups (ERGs) were rated significantly higher for Black professionals and discussions around diversity were higher for their colleagues. This may be because other groups feel a need to learn more about diversity, whereas Black professionals live this experience on a day-to day basis, so it's not as critical for them.

    Double the number of satisfied Black professionals through mentorship and sponsorship

    a bar graph showing the number of very satisfied people with and without mentors/sponsors.

    Mentorship and sponsorship help to close the job satisfaction gap for Black IT professionals. The percentage of satisfied Black employees almost doubles when they have a mentor or sponsorship, moving the satisfaction rate to closer to all other colleagues.

    As leaders, you likely benefit from a few different advisors, and your staff should be able to benefit in the same way.

    They can have their own personal board of advisors, both inside and outside of your organization, helping them to navigate the working world in IT.

    To support your staff, provide guidance and coaching to internal mentors so that they can best support employees, and ensure that your organizational culture supports relationship building and trust.

    While all are critical, coaching, mentoring, and sponsorship are not the same

    Coaching

    Performance-driven guidance geared to support the employee with on-the-job performance. This could be a short-term relationship.

    Mentorship

    A relationship where the mentor provides guidance, information, and expertise to support the long-term career development of the mentee.

    Sponsorship

    The act of advocating on the behalf of another for a position, promotion, development opportunity, etc. over a longer period.

    For more information on setting up a mentorship program, see Optimize the Mentoring Program to Build a High Performing Learning Organization.

    On why mentorship and sponsorship are important:

    "With some degree of mentorship or sponsorship, it means that your ability to thrive or to have a positive experience in organizations increases substantially.

    Mentorship and sponsorship are very often the lynchpin of someone being successful and sticking with an organization.

    Sponsorship is an endorsement to other high-level stakeholders who very often are the gatekeepers of opportunity. Sponsors help to shepherd you through the gate."

    		An Image of Carlos Thomas

    Carlos Thomas
    Executive Councilor, Info-Tech Research Group

    What is an employee resource group?

    IT Professionals rated ERGs as the third top driver of success at work

    Employee resource groups enable employees to connect in their workplace based on shared characteristics or life experiences.

    ERGs generally focus on providing support, enhancing career development, and contributing to personal development in the work environment. Some ERGs provide advice to the organization on how they can support their diverse employees.

    As leaders, you should support and encourage the formation of ERGs in your organization.

    What each ERG does will vary according to the needs of employees in your organization. Your role is to enable the ERGs as they are created and maintained.

    On setting up and leveraging employee resource groups:

    "Employee resource groups, when leveraged in an authentically intentional way, can be the some of the most impactful stakeholders in the development and implementation of the organizational diversity, equity, and inclusion strategy.

    ERGs are essential to the development of policies, programs, and initiatives that address the needs of equity-seeking groups and are key to driving organizational culture and employee wellbeing, in addition to hiring and recruitment.

    ERGs must be set up for success by having adequate resources to do the work, which includes adequate budgets, executive sponsorship, training, support, and capacity to do the work. According to a Great Place To Work survey (2021), 50% of ERGs identified the need for adequate resources as a challenge for carrying out the work.:"

    		An image of Cinnamon Clark

    CINNAMON CLARK
    PRACTICE LEAD, DIVERSITY, EQUITY AND INCLUSION services, MCLEAN & CO

    There is a gap when it comes to diversity in leadership

    Representation at leadership levels is especially stagnant.

    Black Americans comprise 13.6% of the US population
    (2022 data from the US Census Bureau)

    And yet only 5.9% of the country's CEOs are Black, with only 6 (1%) at the top of Fortune 500 companies.
    (2021 data from the Bureau of Labor Statistics and Fortune.com)

    I've never worked for a company that has Black executives. It's difficult to envision long-term growth with an organization when you don't see yourself represented in leadership.
    – Anonymous Interview Subject

    Having diversity in your leadership team doubles satisfaction

    An image of a bar graph showing satisfaction for those who do, and do not see diversity in their company's leadership.

    Our research shows that Black professionals are more satisfied in their role when they see leaders that look like them.

    Satisfaction of other professionals is not as impacted by diversity in leadership as for Black professionals. Satisfaction doubles in organizations that have a diverse leadership team.

    To reap the benefits from diversity, we need to ensure diversity is not just in entry or mid-level positions and provide employees an opportunity to see diversity in their company's leadership.

    On the need for diversity in leadership:

    "As a Black professional leader, it's not lost on me that I have a responsibility. I have to demonstrate authenticity, professionalism, and exemplary behavior that others can mimic. And I must also showcase that there are possibilities for those coming up in their career. I feel very grateful that I can bestow onto others my knowledge, my experience, my journey, and the tips that I've used to help bring me to be where I am.
    (Having Black leaders in an organization) demonstrates that there is talent across the board, that there are all types of women and people with proficiencies. What it brings to the table is a difference in thoughts and experience.
    A person like myself, sitting at the table, can bring a unique perspective on employee behavior and employee impact. CCL is an organization focused on equity, diversity, and inclusion; for sure having me at the table and others that look like me at the table demonstrates to the public an organization that's practicing what it preaches."

    		An image of C. Fara Francis

    C. Fara Francis
    CIO, Center for creative leadership

    Work from home

    While all groups have embraced the work-from-home movement, many Black professionals find it reduces the impact of racial incidents in the workplace.

    Percentage of employees who experienced positive changes in motivation after working remotely.

    Black: 43%; All Other: 43%

    I have to guard and protect myself from experiencing and witnessing racism every day. I am currently working remotely, and I can say for certain my mood and demeanor have improved. Not having to decide if I should address a racist comment or action has made my day easier.
    Source: Slate, 2022

    Remote work significantly led to feelings of better chances for career advancement

    Survey respondents were asked about the positive and negative changes they saw in their interactions and experiences with remote work. Black employees and their colleagues replied similarly, with mostly positive experiences.

    While both groups enjoyed better chances for career advancement, the difference was significantly higher for Black professionals.

    An image of a series of bar graphs showing the effects of remote work on a number of factors.

    Reasons for Self-Employment:

    More Black professionals have chosen self-employment than their colleagues.

    All Other: 26%; Black: 30%.

    A bar graph showing rankings for reasons for self employment, sorted by Black and All Other.

    The biggest reasons for both groups in choosing self-employment were for better pay, career growth, and work/life balance.

    While the desire for better pay was the highest reason for both groups, for engaged employees salary is a lower priority than other concerns (Adecco Group's Global Workforce of the Future report). Consider salary in conjunction with career growth, work/life balance, and the variety in the work that your employees have.

    A bar graph showing rankings for reasons for self employment, sorted by Black and All Other.

    If we don't consider our Black employees, not only do we risk them leaving the organization, but they may decide to just work for themselves.

    Most professionals believe their organizations are committed to diversity, equity, and inclusion

    38% of all respondents believe their organizations are very committed to DEI
    49% believe they are somewhat committed
    9% feel they are not committed
    4% are unsure

    Make sure supports are in place to help your employees grow in their careers:

    Leadership
    IT Leadership Career Planning Research Center

    Diversity and Inclusion Tactics
    IT Diversity & Inclusion Tactics

    Employee Development Planning
    Implement an IT Employee Development Plan

    Belief in your organization's diversity, equity, and inclusion efforts isn't consistent across groups: Make sure actions are seen as genuine

    While organization's efforts are acknowledged, Black professionals aren't as optimistic about the commitment as their peers. Make sure that your programs are reaching the various groups you want to impact, to increase the likelihood of satisfaction in their roles.

    SATISFACTION INCREASES IN BOTH BLACK AND NON-BLACK PROFESSIONALS

    When they believe in their company's commitment to diversity, equity. and inclusion.

    Of those who believe in their organization's commitment, 61% of Black professionals and 67% of non-Black professionals are very satisfied in their roles.

    BELIEVE THEIR ORGANIZATION IS NOT COMMITTED TO DEI

    BELIEVE THEIR ORGANIZATION IS VERY COMMITTED TO DEI

    NON-BLACK PROFESSIONALS

    8%

    41%

    BLACK PROFESSIONALS

    13%

    30%

    Recommendations

    It's important to understand the current landscape:

    • The barriers that Black employees often face.
    • The potential solutions that can help close the gap in employee satisfaction.

    We recognize that resolving this is not easy. Although senior executives are recognizing that a diverse set of experiences, perspectives, and backgrounds is crucial to fostering innovation and competing on the global stage, organizations often don't take the extra step to actively look for racialized talent, and many people still believe that race doesn't play an important part in an individual's ability to access opportunities.

    Look at a variety of solutions that you can implement within your organization; layering solutions is the key to driving business diversity. Always keep in mind that diversity is not a monolith, that the experiences of each demographic varies.

    Info-Tech resources

    Appendix

    About the research

    Diversity in tech survey

    As part of the research process for the State of Black Tech Report, Info-Tech Research Group conducted an open online survey among its membership and wider community of professionals. The survey was fielded from October 2021 to April 2022, collecting 633 responses.

    An image of Page 1 of the Appendix.

    Current Position

    An image of Page 2 of the Appendix.

    Education and Experience

    Education was fairly consistent across both groups, with a few exceptions: more Black professionals had secondary school (9% vs. 4%) and more Black professionals had Doctorate degrees (4% vs. 2%).

    We had more non-Black respondents with 20+ years of experience (31% vs. 19%) and more Black respondents with less than 1 year of experience (8% vs. 5%) – the rest of the years of experience were consistent across the two groups.

    An image of Page 3 of the Appendix.

    It is important to recognize that people are often seen by "the world" as belonging to a different race or set of races than what they personally identify as. Both aspects impact a professional's experience in the workplace.

    An image of Page 4 of the Appendix.

    Bibliography

    Barton, LeRon. “I’m Black. Remote Work Has Been Great for My Mental Health.” Slate, 15 July 2022.

    “Black or African American alone, percent.” U.S. Census Bureau QuickFacts: United States. Accessed 14 February 2023.

    Boyle, Matthew. “More Workers Ready to Quit Over ‘Window Dressing’ Racism Efforts.” Bloomberg.com, 9 June 2022.

    Boyle, Matthew. “Remote Work Has Vastly Improved the Black Worker Experience.” Bloomberg.com, 5 October 2021.

    Cooper, Frank, and Ranjay Gulati. “What Do Black Executives Really Want?” Harvard Business Review, 18 November 2021.

    “Emotional Tax.” Catalyst. Accessed 1 April 2022.

    “Employed Persons by Detailed Occupation, Sex, Race, and Hispanic or Latino Ethnicity” U.S. Bureau of Labor Statistics. Accessed February 14, 2023.

    “Equality in Tech Report - Welcome.” Dice, 9 March 2022. Accessed 23 March 2022.

    Erb, Marcus. "Leaders Are Missing the Promise and Problems of Employee Resource Groups." Great Place To Work, 30 June 2021.

    Gawlak, Emily, et al. “Key Findings - Being Black In Corporate America.” Coqual, Center for Talent Innovation (CTI), 2019.

    “Global Workforce of the Future Research.” Adecco, 2022. Accessed 4 February 2023.

    Gruman, Galen. “The State of Ethnic Minorities in U.S. Tech: 2020.” Computerworld, 21 September 2020. Accessed 31 May 2022.

    Hancock, Bryan, et al. “Black Workers in the US Private Sector.” McKinsey, 21 February 2021. Accessed 1 April 2022.

    “Hierarchy Of Needs Applied To Employee Engagement.” Proactive Insights, 12 February 2020.

    Hobbs, Cecyl. “Shaping the Future of Leadership for Black Tech Talent.” Russell Reynolds Associates, 27 January 2022. Accessed 3 August 2022.

    Hubbard, Lucas. “Race, Not Job, Predicts Economic Outcomes for Black Households.” Duke Today, 16 September 2021. Accessed 30 May 2022.

    Knight, Marcus. “How the Tech Industry Can Be More Inclusive to the Black Community.” Crunchbase, 23 February 2022.

    “Maslow’s Hierarchy of Needs in Employee Engagement (Pre and Post Covid 19).” Vantage Circle HR Blog, 30 May 2022.

    McDonald, Autumn. “The Racism of the ‘Hard-to-Find’ Qualified Black Candidate Trope (SSIR).” Stanford Social Innovation Review, 1 June 2021. Accessed 13 December 2021.

    McGlauflin, Paige. “The Fortune 500 Features 6 Black CEOs—and the First Black Founder Ever.” Fortune, 23 May 2022. Accessed 14 February 2023.

    “Microaggression." Oxford English Dictionary, Oxford Languages, 2023.

    Reed, Jordan. "Understanding Racial Microaggression and Its Effect on Mental Health." Pfizer, 26 August 2020.

    Shemla, Meir “Why Workplace Diversity Is So Important, And Why It’s So Hard To Achieve.” Forbes, 22 August 2018. Accessed 4 February 2023.

    “The State of Black Women in Corporate America.” Lean In and McKinsey & Company, 2020. Accessed 14 January 2022.

    Van Bommel, Tara. “The Power of Empathy in Times of Crisis and Beyond (Report).” Catalyst, 2021. Accessed 1 April 2022.

    Vu, Viet, Creig Lamb, and Asher Zafar. “Who Are Canada’s Tech Workers?” Brookfield Institute for Innovation and Entrepreneurship, January 2019. Accessed on Canadian Electronic Library, 2021. Web.

    Warner, Justin. “The ROI of Employee Engagement: Show Me the Money!” DecisionWise, 1 January 2020. Web.

    White, Sarah K. “5 Revealing Statistics about Career Challenges Black IT Pros Face.” CIO (blog), 9 February 2023. Accessed 5 July 2022.

    Williams, Joan C. “Stop Asking Women of Color to Do Unpaid Diversity Work.” Bloomberg.com, 14 April 2022.

    Williams, Joan C., Rachel Korn, and Asma Ghani. “A New Report Outlines Some of the Barriers Facing Asian Women in Tech.” Fast Company, 13 April 2022.

    Wilson, Valerie, Ethan Miller, and Melat Kassa. “Racial representation in professional occupations.” Economic Policy Institute, 8 June 2021.

    “Workplace Diversity: Why It’s Good for Business.” Business Development Canada (BDC.ca), 6 Feb. 2023. Accessed 4 February 2023.

    Manage Requirements in an Agile Environment

    • Buy Link or Shortcode: {j2store}522|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Requirements & Design
    • Parent Category Link: /requirements-and-design

    The process of navigating from waterfall to Agile can be incredibly challenging. Even more problematic; how do you operate your requirements management practices once there? There traditionally isn’t a role for a business analyst, the traditional keeper of requirements. It isn’t like switching on a light.

    You likely find yourself struggling to deliver high quality solutions and requirements in Agile. This is a challenge for many organizations, regardless of how long they’ve leveraged Agile.

    But you aren’t here for assurances. You’re here for answers and help.

    Our Advice

    Critical Insight

    Agile and requirements management are complementary, not competitors.

    Impact and Result

    Info-Tech’s advice? Why choose? Why have to pick between traditional waterfall and Agile delivery? If Agile without analysis is a recipe for disaster, Agile with analysis is the solution. How can you leverage the Info-Tech approach to align your Agile and requirements management efforts into a powerful combination?

    Manage Requirements in an Agile Environment is your guide.

    Use the contents and exercises of this blueprint to gain a shared understanding of the two disciplines, to find your balance in your approach, to define your thresholds, and ultimately, to prepare for new ways of working.

    Manage Requirements in an Agile Environment Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Manage Requirements in an Agile Environment Blueprint – Agile and Requirements Management are complementary, not competitors

    Provides support and guidance for organizations struggling with their requirements management practices in Agile environments.

    • Manage Requirements in an Agile Environment Storyboard

    2. Agile Requirements Playbook – A practical playbook for aligning your teams, and articulating the guidelines for managing your requirements in Agile.

    The Agile Requirements Playbook becomes THE artifact for your Agile requirements practices. Great for onboarding, reviewing progress, and ensuring a shared understanding of your ways of working.

    • Agile Requirements Playbook

    3. Documentation Calculator – A tool for determining the right level of documentation for your organization, and whether you’re spending too much, or even not enough, on Agile Requirements documentation.

    The Documentation Calculator can inform your documentation decison making, ensuring you're investing just the right amount of time, money, and effort.

    • Documentation Calculator

    4. Agile Requirements Workbook – Supporting tools and templates in advancing your Agile Requirements practice, to be used in conjunction with the Agile Requirements Blueprint, and the Playbook.

    This workbook is designed to capture the results of your exercises in the Manage Requirements in an Agile Environment Storyboard. Each worksheet corresponds to an exercise in the storyboard. This is a tool for you, so customize the content and layout to best suit your product. The workbook is also a living artifact that should be updated periodically as the needs of your team and organization change.

    • Agile Requirements Workbook

    5. Agile Requirements Assessment – Establishes your current Agile requirements maturity, defines your target maturity, and supports planning to get there.

    The Agile Requirements Assessment is a great tool for determining your current capabilities and maturity in Agile and Business Analysis. You can also articulate your target state, which enables the identification of capability gaps, the creation of improvement goals, and a roadmap for maturing your Agile Requirements practice.

    • Agile Requirements Assessment

    Infographic

    Workshop: Manage Requirements in an Agile Environment

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Framing Agile and Business Analysis

    The Purpose

    Sets the context for the organization, to ensure a shared understanding of the benefits of both Agile and business analysis/requirements management.

    Key Benefits Achieved

    Have a shared definition of Agile and business analysis / requirements.

    Understand the current state of Agile and business analysis in your organization.

    Activities

    1.1 Define what Agile and business analysis mean in your organization.

    1.2 Agile requirements assessment.

    Outputs

    Alignment on Agile and business analysis / requirements in your organization.

    A current and target state assessment of Agile and business analysis in your organization.

    2 Tailoring Your Approach

    The Purpose

    Confirm you’re going the right way for effective solution delivery.

    Key Benefits Achieved

    Confirm the appropriate delivery methodology.

    Activities

    2.1 Confirm your selected methodology.

    Outputs

    Confidence in your selected project delivery methodology.

    3 Defining Your Requirements Thresholds

    The Purpose

    Provides the guardrails for your Agile requirements practice, to define a high-level process, roles and responsibilities, governance and decision-making, and how to deal with change.

    Key Benefits Achieved

    Clearly defined interactions between the BA and their partners

    Define a plan for management and governance at the project team level

    Activities

    3.1 Define your agile requirements process.

    3.2 Define your agile requirements RACI.

    3.3 Define your governance.

    3.4 Define your change and backlog refinement plan.

    Outputs

    Agile requirements process.

    Agile requirements RACI.

    A governance and documentation plan.

    A change and backlog refinement approach.

    4 Planning Your Next Steps

    The Purpose

    Provides the action plan to achieve your target state maturity

    Key Benefits Achieved

    Recognize and prepare for the new ways of working for communication, stakeholder engagement, within the team, and across the organization.

    Establish a roadmap for next steps to mature your Agile requirements practice.

    Activities

    4.1 Define your stakeholder communication plan.

    4.2 Identify your capability gaps.

    4.3 Plan your agile requirements roadmap.

    Outputs

    A stakeholder communication plan.

    A list of capability gaps to achieve your desired target state.

    A prioritized roadmap to achieve the target state.

    5 Agile Requirements Techniques (Optional)

    The Purpose

    To provide practical guidance on technique usage, which can enable an improved experience with technical elements of the blueprint.

    Key Benefits Achieved

    An opportunity to learn new tools to support your Agile requirements practice.

    Activities

    5.1 Managing requirements' traceability.

    5.2 Creating and managing user stories.

    5.3 Managing your requirements backlog.

    5.4 Maintaining a requirements library.

    Outputs

    Support and advice for leveraging a given tool or technique.

    Support and advice for leveraging a given tool or technique.

    Support and advice for leveraging a given tool or technique.

    Support and advice for leveraging a given tool or technique.

    Further reading

    Manage Requirements in an Agile Environment

    Agile and requirements management are complementary, not competitors

    Analyst's Perspective

    The temptation when moving to Agile is to deemphasize good requirements practices in favor of perceived speed. If you're not delivering on the needs of the business then you have failed, regardless of how fast you've gone.

    Delivery in Agile doesn't mean you stop needing solid business analysis. In fact, it's even more critical, to ensure your products and projects are adding value. With the rise of Agile, the role of the business analyst has been misunderstood.

    As a result, we often throw out the analysis with the bathwater, thinking we'll be just fine without analysis, documentation, and deliberate action, as the speed and dexterity of Agile is enough.

    Consequently, what we get is wasted time, money, and effort, with solutions that fail to deliver value, or need to be re-worked to get it right.

    The best organizations find balance between these two forces, to align, and gain the benefits of both Agile and business analysis, working in tandem to manage requirements that bring solutions that are "just right".

    This is a picture of Vincent Mirabelli

    Vincent Mirabelli
    Principal Research Director, Applications Delivery and Management
    Info-Tech Research Group

    EXECUTIVE BRIEF

    Executive Summary

    Your Challenge

    The process of navigating from waterfall to Agile can be incredibly challenging. And even more problematic; how do you operate your requirements management practices once there? Since there traditionally isn't a role for a business analyst; the traditional keeper of requirements. it isn't like switching on a light.

    You likely find yourself struggling to deliver high quality solutions and requirements in Agile. This is a challenge for many organizations, regardless of how long they've leveraged Agile.

    But you aren't here for assurances. You're here for answers and help.

    Common Obstacles

    many organizations and teams face is that there are so busy doing Agile that they fail to be Agile.

    Agile was supposed to be the saving grace of project delivery but is misguided in taking the short-term view of "going quickly" at the expense of important elements, such as team formation and interaction, stakeholder engagement and communication, the timing and sequencing of analysis work, decision-making, documentation, and dealing with change.

    The idea that good requirements just happen because you have user stories is wrong. So, requirements remain superficial, as you "can iterate later"…but sometimes later never comes, or doesn't come fast enough.

    Organizations need to be very deliberate when aligning their Agile and requirements management practices. The work is the same. How the work is done is what changes.

    Info-Tech's Approach

    Infotech's advice? Why choose? Why have to pick between traditional waterfall and Agile delivery? If Agile without analysis is a recipe for disaster, Agile with analysis is the solution. And how can you leverage the Info-Tech approach to align your Agile and requirements management efforts into a powerful combination?

    Manage Requirements in an Agile Environment is your guide.

    Use the contents and exercises of this blueprint to gain a shared understanding of the two disciplines, to find your balance in your approach, to define your thresholds, and ultimately, to prepare for new ways of working.

    Info-Tech Insight

    Agile and requirements management are complementary, not competitors.

    The temptation when moving to Agile is to deemphasize good requirements practices in favor of perceived speed. If you're not delivering on the needs of the business, then you have failed, regardless of how fast you've gone.

    Insight summary

    Overarching insight

    Agile and requirements management are complementary, not competitors.

    The temptation when moving to Agile is to deemphasize good requirements practices in favor of perceived speed. If you're not delivering on the needs of the business, then you have failed, regardless of how fast you've gone

    Phase 1 insight

    • The purpose of requirements in waterfall is for approval. The purpose in Agile is for knowledge management, as Agile has no memory.
    • When it comes to the Agile manifesto, "over" does not mean "instead of".
    • In Agile, the what of business analysis does doesn't change. What does change is the how and when that work happens.

    Phase 2 insight

    • Understand your uncertainties; it's a great way to decide what level of Agile (if any) is needed.
    • Finding your "Goldilocks" zone will take time. Be patient.

    Phase 3 insight

    • Right-size your governance, based on team dynamics and project complexity. A good referee knows when to step in, and when to let the game flow.
    • Agile creates a social contract amongst the team, and with their leaders and organization.
    • Documentation needs to be valuable. Do what is acceptable and necessary to move work to future steps. Not documenting also comes with a cost, but one you pay in the future. And that bill will come due, with interest (aka, technical debt, operational inefficiencies, etc.).
    • A lack of acceptable documentation makes it more difficult to have agility. You're constantly revalidating your current state (processes, practices and structure) and re-arguing decisions already made. This slows you down more than maintaining documentation ever would.

    Phase 4 insight

    • Making Agile predictable is hard, because people are not predictable; people are prone to chaos.

    There have been many challenges with waterfall delivery

    It turns out waterfall is not that great at reducing risk and ensuring value delivery after all

    • Lack of flexibility
    • Difficulty in measuring progress
    • Difficulties with scope creep
    • Limited stakeholder involvement
    • Long feedback loops

    48%
    Had project deadlines more than double

    85%
    Exceeded their original budget by at least 20%

    25%
    At least doubled their original budget

    This is an image of the waterfall project results

    Source: PPM Express.

    Agile was meant to address the shortcomings of waterfall

    The wait for solutions was too long for our business partners. The idea of investing significant time, money, and resources upfront, building an exhaustive and complete vision of the desired state, and then waiting months or even years to get that solution, became unpalatable for them. And rightfully so. Once we cast a light on the pains, it became difficult to stay with the status quo. Given that organizations evolve at a rapid pace, what was a pain at the beginning of an initiative may not be so even 6 months later.

    Agile became the answer.

    Since its' first appearance nearly 20 years ago, Agile has become the methodology of choice for a many of organizations. According to the 15th Annual State of Agile report, Agile adoption within software development teams increased from 37% in 2020 to 86% in 2021.

    Adopting Agile led to challenges with requirements

    Requirements analysis, design maturity, and management are critical for a successful Agile transformation.

    "One of the largest sources of failure we have seen on large projects is an immature Agile implementation in the context of poorly defined requirements."
    – "Large Scale IT Projects – From Nightmare to Value Creation"

    "Requirements maturity is more important to project outcomes than methodology."
    – "Business Analysis Benchmark: Full Report"

    "Mature Agile practices spend 28% of their time on analysis and design."
    – "Quantitative Analysis of Agile Methods Study (2017): Twelve Major Findings"

    "There exists a Requirements Premium… organizations using poor practices spent 62% more on similarly sized projects than organizations using the best requirements practices."
    – "The Business Case for Agile Business Analysis" - Requirements Engineering Magazine

    Strong stakeholder satisfaction with requirements results in higher satisfaction in other areas

    This is an image of a bar graph comparing the percentage of respondents with high stakeholder satisfaction, to the percentage of respondents with low stakeholder satisfaction for four different categories. these include: Availability of IT Capacity to Complete Projects; Overall IT Projects; IT Projects Meet Business Needs; Overall IT Satisfaction

    N= 324 small organizations from Info-Tech Research Group's CIO Business Vision diagnostic.

    Note: High satisfaction was classified as organizations with a score greater or equal to eight and low satisfaction was every organization that scored below eight on the same questions.

    Info-Tech's Agile requirements framework

    This is an image of Info-Tech's Agile requirements framework. The three main categories are: Sprint N(-1); Sprint N; Sprint N(+1)

    Agile requirements are a balancing act

    Collaboration

    Many subject matter experts are necessary to create accurate requirements, but their time is limited too.

    Communication

    Stakeholders should be kept informed throughout the requirements gathering process, but you need to get the right information to the right people.

    Documentation

    Recording, organizing, and presenting requirements are essential, but excessive documentation will slow time to delivery.

    Control

    Establishing control points in your requirements gathering process can help confirm, verify, and approve requirements accurately, but stage gates limit delivery.

    What changes for the business analyst?

    In Agile, the what of business analysis does not change.

    What does change is the how and when that work happens.

    Business analysts need to focus on six key elements when managing requirements in Agile.

    • Team formation and interaction
    • Stakeholder engagement and communication
    • The timing and sequencing of their work
    • Decision-making
    • Documentation
    • Dealing with change

    Where does the business analysis function fit on an Agile team?

    Team formation is key, as Agile is a team sport

    A business analyst in an Agile team typically interacts with several different roles, including:

    • The product owner,
    • The Sponsor or Executive
    • The development team,
    • Other stakeholders such as customers, end-users, and subject matter experts
    • The Design team,
    • Security,
    • Testing,
    • Deployment.

    This is an image the roles who typically interact with a Business Analyst.

    How we do our requirements work will change

    • Team formation and interaction
    • Stakeholder engagement and communication
    • The timing and sequencing of their work
    • Decision-making
    • Documentation
    • Dealing with change

    As a result, you'll need to focus on;

    • Emphasizing flexibility
    • Enabling continuous delivery
    • Enhancing collaboration and communication
    • Developing a user-centered approach

    Get stakeholders on board with Agile requirements

    1. Stakeholder feedback and management support are key components of a successful Agile Requirements.
    2. Stakeholders can see a project's progression and provide critical feedback about its success at critical milestones.
    3. Management helps teams succeed by trusting them to complete projects with business value at top of mind and by removing impediments that are inhibiting their productivity.
    4. Agile will bring a new mindset and significant numbers of people, process, and technology changes that stakeholders and management may not be accustomed to. Working through these issues in requirements management enables a smoother rollout.
    5. Management will play a key role in ensuring long-term Agile requirements success and ultimately rolling it out to the rest of the organization.
    6. The value of leadership involvement has not changed even though responsibilities will. The day-to-day involvement in projects will change but continual feedback will ultimately dictate the success or failure of a project.

    Measuring your success

    Tracking metrics and measuring your progress

    As you implement the actions from this Blueprint, you should see measurable improvements in;

    • Team and stakeholder satisfaction
    • Requirements quality
    • Documentation cost

    Without sacrificing time to delivery

    Metric Description and motivation
    Team satisfaction (%) Expect team satisfaction to increase as a result of clearer role delineation and value contribution.
    Stakeholder satisfaction (%) Expect Stakeholder satisfaction to similarly increase, as requirements quality increases, bringing increased value
    Requirements rework Measures the quality of requirements from your Agile Projects. Expect that the Requirements Rework will decrease, in terms of volume/frequency.
    Cost of documentation Quantifies the cost of documentation, including Elicitation, Analysis, Validation, Presentation, and Management
    Time to delivery Balancing Metric. We don't want improvements in other at the expense of time to delivery

    Info-Tech's methodology for Agile requirements

    1. Framing Agile and Business Analysis

    2. Tailoring Your Approach

    3. Defining Your Requirements Thresholds

    4. Planning Your Next Steps

    Phase Activities

    1.1 Understand the benefits and limitations of Agile and business analysis

    1.2 Align Agile and business analysis within your organization

    2.1 Decide the best-fit approach for delivery

    2.2 Manage your requirements backlog

    3.1 Define project roles and responsibilities

    3.2 Define your level of acceptable documentation

    3.3 Manage requirements as an asset

    3.4 Define your requirements change management plan

    4.1 Preparing new ways of working

    4.2 Develop a roadmap for next steps

    Phase Outcomes

    Recognize the benefits and detriments of both Agile and BA.

    Understand the current state of Agile and business analysis in your organization.

    Confirm the appropriate delivery methodology.

    Manage your requirements backlog.

    Connect the business need to user story.

    Clearly defined interactions between the BA and their partners.

    Define a plan for management and governance at the project team level.

    Documentation and tactics that are right-sized for the need.

    Recognize and prepare for the new ways of working for communication, stakeholder engagement, within the team, and across the organization.

    Establish a roadmap for next steps to mature your Agile requirements practice.

    Blueprint tools and templates

    Key deliverable:

    This is a screenshot from the Agile Requirements Playbook

    Agile Requirements Playbook

    A practical playbook for aligning your teams and articulating the guidelines for managing your requirements in Agile

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    This is a screenshot from the Documentation Calculator

    Documentation Calculator

    A tool to help you answer the question: What is the right level of Agile requirements documentation for my organization?

    This is a screenshot from the Agile Requirements Assessment

    Agile Requirements Assessment

    Establishes your current maturity level, defines your target state, and supports planning to get there.

    This is a screenshot from the Agile Requirements Workbook

    Agile Requirements Workbook

    Supporting tools and templates in advancing your Agile requirements practice, to be used with the Agile Requirements Blueprint and Playbook.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    Guided Implementation

    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

    Workshop

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting

    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Day 1 Day 2 Day 3 Day 4 Day 5
    1. Framing Agile and Business Analysis / 2. Tailoring Your Approach 3. Defining Your Requirements
    Thresholds    		 3. Defining Your Requirements Thresholds / 4. Planning Your Next Steps (OPTIONAL) Agile Requirements Techniques (a la carte) Next Steps and Wrap-Up (Offsite)

    Activities

    What does Agile mean in your organization? What do requirements mean in your organization?

    Agile Requirements Assessment

    Confirm your selected methodology

    Define your Agile requirements process

    Define your Agile requirements RACI (Optional)

    Define your Agile requirements governance

    Defining your change management plan

    Define your

    communication plan

    Capability gap list

    Planning your Agile requirements roadmap

    Managing requirements traceability

    Creating and managing user stories

    Managing your requirements backlog

    Maintaining a requirements library

    Develop Agile Requirements Playbook

    Complete in-progress deliverables from previous four days.

    Set up review time for workshop deliverables and next steps

    Outcomes

    Shared definition of Agile and business analysis / requirements

    Understand the current state of Agile and business analysis in your organization

    		 Agile requirements process

    Agile requirements RACI (Optional)

    Defined Agile requirements governance and documentation plan

    Change and backlog refinement plan

    Stakeholder communication plan

    Action plan and roadmap for maturing your Agile requirements practice

    		 Practical knowledge and practice about various tactics and techniques in support of your Agile requirements efforts

    Completed Agile Requirements Playbook

    Guided Implementation

    Phase 1 Phase 2 Phase 3 Phase 4

    Call #1: Scope objectives, and your specific challenges.

    Call #4: Define your approach to project delivery.

    Call #6: Define your Agile requirements process.

    Call #9: Identify gaps from current to target state maturity.

    Call #2: Assess current maturity.

    Call #5: Managing your requirements backlog.

    Call #7: Define roles and responsibilities.

    Call #10: Pprioritize next steps to mature your Agile requirements practice.

    Call #3: Identify target-state capabilities.

    Call #8: Define your change and backlog refinement approach.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is 10 calls over the course of 4 to 6 months.

    Framing Agile and Business Analysis

    Phase 1

    Framing Agile and Business Analysis

    Phase 1Phase 2Phase 3Phase 4

    1.1 Understand the benefits and limitations of Agile and business analysis

    1.2 Align Agile and business analysis within your organization

    2.1 Confirm the best-fit approach for delivery

    2.2 manage your requirements backlog

    3.1 Define project roles and responsibilities

    3.2 define your level of acceptable documentation

    3.3 Manage requirements as an asset

    3.4 Define your requirements change management plan

    4.1 Preparing new ways of working

    4.2 Develop a roadmap for next steps

    This phase will walk you through the following activities:

    • EXERCISE: What do Agile and requirements mean in your organization?
    • ASSESSMENT: Agile requirements assessment
    • KEY DELIVERABLE: Agile Requirements Playbook

    This phase involves the following participants:

    • Business analyst and project team
    • Stakeholders
    • Sponsor/Executive

    Managing Requirements in an Agile Environment

    Step 1.1

    Understand the benefits and limitations of Agile and business analysis

    Activities

    1.1.1 Define what Agile and business analysis mean in your organization

    This step involves the following participants:

    • Business analyst and project team
    • Sponsor/Executive

    Outcomes of this step

    • Recognize the benefits and detriments of both Agile and business analysis

    Framing Agile and Business Analysis

    There have been many challenges with waterfall delivery

    It turns out waterfall is not that great at reducing risk and ensuring value delivery after all

    • Lack of flexibility
    • Difficulty in measuring progress
    • Difficulties with scope creep
    • Limited stakeholder involvement
    • Long feedback loops

    48%
    Had project deadlines more than double

    85%
    Exceeded their original budget by at least 20%

    25%
    At least doubled their original budget

    This is an image of the Waterfall Project Results

    Source: PPM Express.

    Business analysis had a clear home in waterfall

    Business analysts had historically been aligned to specific lines of business, in support of their partners in their respective domains. Somewhere along the way, the function was moved to IT. Conceptually this made sense, in that it allowed BAs to provide technical solutions to complex business problems. This had the unintended result of lost domain knowledge, and connection to the business.

    It all starts with the business. IT enables business goals. The closer you can get to the business, the better.

    Business analysts were the main drivers of helping to define the business requirements, or needs, and then decompose those into solution requirements, to develop the best option to solve those problems, or address those needs. And the case for good analysis was clear. The later a poor requirement was caught, the more expensive it was to fix. And if requirements were poor, there was no way to know until much later in the project lifecycle, when the cost to correct them was exponentially higher, to the tune of 10-100x the initial cost.

    This is an image of a graph showing the cost multiplier for Formulating Requirements, Architecture Design, Development, Testing and, Operations

    Adapted from PPM Express. "Why Projects Fail: Business Analysis is the Key".

    Agile was meant to address the shortcomings of waterfall

    The wait for solutions was too long for our business partners. The idea of investing significant time, money, and resources upfront, building an exhaustive and complete vision of the desired state, and then waiting months or even years to get that solution became unpalatable for them. And rightfully so. Once we cast a light on the pains, it became difficult to stand pat in the current state. And besides, organizations evolve at a rapid pace. What was a pain at the beginning of an initiative may not be so even six months later.

    Agile became the answer.

    Since its first appearance nearly 20 years ago, Agile has become the methodology of choice for a huge swathe of organizations. According to the 15th Annual State of Agile report, Agile adoption within software development teams increased from 37% in 2020 to 86% in 2021.

    To say that's significant is an understatement.

    The four core values of Agile helped shift focus

    According to the Agile manifesto, "We value. . ."

    This is an image of what is valued according to the Agile Manifesto.

    "…while there is value in the items on the right, we value the items on the left more."

    Source: Agilemanifesto, 2001

    Agile has made significant inroads in IT and beyond

    94% of respondents report using Agile practices in their organization

    according to Digital.AI's "The 15th State of Agile Report"

    That same report notes a steady expansion of Agile outside of IT, as other areas of the organization seek to benefit from increased agility and responsiveness, including Human Resources, Finance and Marketing.

    While it addressed some problems…

    This is an image of the Waterfall Project Results, compared to Agile Product Results.

    "Agile projects are 37% faster to market than [the] industry average"

    (Requirements Engineering Magazine, 2017)

    • Business requirements documents are massive and unreadable
    • Waterfall erects barriers and bottlenecks between the business and the development team
    • It's hard to define the solution at the outset of a project
    • There's a long turnaround between requirements work and solution delivery
    • Locking in requirements dictates an often-inflexible solution. And the costs to make changes tend to add up.

    …Implementing Agile led to other challenges

    This is an image of a series of thought bubbles, each containing a unique challenge resulting from implementing Agile.

    Adopting Agile led to challenges with requirements

    Requirements analysis, design maturity, and management are critical for a successful Agile transformation.

    "One of the largest sources of failure we have seen on large projects is an immature Agile implementation in the context of poorly defined requirements."
    – BCG, 2015

    "Requirements maturity is more important to project outcomes than methodology."
    – IAG Consulting, 2009.

    "Mature Agile practices spend 28% of their time on analysis and design."
    – InfoQ, 2017."

    "There exists a Requirements Premium… organizations using poor practices spent 62% more on similarly sized projects than organizations using the best requirements practices."
    – Requirements Engineering Magazine, 2017

    Strong stakeholder satisfaction with requirements results in higher satisfaction in other areas

    This is an image of a bar graph comparing the percentage of respondents with high stakeholder satisfaction, to the percentage of respondents with low stakeholder satisfaction for four different categories. these include: Availability of IT Capacity to Complete Projects; Overall IT Projects; IT Projects Meet Business Needs; Overall IT Satisfaction

    N= 324 small organizations from Info-Tech Research Group's CIO Business Vision diagnostic.

    Note: High satisfaction was classified as organizations with a score greater or equal to eight and low satisfaction was every organization that scored below eight on the same questions.

    Agile is being misinterpreted as an opportunity to bypass planning and analysis activities

    Agile is a highly effective tool.

    This isn't about discarding Agile. It is being used for things completely outside of what was originally intended. When developing products or code, it is in its element. However, outside of that realm, its being used to bypass business analysis activities, which help define the true customer and business need.

    Business analysts were forced to adapt and shift focus. Overnight they morphed into product owners, or no longer had a place on the team. Requirements and analysis took a backseat.

    The result?

    Increased rework, decreased stakeholder satisfaction, and a lot of wasted money and effort.

    "Too often, the process of two-week sprints becomes the thing, and the team never gets the time and space to step back and obsess over what is truly needed to delight customers."
    Harvard Business Review, 9 April 2021.

    Info-Tech Insight

    Requirements in Agile are the same, but the purpose of requirements changes.

    • The purpose of requirements in waterfall is for stakeholder approval.
    • The purpose of requirements in Agile is knowledge management; to maintain a record of the current state.

    Many have misinterpreted the spirit of Agile and waterfall

    The stated principles of waterfall say nothing of how work is to be linear.

    This is an image of a comparison between using Agile and Being Prescriptive.This is an image of Royce's 5 principles for success.

    Source: Royce, Dr. Winston W., 1970.

    For more on Agile methodology, check out Info-Tech's Agile Research Centre

    How did the pendulum swing so far?

    Shorter cycles of work made requirements management more difficult. But the answer isn't to stop doing it.

    Organizations went from engaging business stakeholders up front, and then not until solution delivery, to forcing those partners to give up their resources to the project. From taking years to deliver a massive solution (which may or may not even still fit the need) to delivering in rapid cycles called sprints.

    This tug-of-war is costing organizations significant time, money, and effort.

    Your approach to requirements management needs to be centered. We can start to make that shift by better aligning our Agile and business analysis practices. Outside of the product space, Agile needs to be combined with other disciplines (Harvard Business Review, 2021) to be effective.

    Agility is important. Though it is not a replacement for approach or strategy (RCG Global Services, 2022). In Agile, team constraints are leveraged because of time. There is a failure to develop new capabilities to address the business needs Harvard Business Review, 2021).

    Agility needs analysis.

    Agile requirements are a balancing act

    Collaboration

    Many subject matter experts are necessary to create accurate requirements, but their time is limited too.

    Communication

    Stakeholders should be kept informed throughout the requirements gathering process, but you need to get the right information to the right people.

    Documentation

    Recording, organizing, and presenting requirements are essential, but excessive documentation will slow time to delivery.

    Control

    Establishing control points in your requirements gathering process can help confirm, verify, and approve requirements accurately, but stage gates limit delivery.

    Start by defining what the terms mean in your organization

    We do this because there isn't even agreement by the experts on what the terms "Agile" and "business analysis" mean, so let's establish a definition within the context of your organization.

    1.1.1 What do Agile and business analysis mean in your organization?

    Estimated time: 30 Minutes

    1. Explore the motivations behind the need for aligning Agile with business analysis. Are there any current challenges related to outputs, outcomes, quality? How can the team and organization align the two more effectively for the purposes of requirements management?
    2. Gather the appropriate stakeholders to discuss their definition of the terms "Agile" and "business analysis" It can be related to their experience, practice, or things they've read or heard.
    3. Brainstorm and document all shared thoughts and perspectives.
    4. Synthesize those thoughts and perspectives into a shared definition of each term, of a sentence or two.
    5. Revisit this definition as needed, and as your Agile requirements efforts evolve.

    Input

    • Challenges and experiences/perspectives related to Agile and business requirements

    Output

    • A shared definition of Agile and business analysis, to help guide alignment on Agile requirements management

    Materials

    • Agile Requirements Workbook

    Participants

    • Business Analyst(s)
    • Project Team
    • Sponsor/Executive
    • Relevant Stakeholders

    Build your Agile Requirements Playbook

    Keep the outcomes of this blueprint in a single document

    Share at the beginning of a new project, as part of team member onboarding, and revisit as your practice matures.

    This is a series of three screenshots from the Agile Requirements Playbook.

    Your Agile Requirements Playbook will include

    • Your shared definition of Agile and business analysis for your organization
    • The Agile Requirements Maturity Assessment
    • A Methodology Selection Matrix
    • Agile requirements RACI
    • A defined Agile requirements process
    • Documentation Calculator
    • Your Requirements Repository Information
    • Capability Gap List (from current to target state)
    • Target State Improvement Roadmap and Action Plan

    Step 1.2

    Align Agile and Business Analysis Within Your Organization

    Activities

    1.2.1 Assess your Agile requirements maturity

    This step involves the following participants:

    • Business Analyst and Project Team
    • Stakeholders
    • Sponsor/Executive

    Outcomes of this step

    • Complete the Agile Requirements Maturity Assessment to establish your current and target states

    Framing Agile and Business Analysis

    Consider the question: "Why Agile?"

    What is the driving force behind that decision?

    There are many reasons to leverage the power of Agile within your organization, and specifically as part of your requirements management efforts. And it shouldn't just be to improve productivity. That's only one aspect.
    Begin by asking, "Why Agile?" Are you looking to improve:

    • Time to market
    • Team engagement
    • Product quality
    • Customer satisfaction
    • Stakeholder engagement
    • Employee satisfaction
    • Consistency in delivery of value
    • Predictably of your releases

    Or a combination of the above?

    Info-Tech Insight

    Project delivery methodologies aren't either/or. You don't have to be 100% waterfall or 100% Agile. Select the right approach for your project, product, or service.

    In the end, your business partners don't want projects delivered faster, they want value faster!

    For more on understanding Agile, check out the Implement Agile Practices That Work Blueprint

    Responses to a 2019 KPMG survey:

    13% said that their top management fully supports Agile transformation.

    76% of organizations did not agree that their organization supports Agile culture.

    62% of top management believe Agile has no implications for them.

    What changes for the business analyst?

    Business analysts need to focus on six key elements when managing requirements in Agile.

    • Team formation and interaction
    • Stakeholder engagement and communication
    • The timing and sequencing of their work
    • Decision-making
    • Documentation
    • Dealing with change

    In Agile, the what of business analysis does not change.

    What does change is the how and when that work happens.

    1.2.1 Assess your Agile requirements maturity

    This is a series of screenshots from the Agile Requirements Maturity Assessment.

    1.2.1 Assess your Agile requirements maturity

    Estimated time: 30 Minutes

      1. Using the Agile Requirements Maturity Assessment, gather all appropriate stakeholders, and discuss and score the current state of your practice. Scoring can be done by:
        1. Consensus: Generally better with a smaller group, where the group agrees the score and documents the result
        2. Average: Have everyone score individually, and aggregate the results into an average, which is then entered.
        3. Weighted Average: As above, but weight the individual scores by individual or line of business to get a weighted average.
      2. When current state is complete, revisit to establish target state (or hold as a separate session) using the same scoring approach as in current state.
        1. Recognize that there is a cost to maturity, so don't default to the highest score by default.
        2. Resist the urge at this early stage to generate ideas to navigate from current to target state. We will re-visit this exercise in Phase 4, once we've defined other pieces of our process and practice.

    Input

    • Participant knowledge and experience

    Output

    • A current and target state assessment of your Agile requirements practice

    Materials

    • Agile Requirements Maturity Assessment

    Participants

    • Business Analyst(s)
    • Project Team
    • Sponsor/Executive
    • Relevant Stakeholders

    Tailoring Your Approach

    Phase 2

    Phase 1Phase 2Phase 3Phase 4

    1.1 Understand the benefits and limitations of Agile and business analysis

    1.2 Align Agile and business analysis within your organization

    2.1 Confirm the best-fit approach for delivery

    2.2 manage your requirements backlog

    3.1 Define project roles and responsibilities

    3.2 define your level of acceptable documentation

    3.3 Manage requirements as an asset

    3.4 Define your requirements change management plan

    4.1 Preparing new ways of working

    4.2 Develop a roadmap for next steps

    This phase will walk you through the following activities:

    • Selecting the appropriate delivery methodology
    • Managing your requirements backlog
    • Tracing from business need to user story

    This phase involves the following participants:

    • Business Analyst(s)
    • Project Team
    • Sponsor/Executive
    • Relevant Stakeholders

    Managing Requirements in an Agile Environment

    Step 2.1

    Confirm the Best-fit Approach for Delivery

    Activities

    2.1.1 Confirm your methodology

    This step involves the following participants:

    • Business Analyst(s)
    • Project Team
    • Sponsor/Executive
    • Relevant Stakeholders

    Outcomes of this step

    • A review of potential delivery methodologies to select the appropriate, best-fit approach to your projects

    Confirming you're using the best approach doesn't have be tricky

    Selecting the right approach (or confirming you're on the right track) is easier when you assess two key inputs to your project; your level of certainty about the solution, and the level of complexity among the different variables and inputs to your project, such as team experience and training, the number of impacted stakeholders or context. lines of business, and the organizational

    Solution certainty refers to the level of understanding of the problem and the solution at the start of the project. In projects with high solution certainty, the requirements and solutions are well defined, and the project scope is clear. In contrast, projects with low solution certainty have vague or changing requirements, and the solutions are not well understood.

    Project complexity refers to the level of complexity of the project, including the number of stakeholders, the number of deliverables, and the level of technical complexity. In projects with high complexity, there are many stakeholders with different priorities, many deliverables, and high technical complexity. In contrast, projects with low complexity have fewer stakeholders, fewer deliverables, and lower technical complexity.

    "Agile is a fantastic approach when you have no clue how you're going to solve a problem"

    • Ryan Folster, Consulting Services Manager, Business Analysis, Dimension Data

    Use Info-Tech's methodology selection matrix

    Waterfall methodology is best suited for projects with high solution certainty and high complexity. This is because the waterfall model follows a linear and sequential approach, where each phase of the project is completed before moving on to the next. This makes it ideal for projects where the requirements and solutions are well-defined, and the project scope is clear.

    On the other hand, Agile methodology is best suited for projects with low solution certainty. Agile follows an iterative and incremental approach, where the requirements and solutions are detailed and refined throughout the project. This makes it ideal for projects where the requirements and solutions are vague or changing.

    Note that there are other models that exist for determining which path to take, should this approach not fit within your organization.

    Use info-tech's-methodology-selection-matrix

    This is an image of Info-Tech’s methodology selection matrix

    Adapted from The Chaos Report, 2015 (The Standish Group)

    Download the Agile Requirements Workbook

    2.1.1 Confirm your methodology

    Estimated time: 30 Minutes

    1. Using the Agile Requirements Workbook, find the tab labelled "Methodology Assessment" and answer the questions to establish your complexity and certainty scores, where;

    1 = Strongly disagree
    2 = Disagree
    3 = Neutral
    4 = Agree
    5 = Strongly agree.

    1. In the same workbook, plot the results in the grid on the tab labelled "Methodology Matrix".
    2. Projects falling into Green are good fits for Agile. Yellow are viable. And Red may not be a great fit for Agile.
    3. Note: Ultimately, the choice of methodology is yours. Recognize there may be additional challenges when a project is too complex, or uncertainty is high.

    Input

    • Current project complexity and solution certainty

    Output

    • A clear choice of delivery methodology

    Materials

    • Agile Requirements Workbook

    Participants

    • Business Analyst(s)
    • Project Team
    • Sponsor/Executive
    • Relevant Stakeholders

    Step 2.2

    Manage Your Requirements Backlog

    Activities

    2.2.1 Create your user stories

    This step involves the following participants:

    • Business Analyst(s)
    • Project Team
    • Sponsor/Executive
    • Relevant Stakeholders

    Outcomes of this step

    • Understand how to convert requirements into user stories, which populate the Requirements Backlog.

    Tailoring Your Approach

    There is a hierarchy to requirements

    This is a pyramid, with the base being: Solution Requirements; The middle being: Stakeholder Requirements; and the Apex being: Business Requirements.
    • Higher-level statements of the goals, objectives, or needs of the enterprise.
    • Business requirements focus on the needs of the organization, and not the stakeholders within it.

    Defines

    Intended benefits and outcomes
    • Statements of the needs of a particular stakeholder or class of stakeholders, and how that stakeholder will interact with a solution.

    Why it is needed, and by who
    • Describes the characteristics of a solution that meets business requirements and stakeholder requirements. Functional describes the behavior and information that the solution will manage. They describe capabilities the system will be able to perform in terms of behaviors or operations. Non-functional represents constraints on the ultimate solution and tends to be less negotiable.

    What is needed, and how its going to be achieved

    Connect the dots with a traceability matrix

    Business requirements describe what a company needs in order to achieve its goals and objectives. Solution requirements describe how those needs will be met. User stories are a way to express the functionality that a solution will provide from the perspective of an end user.

    A traceability matrix helps clearly connect and maintain your requirements.

    To connect business requirements to solution requirements, you can start by identifying the specific needs that the business has and then determining how those needs can be met through technology or other solutions; or what the solution needs to do to meet the business need. So, if the business requirement is to increase online sales, a solution requirement might include implementing a shopping cart feature on your company website.

    Once you have identified the solution requirements, you can then use those to create user stories. A user story describes a specific piece of functionality that the solution will provide from the perspective of a user.

    For example, "As a customer, I want to be able to add items to my shopping cart so that I can purchase them." This user story is directly tied to the solution requirement of implementing a shopping cart feature.

    Tracing from User Story back up to Business Requirement is essential in ensuring your solutions support your organization's strategic vison and objectives.

    This is an image of a traceability matrix for Business Requirements.

    Download the Info-Tech Requirements Traceability Matrix

    Improve the quality of your solution requirements

    A solution requirement is a statement that clearly outlines the functional capability that the business needs from a system or application.

    There are several attributes to look for in requirements:

    Verifiable

    Unambiguous

    Complete

    Consistent

    Achievable

    Traceable

    Unitary

    Agnostic

    Stated in a way that can be easily tested

    Free of subjective terms and can only be interpreted in one way

    Contains all relevant information

    Does not conflict with other requirements

    Possible to accomplish with budgetary and technological constraints

    Trackable from inception through to testing

    Addresses only one thing and cannot be decomposed into multiple requirements

    Doesn't pre-suppose a specific vendor or product

    For more on developing high quality requirements, check out the Improve Requirements Gathering Blueprint

    Prioritize your requirements

    When everything is a priority, nothing is a priority.

    Prioritization is the process of ranking each requirement based on its importance to project success. Each requirement should be assigned a priority level. The delivery team will use these priority levels to ensure efforts are targeted toward the proper requirements as well as to plan features available on each release. Use the MoSCoW Model of Prioritization to effectively order your requirements.

    The MoSCoW Model of Prioritization

    This is an image of The MoSCoW Model of Prioritization

    The MoSCoW model was introduced by Dai Clegg of Oracle UK in 1994

    (Source: ProductPlan).

    Base your prioritization on the right set of criteria

    Criteria Description
    Regulatory and legal compliance These requirements will be considered mandatory.
    Policy compliance Unless an internal policy can be altered or an exception can be made, these requirements will be considered mandatory.
    Business value significance Give a higher priority to high-value requirements.
    Business risk Any requirement with the potential to jeopardize the entire project should be given a high priority and implemented early.
    Likelihood of success Especially in proof-of-concept projects, it is recommended that requirements have good odds.
    Implementation complexity Give a higher priority to low implementation difficulty requirements.
    Alignment with strategy Give a higher priority to requirements that enable the corporate strategy.
    Urgency Prioritize requirements based on time sensitivity.
    Dependencies A requirement on its own may be low priority, but if it supports a high-priority requirement, then its priority must match it.

    Info-Tech Insight

    It is easier to prioritize requirements if they have already been collapsed, resolved, and rewritten. There is no point in prioritizing every requirement that is elicited up front when some of them will eventually be eliminated.

    Manage solution requirements in a Product backlog

    What is a backlog?

    Agile teams are familiar with the use of a Sprint Backlog, but in Requirements Management, a Product Backlog is a more appropriate choice.

    A product backlog and a Sprint backlog are similar in that they are both lists of items that need to be completed in order to deliver a product or project, but there are some key differences between the two.

    A product backlog is a list of all the features, user stories, and requirements that are needed for a product or project. It is typically created and maintained by the business analyst or product owner and is used to prioritize and guide the development of the product.

    A Sprint backlog, on the other hand, is a list of items specifically for an upcoming sprint, which is an iteration of work in Scrum. The Sprint backlog is created by the development team and is used to plan and guide the work that will be done during the sprint. The items in the Sprint backlog are typically taken from the product backlog and are prioritized based on their importance and readiness.

    For more on building effective product backlogs, visit Deliver on Your Digital Product Vision

    A backlog stores and organizes requirements at various stages

    Your backlog must give you a holistic understanding of demand for change in the product.

    A well-formed backlog can be thought of as a DEEP backlog

    Detailed appropriately: Requirements are broken down and refined as necessary

    Emergent: The backlog grows and evolves over time as requirements are added and removed.

    Estimated: The effort to deliver a requirement is estimated at each tier.

    Prioritized: A requirement's value and priority are determined at each tier.

    This is an image of an inverted funnel, with the top being labeled: Ideas; The middle being labeled: Qualified; and the bottom being labeled: Ready.

    Adapted from Essential Scrum

    Ensure requests and requirements are ready for development

    Clearly define what it means for a requirement, change, or maintenance request to be ready for development.

    This will help ensure the value and scope of each functionality and change are clear and well understood by both developers and stakeholders before the start of the sprint. The definition of ready should be two-fold: ready for the backlog, and ready for coding.

    1. Create a checklist that indicates when a requirement or request is ready for the development backlog. Consider the following questions:
      1. Is the requirement or request in the correct format?
      2. Does the desired functionality or change have significant business value?
      3. Can the requirement or request be reasonably completed within defined release timelines under the current context?
      4. Does the development team agree with the budget and points estimates?
      5. Is there an understanding of what the requirement or request means from the stakeholder or user perspective?
    2. Create a checklist that indicates when a requirement or request is ready for development. Consider the following questions:
      1. Have the requirements and requests been prioritized in the backlog?
      2. Has the team sufficiently collaborated on how the desired functionality or change can be completed?
      3. Do the tasks in each requirement or request contain sufficient detail and direction to begin development?
      4. Can the requirement or request be broken down into smaller pieces?

    Converting solution requirements into user stories

    Define the user

    Who will be interacting with the product or feature being developed? This will help to focus the user story on the user's needs and goals.

    Create the story

    Create the user story using the following template: "As a [user], I want [feature] so that [benefit]."
    This helps articulate the user's need and the value that the requirement will provide.

    Decompose

    User stories are typically too large to be implemented in a single sprint, so they should be broken down into smaller, more manageable tasks.

    Prioritize

    User stories are typically too large to be implemented in a single sprint, so they should be broken down into smaller, more manageable tasks.

    2.2.1 Create your user stories

    Estimated time: 60 Minutes

    1. Gather the project team and relevant stakeholders. Have access to your current list of solution requirements.
    2. Leverage the approach on previous slide "Converting Solution Requirements into User Stories" to generate a collection of user stories.

    NOTE: There is not a 1:1 relationship between requirements and user stories.
    It is possible that a single requirement will have multiple user stories, and similarly, that a single user story will apply to multiple solution requirements.

    Input

    • Requirements
    • Use Case Template

    Output

    • A collection of user stories

    Materials

    • Current Requirements

    Participants

    • Business Analyst(s)
    • Project Team
    • Relevant Stakeholders

    Use the INVEST model to create good user stories

    At this point your requirements should be high-level stories. The goal is to refine your backlog items, so they are . . .

    A vertical image of the Acronym: INVEST, taken from the first letter of each bolded word in the column to the right of the image.

    Independent: Ideally your user stories can be built in any order (i.e. independent from each other). This allows you to prioritize based on value and not get caught up in sequencing and prerequisites.
    Negotiable: As per the Agile principle, collaboration over contracts. Your user stories are meant to facilitate collaboration between the developer and the business. Therefore, they should be built to allow negotiation between all parties.
    Valuable: A user story needs to state the value so it can be effectively prioritized, but also so developers know what they are building.
    Estimable: As opposed to higher-level approximation given to epics, user stories need more accuracy in their estimates in order to, again, be effectively prioritized, but also so teams can know what can fit into a sprint or release plans.
    Small: User stories should be small enough for a number of them to fit into a sprint. However, team size and velocity will impact how many can be completed. A general guideline is that your teams should be able to deliver multiple stories in a sprint.
    Testable: Your stories need to be testable, which means they must have defined acceptance criteria and any related test cases as defined in your product quality standards.
    Source: Agile For All

    Defining Your Requirements Thresholds

    Phase 3

    Defining Your Requirements Thresholds

    Phase 1Phase 2Phase 3Phase 4

    1.1 Understand the benefits and limitations of Agile and business analysis

    1.2 Align Agile and business analysis within your organization

    2.1 Confirm the best-fit approach for delivery

    2.2 manage your requirements backlog

    3.1 Define project roles and responsibilities

    3.2 define your level of acceptable documentation

    3.3 Manage requirements as an asset

    3.4 Define your requirements change management plan

    4.1 Preparing new ways of working

    4.2 Develop a roadmap for next steps

    This phase will walk you through the following activities:

    • Assigning roles and responsibilities optional (Tool: RACI)
    • Define your Agile requirements process
    • Calculate the cost of your documentation (Tool: Documentation Calculator)
    • Define your backlog refinement plan

    This phase involves the following participants:

    • Business Analyst(s)
    • Project Team
    • Sponsor/Executive
    • Relevant Stakeholders

    Managing Requirements in an Agile Environment

    Step 3.1

    Define Project Roles and Responsibilities

    Activities

    3.1.1 Define your Agile requirements RACI (optional)

    3.1.2 Define your Agile requirements process

    Defining Your Requirements Thresholds

    This step involves the following participants:

    • Business Analyst(s)
    • Project Team
    • Sponsor/Executive
    • Relevant Stakeholders

    Outcomes of this step

    • A defined register of roles and responsibilities, along with a defined process for how Agile requirements work is to be done.

    Defining Your Requirements Thresholds

    Where does the BA function fit on an Agile team?

    Team formation is key, as Agile is a team sport

    A business analyst in an Agile team typically interacts with several different roles, including the product owner, development team, and many other stakeholders throughout the organization.

    This is an image the roles who typically interact with a Business Analyst.

    • The product owner, to set the priorities and direction of the project, and to gather requirements and ensure they are being met. Often, but not always, the BA and product owner are the same individual.
    • The development team, to provide clear and concise requirements that they can use to build and test the product.
    • Other stakeholders, such as customers, end-users, and subject matter experts to gather their requirements, feedback and validate the solution.
      • Design, to ensure that the product meets user needs. They may provide feedback and ensure that the design is aligned with requirements.
      • Security, to ensure that the solution meets all necessary security requirements and to identify potential risks and appropriate use of controls.
      • Testing, to ensure that the solution is thoroughly tested before it is deployed. They may create test cases or user scenarios that validate that everything is working as intended.
      • Deployment, to ensure that the necessary preparations have been made, including testing, security, and user acceptance.

    Additionally, during the sprint retrospectives, the team will review their performance and find ways to improve for the next sprint. As a team member, the business analyst helps to identify areas where the team could improve how they are working with requirements and understand how the team can improve communication with stakeholders.

    3.1.1 (Optional) Define Your Agile Requirements RACI

    Estimated Time: 60 Minutes

    1. Identify the project deliverables: The first step is to understand the project deliverables and the tasks that are required to complete them. This will help you to identify the different roles and responsibilities that need to be assigned.
    2. Define the roles and responsibilities: Identify the different roles that will be involved in the project and their associated responsibilities. These roles may include project manager, product owner, development team, stakeholders, and any other relevant parties.
    3. Assign RACI roles: Assign a RACI role to each of the identified tasks. The RACI roles are:
      1. Responsible: the person or team who is responsible for completing the task
      2. Accountable: the person who is accountable for the task being completed on time and to the required standard
      3. Consulted: the people or teams who need to be consulted to ensure the task is completed successfully
      4. Informed: the people or teams who need to be informed of the task's progress and outcome
    4. Create the RACI chart: Use the information gathered in the previous steps to create a matrix or chart that shows the tasks, the roles, and the RACI roles assigned to each task.
    5. Review and refine: Review the RACI chart with the project team and stakeholders to ensure that it accurately reflects the roles and responsibilities of everyone involved. Make any necessary revisions and ensure that all parties understand their roles and responsibilities.
    6. Communicate and implement: Communicate the RACI chart to all relevant parties and ensure that it is used as a reference throughout the project. This will help to ensure that everyone understands their role and that tasks are completed on time and to the required standard.

    Input

    • A list of required tasks and activities
    • A list of stakeholders

    Output

    • A list of defined roles and responsibilities for your project

    Materials

    • Agile Requirements Workbook

    Participants

    • Business Analyst(s)
    • Project Team
    • Sponsor/Executive
    • Relevant Stakeholders

    A Case Study in Team Formation

    Industry: Anonymous Organization in the Energy sector
    Source: Interview

    Challenge

    Agile teams were struggling to deliver within a defined sprint, as there were consistent delays in requirements meeting the definition of ready for development. As such, sprints were often delayed, or key requirements were descoped and deferred to a future sprint.

    During a given two-week sprint cycle, the business analyst assigned to the team would be working along multiple horizons, completing elicitation, analysis, and validation, while concurrently supporting the sprint and dealing with stakeholder changes.

    Solution

    As a part of addressing this ongoing pain, a pilot program was run to add a second business analyst to the team.

    The intent was, as one is engaged preparing requirements through elicitation, analysis, and validation for a future sprint, the second is supporting the current sprint cycle, and gaining insights from stakeholders to refine the requirements backlog.

    Essentially, these two were leap-frogging each other in time. At all times, one BA was focused on the present, and one on the future.

    Result

    A happier team, more satisfied stakeholders, and consistent delivery of features and functions by the Agile teams. The pilot team outperformed all other Agile teams in the organization, and the "2 BA" approach was made the new standard.

    Understanding the Agile requirements process

    Shorter cycles make effective requirements management more necessary, not less

    Short development cycles can make requirements management more difficult because they often result in a higher rate of change to the requirements. In a shorter timeframe, there is less time to gather and verify requirements, leading to a higher likelihood of poor or incomplete requirements. Additionally, there may be more pressure to make decisions quickly, which can lead to less thorough analysis and validation of requirements. This can make it more challenging to ensure that the final solution meets the needs of the stakeholders.
    When planning your requirements cycles, it's important to consider;

    • Your sprint logistics (how long?)
    • Your release plan (at the end of every sprint, monthly, quarterly?)
    • How the backlog will be managed (as tickets, on a visual medium, such as a Kanban board?)
    • How will you manage communication?
    • How will you monitor progress?
    • How will future sprint planning happen?

    Info-Tech's Agile requirements framework

    Sprint N(-1)

    Sprint N

    Sprint N(+1)

    An image of Sprint N(-1) An image of Sprint N An image of Sprint N(+1)

    Changes from waterfall to Agile

    Gathering and documenting requirements: Requirements are discovered and refined throughout the project, rather than being gathered and documented up front. This can be difficult for business analysts who are used to working in a waterfall environment where all requirements are gathered and documented before development begins.
    Prioritization of requirements: Requirements are prioritized based on their value to the customer and the team's ability to deliver them. This can be difficult for business analysts who are used to prioritizing requirements based on the client's needs or their own understanding of what is important.

    Defining acceptance criteria: Acceptance criteria are defined for each user story to ensure that the team understands what needs to be delivered. Business analysts need to understand how to write effective acceptance criteria and how to use them to ensure that the team delivers what the customer needs.
    Supporting Testing and QA: The business analyst plays a role in ensuring that testing (and test cases) are completed and of proper quality, as defined in the requirements.

    Managing changing requirements: It is expected that requirements will change throughout the project. Business analysts need to be able to adapt quickly to changing requirements and ensure that the team is aware of the changes and how they will impact the project.
    Collaboration with stakeholders: Requirements are gathered from a variety of stakeholders, including customers, users, and team members. Business analysts need to be able to work effectively with all stakeholders to gather and refine requirements and ensure that the team is building the right product.

    3.1.2 Define your Agile requirements process

    Estimated time: 60 Minutes

    1. Gather all relevant stakeholders to discuss and define your process for requirements management.
    2. Have a team member facilitate the session to define the process. The sample in the Agile Requirements Workbook can be used optionally as a starting point. You can also use any existing processes and procedures as a baseline.
    3. Gain agreement on the process from all involved stakeholders.
    4. Revisit the process periodically to review its performance and make adjustments as needed.

    NOTE: The process is intended to be at a high enough level to leave space and flexibility for team members to adapt and adjust, but at a sufficient depth that everyone understands the process and workflows. In other words, the process will be both flexible and rigid, and the two are not mutually exclusive.

    Input

    • Project team and RACI
    • Existing Process (if available)

    Output

    • A process for Agile requirements that is flexible yet rigid

    Materials

    • Agile Requirements Workbook

    Participants

    • Business Analyst(s)
    • Project Team
    • Sponsor/Executive
    • Relevant Stakeholders

    Establish the right level of governance and decision-making

    Establishing the right level of governance and decision making is important in Agile requirements because there is a cost to decision making, as time plays an important factor. Even the failure to decide can have significant impacts.

    Good governance and decision-making practices can help to minimize risks, ensure that requirements are well understood and managed, and that project progress is tracked and reported effectively.

    In Agile environments, this often involves establishing clear roles and responsibilities, implementing effective communication and collaboration practices, and ensuring that decision-making processes are efficient and effective.

    Good requirements management practices can help to ensure that projects are aligned with organizational goals and strategy, that stakeholders' needs are understood and addressed, and that deliverables are of high quality and meet the needs of the business.

    By ensuring that governance and decision-making is effective, organizations can improve the chances of project success, and deliver value to the business. Risks and costs can be mitigated by staying small and nimble.

    Check out Make Your IT Governance Adaptable

    Develop an adaptive governance process

    A pyramid, with the number 4 at the apex, and the number 1 at the base. In order from base-apex, the following titles are found to the right of the pyramid: Ad-Hoc governance; Controlled Governance; Agile Governance; Embedded/Automated governance.

    Maturing governance is a journey

    Organizations should look to progress in their governance stages. Ad-hoc and controlled governance tends to be slow, expensive, and a poor fit for modern practices.

    The goal as you progress through your stages is to delegate governance and empower teams to make optimal decisions in real-time, knowing that they are aligned with the understood best interests of the organization.

    Automate governance for optimal velocity, while mitigating risks and driving value.

    This puts your organization in the best position to be adaptive and able to react effectively to volatility and uncertainty.

    A graph charting Trust and empowerment on the x-axis, and Progress Integration on the Y axis.

    Five key principles for building an adaptive governance framework

    Delegate and empower

    Decision making must be delegated down within the organization, and all resources must be empowered and supported to make effective decisions.

    Define outcomes

    Outcomes and goals must be clearly articulated and understood across the organization to ensure decisions are in line and stay within reasonable boundaries.

    Make risk- informed decisions

    Integrated risk information must be available with sufficient data to support decision making and design approaches at all levels of the organization.

    Embed / automate

    Governance standards and activities need to be embedded in processes and practices. Optimal governance reduces its manual footprint while remaining viable. This also allows for more dynamic adaptation.

    Establish standards and behavior

    Standards and policies need to be defined as the foundation for embedding governance practices organizationally. These guardrails will create boundaries to reinforce delegated decision making.

    Sufficient decision-making power should be given to your Agile teams

    Push the decision-making process down to your pilot teams.

    • Bring your business stakeholders and subject matter experts together to identify the potential high-level risks.
    • Bring your business stakeholders and subject matter experts together to identify the potential high-level risks.
    • Discuss with the business the level of risk they are willing to accept.
    • Define the level of authority project teams have in making critical decisions.

    "Push the decision making down as far as possible, down to the point where sprint teams completely coordinate all the integration, development, and design. What I push up the management chain is risk taking. [Management] decides what level of risk they are willing to take and [they] demonstrate that by the amount of decision making you push down."
    – Senior Manager, Canadian P&C Insurance Company, Info-Tech Interview

    Step 3.2

    Define Your Level of Acceptable Documentation

    Activities

    3.2.1 Calculate the cost of documentation

    This step involves the following participants:

    • Business Analyst(s)
    • Project Team
    • Relevant Stakeholders

    Outcomes of this step

    • Quantified cost of documentation produced for your Agile project.

    Defining Your Requirements Thresholds

    Right-size Your Documentation

    Why do we need it, and what purpose does it serve?

    Before creating any documentation, consider why; why are you creating documentation, and what purpose is it expected to serve?
    Is it:

    • … to gain approval?
    • … to facilitate decision-making?
    • .. to allow the team to think through a challenge or compare solution options?

    Next, consider what level of documentation would be acceptable and 'enough' for your stakeholders. Recognize that 'enough' will depend on your stakeholder's personal definition and perspective.
    There may also be considerations for maintaining documentation for the purposes of compliance, and auditability in some contexts and industries.
    The point is not to eliminate all documentation, but rather, to question why we're producing it, so that we can create just enough to deliver value.

    "What does the next person need to do their work well, to gain or create a shared understanding?"
    - Filip Hendrickx, Innovating BA and Founder, altershape

    Documentation comes at a cost

    We need to quantify the cost of documentation, against the expected benefit

    All things take time, and that would imply that all things have an inherent cost. We often don't think in these terms, as it's just the work we do, and costs are only associated with activities requiring additional capital expenditure. Documentation of requirements can come at a cost in terms of time and resources. Creating and maintaining detailed documentation requires effort from project team members, which could be spent on other aspects of the project such as development or testing. Additionally, there may be costs associated with storing and distributing the documentation.

    When creating documentation, we are making a decision. There is an opportunity cost of investing time to create, and concurrently, not working on other activities. Documentation of requirements can come at a cost in terms of time and resources. Creating and maintaining detailed documentation requires effort from project team members, which could be spent on other aspects of the project such as development or testing. Additionally, there may be costs associated with storing and distributing the documentation.

    In order to make better informed decisions about the types, quantity and even quality of the documentation we are producing, we need to capture that data. To ensure we are receiving good value for our documentation, we should compare the expected costs to the expected benefits of a sprint or project.

    3.2.1 Calculate the cost of documentation

    Estimated time: as needed

    1. Use this tool to quantify the cost of creating and maintaining current state documentation for your Agile requirements team. It provides an indication, via the Documentation Cost Index, of when your project is documenting excessively, relative to the expected benefits of the sprint or project.
    2. In Step 1, enter the hourly rate for the person (or persons) completing the business analysis function for your Agile team. NB: This does not have to be a person with the title of business analyst. If there are multiple people fulfilling this role, enter the average rate (if their rates are same or similar) or a weighted average (if there is a significant range in the hourly rate)
    3. In Step 2, enter the expected benefit (in $) for the sprint or project.
    4. In Step 3, enter the total number of hours spent on each task/activity during the sprint or project. Use blank spaces as needed to add tasks and activities not listed.
    5. In Step 4, you'll find the Documentation Cost Index, which compares your total documentation cost to the expected benefits. The cell will show green when the value is < 0.8, yellow between 0.8 and 1, and red when >1.
    6. Use the information to plan future sprints and documentation needs, identify opportunities for improvement in your requirements practice, and find balance in "just enough" documentation.

    Input

    • Project team and RACI
    • Existing Process (if available)

    Output

    • A process for Agile requirements that is flexible yet rigid

    Materials

    • Agile Requirements Workbook

    Participants

    • Business Analyst(s)
    • Project Team
    • Sponsor/Executive
    • Relevant Stakeholders

    Lack of documentation also comes at a cost

    Lack of documentation can bring costs to Agile projects in a few different ways.

    • Onboarding new team members
    • Improving efficiency
    • Knowledge management
    • Auditing and compliance
    • Project visibility
    • Maintaining code

    Info-Tech Insight

    Re-using deliverables (documentation, process, product, etc.) is important in maintaining the velocity of work. If you find yourself constantly recreating your current state documentation at the start of a project, it's hard to deliver with agility.

    Step 3.3

    Manage Requirements as an Asset

    Activities

    3.3.1 Discuss your current perspectives on requirements as assets

    This step involves the following participants:

    • Business Analyst(s)
    • Project Team
    • Relevant Stakeholders

    Outcomes of this step

    • Awareness of the value in, and tactics for enabling effective management of requirements as assets

    Defining Your Requirements Thresholds

    What do we mean by "assets"?

    And when do requirements become assets?

    In order to delivery with agility, you need to maximize the re-usability of artifacts. These artifacts could take the form of current state documentation, user stories, test cases, and yes, even requirements for re-use.
    Think of it like a library for understanding where your organization is today. Understanding the people, processes, and technology, in one convenient location. These artifacts become assets when we choose to retain them, rather than discard them at the end of a project, when we think they'll no longer be needed.
    And just like finding a single book in a vast library, we need to ensure our assets can be found when we need them. And this means making them searchable.
    We can do this by establishing criteria for requirements and artifact reuse;

    • What business need and benefit is it aligned to?
    • What metadata needs to be attached, related to source, status, subject, author, permissions, type, etc.?
    • Where will it be stored for ease of retrieval?

    Info-Tech Insight

    When writing requirements for products or services, write them for the need first, and not simply for what is changing.

    The benefits of managing requirements as assets

    Retention of knowledge in a knowledge base that allows the team to retain current business requirements, process documentation, business rules, and any other relevant information.
    A clearly defined scope to reduce stakeholder, business, and compliance conflicts.
    Impact analysis of changes to the current organizational assets.

    Source: Requirement Engineering Magazine, 2017.

    A case study in creating an asset repository

    Industry: Anonymous Organization in the Government sector
    Source: Interview

    Challenge

    A large government organization faced a challenge with managing requirements, processes, and project artifacts with any consistency.

    Historically, their documentation was lacking, with multiple versions existing in email sent folders and manila folders no one could find. Confirming the current state at any given time meant the heavy lift of re-documenting and validating, so that effort was avoided for an excessive period.

    Then there was a request for audit and compliance, to review their existing documentation practices. With nothing concrete to show, drastic recommendations were made to ensure this practice would end.

    Solution

    A small but effective team was created to compile and (if not available) document all existing project and product documentation, including processes, requirements, artifacts, business cases, etc.

    A single repository was built and demonstrated to key stakeholders to ensure it would satisfy the needs of the audit and compliance group.

    Result

    A single source of truth for the organization, which was;

    • Accessible (view access to the entire organization).
    • Transparent (anyone could see and understand the process and requirements as intended).
    • A baseline for continuous improvement, as it was clear what the one defined "best way" was.
    • Current, where no one retained current documentation outside of this library.

    3.3.1 Discuss your current perspectives on requirements as assets

    Estimated time: 30 Minutes

    1. Gather all relevant stakeholder to share perspectives on the use of requirements as assets, historically in the organization.
    2. Have a team member facilitate the session. It is optional to document the findings.
    3. After looking at the historical use of requirements as assets, discuss the potential uses, benefits, and drawbacks of managing as assets in the target state.

    Input

    • Participant knowledge and experience

    Output

    • A shared perspective and history on requirements as assets

    Materials

    • A method for data capture (optional)

    Participants

    • Business Analyst(s)
    • Project Team
    • Sponsor/Executive
    • Relevant Stakeholders

    Apply changes to baseline documentation

    Baseline + Release Changes = New Baseline

    • Start from baseline documentation dramatically to reduce cost and risk
    • Treat all scope as changes to baseline requirements
    • Sum of changes in the release scope
    • Sum of changes and original baseline becomes the new baseline
    • May take additional time and effort to maintain accurate baseline

    What is the right tool?

    While an Excel spreadsheet is great to start off, its limitations will become apparent as your product delivery process becomes more complex. Look at these solutions to continue your journey in managing your Agile requirements:

    Step 3.4

    Define Your Requirements Change Management Plan

    Activities

    3.4.1 Triage your requirements

    This step involves the following participants:

    • Business Analyst(s)
    • Project Team
    • Relevant Stakeholders

    Outcomes of this step

    • An approach for determining the appropriate level of governance over changes to requirements.

    Expect and embrace change

    In Agile development, change is expected and embraced. Instead of trying to rigidly follow a plan that may become outdated, Agile teams focus on regularly reassessing their priorities and adapting their plans accordingly. This means that the requirements can change often, and it's important for the team to have a process in place for managing these changes.

    A common approach to managing change in Agile is to use a technique called "backlog refinement." Where previously we populated our backlog with requirements to get them ready for development and deployment, this involves regularly reviewing and updating the list of work to be done. The team will prioritize the items on the evolving backlog, and the prioritized items will be worked on during the next sprint. This allows the team to quickly respond to changes in requirements and stay focused on the most important work.

    Another key aspect of managing change in Agile is effective communication. The team should have regular meetings, such as daily stand-up meetings or weekly sprint planning meetings, to discuss any changes in requirements and ensure that everyone is on the same page.

    Best practices in change and backlog refinement

    Communicate

    Clearly communicate your change process, criteria, and any techniques, tools, and templates that are part of your approach.

    Understand impacts/risks

    Maintain consistent control and communication and ensure that an impact assessment is completed. This is key to managing risks.

    Leverage tools

    Leverage tools when you have them available. This could be a Requirements Management system, a defect/change log, or even by turning on "track changes" in your documents.

    Cross-reference

    For every change, define the source of the change, the reason for the change, key dates for decisions, and any supporting documentation.

    Communicate the reason, and stay on message throughout the change

    Leaders of successful change spend considerable time developing a powerful change message: a compelling narrative that articulates the desired end state and makes the change concrete and meaningful to staff. They create the change vision with staff to build ownership and commitment.

    • The change message should:
    • Explain why the change is needed.
    • Summarize the things that will stay the same.
    • Highlight the things that will be left behind.
    • Emphasize the things that are being changed.
    • Explain how the change will be implemented.
    • Address how the change will affect the various roles in the organization.
    • Discuss staff's role in making the change successful.

    The five elements of communicating the reason for the change:

    An image of a cycle, including the five elements for communicating the reason for change. these include: What will the role be for each department and individual?; What is the change?; Why are we doing it?; How are we going to go about it?; How long will it take us?

    How to make the management of changes more effective

    Key decisions and considerations

    How will changes to requirements be codified?
    How will intake happen?

    • What is the submission process?
    • Who has approval to submit?
    • What information is needed to submit a request?

    How will potential changes be triaged and evaluated?

    • What criteria will be used to assess the impact and urgency of the potential change?
    • How will you treat material and non-material changes?

    What is the review and approval process?

    • How will acceptance or rejection status be communicated to the submitter?

    3.4.1 Triage Your requirements

    An image of an inverted triangle, with the top being labeled: No Material Impact, the middle being labeled: Material impact; and the bottom being labeled: Governance Impact. To the right of the image, are text boxes elaborating on each heading.

    If there's no material impact, update and move on

    An image of an inverted triangle, with the top being labeled: No Material Impact, the middle being labeled: Material impact; and the bottom being labeled: Governance Impact. To the right of the image, is a cycle including the following terms: Validate change; Update requirements; Track change (log); Package and communicate

    Material changes require oversight and approval

    An image of an inverted triangle, with the top being labeled: No Material Impact, the middle being labeled: Material impact; and the bottom being labeled: Governance Impact. To the right of the image, is a cycle including the following terms: Define impact; Revise; Change control needed?; Implement change.

    Planning Your Next Steps

    Phase 4

    Planning Your Next Steps

    Phase 1Phase 2Phase 3Phase 4

    1.1 Understand the benefits and limitations of Agile and business analysis

    1.2 Align Agile and business analysis within your organization

    2.1 Confirm the best-fit approach for delivery

    2.2 manage your requirements backlog

    3.1 Define project roles and responsibilities

    3.2 define your level of acceptable documentation

    3.3 Manage requirements as an asset

    3.4 Define your requirements change management plan

    4.1 Preparing new ways of working

    4.2 Develop a roadmap for next steps

    This phase will walk you through the following activities:

    • Completing Your Agile Requirements Playbook
    • EXERCISE: Capability Gap List

    This phase involves the following participants:

    • Business Analyst(s)
    • Project Team
    • Sponsor/Executive
    • Relevant Stakeholders

    Managing Requirements in an Agile Environment

    Step 4.1

    Preparing New Ways of Working

    Activities

    4.1.1 Define your communication plan

    Planning Your Next Steps

    This step involves the following participants:

    • Business Analyst(s)
    • Project Team
    • Sponsor/Executive
    • Relevant Stakeholders

    Outcomes of this step

    • Recognize the changes required on the team and within the broader organization, to bring stakeholders on board.

    How we do requirements work will change

    • Team formation and interaction
    • Stakeholder engagement and communication
    • The timing and sequencing of their work
    • Decision-making
    • Documentation
    • Dealing with change

    As a result, you'll need to focus on;

    Emphasizing flexibility: In Agile organizations, there is a greater emphasis on flexibility and the ability to adapt to change. This means that requirements may evolve over time and may not be fully defined at the beginning of the project.
    Enabling continuous delivery: Agile organizations often use continuous delivery methods, which means that new features and functionality are delivered to users on a regular basis. This requires a more iterative approach to requirements management, as new requirements may be identified and prioritized during the delivery process.
    Enhancing collaboration and communication: Agile organizations place a greater emphasis on collaboration and communication between team members, stakeholders, and customers.
    Developing a user-centered approach: Agile organizations often take a user-centered approach to requirements gathering, which means that the needs and goals of the end-user are prioritized.

    Change within the team, and in the broader organization

    How to build an effective blend Agile and requirements management

    Within the team

    • Meetings should happen as needed
    • Handoffs should be clear and concise
    • Interactions should add value
    • Stand-ups should similarly add value, and shouldn't be for status updates

    Within the organization

    • PMO inclusion, to ensure alignment across the organization
    • Business/Operating areas, to recognize what they are committing to for time, resources, etc.
    • Finance, for how your project or product is funded
    • Governance and oversight, to ensure velocity is maintained

    "Whether in an Agile environment or not, collaboration and relationships are still required and important…how you collaborate, communicate, and how you build relationships are key."
    - Paula Bell, CEO, Paula A. Bell Consulting

    Get stakeholders on board with Agile requirements

    1. Stakeholder feedback and management support are key components of successful Agile requirements.
    2. Stakeholders can see a project's progression and provide critical feedback about its success at critical milestones.
    3. Management helps teams succeed by trusting them to complete projects with business value at top of mind and by removing impediments that are inhibiting their productivity.
    4. Agile will bring a new mindset and significant amounts of people, process, and technology changes that stakeholders and management may not be accustomed to. Working through these issues in requirements management enables a smoother rollout.
    5. Management will play a key role in ensuring long-term Agile requirements success and ultimately rolling it out to the rest of the organization.
    6. The value of leadership involvement has not changed even though responsibilities will. The day-to-day involvement in projects will change but continual feedback will ultimately dictate the success or failure of a project.

    4.1.1 Define your communication plan

    Estimated time: 60 Minutes

      1. Gather all relevant stakeholder to create a communication plan for project or product stakeholders.
      2. Have a team member facilitate the session.
      3. Identify
      4. ;
        1. Each stakeholder
        2. The nature of information they are interested in
        3. The channel or medium best to communicate with them
        4. The frequency of communication
      5. (Optional) Consider validating the results with the stakeholders, if not present.
      6. Document the results in the Agile Requirements Workbook and include in Agile Requirements Playbook.
      7. Revisit as needed, whether at the beginning of a new initiative, or over time, to ensure the content is still valid.

    Input

    • Participant knowledge and experience

    Output

    • A plan for communicating with stakeholders

    Materials

    • Agile Requirements Workbook

    Participants

    • Business Analyst(s)
    • Project Team

    Step 4.2

    Develop a Roadmap for Next Steps

    Activities

    4.2.1 Develop your Agile requirements action plan

    4.2.2 Prioritize with now, next, later

    This step involves the following participants:

    • Business Analyst(s)
    • Project Team
    • Sponsor/Executive
    • Relevant Stakeholders

    Outcomes of this step

    • A comprehensive and prioritized list of opportunities and improvements to be made to mature the Agile requirements practice.

    Planning Your Next Steps

    Identify opportunities to improve and close gaps

    Maturing at multiple levels

    With a mindset of continuous improvement, there is always some way we can get better.

    As you mature your Agile requirements practice, recognize that those gaps for improvement can come from multiple levels, from the organizational down to the individual.

    Each level will bring challenges and opportunities.

    The organization

    • Organizational culture
    • Organizational behavior
    • Political will
    • Unsupportive stakeholders

    The team

    • Current ways of working
    • Team standards, norms and values

    The individual

    • Practitioner skills
    • Practitioner experience
    • Level of training received

    Make sure your organization is ready to transition to Agile requirements management

    A cycle is depicted, with the following Terms: Learning; Automation; Integrated teams; Metrics and governance; Culture.

    Learning:

    Agile is a radical change in how people work
    and think. Structured, facilitated learning is required throughout the transformation to
    help leaders and practitioners go from

    doing Agile to being Agile.

    Automation:

    While Agile is tool-agnostic at its roots, Agile work management tools and DevOps inspired SDLC tools that have become a key part of Agile practices.

    Integrated Teams:


    While temporary project teams can get some benefits from Agile, standing, self-organizing teams that cross business, delivery, and operations are essential to gain the full benefits of Agile.

    Metrics and Governance:

    Successful Agile implementations
    require the disciplined use

    of delivery and operations
    metrics that support governance focused on developing better teams.

    Culture:

    Agile teams believe that value is best created by standing, self-organizing cross-functional teams who deliver sustainably in frequent,
    short increments supported by leaders
    who coach them through challenges.

    Info-Tech Insight

    Agile gaps may only have a short-term, perceived benefit. For example, coding without a team mindset can allow for maximum speed to market for a seasoned developer. Post-deployment maintenance initiatives, however, often lock the single developer as no one else understands the rationale for the decisions that were made.

    4.2.1 Develop your Agile requirements action plan

    Estimated time: 60 Minutes

    1. Gather all relevant stakeholder to create a road map and action plan for requirements management.
    2. Have a team member facilitate the session using the results of the Agile Requirements Maturity Assessment.
    3. Identify gaps from current to future state and brainstorm possible actions that can be taken to address those gaps. Resist the urge to analyze or discuss the feasibility of each idea at this stage. The intent is idea generation.
    4. When the group has exhausted all ideas, the facilitator should group like ideas together, with support from participants. Discuss any ideas that are unclear or ambiguous.
    5. Document the results in the Agile Requirements Workbook.

    Note: the feasibility and timing of the ideas will happen in the following "Now, Next, Later" exercise.

    Prioritize your roadmap

    Taking steps to mature your Agile requirements practice.

    An image of the Now; Next; Later technique.

    The "Now, Next, Later" technique is a method for prioritizing and planning improvements or tasks. This involves breaking down a list of tasks or improvements into three categories:

    • "Now" tasks are those that must be completed immediately. These tasks are usually urgent or critical, and they must be completed to keep the project or organization running smoothly.
    • "Next" tasks are those that should be completed soon. These tasks are not as critical as "now" tasks, but they are still important and should be tackled relatively soon.
    • "Later" tasks are those that can be completed later. These tasks are less critical and can be deferred without causing major problems.

    By using this technique, you can prioritize and plan the most important tasks first, while also allowing for flexibility and the ability to adjust plans as necessary.
    This process also helps you get a clear picture on what needs to be done first and what can be done later. This way you can work on the most important things first, and keep track of what you need to do next, for keeping the development/improvement process smooth and efficient.

    Monitor your progress

    Monitoring progress is important in achieving your target state. Be deliberate with your actions, to continue to mature your Agile requirements practice.

    As you navigate toward your target state, continue to monitor your progress, your successes, and your challenges. As your Agile requirements practice matures, you should see improvements in the stated metrics below.

    Establish a cadence to review these metrics, as well as how you are progressing on your roadmap, against the plan.

    This is not about adding work, but rather, about ensuring you're heading in the right direction; finding the balance in your Agile requirements practice.

    Metric
    Team satisfaction (%) Expect team satisfaction to increase as a result of clearer role delineation and value contribution.
    Stakeholder satisfaction (%) Expect stakeholder satisfaction to similarly increase, as requirements quality increases, bringing increased value.
    Requirements rework Measures the quality of requirements from your Agile projects. Expect that the requirements rework will decrease, in terms of volume/frequency.
    Cost of documentation Quantifies the cost of documentation, including elicitation, analysis, validation, presentation, and management.
    Time to delivery Balancing metric. We don't want improvements in other at the expense of time to delivery.

    Appendix

    Research Contributors and Experts

    This is a picture of Emal Bariali

    Emal Bariali
    Business Architect & Business Analyst
    Bariali Consulting

    Emal Bariali is a Senior Business Analyst and Business Architect with 17 years of experience, executing nearly 20 projects. He has experience in both waterfall and Agile methodologies and has delivered solutions in a variety of forms, including custom builds and turnkey projects. He holds a Master's degree in Information Systems from the University of Toronto, a Bachelor's degree in Information Technology from York University, and a post-diploma in Software & Database Development from Seneca College.

    This is a picture of Paula Bell

    Paula Bell
    Paula A. Bell Consulting, LLC

    Paula Bell is the CEO of Paula A Bell Consulting, LLC. She is a Business Analyst, Leadership and Career Development coach, consultant, speaker, and author with 21+ years of experience in corporate America in project roles including business analyst, requirements manager, business initiatives manager, business process quality manager, technical writer, project manager, developer, test lead, and implementation lead. Paula has experience in a variety of industries including media, courts, manufacturing, and financial. Paula has led multiple highly-visible multi-million-dollar technology and business projects to create solutions to transform businesses as either a consultant, senior business analyst, or manager.

    Currently she is Director of Operations for Bridging the Gap, where she oversees the entire operation and their main flagship certification program.

    This is a picture of Ryan Folster

    Ryan Folster
    Consulting Services Manager, Business Analysis
    Dimension Data

    Ryan Folster is a Business Analyst Lead and Product Professional from Johannesburg, South Africa. His strong focus on innovation and his involvement in the business analysis community have seen Ryan develop professionally from a small company, serving a small number of users, to large multi-national organizations. Having merged into business analysis through the business domain, Ryan has developed a firm grounding and provides context to the methodologies applied to clients and projects he is working on. Ryan has gained exposure to the Human Resources, Asset Management, and Financial Services sectors, working on projects that span from Enterprise Line of Business Software to BI and Compliance.

    Ryan is also heavily involved in the local chapter of IIBA®; having previously served as the chapter president, he currently serves as a non-executive board member. Ryan is passionate about the role a Business Analyst plays within an organization and is a firm believer that the role will develop further in the future and become a crucial aspect of any successful business.

    This is a picture of Filip Hendrickx

    Filip Hendrickx
    Innovating BA, Visiting Professor @ VUB
    altershape

    Filip loves bridging business analysis and innovation and mixes both in his work as speaker, trainer, coach, and consultant.

    As co-founder of the BA & Beyond Conference and IIBA Brussels Chapter president, Filip helps support the BA profession and grow the BA community in and around Belgium. For these activities, Filip received the 2022 IIBA® EMEA Region Volunteer of the Year Award.

    Together with Ian Richards, Filip is the author ofBrainy Glue, a business novel on business analysis, innovation and change. Filip is also co-author of the BCS book Digital Product Management and Cycles, a book, method and toolkit enabling faster innovation.

    This is a picture of Fabricio Laguna

    Fabricio Laguna
    Professional Speaker, Consultant, and Trainer
    TheBrazilianBA.com

    Fabrício Laguna, aka The Brazilian BA, is the main reference on business analysis in Brazil. Author and producer of videos, articles, classes, lectures, and playful content, he can explain complex things in a simple and easy-to-understand way. IIBA Brazil Chapter president between 2012-2022. CBAP, AAC, CPOA, PMP, MBA. Consultant and instructor for more than 25 years working with business analysis, methodology, solution development, systems analysis, project management, business architecture, and systems architecture. His online courses are approved by students from 65 countries.

    This is a picture of Ryland Leyton

    Ryland Leyton
    Business Analyst and Agile Coach
    Independent Consultant

    Ryland Leyton, CBAP, PMP, CSM, is an avid Agile advocate and coach, business analyst, author, speaker, and educator. He has worked in the technology sector since 1998, starting off with database and web programming, gradually moving through project management and finding his passion in the BA and Agile fields. He has been a core team member of the IIBA Extension to the BABOK and the IIBA Agile Analysis Certification. Ryland has written popular books on agility, business analysis, and career. He can be reached at www.RylandLeyton.com.

    This is a picture of Steve Jones

    Steve Jones
    Supervisor, Market Support Business Analysis
    ISO New England

    Steve is a passionate analyst and BA manager with more than 20 years of experience in improving processes, services and software, working across all areas of software development lifecycle, business change and business analysis. He rejoices in solving complex business problems and increasing process reproducibility and compliance through the application of business analysis tools and techniques.

    Steve is currently serving as VP of Education for IIBA Hartford. He is a CBAP, certified SAFe Product Owner/Product Manager, Six Sigma Green Belt, and holds an MS in Information Management and Communications.

    This is a picture of Angela Wick

    Angela Wick
    Founder
    BA-Squared and BA-Cube

    Founder of BA-Squared and BA-Cube.com, Angela is passionate about teaching practical, modern product ownership and BA skills. With over 20 years' experience she takes BA skills to the next level and into the future!
    Angela is also a LinkedIn Learning instructor on Agile product ownership and business analysis, an IC-Agile Authorized Trainer, Product Owner and BA highly-rated trainer, highly-rated speaker, sought-after workshop facilitator, and contributor to many industry publications, including:

    • IIBA BABOK v3 Core Team, leading author on the BABOK v3
    • Expert Reviewer, IIBA Agile Extension to the BABOK
    • PMI BA Practice Guide – Expert Reviewer
    • PMI Requirements Management Practice Guide – Expert Reviewer
    • IIBA Competency Model – Lead Author and Team Lead, V1, V2, and V3.

    This is a picture of Rachael Wilterdink

    Rachael Wilterdink
    Principal Consultant
    Infotech Enterprises

    Rachael Wilterdink is a Principal Consultant with Infotech Enterprises. With over 25 years of IT experience, she holds multiple business analysis and Agile certifications. As a consultant, Rachael has served clients in the financial, retail, manufacturing, healthcare, government, non-profit, and insurance industries. Giving back to the professional community, Ms. Wilterdink served on the boards of her local IIBA® and PMI® chapters. As a passionate public speaker, Rachael presents various topics at conferences and user groups across the country and the world. Rachael is also the author of the popular eBook "40 Agile Transformation Pain Points (and how to avoid or manage them)."

    Bibliography

    "2021 Business Agility Report: Rising to the Challenge." Business Agility, 2021. Accessed 13 June 2022.
    Axure. "The Pitfalls of Agile and How We Got Here". Axure. Accessed 14 November 2022.
    Beck, Kent, et al. "Manifesto for Agile Software Development." Agilemanifesto. 2001.
    Brock, Jon, et al. "Large-Scale IT Projects: From Nightmare to Value Creation." BCG, 25 May 2015.
    Bryar, Colin and Bill Carr. "Have We Taken Agile Too Far?" Harvard Business Review, 9 April 2021. Accessed 11 November, 2022.
    Clarke, Thomas. "When Agile Isn't Responsive to Business Goals" RCG Global Services, Accessed 14 November 2022.
    Digital.ai "The 15th State of Agile Report". Digital.ai. Accessed 21 November 2022.
    Hackshall, Robin. "Product Backlog Refinement." Scrum Alliance. 9 Oct. 2014.
    Hartman, Bob. "New to Agile? INVEST in good user stories." Agile For All.
    IAG Consulting. "Business Analysis Benchmark: Full Report." IAG Consulting, 2009.
    Karlsson, Johan. "Backlog Grooming: Must-Know Tips for High-Value Products." Perforce. 18 May 2018
    KPMG. Agile Transformation (2019 Survey on Agility). KPMG. Accessed November 29.
    Laguna, Fabricio "REQM guidance matrix: A framework to drive requirements management", Requirements Engineering Magazine. 12 September 2017. Accessed 10 November 2022.
    Miller, G. J. (2013). Agile problems, challenges, & failures. Paper presented at PMI® Global Congress 2013—North America, New Orleans, LA. Newtown Square, PA: Project Management Institute.
    Product Management: MoSCoW Prioritization." ProductPlan, n.d. Web.
    Podeswa, Howard "The Business Case for Agile Business Analysis" Requirements Engineering Magazine. 21 February 2017. Accessed 7 November 2022.
    PPM Express. "Why Projects Fail: Business Analysis is the Key". PPM Express. Accessed 16 November 2022.
    Reifer, Donald J. "Quantitative Analysis of Agile Methods Study: Twelve Major Findings." InfoQ, 6 February, 2017.
    Royce, Dr. Winston W. "Managing the Development of Large Software Systems." Scf.usc.edu. 1970. (royce1970.pdf (usc.edu))
    Rubin, Kenneth S. Essential Scrum: A Practical Guide to the Most Popular Agile Process. Pearson Education. 2012.
    Singer, Michael. "15+ Surprising Agile Statistics: Everything You Need To Know About Agile Management". Enterprise Apps Today. 22 August 2022.
    The Standish Group. The Chaos Report, 2015. The Standish Group.

    Where do I go next?

    Improve Requirements Gathering

    Back to basics: great products are built on great requirements.

    Make the Case for Product Delivery

    Align your organization on the practices to deliver what matters most.

    Requirements for Small and Medium Enterprises

    Right-size the guidelines of your requirements gathering process.

    Implement Agile Practices that Work

    Improve collaboration and transparency with the business to minimize project failure.

    Create an Agile-Friendly Gating and Governance Model

    Use Info-Tech's Agile Gating Framework as a guide to gating your Agile projects following a "trust but verify" approach.

    Make Your IT Governance Adaptable

    Governance isn't optional, so keep it simple and make it flexible.

    Deliver on Your Digital Product Vision

    Build a product vision your organization can take from strategy through execution.

    Leadership, Culture and Values

    • Buy Link or Shortcode: {j2store}34|cart{/j2store}
    • Related Products: {j2store}34|crosssells{/j2store}
    • member rating overall impact: 9.4/10
    • member rating average dollars saved: $912
    • member rating average days saved: 7
    • Parent Category Name: People and Resources
    • Parent Category Link: /people-and-resources
    • byline: Build your employee engagement program.

    The challenge

    • Your talent pool determines IT performance and stakeholder satisfaction. You need to retain talent and continually motivate them to go the extra mile.
    • The market for IT talent is growing, in the sense that talent has many more options these days. Turnover is a serious threat to IT's ability to deliver top-notch service to your company.
    • Engagement is more than HR's responsibility. IT leadership is accountable for the retention of top talent and the overall productivity of IT employees.

    Our advice

    Insight

    • Engagement goes both ways. Your initiatives must address a real need, and employees must actively seek the outcomes. Engagement is not a management edict.
    • Engagement is not about access to the latest perks and gadgets. You must address the right and challenging issues. Use a systematic approach to find what lives among the employees and address these.
    • Your impact on your employees is many times bigger than HR's. Leverage your power to lead your team to success and peak performance.

    Impact and results 

    • Our engagement diagnostic and other tools will help get to the root of disengagement in your team.
    • Our guidance helps you to avoid common errors and engagement program pitfalls. They allow you to take control of your own team's engagement.

    The roadmap

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    Get started

    Our concise executive brief shows you why engagement is critical to IT performance in your company. We'll show you our methodology and the ways we can help you in handling this.

    Measure your employee engagement

    You can use our full engagement surveys.

    • Improve Employee Engagement to Drive IT Performance – Phase 1: Measure Employee Engagement (ppt)
    • Engagement Strategy Record (doc)
    • Engagement Communication Template (doc)

    Analyze the results and brainstorm solutions

    Understand your employees' engagement drivers. Involve your team in brainstorming engagement initiatives.

    • Improve Employee Engagement to Drive IT Performance – Phase 2: Analyze Results and Ideate Solutions (ppt)
    • Engagement Survey Results Interpretation Guide (ppt)
    • Full Engagement Survey Focus Group Facilitation Guide (ppt)
    • Pulse Engagement Survey Focus Group Facilitation Guide (ppt)
    • Focus Group Facilitation Guide Driver Definitions (doc)
    • One-on-One Manager Meeting Worksheet (doc)

    Select and implement engagement initiatives

    Choose those initiatives that show the most promise with the most significant impact. Create your action plan and establish transparent and open, and ongoing communication with your team.

    • IT Knowledge Transfer Plan Template (xls)
    • IT Knowledge Identification Interview Guide Template (doc)

    Build your knowledge transfer roadmap

    Knowledge transfer is an ongoing effort. Prioritize and define your initiatives.

    • Improve Employee Engagement to Drive IT Performance – Phase 3: Select and Implement Engagement Initiatives (ppt)
    • Summary of Interdepartmental Engagement Initiatives (doc)
    • Engagement Progress One-Pager (ppt)

     

    Cybersecurity in Healthcare 2024

    Healthcare cybersecurity is a major concern for healthcare organizations and patients alike. In 2024, the healthcare industry faces several cybersecurity challenges, including the growing threat of ransomware, the increasing use of mobile devices in healthcare, and the need to comply with new regulations.

    Continue reading

    There should never be only one.

    • Large vertical image:
    • member rating overall impact: High Impact
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A

    Today, we're talking about a concept that’s both incredibly simple and dangerously overlooked: the single point of failure, or SPOF for short.

    Imagine you’ve built an impenetrable fortress. It has high walls, a deep moat, and strong gates. But the entire fortress can only be accessed through a single wooden bridge. That bridge is your single point of failure. If it collapses or is destroyed, your magnificent fortress is completely cut off. It doesn't matter how strong the rest of it is; that one weak link renders the entire system useless.

    In your work, your team, and your processes and technology, these single bridges are everywhere. A SPOF is any part of a system that, if it stops working, will cause the entire system to shut down. It’s the one critical component, the one indispensable person, or the one vital process that everything else depends on.

    When you identify and fix these weak points you aren't being pessimistic; you're fixing the very foundation of something that can withstand shocks and surprises. It’s about creating truly resilient systems and teams, not just seemingly strong ones. So, let’s explore where these risks hide and what you can do about them.

    When People Become the Problem

    For those of you who know me, saying something like this feels at odds with who I am. And yet, it's one of the most common and riskiest areas in any organization. Human single points of failure don't happen because of malicious intent. They typically grow out of good intentions, hard work, and necessity. But the result is the same: a fragile system completely dependent on an individual.

    The Rise of the Hero

    We all know a colleague like this. The “hero” is the one person who has all the answers. When a critical system goes down at 3 AM, they're the only one who can fix it. They understand the labyrinthine codebase nobody else dares to touch. They have the historical context for every major decision made in the last decade. On the surface, this person is invaluable. Management loves them because they solve problems. The team relies on them because they’re a walking encyclopedia.

    But here’s the inconvenient truth: your hero is your biggest liability.

    This isn’t their fault. They likely became the hero by stepping up when no one else would or could. The hero may actually feel like they are the only ones qualified to handle the issue because “management” does not take the necessary actions to train other people. Or “management” places other priorities. Be aware, this is a perception thing. The manager is very likely to be very concerned about the well-being of their employee. (I'm taking "black companies", akin to black sites, out of the equation for a moment and concentrating on generally healthy workplaces.) The hero will likely feel a strong bond to their environment. Also, every hero is different. There is a single point of failure, but not a single type of person. Every person has a different driver.

    I watched a YouTube video by a famous entrepreneur the other day. And she said something that triggered a response in me, because it sows the seeds of the hero. She said, Would you rather have an employee who just fixes it, handles it, and deals with it? Or an employee that talks about it? Obviously, the large majority will take the person behind door number 1. I would too. But then you need to step up as a manager, as an owner, as an executive, and enforce knowledge sharing.

    If you channel all critical knowledge and capabilities through one person, if you let this person become your go-to specialist for everything, you've created a massive SPOF. What happens when your hero gets sick, takes a well deserved two week vacation to a place with no internet, or leaves the company for a new opportunity? The system grinds to a halt. A minor issue becomes a major crisis because the only person who can fix it is unavailable.

    This overreliance doesn't just create a risk; it stifles growth. Other team members don't get the opportunity to learn and develop new skills because the hero is always there to swoop in and save the day. The answer? I guess that depends on your situation and what your ability is to keep this person happy without alienating the rest of the team. The answer may lie in the options discussed later in the article around KPIs.

    The Knowledge Hoarders

    A step beyond the individual hero is the team that acts as a collective SPOF. This is the team that “protects” its know how. They might use complex, undocumented tools, speak in a language of acronyms only they understand, or resist any attempts to standardize their processes. They've built a silo around their work, making themselves indispensable as a unit.

    Unlike the hero, this often comes from a place of perceived self preservation. If they are the only ones who understand how something works, their jobs are secure, right? But this behavior is incredibly damaging to the organization's resilience. Not to mention that it is just plain wrong. The team becomes inundated with requests for new features, but also for help in solving incidents. The result in numerous instances is that the team succeeds in neither. Next the manager is called to the senior management because the business is complaining that things don't progress as expected. 

    This team thus has become a bottleneck. Any other team that needs to interact with their system is completely at their mercy. Progress slows to a crawl, dependent on their availability and willingness to cooperate. Preservation has turned into survival.  

    The real root cause at the heart of both the hero and the knowledge hoarding team is a failure of knowledge management. When information isn't shared, documented, and made accessible, you are actively choosing to create single points of failure. We'll dive deeper into building a robust knowledge sharing culture in a future article, but for now, recognize that knowledge kept in one person's or team's head is a disaster waiting to happen.

    When Your Technology is a House of Cards

    People aren't the only source of fragility. The way you build and manage your technology stacks can easily create critical SPOFs that leave you vulnerable. These are often less obvious at first, but they can cause dangerous failures when they finally break.

    The Danger of the Single Node

    Let's start with the most straightforward technical SPOF: the single node setup. Imagine you have a critical application like maybe your company's main website or an internal database. If you run that entire application on one single server (a single “node”), you've created a classic SPOF.

    It’s like a restaurant with only one chef. If that chef goes home, the kitchen closes. It doesn't matter how many waiters or tables you have. If that single server experiences a hardware failure, a software crash, or even just needs to be rebooted for an update, your entire service goes offline. There is no failover. The service is simply down until that one machine is fixed, patched or rebooted.

    You need to set up your systems so that when one node goes down, the other takes over. This is not just something for large enterprises. SMEs must do the same. I've had numerous calls from business owners who did something to their web server or system and now “it doesn't work!” Not only are they down, now they have to call me and I then must arrange for subject matter experts to fix it immediately. Typically at a cost much larger than if they had set up their system with active, warm or even cold standbys. 

    The Mystery of Closed Technologies

    Another major risk comes from an overreliance on closed, proprietary technologies. This happens when you build a core part of your business on a piece of software or hardware that you don't control and can't inspect. It’s a “black box.” You know what it’s supposed to do, but you have no idea how it does it, and you can’t fix it if it breaks. When something goes wrong, you are completely at the mercy of the company that created it. You have to submit a support ticket and wait.

    This is actually relatable to the next chapter, please follow along and take the advice there.

    The Trap of Vendor Lock In

    Closely related to closed technology is the concept of vendor lock-in. This is a subtle but powerful SPOF. It happens when you become so deeply integrated with a single vendor's ecosystem that the cost and effort of switching to a competitor are impossibly high. Your vendor effectively becomes a strategic single point of failure. Your ability to innovate, control costs, and pivot your strategy is now tied to the decisions of another company.

    This may even run afoul of legal standards. In Europe, we have the DORA and NIS2 regulations. DORA specifically mandates that companies have exit plans for their systems, starting with their critical and important functions. Functions refers to business services, to be clear. 

    But we get there so easily. The native functions of AWS, Azure and Google Cloud, just to name a few, are very enticing to use. They offer convenience, low code, and performance on tap. It's just that, once you integrate deeply with them, you are taken, hook, line, and sinker. And then you have people like me, or worse, your regulator, who demands “What is your exit plan?”

    Your Resilience Playbook: Practical Steps to Eliminate SPOFs

    Identifying your single points of failure is the first step. The real work is in systematically eliminating them. This isn't about a single, massive project; it's about building new habits and principles into your daily work. Here's a playbook I think you can start using today.

    Mitigate People-Based Risks

    The cure for depending on one person is to create a culture where knowledge is fluid and shared by default. Your goal is to move from individual heroics to collective resilience.

    • Mandate real vacations. This might sound strange, but one of the best ways to reveal and fix a “hero” problem is to make sure your hero takes a real, disconnected vacation. This isn't a punishment; it's a benefit to them and a necessary stress test for the team. It forces others to step up and document their processes in preparation. The first time will be painful, but it gets easier each time as the team builds its own knowledge.

    • Adopt the “teach, don't just do” rule. Coach your senior experts to see their role as multipliers. When someone asks them a question, their first instinct should be to show, not just to do. This can be a five minute screen sharing session, grabbing a colleague to pair program on a fix, or taking ten minutes to write down the answer in a shared knowledge base so it never has to be asked again.

      Many companies have knowledge sharing solutions in place. Take a moment to actually use them. Prepare for when new people come into the company. Have a place where they can get into the groove and learn the heart beat of the company. There is a reason why the Madonna song is so captivating to so many people. Getting into the groove elevates you. And the same thing happens in your company. 

    • Rotate responsibilities and run "game days". Actively move people around. Let a developer handle support tickets for a week to understand common customer issues. Have your infrastructure expert sit with the product team. Also, create “game days” where you simulate a crisis. For example: "Okay team, our lead developer is 'on vacation' today. Let's practice a full deployment without them.” This makes learning safe and proactive.

    • Celebrate team success, not individual firefighting. Shift your praise and recognition. Instead of publicly thanking a single person for working all night to resolve a problem, celebrate the team that built a system so resilient it didn't break in the first place. Reward the team that wrote excellent documentation that allowed a junior member to solve a complex issue. Culture follows what you celebrate. At the same time, if the team does not pony up, definitely praise the person and follow up with the team to fix this.

    • Host internal demos and tech talks. Create a regular, informal forum where people can share what they're working on. This could be a “brown bag lunch” session or a Friday afternoon demo. It demystifies what other teams are doing, breaks down silos, and encourages people to ask questions in a low pressure environment.

    • Remunerate sharing. Make sharing knowledge a bonus-eligible key performance indicator. The more sharing an expert does, with their peers acknowledging this, the more the expert earns. You can easily incorporate this into your peer feedback system. 

    • Run DRP exercises without your top engineers: This is taking a leap of faith, and I would never recommend this until all of the above are in place and proven. 

    Building Resilient Technical Systems

    The core principle here is to assume failure will happen and to design for it. A resilient system isn't one where parts never fail, but one where the system as a whole keeps working even when they do.

    • Embrace the rule of three. This is a simple but powerful guideline. For critical data, aim to have three copies on two different types of media, with one copy stored off-site (or in a different cloud region). For critical services, aim for at least three instances running in different availability zones. This simple rule protects you from a wide range of common failures.

    • Automate everything you can. Every manual process is a potential SPOF. It relies on a person remembering a series of steps perfectly, often under pressure. Automate your testing, your deployments, your server setup, and your backup procedures. Scripts are consistent and repeatable; tired humans at 3 AM are not.

    • Use health checks and smart monitoring. It's not enough to have a backup server; you need to know that it's healthy and ready to take over. Implement automated health checks that constantly monitor your primary and redundant systems. Your monitoring should alert you the moment a backup component fails, not just when the primary one does.

    • Practice chaos engineering. Don't wait for a real failure to test your resilience. Intentionally introduce failures in a controlled environment. This is known as chaos engineering. Start small. What happens if you turn off a non-critical service during work hours? Does the system handle it gracefully? Does the team know how to respond? This turns a potential crisis into a planned, educational drill.

    Avoiding Technology and Vendor Traps

    Your resilience also depends on the choices you make about the technology and partners you rely on. The goal is to maintain control over your destiny.

    • Build abstraction layers. Instead of having your application code talk directly to a specific vendor's service, create an intermediary layer that you control. This “abstraction layer” acts as a buffer. If you ever need to switch vendors, you only have to update your abstraction layer, not your entire application. It’s more work up front but gives you immense flexibility later.

    • Make “ease of exit” a key requirement. When you evaluate a new technology or vendor, make portability a primary concern. Ask tough questions: How do we get our data out? What is the process for migrating to a competitor? Is the technology based on open standards? Run a small proof of concept to test how hard it would be to leave before you commit fully.

    • Consider a multi-vendor strategy. For your most critical dependencies, like cloud hosting, avoid going all in on a single provider if you can. Using services from two or more vendors is an advanced strategy, but it provides the ultimate protection against a massive, platform wide outage or unfavorable changes in pricing or terms.

    It's a journey, not a destination

    You will never be “ready.” Building resilience by eliminating single points of failure isn't a one time project you can check off a list. It’s a continuous process. New SPOFs will emerge as your systems evolve, people change roles, and your business grows.

    The key is to make this thinking a part of your culture. Make “What's the bus factor for this project?” a regular question in your planning meetings. Make redundancy and documentation a non negotiable requirement for new systems. By constantly looking for the one thing that can bring everything down, you can build teams and technology that don't just survive shocks—they eat them for breakfast.

    Adapt Your Customer Experience Strategy to Successfully Weather COVID-19

    • Buy Link or Shortcode: {j2store}536|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Customer Relationship Management
    • Parent Category Link: /customer-relationship-management
    • COVID-19 is an unprecedented global pandemic. It’s creating significant challenges across every sector.
    • Collapse of financial markets and a steep decline in consumer confidence has most firms nervous about revenue shortfalls and cash burn rates.
    • The economic impact of COVID-19 is freezing IT budgets and sharply changing IT priorities.
    • The human impact of COVID-19 is likely to lead to staffing shortfalls and knowledge gaps.
    • COVID-19 may be in play for up to two years.

    Our Advice

    Critical Insight

    The challenges posed by the virus are compounded by the fact that consumer expectations for strong service delivery remain high:

    • Customers still expect timely, on-demand service from the businesses they engage with.
    • There is uncertainty about how to maintain strong, revenue-driving experiences when faced with the operational challenges posed by the virus.
    • COVID-19 is changing how organizations prioritize spending priorities within their CXM strategies.

    Impact and Result

    • Info-Tech recommends rapidly updating your strategy for customer experience management to ensure it can rise to the occasion.
    • Start by assessing the risk COVID-19 poses to your CXM approach and how it’ll impact marketing, sales, and customer service functions.
    • Implement actionable measures to blunt the threat of COVID-19 while protecting revenue, maintaining consistent product and service delivery, and improving the integrity of your brand. We’ll dive into five proven techniques in this brief!

    Adapt Your Customer Experience Strategy to Successfully Weather COVID-19 Research & Tools

    Start here

    Read our concise Executive Brief to find out why you should examine the impact of COVID-19 on customer experience strategy, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Adapt Your Customer Experience Strategy to Successfully Weather COVID-19 Storyboard

    1. Assess the impact of COVID-19 on your CXM strategy

    Create a consolidated, updated view of your current customer experience management strategy and identify which elements can be capitalized on to dampen the impact of COVID-19 and which elements are vulnerabilities that the pandemic may threaten to exacerbate.

    2. Blunt the damage of COVID-19 with new CXM tactics

    Create a roadmap of business and technology initiatives through the lens of customer experience management that can be used to help your organization protect its revenue, maintain customer engagement, and enhance its brand integrity.

    [infographic]

    pricing

    • TymansGroupVideosExcerpt: BasicFor freelancers$19/ month 10 presentations/monthSupport at $25/hour1 campaign/month Choose plan StandardFor medium sized teams$29/ month 50 presentations/month5 hours of free support10 campaigns/month Choose plan EnterpriseFor large companies$79/ month Unlimited presentationsUnlimited supportUnlimited campaigns Choose plan

    Pricing

    Our pricing options will be available soon for simple download,

    In the meantime, please book a free discovery call. No cost, no sales pitch.

    Continue reading

    Modernize Enterprise Storage

    • Buy Link or Shortcode: {j2store}538|cart{/j2store}
    • member rating overall impact: N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Storage & Backup Optimization
    • Parent Category Link: /storage-and-backup-optimization
    • Current storage solutions are nearing end of life, performance or capacity limits.
    • Data continues to grow at an exponential rate, and management complexity is growing even faster. Some kinds of data, like unstructured data, are leading factors in the exponential growth of data.
    • Emerging storage technologies and storage software/automation are disrupting the market and redefining the role of disk arrays, including how storage aligns with people and process.
    • Storage infrastructure budgets are not satisfying the exponential growth of data.

    Our Advice

    Critical Insight

    • Start with the data, not storage. Answer what is being stored and why before investigating the where and how of storage solutions.
    • Governance and archiving are not IT projects. These can have tremendous benefits for managing data growth but must involve the larger business.
    • More capacity is not a long-term solution. Data is growing faster than decreasing storage costs. Data and capacity mitigation strategies will help in more effective and efficient infrastructure utilization and cost reduction.

    Impact and Result

    • It’s about the data. Start with what is being supported and why. Decide on what and how data is stored before you decide on where. Let the needs of your workloads and governance requirements of your business drive your storage infrastructure decisions and the technologies you adopt.
    • Identify current and future capacity needs for current and future data drivers. Evaluating the ability of current infrastructure to meet these needs will help you discover necessary additions to meet these requirements.
    • Identify governance requirements and constraints that exist across the organization and are specific to workloads. Technology has to conform to these requirements and constraints, not the other way around.
    • Align people and process with technology changes. To effectively utilize the changes in storage, appropriate changes must be made to existing people and process.

    Modernize Enterprise Storage Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should modernize enterprise storage, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build the case for storage modernization

    Develop the business case for modernizing storage and assess your existing infrastructure for meeting data needs.

    • Modernize Enterprise Storage – Phase 1: Build the Case for Storage Modernization
    • Modernize Enterprise Storage Workbook

    2. Develop your storage technology needs and goals

    Review data governance, explore emerging storage technologies, and identify current and future storage needs.

    • Modernize Enterprise Storage – Phase 2: Develop Your Storage Technology Needs and Goals
    • Evaluate Hyperconverged Infrastructure for Your Infrastructure Roadmap
    • Evaluate Software-Defined Storage Solutions for Your Infrastructure Roadmap
    • Evaluate All Flash in Primary Storage for Your Infrastructure Roadmap
    • Infrastructure Roadmap Technology Assessment Tool

    3. Develop and communicate the roadmap, TCO, and RFP

    Communicate the roadmap with people, process, and technology initiatives, develop an RFP, and conduct a TCO.

    • Modernize Enterprise Storage – Phase 3: Develop and Communicate the Roadmap and RFP
    • Modernize Enterprise Storage Communications Report
    [infographic]

    Workshop: Modernize Enterprise Storage

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Identify Business Case and Assess Current State

    The Purpose

    Identify a business case and need for storage modernization by assessing current and future storage needs.

    Key Benefits Achieved

    A clear understanding of the business expectations and needs of storage infrastructure.

    Activities

    1.1 Identify current storage pain points.

    1.2 Discuss storage modernization drivers.

    1.3 Identify data growth drivers.

    1.4 Determine relative growth burden.

    Outputs

    Alignment of storage modernization with organizational pain points

    Desired outcomes of storage modernization

    An understanding of growth impact across drivers

    An understanding of capacity and expansion needs

    2 Review Governance and Emerging Technologies

    The Purpose

    Review existing data governance.

    Explore emerging technologies and trends in the storage space.

    Key Benefits Achieved

    Review data governance objectives that must be met.

    Identify a shortlist of storage technologies and trends that may be of interest.

    Activities

    2.1 Shortlist interest in storage technologies.

    2.2 Prioritize shortlist of storage technologies.

    2.3 Identify solutions that meet data and governance needs.

    Outputs

    A starting point for research into new and emerging storage technologies

    Expressed interest in adopting storage technologies

    A list of storage solutions needed to deliver on future data and governance needs

    3 Identify Storage Needs and Develop Initiatives

    The Purpose

    Identify the people, process, and technology initiatives required to adopt new storage technologies.

    Key Benefits Achieved

    Align your organizational people and process with new and disruptive technologies to best take advantage of what these new technologies have to offer.

    Activities

    3.1 Complete future storage structure planning tool.

    3.2 Identify storage modernization technology initiatives.

    3.3 Identify storage modernization people initiatives.

    3.4 Identify storage modernization process initiatives.

    Outputs

    A understanding of the future state of your storage infrastructure

    Technology initiatives needed to adopt storage structure

    People initiatives needed to adopt storage structure

    Process initiatives needed to adopt storage structure

    4 Build a Roadmap and RFP, Calculate TCO

    The Purpose

    Develop an executive communications report.

    Conduct a TCO analysis comparing on-premises and cloud storage solutions.

    Key Benefits Achieved

    Communicate storage modernization goals and plans to stakeholders.

    Activities

    4.1 Prioritize storage modernization initiatives.

    4.2 Complete project timeline and build roadmap.

    4.3 Compare TCO of on-premises and cloud storage solutions.

    Outputs

    Alignment of people, process, and technology with storage adoption

    Communicate storage modernization goals and plans to stakeholders and executives

    Compare cost of on-premises and cloud storage alternatives

    More Articles …