Assess Infrastructure Readiness for Digital Transformation

Unlock the full potential of your infrastructure with a digital transformation strategy and clear the barriers to success.

Analyst Perspective

It’s not just about the technology!

Many businesses fail in their endeavors to complete a digital transformation, but the reasons are complex, and there are many ways to fail, whether it is people, process, or technology. In fact, according to many surveys, 70% of digital transformations fail, and it’s mainly down to strategy – or the lack thereof.

A lot of organizations think of digital transformation as just an investment in technology, with no vision of what they are trying to achieve or transform. So, out of the gate, many organizations fail to undergo a meaningful transformation, change their business model, or bring about a culture of digital transformation needed to be seriously competitive in their given market.

When it comes to I&O leaders who have been given a mandate to drive digital transformation projects, they still must align to the vision and mission of the organization; they must still train and hire staff that will be experts in their field; they must still drive process improvements and align the right technology to meet the needs of a digital transformation.

John Donovan

Principal Research Director, I&O
Info-Tech Research Group

Insight summary

Overarching insight

Digital transformation requires I&O teams to shift from traditional infrastructure management to becoming a strategic enabler, driving agility, innovation, and operational excellence through effective integration of people, process, and technology.

Insight 1

Collaboration is a key component of I&O – Promote strong collaboration between I&O and other business functions. When doing a digital transformation, it is clear that this is a cross-functional effort. Business leaders and IT teams need to align their objectives, prioritize initiatives, and ensure that you are seamlessly integrating technologies with the new business functions.

Insight 2

Embrace agility and adaptability as core principles – As the digital landscape continues to evolve, it is paramount that I&O leaders are agile and adaptable to changing business needs, adopting new technology and implementing new innovative solutions. The culture of continuous improvement and openness to experimentation and learning will assist the I&O leaders in their journey.

Insight 3

Future-proof your infrastructure and operations – By anticipating emerging technologies and trends, you can proactively plan and organize your team for future needs. By investing in scalable, flexible infrastructure such as cloud services, automation, AI technologies, and continuously upskilling the IT staff, you can stay relevant and forward-looking in the digital space.

Tactical insight

An IT infrastructure maturity assessment is a foundational step in the journey of digital transformation. The demand will be on performance, resilience, and scalability. IT infrastructure must be able to support innovation and rapid deployment of services.

Tactical insight

Having a clear strategy, with leadership commitment along with hiring and training the right people, monitoring and measuring your progress, and ensuring it is a business-led journey will increase your chances of success.

Executive Summary

Info-Tech Insight

By driving a customer-centric approach, delivering a successful transformation can be tailored to the business goals and drive adoption and engagement. Refining your roadmap through data and analytics will drive this change. Use third-party expertise to guide your transformation and help build that vision of the future.

The cost of digital transformation

The challenges that stand in the way of your success, and what is needed to reverse the risk

What CIOs are saying about their challenges

26% of those CIOs surveyed cite resistance to change, with entrenched viewpoints demonstrating a real need for a cultural shift to enhance the digital transformation journey.

Source: Prophet, 2019.

70% of digital transformation projects fall short of their objectives – even when their leadership is aligned, often with serious consequences.

Source: BCG, 2020.

Having a clear strategy and commitment from leadership, hiring and training the right people, monitoring and measuring your progress, and ensuring it is a business-led journey will increase your chances of success.

Cultural change, business alignment, skills training, and setting a clear strategy with KPIs to demonstrate success are all key to being successful in your digital journey.

Small and medium-sized enterprises

What business owners and CEOs are saying about their digital transformation

57% of small business owners feel they must improve their IT infrastructure to optimize their operations.

Source: SMB Story, 2023.

64% of CEOs believe driving digital transformation at a rapid pace is critical to attracting and retaining talent and customers.

Source: KPMG, 2022.

Info-Tech Insight

An IT infrastructure maturity assessment is a foundational step in the journey of digital transformation. The demand will be on performance, resilience, and scalability. IT infrastructure must be able to support innovation and rapid deployments.

Integrate Physical Security and Information Security

Securing information security, physical security, or personnel security in silos may not secure much

Analyst Perspective

Ensure integrated security success with close and continual collaboration

From physical access control systems (PACS) such as electronic locks and fingerprint biometrics to video surveillance systems (VSS) such as IP cameras to perimeter intrusion detection and prevention to fire and life safety and beyond: physical security systems pose unique challenges to overall security. Additionally, digital transformation of physical security to the cloud and the convergence of operational technology (OT), internet of things (IoT), and industrial IoT (IIoT) increase both the volume and frequency of security threats.

These threats can be safety, such as the health impact when a gunfire attack downed wastewater pumps at Duke Energy Substation, North Carolina, US, in 2022. The threats can also be economic, such as theft of copper wire, or they can be reliability, such as when a sniper attack on Pacific Gas & Electric’s Metcalf Substation in California, US, damaged 17 out of 21 power transformers in 2013.

Considering the security risks organizations face, many are unifying physical, cyber, and information security systems to gain the long-term overall benefits a consolidated security strategy provides.

Ida Siahaan

Research Director, Security and Privacy Practice
Info-Tech Research Group

Executive Summary

Info-Tech Insight

An integrated security architecture, including people, process, and technology, will improve your overall security posture. These benefits are leading many organizations to consolidate their siloed systems into a single platform across physical security, cybersecurity, HR, legal, and compliance.

Existing information security models are not comprehensive

Current security models do not cover all areas of security, especially if physical systems and personnel are involved and safety is also an important property required.

• The CIA triad (confidentiality, integrity, availability) is a well-known information security model that focuses on technical policies related to technology for protecting information assets.
• The US Government’s Five Pillars of Information Assurance includes CIA, authentication, and non-repudiation, but it does not cover people and processes comprehensively.
• The AAA model, created by the American Accounting Association, has properties of authentication, authorization, and accounting but focuses only on access control.
• Donn Parker expanded the CIA model with three more properties: possession, authenticity, and utility. This model, which includes people and processes, is known as the Parkerian hexad. However, it does not cover physical and personnel security.

CIA Triad

Parkerian Hexad

Sources: Parker, 1998; Pender-Bey, 2012; Cherdantseva and Hilton, 2015

Adopt an integrated security model

The security ecosystem is shifting from segregation to integration

Sources: Cisco, n.d.; Preparing for Technology Convergence in Manufacturing, Info-Tech Research Group, 2018

Physical security includes:

• Securing physical access,
  e.g. facility access control, alarms, surveillance cameras
• Securing physical operations
  (operational technology – OT), e.g. programmable logic controllers (PLCs), SCADA

Info-Tech Insight

Why is integrating physical and information security gaining more and more traction? Because the supporting technologies are becoming more matured. This includes, for example, migration of physical security devices to IP-based network and open architecture.

Reactive responses to physical security incidents

April 1995

Target: Alfred P. Murrah Federal Building, Oklahoma, US. Method: Bombing. Impact: Destroyed structure of 17 federal agencies, 168 casualties, over 800 injuries. Result: Creation of Interagency Security Committee (ISC) in Executive Order 12977 and “Vulnerability Assessment of Federal Facilities” standard.
(Source: Office of Research Services, 2017)

April 2013

Target: Pacific Gas & Electric’s Metcalf Substation, California, US. Method: Sniper attack. Impact: Out of 21 power transformers, 17 were damaged. Result: Creation of Senate Bill No. 699 and NERC- CIP-014 standard.
(Source: T&D World, 2023)

Sep. 2022

Target: Nord Stream gas pipelines connecting Russia to Germany, Baltic sea. Method: Detonations. Impact: Methane leaks (~300,000 tons) at four exclusive economic zones (two in Denmark and two in Sweden). Result: Sweden’s Security Service investigation.
(Source: CNBC News, 2022)

Dec. 2022

Target: Duke Energy Substation, North Carolina, US. Method: Gunfire. Impact: Power outages of ~40,000 customers and wastewater pumps in sewer lift stations down. Result: State of emergency was declared.
(Source: CBS News, 2022)

Info-Tech Insight

When it comes to physical security, we have been mostly reactive. Typically the pattern starts with physical attacks. Next, the impacted organization mitigates the incidents. Finally, new government regulatory measures or private sector or professional association standards are put in place. We must strive to change our pattern to become more proactive.

Physical security market forecast and top physical security challenges

Physical security market forecast
(in billions USD)

A forecast by MarketsandMarkets projected growth in the physical security market, using historical data from 2015 until 2019, with a CAGR of 6.4% globally and 5.2% in North America.

Source: MarketsandMarkets, 2022

Top physical security challenges

An Ontic survey (N=359) found that threat data management (40%) was the top physical security challenge in 2022, up from 33% in 2021, followed by physical security threats to the C-suite and company leadership (35%), which was a slight increase from 2021. An interesting decrease is data protection and privacy (32%), which dropped from 36% in 2021.

Source: Ontic Center for Protective Intelligence, 2022

Info-Tech Insight

The physical security market is growing in systems and services, especially the integration of threat data management with cybersecurity.

Top physical security initiatives and operations integration investments

We know the physical security challenges and how the physical security market is growing, but what initiatives are driving this growth? These are the top physical security initiatives and top investments for physical security operations integration:

Top physical security initiatives

A survey by Brivo asked 700 security professionals about their top physical security initiatives. The number one initiative is integrating physical security systems. Other initiatives with similar concerns included data and cross-functional integration.

Source: Brivo, 2022

Top investments for physical security operations integration

An Ontic survey (N=359) on areas of investment for physical security operations integration shows the number one investment is on access control systems with software to identify physical threat actors. Another area with similar concern is integration of digital physical security with cybersecurity.

Source: Ontic Center for Protective Intelligence, 2022

Evaluate security integration opportunities with these guiding principles

Opportunity focus

• Identify the security integration problems to solve with visible improvement possibilities
• Don’t choose technology for technology’s sake
• Keep an eye to the future
• Use strategic foresight

Piece by piece

• Avoid taking a big bang approach
• Test technologies in multiple conditions
• Run inexpensive pilots
• Increase flexibility
• Build a technology ecosystem

Buy-in

• Collaborate with stakeholders
• Gain and sustain support
• Maintain transparency
• Increase uptake of open architecture

Key Recommendations:

Focus on your master plan

Build a technology ecosystem

Engage stakeholders

Info-Tech Insight

When looking for a quick win, consider learning the best internal or external practice. For example, in 1994 IBM reorganized its security operation by bringing security professionals and non-security professionals in one single structure, which reduced costs by approximately 30% in two years.

Sources: Create and Implement an IoT Strategy, Info-Tech Research Group, 2022; Baker and Benny, 2013; Erich Krueger, Omaha Public Power District (contributor); Doery Abdou, March Networks Corporate (contributor)

Case Study

4Wall Entertainment – Asset Owner

4Wall Entertainment is quite mature in integrating its physical and information security; physical security has always been under IT as a core competency.

4Wall Entertainment is a provider of entertainment lighting and equipment to event venues, production companies, lighting designers, and others, with a presence in 18 US and UK locations.

After many acquisitions, 4Wall Entertainment needed to standardize its various acquired systems, including physical security systems such as access control. In its integrated security approach, IT owns the integrated security, but they interface with related entities such as HR, finance, and facilities management in every location. This allows them to obtain information such as holidays, office hours, and what doors need to be accessed as inputs to the security system and to get sponsorship in budgeting.

In the past, 4Wall Entertainment tried delegating specific physical security to other divisions, such as facilities management and HR. This approach was unsuccessful, so IT took back the responsibility and accountability.

Currently, 4Wall Entertainment works with local vendors, and its biggest challenge is finding third-party vendors that can provide nationwide support.

In the future, 4Wall Entertainment envisions physical security modernization such as camera systems that allow more network accessibility, with one central system to manage and IoT device integration with SIEM and MDR.

Results

Lessons learned in integrating security from 4Wall Entertainment include:

• Start with forming relationships with related divisions such as HR, finance, and facilities management to build trust and encourage sponsorship across management.
• Create policies, procedures, and standards to deploy in various systems, especially when acquiring companies with low maturity in security.
• Select third-party providers that offer the required functionalities, good customer support, and standard systems interoperability.
• Close skill gaps by developing training and awareness programs for users, especially for newly acquired systems and legacy systems, or by acquiring expertise from consulting services.
• Complete cost-benefit analysis for solutions on legacy systems to determine whether to keep them and create interfacing with other systems, upgrade them, or replace them entirely with newer systems.
• Delegate maintenance of specific highly regulated systems, such as fire alarms and water sprinklers, to facilities management.

Tracking progress of physical and information security integration

Physical security is often part of facilities management. As a result, there are interdependencies with both internal departments (such as IT, information security, and facilities) and external parties (such as third-party vendors). IT leaders, security leaders, and operational leaders should keep the big picture in mind when designing and implementing integration of physical and information security. Use this checklist as a tool to track your security integration journey.

Plan

• Engage stakeholders and justify value for the business.
• Define roles and responsibilities.
• Establish/update governance for integrated security.
• Identify integrated elements and compliance obligations.

Enhance

• Determine the level of security maturity and update security strategy for integrated security.
• Assess and treat risks of integrated security.
• Establish/update integrated physical and information security policies and procedures.
• Update incident response, disaster recovery, and business continuity plan.

Monitor & Optimize

• Identify skill requirements and close skill gaps for integrating physical and information security.
• Design and deploy integrated security architecture and controls.
• Establish, monitor, and report integrated security metrics on effectiveness and efficiency.

Benefits of the security integration framework

Today’s matured technology makes security integration possible. However, the governance and management of single integrated security presents challenges. These can be overcome using a multi-phased framework that enables a modular, incremental, and repeatable integration process, starting with planning to justify the value of investment, then enhancing the integrated security based on risks and open architecture. This is followed by using metrics for monitoring and optimization.

1. Modular

   • Implementing a consolidated security strategy is complex and involves the integration of process, software, data, hardware, and network and infrastructure.
   • A modular framework will help to drive value while putting in appropriate guardrails.

2. Incremental

   • Integration of physical security and information security involves many components such as security strategy, risk management, and security policies.
   • An incremental framework will help track, manage, and maintain each step while providing appropriate structure.

3. Repeatable

   • Integration of physical security and information security is a journey that can be approached with a pilot program to evaluate effectiveness.
   • A repeatable framework will help to ensure quick time to value and enable immediate implementation of controls to meet operational and security requirements.

Potential risks of the security integration framework

Just as medicine often comes with side effects, our Integration of Physical and Information Security Framework may introduce risks too. However, as John F. Kennedy, thirty-fifth president of the United States, once said, "There are risks and costs to a program of action — but they are far less than the long-range cost of comfortable inaction."

Plan Phase

• Lack of transparency in the integration process can lead to lack of trust among stakeholders.
• Lack of support from leadership results in unclear governance or lack of budget or human resources.
• Key stakeholders leave the organization during the engagement and their replacements do not understand the organization’s operation yet.

Enhance Phase

• The risk assessment conducted focuses too much on IT risk, which may not always be applicable to physical security systems nor OT systems.
• The integrated security does not comply with policies and regulations.

Monitor and Optimize Phase

• Lack of knowledge, training, and awareness.
• Different testing versus production environments.
• Lack of collected or shared security metrics.

Data

• Data quality issues and inadequate data from physical security, information security, and other systems, e.g. OT, IoT.
• Too much data from too many tools are complex and time consuming to process.

Develop an integration of information security, physical security, and personnel security that meets your organization’s needs

Integrate security in people, process, and technology to improve your overall security posture

Having siloed systems running security is not beneficial. Many organizations are realizing the benefits of consolidating into a single platform across physical security, cybersecurity, HR, legal, and compliance.

Plan and engage stakeholders

Assemble the right team to ensure the success of your integrated security ecosystem, decide the governance model, and clearly define the roles and responsibilities.

Enhance strategy and risk management

Strategically, we want a physical security system that is interoperable with most technologies, flexible with minimal customization, functional, and integrated, despite the challenges of proprietary configurations, complex customization, and silos.

Monitor and optimize

Find the most optimized architecture that is strategic, realistic, and based on risk. Next, perform an evaluation of the security systems and program by understanding what, where, when, and how to measure and to report the relevant metrics.

Focus on master plan

Identify the security integration problems to solve with visible improvement possibilities, and don’t choose technology for technology’s sake. Design first, then conduct market research by comparing products or services from vendors or manufacturers.

Build a technology ecosystem

Avoid a big bang approach and test technologies in multiple conditions. Run inexpensive pilots and increase flexibility to build a technology ecosystem.

Deliverables

Each step of this framework is accompanied by supporting deliverables to help you accomplish your goals:

Integrate Physical Security and Information Security Requirements Gathering Tool

Map organizational goals to IT goals, facilities goals, OT goals (if applicable), and integrated security goals. Identify your security integration elements and compliance.

Integrate Physical Security and Information Security RACI Chart Tool

Identify various security integration stakeholders across the organization and assign tasks to suitable roles.

Key deliverable:

Integrate Physical Security and Information Security Communication Deck

Present your findings in a prepopulated document that summarizes the work you have completed.

Plan

Planning is foundational to engage stakeholders. Start with justifying the value of investment, then define roles and responsibilities, update governance, and finally identify integrated elements and compliance obligations.

Plan

Engage stakeholders

• To initiate communication between the physical and information security teams and other related divisions, it is important to identify the entities that would be affected by the security integration and involve them in the process to gain support from planning to delivery and maintenance.
• Possible stakeholders:
  • Executive leadership, Facilities Management leader and team, IT leader, Security & Privacy leader, compliance officer, Legal, Risk Management, HR, Finance, OT leader (if applicable)
• A successful security integration depends on aligning your security integration initiatives and migration plan to the organization’s objectives by engaging the right people to communicate and collaborate.

Info-Tech Insight

It is important to speak the same language. Physical security concerns safety and availability, while information security concerns confidentiality and integrity. Thus, the two systems have different goals and require alignment.

Similarly, taxonomy of terminologies needs to be managed,¹ e.g. facility management with an emergency management background may have a different understanding from a CISO with an information security background when discussing the same term. For example:

In emergency management prevention means “actions taken to eliminate the impact of disasters in order to protect lives, property and the environment, and to avoid economic disruption.”²

In information security prevention is “preventing the threats by understanding the threat environment and the attack surfaces, the risks, the assets, and by maintaining a secure system.”³

Sources: ¹ Owen Yardley, Omaha Public Power District (contributor); ² Translation Bureau, Government of Canada, n.d.; ³ Security Intelligence, 2020

Map organizational goals to integrated security goals

1. As a group, brainstorm organization goals.
   • Review relevant corporate, IT, and facilities strategies.
2. Record the most important business goals in the “Goals Cascade” tab of the Integrate Physical Security and Information Security Requirements Gathering Tool. Try to limit the number of business goals to no more than ten goals. This limitation will be critical to helping focus on your integrated security goals.
3. For each goal, identify one to two security alignment goals. These should be objectives for the security strategy that will support the identified organization goals.

Download the Integrate Physical Security and Information Security Requirements Gathering Tool.

Record organizational goals

Refer to the Integration of Physical and Information Security Framework when filling in the table.

1. Record your identified organizational goals in the “Goals Cascade” tab of the Integrate Physical Security and Information Security Requirements Gathering Tool.
2. For each organizational goal, identify IT alignment goals.
3. For each organizational goal, identify OT alignment goals (if applicable).
4. For each organizational goal, identify Facilities alignment goals.
5. For each organizational goal, select an integrated security goal from the drop-down menu.

Justify value for the business

Facilities in most cases have a team that is responsible for physical security installations such as access key controllers. Whenever there is an issue, they contact the provider to fix the error. However, with smart buildings and smart devices, the threat surface grows to include information security threats, and Facilities may not possess the knowledge and skills required to deal with them. At the same time, delegating physical security to IT may add more tasks to their already-too-long list of responsibilities. Consolidating security to a focused security team that covers both physical and information security can help.1 We need to develop the security integration business case beyond physical security "gates, guns, and guards" mentality.2

An example of a cost-benefit analysis for security integration:

Sources: 1 Andrew Amaro, KLAVAN Security Services (contributor); 2 Baker and Benny, 2013;
Industrial Control System Modernization, Info-Tech Research Group, 2023; Lawrence Berkeley National Laboratory, 2021

Plan

Define roles and responsibilities

Many factors impact an organization’s level of effectiveness as it relates to integration of physical and information security. How the team interacts, what skill sets exist, the level of clarity around roles and responsibilities, and the degree of executive support and alignment are only a few. Thus, we need to identify stakeholders that are:

• Responsible: The person(s) who does the work to accomplish the activity; they have been tasked with completing the activity and/or getting a decision made.
• Accountable: The person(s) who is accountable for the completion of the activity. Ideally, this is a single person and is often an executive or program sponsor.
• Consulted: The person(s) who provides information. This is usually several people, typically called subject matter experts (SMEs).
• Informed: The person(s) who is updated on progress. These are resources that are affected by the outcome of the activities and need to be kept up to date.

Download the Integrate Physical Security and Information Security RACI Chart Tool

Define RACI chart

Define Responsible, Accountable, Consulted, Informed (RACI) stakeholders.

1. Customize the Work Units to best reflect your operation with applicable stakeholders.
2. Customize the Action rows as required.

Sources: ISC, 2015; ISC, 2021

Info-Tech Insight

The roles and responsibilities should be clearly defined. For example, IT Security should be responsible for the installation and configuration of all physical access controllers and devices, and facility managers should be responsible for the physical maintenance including malfunctioning such as access device jammed or physically broken.

Plan

Establish/update governance for integrated security

HR & Finance

HR provides information such as new hires and office hours as input to the security system. Finance assists in budgeting.

Security & Privacy

The security and privacy team will need to evaluate solutions and enforce standards on various physical and information security systems and to protect data privacy.

Business Leaders

Business stakeholders will provide clarity for their strategy and provide input into how they envision security furthering those goals.

IT Executives

IT stakeholders will be a driving force, ensuring all necessary resources are available and funded.

Facilities/ Operations

Operational plans will include asset management, monitoring, and support to meet functional goals and manage throughout the asset lifecycle.

Infrastructure & Enterprise Architects

Each solution added to the environment will need to be chosen and architected to meet business goals and security functions.

Info-Tech Insight

Assemble the right team to ensure the success of your integrated security ecosystem and decide the governance model, e.g. security steering committee (SSC) or a centralized single structure.

Adapted from Create and Implement an IoT Strategy, Info-Tech Research Group, 2022

What does the SSC do?

Ensuring proper governance over your security program is a complex task that requires ongoing care and feeding from executive management to succeed.

Your SSC should aim to provide the following core governance functions for your security program:

1. Define Clarity of Intent and Direction

   How does the organization’s security strategy support the attainment of the business, IT, facilities management, and physical and information security strategies? The SSC should clearly define and communicate strategic linkage and provide direction for aligning security initiatives with desired outcomes.

2. Establish Clear Lines of Authority

   Security programs contain many important elements that need to be coordinated. There must be clear and unambiguous authority, accountability, and responsibility defined for each element so lines of reporting/escalation are clear and conflicting objectives can be mediated.

3. Provide Unbiased Oversight

   The SSC should vet the organization’s systematic monitoring processes to ensure there is adherence to defined risk tolerance levels and that monitoring is appropriately independent from the personnel responsible for implementing and managing the security program.

4. Optimize Security Value Delivery

   Optimized value delivery occurs when strategic objectives for security are achieved and the organization’s acceptable risk posture is attained at the lowest possible cost. This requires constant attention to ensure controls are commensurate with any changes in risk level or appetite.

Adapted from Improve Security Governance With a Security Steering Committee , Info-Tech Research Group, 2018

Plan

Identify integrated elements and compliance obligations

To determine what elements need to be integrated, it’s important to scope the security integration program and to identify the consequences of integration for compliance obligations.

INTEGRATED ELEMENTS

What are my concerns?

Process integrations

Determine which processes need to be integrated and how

• Examples: Security prevention, detection, and response; risk assessment

Software and data integration

Determine which software and data need to be integrated and how

• Examples: Threat management tools, SIEM, IDPS, security event logs

Hardware integration

Determine which hardware needs to be integrated and how

• Examples: Sensors, alarms, cameras, keys, locks, combinations, and card readers

Network and infrastructure

Determine which network and infrastructure components need to be integrated and how

• Example: Network segmentation for physical access controllers.

COMPLIANCE

How can I address my concerns?

Regulations

Adhere to mandatory laws, directives, industry standards, specific contractual obligations, etc.

• Examples: NERC CIP (North American Utilities), Network and Information Security (NIS) Directive (EU), Health and Safety at Work etc Act 1974 (UK), Occupational Safety and Health Act, 1970 (US), Emergency Management Act, 2007 (Canada)

Standards

Adhere to voluntary standards and obligations

• Examples: NIST Cybersecurity Framework (CSF), The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard (US), Cybersecurity Maturity Model Certification (CMMC), Service Organization Control (SOC 1 and 2)

Guidelines

Adopt guidelines that can improve the integrated security program

• Examples: Best Practices for Planning and Managing Physical Security Resources (US Interagency Security Committee), Information Security Manual - Guidelines for Physical Security (Australian Cyber Security Centre), 1402-2021-Guide for Physical Security of Electric Power Substations (IEEE)

Record integrated elements

Refer to the “Scope” tab of the Integrate Physical Security and Information Security Requirements Gathering Tool when filling in the following elements.

1. Record your integrated elements, i.e. process integration, software and data integration, hardware integration, network and infrastructure, and physical scope of your security integration, in the “Scope” tab of the Integrate Physical Security and Information Security Requirements Gathering Tool.
2. For each of your scoping give the rationale for including them in the Comments column. Careful attention should be paid to any elements that are not in scope.

Record your compliance obligations

Refer to the “Compliance Obligations” tab of the Integrate Physical Security and Information Security Requirements Gathering Tool.

1. Identify your compliance obligations. These can include both mandatory and voluntary obligations. Mandatory obligations include:
   • Laws
   • Government regulations
   • Industry standards
   • Contractual agreements
   Voluntary obligations include standards that the organization has chosen to follow for best practices and any obligations that are required to maintain certifications. Organizations will have many different compliance obligations. For the purposes of your integrated security, include those that include physical security requirements.
2. Record your compliance obligations, along with any notes, in your copy of the Integrate Physical Security and Information Security Requirements Gathering Tool.
3. Refer to the “Compliance DB” tab for lists of standards/regulations/ guidelines.

Remediate third-party compliance gaps

If you have third-party compliance gaps, there are four primary ways to eliminate them:

1. Find a New, Compliant Partner

   Terminate existing contract and find another organization to partner with.

2. Bring the Capability In-House

   Expense permitting, this may be the best way to protect yourself.

3. Demand Compliance

   Tell the third party they must become compliant. Make sure you set a deadline.

4. Accept Noncompliance and Assume the Risk

   Sometimes remediation just isn’t cost effective and you have no choice.

Follow Contracting Best Practices to Mitigate the Risk of Future Third-Party Compliance Gaps

1. Perform Initial Due Diligence: Request proof of third-party compliance prior to entering into a contract.
2. Perform Ongoing Due Diligence: Request proof of third-party contractor compliance annually.
3. Contract Negotiation: Insert clauses requesting periodic assertions of compliance.

View a sample contract provided by the US Department of Health and Human Services.

Source: Take Control of Compliance Improvement to Conquer Every Audit, Info-Tech Research Group, 2015

Pitfalls to avoid when planning security integration

• No Resources Lineups

  Integration of security needs support from leadership, proper planning, and clear and consistent communication across the organization.

• Not Addressing Holistic Security

  Create policies and procedures and follow standards that are holistic and based on threats and risks, e.g. consolidated access control policies.

• Lack of Governance

  While the IT department is a critical partner in cybersecurity, the ownership of such a role sits squarely in the organizational C-suite, with regular reporting to the board of directors (if applicable).

• Overlooking Business Continuity Effort

  IT and physical security are integral to business continuity and disaster recovery strategies.

• Not Having Relevant Training and Awareness

  Provide a training and awareness program based on relevant attack vectors. Trained employees are key assets to the development of a safe and secure environment. They must form the base of your security culture.

• Overbuilding or Underbuilding

  Select third-party providers that offer systems interoperability with other security tools. The intent is to promote a unified approach to security to avoid a cumbersome tooling zoo.

Sources: Real Time Networks, 2022; Andrew Amaro, KLAVAN Security Services (contributor)

Enhance

Enhancing is the development of an integrated security strategy, policies, procedures, BCP, DR, and IR based on the organization’s risks.

Enhance

Determine the level of security maturity and update the security strategy

• Before updating your security strategies, you need to understand the organization’s business strategies, IT strategies, facilities strategies, and physical and information security strategies. The goal is to align your integrated security strategies to contribute to your organization’s success.
• The integrated security leaders need to understand the direction of the organization. For example:
  • Growth expectation
  • Expansions or mergers anticipation
  • Product or service changes
  • Regulatory requirements
• Wise security investments depend on aligning your security initiatives to the organization’s objectives by supporting operational performance and ensuring brand protection and shareholder values.

Sources: Amy L. Meger, Platte River Power Authority (contributor); Baker and Benny, 2013; IFSEC Global, 2023; Security Priorities 2023, Info-Tech Research Group, 2023; Build an Information Security Strategy, Info-Tech Research Group, 2020; ISC, n.d.

Understanding security maturity

Maturity models are very effective for determining security states. This table provides examples of general descriptions for physical and information security maturity levels.

Determine which framework is suitable and select the description that most accurately reflects the ideal state for security in your organization.

Sources: ¹ Fennelly, 2013; ² Build an Information Security Strategy, Info-Tech Research Group, 2020

Enhance

Assess and treat integrated security risks

The risk assessment conducted consists of analyzing existing inherent risks, existing pressure to the risks such as health and safety laws and codes of practice, new risks from the integration process, risk tolerance, and countermeasures.

• Some organizations already integrate security into corporate security that consists of risk management, compliance, governance, information security, personnel security, and physical security. However, some organizations are still separating security components, especially physical security and information security, which limits security visibility and the organization’s ability to complete a comprehensive risks assessment.
• Many vendors are also segregating physical security and information security solutions because their tools do well only on certain aspects. This forces organizations to combine multiple tools, creating a complex environment.
• Additionally, risks related to people such as mental health issues must be addressed properly. The prevalence of hybrid work post-pandemic makes this aspect especially important.
• Assess and treat risks based on the organization’s requirements, including its environments. For example, the US federal facility security organization is required to conduct risk assessments at least every five years for Level I (lowest risk) and Level II facilities and at least every three years for Level III, IV, and V (highest risk) facilities.

Sources: EPA, n.d.; America's Water Infrastructure Act (AWIA), 2018; ISC, 2021

“In 2022, 95% of US companies are consolidating into a single platform across physical security, cybersecurity, HR, legal and compliance.”

Source: Ontic Center for Protective Intelligence, 2022; N=359

Example risk levels

The risk assessment conducted is based on a combination of physical and information security factors such as certain facilities factors. The risk level can be used to determine the baseline level of protection (LOP). Next, the baseline LOP is customized to the achievable LOP. The following is an example for federal facilities determined by Interagency Security Committee (ISC).

Source: ISC, 2021

Example assets

It is important to identify the organization’s requirements, including its environments (IT, IoT, OT, facilities, etc.), and to measure and evaluate its risks and threats using an appropriate risk framework and tools with the critical step of identifying assets prior to acquiring solutions.

Info-Tech Insight

Certain exceptions must be identified in risk assessment. Usually physical barriers such as gates and intrusion detection sensors are considered as countermeasures,1 however, under certain assessment, e.g. America's Water Infrastructure Act (AWIA),2 physical barriers are also considered assets and as such must also be assessed.

Compromising a fingerprint scanner

An anecdotal example of why physical security alone is not sufficient.

Image by Rawpixel.com on Freepik

Lessons learned from using fingerprints for authentication:

• Fingerprint scanners can be physically circumvented by making a copy an authorized user’s fingerprint with 3D printing or even by forcefully amputating an authorized user’s finger.
• Authorized users may not be given access when the fingerprint cannot be recognized, e.g. if the finger is covered by bandage due to injury.
• Integration with information security may help detect unauthorized access, e.g. a fingerprint being scanned in a Canadian office when the same user was scanned at a close time interval from an IP in Europe will trigger an alert of a possible incident.

Info-Tech Insight

In an ideal world, we want a physical security system that is interoperable with all technologies, flexible with minimal customization, functional, and integrated. In the real world, we may have physical systems with proprietary configurations that are not easily customized and siloed.

Source: Robert Dang, Info-Tech Research Group

Use case: Microchip implant

Microchip implants can be used instead of physical devices such as key cards for digital identity and access management. Risks can be assessed using quantitative or qualitative approaches. In this use case a qualitative approach is applied to impact and likelihood, and a quantitative approach is applied to revenue and cost.

Asset: Microchip implant

Benefits

Risks

Sources: Business Insider, 2018; BBC News, 2022; ISC, 2015

Enhance

Update integrated security policies and procedures

Global policies with local implementation

This model works for corporate groups with a parent company. In this model, global security policies are developed by a parent company and local policies are applied to the unique business that is not supported by the parent company.

Update of existing security policies

This model works for organizations with sufficient resources. In this model, integrated security policies are derived from various policies. For example, physical security in smart buildings/devices (sensors, automated meters, HVAC, etc.) and OT systems (SCADA, PLCs, RTUs, etc.) introduce unique risk exposures, necessitating updates to security policies.

Customization of information security policies

This model works for smaller organizations with limited resources. In this model, integrated security policies are derived from information security policies. The issue is when these policies are not applicable to physical security systems or other environments, e.g. OT systems.

Sources: Kris Krishan, Waymo (contributor); Isabelle Hertanto, Info-Tech Research Group (contributor); Physical and Environmental Security Policy Template, Info-Tech Research Group, 2022.

Enhance

Update BCP, DR, IR

• Physical threats such as theft of material, vandalism, loitering, and the like are also part of business continuity threats.
• These threats can be carried out by various means such as vehicles breaching perimeter security, bolt cutters used for cutting wire and cable, and ballistic attack.
• Issues may occur when security operations are owned separately by physical security or information security, thus lacking consistent application of best practices.
• To overcome this issue, organizations need to update BCP, DR, and IR holistically based on a cost-benefit analysis and the level of security maturity, which can be defined based on the suitable framework.

Sources: IEEE, 2021; ISC, 2021

“The best way to get management excited about a disaster plan is to burn down the building across the street.”

Source: Dan Erwin, Security Officer, Dow Chemical Co., in Computerworld, 2022

Optimize

Optimizing means working to make the most effective and efficient use of resources, starting with identifying skill requirements and closing skill gaps, followed by designing and deploying integrated security architecture and controls, and finally monitoring and reporting integrated security metrics.

Optimize

Identify skill requirements and close skill gaps

• The pandemic changed how people work and where they choose to work, and most people still want a hybrid work model. Our survey in July 2022 (N=516) found that 55.8% of employees have the option to work offsite 2-3 days per week, 21.0% can work offsite 1 day per week, and 17.8% can work offsite 4 days per week.
• The investment (e.g. on infrastructure and networks) to initiate remote work was huge, and the costs didn’t end there; organizations needed to maintain the secure remote work infrastructure to facilitate the hybrid work model.
• Moreover, roles are evolving due to convergence and modernization. These new roles require an integrative skill set. For example, the grid security and ops team might consist of an IT security specialist, a SCADA technician/engineer, and an OT/IIOT security specialist, where OT/IIOT security specialist is a new role.

Strategic investment in internal security team

Internal security governance and management using in-house developed tools or off-the-shelf solutions, e.g. security information and event management (SIEM).

Security management using third parties

Internal security management using third-party security services, e.g. managed security service providers (MSSPs).

Outsourcing security management

Outsourcing the entire security functions, e.g. using managed detection and response (MDR).

Sources: Info-Tech Research Group’s Security Priorities 2023, Close the InfoSec Skills Gap, Build an IT Employee Engagement Program, and Grid Modernization

Select the right certifications

What are the options?

• One issue in security certification is the complexity of relevancy in topics with respect to roles and levels.
• The European Union Agency for Cybersecurity (ENISA) takes the approach of analyzing existing certifications of ICS/SCADA professionals' cybersecurity skills by orientation, scope, and supporting bodies that are grouped into specific certifications, relevant certifications, and safety certifications (ENISA, 2015).
• This approach can also be applied to integrated security certifications.

Physical security certification

• Examples: Industrial Security Professional Certification (NCMS-ISP); Physical Security Professional (ASIS-PSP); Physical Security Certification (CDSE-PSC); ISC I-100, I-200, I-300, and I-400

Cyber physical system security certification

• Examples: Certified SCADA Security Architect (CSSA), EC-Council ICS/SCADA Cybersecurity Training Course

Information security certification

• Examples: Network and Information Security (NIS) Driving License, ISA/IEC 62443 Cybersecurity Certificate Program, GIAC Global Industrial Cyber Security Professional (GICSP)

Safety Certifications

• Examples: Board of Certified Safety Professionals (BCSP), European Network of Safety and Health Professional Organizations (ENSHPO)

Optimize

Design and deploy integrated security architecture and controls

• A survey by Brivo found that 38% of respondents have partly centralized security platforms, 25% have decentralized platforms, and 36% have centralized platforms (Brivo, 2022; N=700).
• If your organization’s security program is still decentralized or partly centralized and your organization is planning to establish an integrated security program, then the recommendation is to perform a holistic risk assessment based on probability and impact assessments on threats and vulnerabilities.
• The impacted factors, for example, are customers served, criticality of services, equipment present inside the building, personnel response time for operational recovery and the mitigation of hazards, and costs.
• Frameworks such as Sherwood Applied Business Security Architecture (SABSA), Control Objectives for Information and Related Technologies (COBIT), and The Open Group Architecture Framework (TOGAF) can be used to build security architecture that aligns security goals with business goals.
• Finally, analyze the security design against the design criteria.

Sources: ISA and Honeywell Integrated Security Technology Lab, n.d.; IEEE, 2021

“As long as organizations treat their physical and cyber domains as separate, there is little hope of securing either one.”

Source: FedTech magazine, 2009

Analyze architecture design

Cloud, on-premises, or hybrid? During the pandemic, many enterprises were under tight deadlines to migrate to the cloud. Many did not refactor data and applications correctly for cloud platforms during migration, with the consequence of high cloud bills. This happened because the migrated applications cannot take advantage of on-premises capabilities such as autoscaling. Thus, in 2023, it is plausible that enterprises will bring applications and data back on-premises.

Below is an example of a security design analysis of platform architecture. Design can be assessed using quantitative or qualitative approaches. In this example, a qualitative approach is applied using high-level advantages and disadvantages.

Info-Tech Insight

It is important for organizations to find the most optimized architecture to support them, for example, a hybrid architecture of cloud and on-premises based on operations and cost-effectiveness. To help design a security architecture that is strategic, realistic, and based on risk, see Info-Tech’s Identify the Components of Your Cloud Security Architecture research.

Sources: InfoWorld, 2023; Identify the Components of Your Cloud Security Architecture , Info-Tech Research Group, 2021

Analyze equipment design

Below is an example case of a security design analysis of electronic security systems. Design can be assessed using quantitative or qualitative approaches. In this example a qualitative approach is applied using advantages and disadvantages.

Info-Tech Insight

Once the design has been analyzed, the next step is to conduct market research to analyze the solutions landscape, e.g. to compare products or services from vendors or manufacturers.

Sources: IEEE, 202; IEC, n.d.; IEC, 2013

Analyze off-the-shelf solutions

Criteria to consider when comparing solutions:

Visibility and Asset Management

Passively monitoring data using various protocol layers, actively sending queries to devices, or parsing configuration files of physical security devices, OT, IoT, and IT environments on assets, processes, and connectivity paths.

Threat Detection, Mitigation, and Response (+ Hunting)

Automation of threat analysis (signature-based, specification-based, anomaly-based, flow-based, content-based, sandboxing) not only in IT but also in relevant environments, e.g. physical, IoT, IIoT, and OT on assets, data, network, and orchestration with threat intelligence sharing and analytics.

Risk Assessment and Vulnerability Management

Risk scoring approach (qualitative, quantitative) based on variables such as behavioral patterns and geolocation. Patching and vulnerability management.

Usability, Architecture, Cost

The user and administrative experience, multiple deployment options, extensive integration capabilities, and affordability.

Source: Secure IT/OT Convergence, Info-Tech Research Group, 2022

Optimize

Establish, monitor, and report integrated security metrics

Security metrics serve various functions in a security program.1 For example:

• As audit requirements. For integrated security, the requirements are derived from mandatory or voluntary compliance, e.g. NERC CIP.
• As an indicator of maturity level. For integrated security, maturity level is used to measure the state of security, e.g. C2M2, CMMC.
• As a measurement of effectiveness and efficiency. Security metrics consist of operational metrics, financial metrics, etc.

Safety

Physical security interfaces with the physical world. Thus, metrics based on risks related to safety are crucial. These metrics motivate personnel by making clear why they should care about security.
Source: EPRI, 2017

Business Performance

The impact of security on the business can be measured with various metrics such as operational metrics, service level agreements (SLAs), and financial metrics.
Source: BMC, 2022

Technology Performance

Early detection leads to faster remediation and less damage. Metrics such as maximum tolerable downtime (MTD) and mean time to recovery (MTR) indicate system reliability.
Source: Dark Reading, 2022

Security Culture

Measure the overall quality of security culture with indicators such as compliance and audit, vulnerability management, and training and awareness.

Info-Tech Insight

Security failure can be avoided by evaluating the security systems and program. Security evaluation requires understanding what, where, when, and how to measure and to report the relevant metrics.

Related Info-Tech Research

Secure IT/OT Convergence

The previously entirely separate OT ecosystem is migrating into the IT ecosystem, primarily to improve access via connectivity and to leverage other standard IT capabilities for economic benefit.

Hence, IT and OT need to collaborate, starting with communication to build trust and to overcome their differences and followed by negotiation on components such as governance and management, security controls on OT environments, compliance with regulations and standards, and establishing metrics for OT security.

Preparing for Technology Convergence in Manufacturing

Information technology (IT) and operational technology (OT) teams have a long history of misalignment and poor communication.

Stakeholder expectations and technology convergence create the need to leave the past behind and build a culture of collaboration.

Build an Information Security Strategy

Info-Tech has developed a highly effective approach to building an information security strategy – an approach that has been successfully tested and refined for over seven years with hundreds of organizations.

This unique approach includes tools for ensuring alignment with business objectives, assessing organizational risk and stakeholder expectations, enabling a comprehensive current-state assessment, prioritizing initiatives, and building a security roadmap.

Bibliography

"1402-2021 - IEEE Guide for Physical Security of Electric Power Substations." IEEE, 2021. Accessed 25 Jan. 2023.

"2022 State of Protective Intelligence Report." Ontic Center for Protective Intelligence, 2022. Accessed 16 Jan. 2023.

"8 Staggering Statistics: Physical Security Technology Adoption." Brivo, 2022. Accessed 5 Jan. 2023.

"America's Water Infrastructure Act of 2018." The United States' Congress, 2018. Accessed 19 Jan. 2023.

Baker, Paul and Daniel Benny. The Complete Guide to Physical Security. Auerbach Publications. 2013

Bennett, Steve. "Physical Security Statistics 2022 - Everything You Need to Know." WebinarCare, 4 Dec. 2022. Accessed 30 Dec. 2022.

"Best Practices for Planning and Managing Physical Security Resources: An Interagency Security Committee Guide." Interagency Security Committee (ISC), Dec. 2015. Accessed 23 Jan. 2023.

Black, Daniel. "Improve Security Governance With a Security Steering Committee." Info-Tech Research Group, 23 Nov. 2018. Accessed 30 Jan. 2023.

Borg, Scott. "Don't Put Up Walls Between Your Security People." FedTech Magazine, 17 Feb. 2009. Accessed 15 Dec. 2022.

Burwash, John. “Preparing for Technology Convergence in Manufacturing.” Info-Tech Research Group, 12 Dec. 2018. Accessed 7 Dec. 2022.

Carney, John. "Why Integrate Physical and Logical Security?" Cisco. Accessed 19 Jan. 2023.

"Certification of Cyber Security Skills of ICS/SCADA Professionals." European Union Agency for Cybersecurity (ENISA), 2015. Accessed 27 Sep. 2022.

Cherdantseva, Yulia and Jeremy Hilton. "Information Security and Information Assurance. The Discussion about the Meaning, Scope and Goals." Organizational, Legal, and Technological Dimensions of IS Administrator, Almeida F., Portela, I. (eds.), pp. 1204-1235. IGI Global Publishing, 2013.

Cobb, Michael. "Physical security." TechTarget. Accessed 8 Dec. 2022.

“Conduct a Drinking Water or Wastewater Utility Risk Assessment.” United States Environmental Protection Agency (EPA), n.d. Web.

Conrad, Sandi. "Create and Implement an IoT Strategy." Info-Tech Research Group, 28 July 2022. Accessed 7 Dec. 2022.

Cooksley, Mark. "The IEC 62443 Series of Standards: A Product Manufacturer's Perspective." YouTube, uploaded by Plainly Explained, 27 Apr. 2021. Accessed 26 Aug. 2022.

"Cyber and physical security must validate their value in 2023." IFSEC Global, 12 Jan. 2023. Accessed 20 Jan. 2023.

"Cybersecurity Evaluation Tool (CSET®)." Cybersecurity and Infrastructure Security Agency (CISA). Accessed 23 Jan. 2023.

"Cybersecurity Maturity Model Certification (CMMC) 2.0." The United States' Department of Defense (DOD), 2021. Accessed 29 Dec. 2022.

“Cyber Security Metrics for the Electric Sector: Volume 3.” Electric Power Research Institute (EPRI), 2017.

Czachor, Emily. "Mass power outage in North Carolina caused by gunfire, repairs could take days." CBS News, 5 Dec. 2022. Accessed 20 Jan. 2023.

Dang, Robert, et al. “Secure IT/OT Convergence.” Info-Tech Research Group, 9 Dec. 2022. Web.

"Emergency Management Act (S.C. 2007, c. 15)." The Government of Canada, 2007. Accessed 19 Jan. 2023.

"Emergency management vocabulary." Translation Bureau, Government of Canada. Accessed 19 Jan. 2023.

Fennelly, Lawrence. Effective physical security. Butterworth-Heinemann, 2013.

Ghaznavi-Zadeh, Rassoul. "Enterprise Security Architecture - A Top-down Approach." The Information Systems Audit and Control Association (ISACA). Accessed 25 Jan. 2023.

"Good Practices for Security of Internet of Things." European Union Agency for Cybersecurity (ENISA), 2018. Accessed 27 Sep. 2022.

"Health and Safety at Work etc Act 1974." The United Kingdom Parliament. Accessed 23 Jan. 2023.

Hébert, Michel, et al. “Security Priorities 2023.” Info-Tech Research Group, 1 Feb. 2023. Web.

"History and Initial Formation of Physical Security and the Origin of Authority." Office of Research Services (ORS), National Institutes of Health (NIH). March 3, 2017. Accessed 19 Jan. 2023.

"IEC 62676-1-1:2013 Video surveillance systems for use in security applications - Part 1-1: System requirements - General." International Electrotechnical Commission (IEC), 2013. Accessed 9 Dec. 2022.

"Incident Command System (ICS)." ICS Canada. Accessed 17 Jan. 2023.

"Information Security Manual - Guidelines for Physical Security." The Australian Cyber Security Centre (ACSC), Dec. 2022. Accessed 13 Jan. 2023.

"Integrated Physical Security Framework." Anixter. Accessed 8 Dec. 2022.

"Integrating Risk and Security within a TOGAF® Enterprise Architecture." TOGAF 10, The Open Group. Accessed 11 Jan. 2023.

Latham, Katherine. "The microchip implants that let you pay with your hand." BBC News, 11 Apr. 2022. Accessed 12 Jan. 2023.

Linthicum, David. "2023 could be the year of public cloud repatriation." InfoWorld, 3 Jan. 2023. Accessed 10 Jan. 2023.

Ma, Alexandra. "Thousands of people in Sweden are embedding microchips under their skin to replace ID cards." Business Insider, 14 May 2018. Accessed 12 Jan. 2023.

Mendelssohn, Josh and Dana Tessler. "Take Control of Compliance Improvement to Conquer Every Audit." Info-Tech Research Group, 25 March 2015. Accessed 27 Jan. 2023.

Meredith, Sam. "All you need to know about the Nord Stream gas leaks - and why Europe suspects 'gross sabotage'." CNBC, 11 Oct. 2022. Accessed 20 Jan. 2023.

Nicaise, Vincent. "EU NIS2 Directive: what’s changing?" Stormshield, 20 Oct. 2022. Accessed 17 Nov. 2022.

"NIST SP 800-53 Rev. 5 Security and Privacy Controls for Information Systems and Organizations." The National Institute of Standards and Technology (NIST), 13 Jul. 2022. Accessed 27 Jan. 2023.

"North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) Series." NERC. Accessed 23 Jan. 2023.

"North America Physical Security Market - Global Forecast to 2026." MarketsandMarkets, June 2021. Accessed 30 Dec. 2022.

"NSTISSI No. 4011 National Training Standard For Information Systems Security (InfoSec) Professionals." The United States Committee on National Security Systems (CNSS), 20 Jun. 1994. Accessed 23 Jan. 2023.

"Occupational Safety and Health Administration (OSH) Act of 1970." The United States Department of Labor. Accessed 23 Jan. 2023.

Palter, Jay. "10 Mistakes Made in Designing a Physical Security Program." Real Time Networks, 7 Sep. 2022. Accessed 6 Jan. 2023.

Parker, Donn. Fighting Computer Crime. John Wiley & Sons, 1998.

Pathak, Parag. "What Is Threat Management? Common Challenges and Best Practices." Security Intelligence, 2020. Accessed 5 Jan. 2023.

Pender-Bey, Georgie. "The Parkerian Hexad." Lewis University, 2012. Accessed 24 Jan. 2023.

Philippou, Oliver. "2023 Trends to Watch: Physical Security Technologies." Omdia. Accessed 20 Jan. 2023.

Phinney, Tom. "IEC 62443: Industrial Network and System Security." ISA and Honeywell Integrated Security Technology Lab. Accessed 30 Jan. 2023.

"Physical Security Market, with COVID-19 Impact Analysis - Global Forecast to 2026." MarketsandMarkets, Jan. 2022. Accessed 30 Dec. 2022.

"Physical Security Professional (PSP)" ASIS International. Accessed 17 Jan. 2023.

"Physical Security Systems (PSS) Assessment Guide" The United States' Department of Energy (DOE), Dec. 2016. Accessed 23 Jan. 2023.

"Policies, Standards, Best Practices, Guidance, and White Papers." Interagency Security Committee (ISC). Accessed 23 Jan. 2023.

"Profiles, Add-ons and Specifications." ONVIF. Accessed 9 Dec. 2022.

"Protective Security Policy Framework (PSPF)." The Australian Attorney-General's Department (AGD). Accessed 13 Jan. 2023.

"Satellites detect methane plume in Nord Stream leak." The European Space Agency (ESA), 6 oct. 2022. Accessed 23 Jan. 2023.

""Satellites detect methane plume in Nord Stream leak." The European Space Agency (ESA), 6 oct. 2022. Accessed 23 Jan. 2023.

Satgunananthan, Niru. "Challenges in Security Convergence?" LinkedIn, 8 Jan. 2022. Accessed 20 Dec. 2022.

Sooknanan, Shastri and Isaac Kinsella. "Identify the Components of Your Cloud Security Architecture." Info-Tech Research Group, 12 March 2021. Accessed 26 Jan. 2023.

"TC 79 Alarm and electronic security systems." International Electrotechnical Commission (IEC), n.d. Accessed 9 Dec. 2022.

"The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard." Interagency Security Committee (ISC), 2021. Accessed 26 Jan. 2023.

"The Short Guide to Why Security Programs Can Fail." CyberTalk, 23 Sep. 2021. Accessed 30 Dec. 2022.

Verton, Dan. "Companies Aim to Build Security Awareness." Computerworld, 27 Nov. 2022. Accessed 26 Jan. 2023.

"Vulnerability Assessment of Federal Facilities." The United States' Department of Justice, 28 Jun. 1995. Accessed 19 Jan. 2023.

"What is IEC 61508?" 61508 Association. Accessed 23 Jan. 2023.

Wolf, Gene. "Better Include Physical Security With Cybersecurity." T&D World 5 Jan. 2023. Accessed 19 Jan. 2023.

Wood, Kate, and Isaac Kinsella. “Build an Information Security Strategy.” Info-Tech Research Group, 9 Sept. 2020. Web.

Woolf, Tim, et al. "Benefit-Cost Analysis for Utility-Facing Grid Modernization Investments: Trends, Challenges, and Considerations." Lawrence Berkeley National Laboratory, Feb. 2021. Accessed 15 Nov. 2022.

"Work Health and Safety Act 2011." The Australian Government. Accessed 13 Jan. 2023.

Wu, Jing. “Industrial Control System Modernization: Unlock the Value of Automation in Utilities.” Info-Tech Research Group, 6 April 2023. Web.

Research Contributors and Experts

Amy L. Meger, IGP

Information and Cyber Governance Manager
Platte River Power Authority

Andrew Amaro

Chief Security Officer (CSO) & Founder
KLAVAN Security

Bilson Perez

IT Security Manager
4Wall Entertainment

Dan Adams

VP of Information Technology
4Wall Entertainment

Doery Abdou

Senior Manager
March Networks Corporate

Erich Krueger

Manager of Security Engineering
Omaha Public Power District

Kris Krishan

Head of IT
Waymo

Owen Yardley

Director, Facilities Security Preparedness
Omaha Public Power District

Reduce Risk With Rock-Solid Service-Level Agreements

Hold Service Providers more accountable to their contractual obligations with meaningful SLA components & remedies

EXECUTIVE BRIEF

Analyst Perspective

Reduce Risk With Rock-Solid Service-Level Agreements

Every year organizations outsource more and more IT infrastructure to the cloud, and IT operations to managed service providers. This increase in outsourcing presents an increase in risk to the CIO to save on IT spend through outsourcing while maintaining required and expected service levels to internal customers and the organization. Ensuring that the service provider constantly meets their obligations so that the CIO can meet their obligation to the organization can be a constant challenge. This brings forth the importance of the Service Level Agreement.

Research clearly indicates that there is a general lack of knowledge when comes to understanding the key elements of a Service Level Agreement (SLA). Even less understanding of the importance of the components of Service Levels and the Service Level Objectives (SLO) that service provider needs to meet so that the outsourced service consistently meets requirements of the organization. Most service providers are very good at providing the contracted service and they all are very good at presenting SLOs that are easy to meet with very few or no ramifications if they don’t meet their objectives. IT leaders need to be more resolute in only accepting SLOs that are meaningful to their requirements and have meaningful, proactive reporting and associated remedies to hold service providers accountable to their obligations.

Ted Walker

Principal Research Director, Vendor Practice

Info-Tech Research Group

Executive Brief

Vendors provide service level commitments to customers in contracts to show a level of trust, performance, availability, security, and responsiveness in an effort create a sense of confidence that their service or platform will meet your organization’s requirements and expectations. Sifting through these promises can be challenging for many IT Leaders. Customers struggle to understand and evaluate what’s in the SLA – are they meaningful and protect your investment? Not understanding the details of SLAs applicable to various types of Service (SaaS, MSP, Service Desk, DR, ISP) can lead to financial and compliance risk for the organization as well as poor customer satisfaction.

This project will provide IT leadership the knowledge & tools that will allow them to:

• Understand what SLAs are and why they need them.
• Develop standard SLAs that meet the organization’s requirements.
• Negotiate meaningful remedies aligned to Service Levels metrics or KPIs.
• Create SLA monitoring & reporting and remedies requirements to hold the provider accountable.

This research:

1. Is designed for:

• The CIO or CFO who needs to better understand their provider’s SLAs.
• The CIO or BU that could benefit from improved service levels.
• Vendor management who needs to standardize SLAs for the organization IT leadership that needs consistent service levels to the business
• The contract manager who needs a better understanding of contact SLAs

• Understand what a Service Level Agreement is and what it’s for
• Learn what the components are of an SLA and why you need them
• Create a checklist of required SLA elements for your organization
• Develop standard SLA template requirements for various service types
• Learn the importance of SLA management to hold providers accountable

Reduce Risk With Rock-Solid Service-Level Agreements (SLAs)

Hold service providers more accountable to their contractual obligations with meaningful SLA components and remedies

The Problem

IT Leadership doesn't know how to evaluate an SLA.

Misunderstanding of obligations given the type of service provided (SAAS, IAAS, DR/BCP, Service Desk)

Expectations not being met, leading to poor service from the provider.

No way to hold provider accountable.

Why it matters

SLAS are designed to ensure that outsourced IT services meet the requirements and expectations of the organization. Well-written SLAs with all the required elements, metrics, and remedies will allow IT departments to provide the service levels to their customer and avoid financial and contractual risk to the organization.

The Solution

1. Understand the key service elements within an SLA

• Develop a solid understanding of the key elements within an SLA and why they're important.

• Prioritize contractual services and establish concise SLA checklists and performance metrics.

Service types

• Availability/Uptime
• Response Times
• Resolution Time
• Accuracy
• First-Call Resolution

Agreement Types

• SaaS/IaaS
• Service Desk
• MSP
• Co-Location
• DR/BCP
• Security Ops

Performance Metrics

• Reporting
• Remedies & Credits
• Monitoring
• Exclusion

Example SaaS Provider

• Response Times ✓
• Availability/Uptime ✓
• Resolution Time ✓
• Update Times ✓
• Coverage Time ✓
• Monitoring ✓
• Reporting ✓
• Remedies/Credits ✓

SLA Management Framework

1. SLO Monitoring

• SLOs must be monitored by the provider, otherwise they can't be measured.

• This is the key element for the provider to validate their performance.

• Capturing SLO metric attainment provides performance trending for each provider.

• Tracking details provide input into overall vendor performance ratings.

Executive Summary

Your Challenge

To understand which SLAs are required for your organization and how they can differ depending on the service type. In addition, these other challenges can also cloud your knowledge of SLAs

• No standardized SLA documents, Service levels, or metrics
• Dealing with lost productivity & revenue due to persistent downtime
• Understanding SLA components and what service levels are requires for a particular service
• How to manage the SLA and hold the vendor accountable

Common Obstacles

There are several unknowns that SLA can present to different departments within the organization:

• Little knowledge of what service levels are required
• Not knowing SLO standards for a service type
• Lack of resources to manage vendor obligations
• Negotiating required metrics/KPIs with the provider
• Low understanding of the risk that poor SLAs can present to the organization

Info-Tech's Approach

Info-Tech has a three-step approach to effective SLAs

• Understand the elements of an SLA
• Create Requirements for your organization
• Manage the SLA obligations

There are some basic components that every SLA should have – most don’t have half of what is required

Info-Tech Insight

SLAs need to have clear, easy to measure objectives to meet your expectations and service level requirements, including meaningful reporting and remedies to hold the provider accountable to their obligations.

Your challenge

This research is designed to help organizations gain a better understanding of what an SLA is, understand the importance of SLAs in IT contracts, and ensure organizations are provided with rock-solid SLAs that meet their requirements and not just what the vendor wants to provide.

• Vendors can make SLAs weak and difficult to understand; sometimes the metrics are meaningless. Not fully understanding what makes up a good SLA can bring unknown risks to the organization.
• Managing vendor SLA obligations effectively is important. Are adequate resources available? Does the vendor provide manual vs. automated processes and which do you need? Is the process proactive from the vendor or reactive from the customer?

SLAs come in many variations and for many service types. Understanding what needs to be in them is one of the keys to reducing risk to your organization.

“One of the biggest mistakes an IT leader can make is ignoring the ‘A’ in SLA,” adds Wendy M. Pfeiffer, CIO at Nutanix. “

An agreement isn’t a one-sided declaration of IT capabilities, nor is it a one-sided demand of business requirements,” she says. “An agreement involves creating a shared understanding of desired service delivery and quality, calculating costs related to expectations, and then agreeing to outcomes in exchange for investment.” (15 SLA mistakes IT leaders still make | CIO)

Common obstacles

There are typically a lot of unknowns when it comes to SLAs and how to manage them.

Most organizations don’t have a full understanding of what SLAs they require and how to ensure they are met by the vendor. Other obstacles that SLAs can present are:

• Inadequate resources to create and manage SLAs
• Poor awareness of standard or required SLA metrics/KPIs
• Lack of knowledge about each provider’s commitment as well as your obligations
• Low vendor willingness to provide or negotiate meaningful SLAs and credits
• The know-how or resources to effectively monitor and manage the SLA’s performance

SLAs need to address your requirements

55% of businesses do not find all of their service desk metrics useful or valuable (Freshservice.com)

27% of businesses spend four to seven hours a month collating metric reports (Freshservice.com)

Executive Summary

Info-Tech’s Approach

• Understand the elements of an SLA
  • Availability
  • Monitoring
  • Response Times
  • SLO Calculation
  • Resolution Time
  • Reporting
  • Milestones
  • Exclusions
  • Accuracy
  • Remedies & Credits
• Create standard SLA requirements and criteria
  • SLA Element Checklist
  • Corporate Requirements and Standards
  • SLA Templates and Policy
• Effectively Manage the SLA Obligations
  • SLA Management Framework
    • SLO Monitoring
    • Concise Reporting
    • Attainment Tracking
    • Score Carding
    • Remedy Reconciliation

Info-Tech’s three phase approach

Reduce Risk With Rock-Solid Service-Level Agreements

Phase 1

Understand SLA Elements

Phase Content:

• 1.1 What are SLAs, types of SLAs, and why are they needed?
• 1.2 Elements of an SLA
• 1.3 Obligation management monitoring, Reporting requirements
• 1.4 Exclusions
• 1.5 SLAs vs. SLOs vs. SLIs

Outcome:

This phase will present you with an understanding of the elements of an SLA: What they are, why you need them, and how to validate them.

Phase 2

Create Requirements

Phase Content:

• 2.1 Create a list of your SLA criteria
• 2.2 Develop SLA policy & templates
• 2.3 Create a negotiation strategy
• 2.4 SLA Overachieving discussion

Outcome:

This phase will leverage knowledge gained in Phase 1 and guide you through the creation of SLA requirements, criteria, and templates to ensure that providers meet the service level obligations needed for various service types to meet your organization’s service expectations.

Phase 3

Manage Obligations

Phase Content:

• 3.1 SLA Monitoring, Tracking
• 3.2 Reporting
• 3.3 Vendor SLA Reviews & Optimizing
• 3.4 Performance management

Outcome:

This phase will provide you with an SLA management framework and the best practices that will allow you to effectively manage service providers and their SLA obligations.

Insight summary

Overarching insight

SLAs need to have clear, easy-to-measure objectives to meet your expectations and service level requirements, including meaningful reporting and remedies to hold the provider accountable to their obligations.

Phase 1 insight

Not understanding the required elements of an SLA and not having meaningful remedies to hold service providers accountable to their obligations can present several risk factors to your organization.

Phase 2 insight

Creating standard SLA criteria for your organization’s service providers will ensure consistent service levels for your business units and customers.

Phase 3 insight

SLAs can have appropriate SLOs and remedies but without effective management processes they could become meaningless.

Tactical insight

Be sure to set SLAs that are easily measurable from regularly accessible data and that are straight forward to interpret.

Tactical insight

Beware of low, easy to attain service levels and metrics/KPIs. Service levels need to meet your expectations and needs not the vendor’s.

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

SLA Tracker & Trending Tool

Track the provider’s SLO attainment and see how their performance is trending over time

SLA Evaluation Tool

Evaluate SLA service levels, metrics, credit values, reporting, and other elements

SLA Template & Metrics Reference Guide

Reference guide for typical SLA metrics with a generic SLA Template

Service-Level Agreement Checklist

Complete SLA component checklist for core SLA and contractual elements.

Key deliverable:

Service-Level Agreement Evaluation Tool

Evaluate each component of the SLA , including service levels, metrics, credit values, reporting, and processes to meet your requirements

Blueprint objectives

Understand the components of an SLA and effectively manage their obligations

• To provide an understanding of different types of SLAs, their required elements, and what they mean to your organization. How to identify meaningful service levels based on service types. We will break down the elements of the SLA such as service types and define service levels such as response times, availability, accuracy, and associated metrics or KPIs to ensure they are concise and easy to measure.
• To show how important it is that all metrics have remedies to hold the service provider accountable to their SLA obligations.

Once you have this knowledge you will be able to create and negotiate SLA requirements to meet your organization’s needs and then manage them effectively throughout the term of the agreement.

InfoTech Insight:

Right-size your requirements and create your SLO criteria based on risk mitigation and create measurements that motivate the desired behavior from the SLA.

Blueprint benefits

IT Benefits

• An understanding of standard SLA service levels and metrics
• Reduced financial risk through clear and concise easy-to-measure metrics and KPIs
• Improved SLA commitments from the service provider
• Meaningful reporting and remedies to hold the provider accountable
• Service levels and metrics that meet your requirements to support your customers

Business Benefits

• Better understanding of an SLA framework and required SLA elements
• Improved vendor performance
• Standardized service levels and metrics aligned to your organization’s requirements
• Reduced time in reviewing and comprehending vendor SLAs
• Consistent performance from your service providers

Measure the value of this blueprint

1. Dollars Saved

• Improved performance from your service provider
• Reduced financial risk through meaningful service levels & remedies
• Dollars gained through:
  • Reconciled credits from obligation tracking and management
  • Savings due to automated processes

• Reduced time in creating effective SLAs through requirement templates
• Time spent tracking and managing SLA obligations
• Reduced negotiation time
• Time spent tracking and reconciling credits

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

Guided Implementation

"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way wound help keep us on track."

Workshop

"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

Consulting

"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

Diagnostics and consistent frameworks are used throughout all four options.

Guided Implementation

What does a typical GI on this topic look like?

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is between three to six calls over the course of two to three months.

Phase 1 - Understand

• Call #1: Scope requirements, objectives, and your specific SLA challenges

Phase 2 - Create Requirements

• Call #2: Review key SLA and how to identify them
• Call #3: Deep dive into SLA elements and why you need them
• Call #4: Review your service types and SLA criteria
• Call #5: Create internal SLA requirements and templates

Phase 3 - Management

• Call #6: Review SLA Management Framework
• Call #7: Review and create SLA Reporting and Tracking

Workshop Overview

Contact your account representative for more information.

workshops@infotech.com 1-888-670-8889

Reduce Risk With Rock-Solid Service-Level Agreements

Phase 1

Phase 1

Understand SLA Elements

Phase Steps

• 1.1 What are SLAs, the types of SLAs, and why are they needed?
• 1.2 Elements of an SLA
• 1.3 Obligation management monitoring, Reporting requirements
• 1.4 Exclusions and exceptions
• 1.5 SLAs vs. SLOs vs. SLIs

Create Requirements

Manage Obligations

1.1 What are SLAs, the types of SLAs, and why are they needed?

SLA Overview

What is a Service Level Agreement?

An SLA is an overarching contractual agreement between a service provider and a customer (can be external or internal) that describes the services that will be delivered by the provider. It describes the service levels and associated performance metrics and expectations, how the provider will show it has attained the SLAs, and defines any remedies or credits that would apply if the provider fails to meet its commitments. Some SLAs also include a change or revision process.

SLAs come in a few forms. Some are unique, separate, standalone documents that define the service types and levels in more detail and is customized to your needs. Some are separate documents that apply to a service and are web posted or linked to an MSA or SSA. The most common is to have them embedded in, or as an appendix to an MSA or SSA. When negotiating an MSA it’s generally more effective to negotiate better service levels and metrics at the same time.

Objectives of an SLA

To be effective, SLAs need to have clearly described objectives that define the service type(s) that the service provider will perform, along with commitment to associated measurable metrics or KPIs that are sufficient to meet your expectations. The goal of these service levels and metrics is to ensure that the service provider is committed to providing the service that you require, and to allow you to maintain service levels to your customers whether internal or external.

1.1 What are SLAs, the types of SLAs, and why are they needed?

Key Elements of an SLA

Principle service elements of an SLA

There are several more common service-related elements of an SLA. These generally include:

• The Agreement – the document that defines service levels and commitments.
• The service types – the type of service being provided by the vendor. These can include SaaS, MSP, Service Desk, Telecom/network, PaaS, Co-Lo, BCP, etc.
• The service levels – these are the measurable performance objectives of the SLA. They include availability (uptime), response times, restore times, priority level, accuracy level, resolution times, event prevention, completion time, etc.
• Metrics/KPIs – These are the targets or commitments associated to the service level that the service provider is obligated to meet.
• Other elements – Reporting requirements, monitoring, remedies/credit values and process.

Contractual Construct Elements

These are construct components of an SLA that outline their roles and responsibilities, T&Cs, escalation process, etc.

In addition, there are several contractual-type elements including, but not limited to:

• A statement regarding the purpose of the SLA.
• A list of services being supplied (service types).
• An in-depth description of how services will be provided and when.
• Vendor and customer requirements.
• Vendor and customer obligations.
• Acknowledgment/acceptance of the SLA.
• They also list each party’s responsibilities and how issues will be escalated and resolved.

Common types of SLAs explained

Service-level SLA

• This service-level agreement construct is the Service-based SLA. This SLA covers an identified service for all customers in general (for example, if an IT service provider offers customer response times for a service to several customers). In a service-based agreement, the response times would be the same and apply to all customers using the service. Any customer using the service would be provided the same SLA – in this case the same defined response time.

Customer-based SLA

• A customer-based SLA is a unique agreement with one customer. The entire agreement is defined for one or all service levels provided to a particular customer (for example, you may use several services from one telecom vendor). The SLAs for these services would be covered in one contract between you and the vendor, creating a unique customer-based vendor agreement. Another scenario could be where a vendor offers general SLAs for its services but you negotiate a specific SLA for a particular service that is unique or exclusive to you. This would be a customer-based SLA as well.

Multi-level SLA

• This service-level agreement construct is the multi-level SLA. In a multi-level SLA, components are defined to the organizational levels of the customer with cascading coverage to sublevels of the organization. The SLA typically entails all services and is designed to the cover each sub-level or department within the organization. Sometimes the multi-level SLA is known as a master organization SLA as it cascades to several levels of the organization.

InfoTech Insight: Beware of low, easy to attain Service levels and metrics/KPIs. Service levels need to meet your requirements, expectations, and needs not the vendor’s.

1.2 Elements of SLA-objectives, service types, and service levels

Objectives of Service Levels

The objective of the service levels and service credits are to:

• Ensure that the services are of a consistently high quality and meet the requirements of the customer
• Provide a mechanism whereby the customer can attain meaningful recognition of the vendors failure to deliver the level of service for which it was contracted to deliver
• Incentivize the vendor or service provider to comply with and to expeditiously provide a remedy for any failure to attain the service levels committed to in the SLA
• To ensure that the service provider fulfills the defined objectives of the outsourced service

Service types

There are several service types that can be part of an SLA. Service types are the different nature of services associated with the SLA that the provider is performing and being measured against. These can include:

Service Desk, SaaS, PaaS, IaaS, ISP/Telecom/Network MSP, DR & BCP, Co-location security ops, SOW.

Each service type should have standard service level targets or obligations that can vary depending on your requirements and reliance on the service being provided.

Service levels

Service levels are measurable targets, metrics, or KPIs that the service provider has committed to for the particular service type. Service levels are the key element of SLAs – they are the performance expectations set between you and the provider. The service performance of the provider is measured against the service level commitments. The ability of the provider to consistently meet these metrics will allow your organization to fully benefit from the objectives of the service and associated SLAs. Most service levels are time related but not all are.

Common service levels are:

Response times, resolution times per percent, restore/recovery times, accuracy, availability/uptime, completion/milestones, updating/communication, latency.

Each service level has standard or minimum metrics for the provider. The metrics, or KPIs, should be relatively easy to measure and report against on a regular basis. Service levels are generally negotiable to meet your requirements.

1.2.1 Activity SLA Checklist Tool

1-2 hours

Input

• SLA content, Service elements
• Contract terms & exclusions
• Service metrices/KPIs

Output

• A concise list of SLA components
• A list of missing SLA elements
• Evaluation of the SLA

Materials

• Comprehensive checklist
• Service provider SLA
• Internal templates or policies

Participants

• Vendor or contract manager
• IT or business unit manager
• Legal
• Finance

Using this checklist will help you review a provider’s SLA to ensure it contains adequate service levels and remedies as well as contract-type elements.

Instructions:

Use the checklist to identify the principal service level elements as well as the contractual-type elements within the SLA.

Review the SLA and use the dropdowns in the checklist to verify if the element is in the SLA and whether it is within acceptable parameters as well the page or section for reference.

The checklist contains a list of service types that can be used for reference of what SLA elements you should expect to see in that service type SLA.

Download the SLA Checklist Tool

1.3 Monitoring, reporting requirements, remedies/credit process

Monitoring & Reporting

As mentioned, well-defined service levels are key to the success of the SLA. Validating that the metrics/KPIs are being met on a consistent basis requires regular monitoring and reporting. These elements of the SLA are how you hold the provider accountable to the SLA commitments and obligations. To achieve the service level, the service must be monitored to validate that timelines are met and accuracy is achieved.

• Data or details from monitoring must then be presented in a report and delivered to the customer in an agreed-upon format. These formats can be in a dashboard, portal, spreadsheet, or csv file, and they must have sufficient criteria to validate the service-level metric. Reports should be kept for future review and to create historical trending.
• Monitoring and reporting should be the responsibility of the service provider. This is the only way that they can validate to the customer that a service level has been achieved.
• Reporting criteria and delivery timelines should be defined in the SLA and can even have a service level associated with it, such as a scheduled report delivery on the fifth day of the following month.
• Reports need to be checked and balanced. When defining report criteria, be sure to define data source(s) that can be easily validated by both parties.
• Report criteria should include compliance requirements, target metric/KPIs, and whether they were attained.
• The report should identify any attainment shortfall or missed KPIs.

Too many SLAs do not have these elements as often the provider tries to put the onus on the customer to monitor their performance of the service levels. .

1.3.1 Monitoring, reporting requirements, remedies/credit process

Remedies and Credits

Service-level reports validate the performance of the service provider to the SLA metrics or KPIs. If the metrics are met, then by rights, the service provider is doing its job and performing up to expectations of the SLA and your organization.

• What if the metrics are not being met either periodically or consistently? Solving this is the goal of remedies. Remedies are typically monetary costs (in some form) to the provider that they must pay for not meeting a service-level commitment. Credits can vary significantly and should be aligned to the severity of the missed service level. Sometimes there no credits offered by the vendor. This is a red flag in an SLA.
• Typically expressed as a monetary credit, the SLA will have service levels and associated credits if the service-level metric/KPI is not met during the reporting period. Credits can be expressed in a dollar format, often defined as a percentage of a monthly fee or prorated annual fee. Although less common, some SLAs offer non-financial credits. These could include: an extension to service term, additional modules, training credits, access to a higher support level, etc.
• Regardless of how the credit is presented, this is typically the only way to hold your provider accountable to their commitments and to ensure they perform consistently to expectations. You must do a rough calculation to validate the potential monetary value and if the credit is meaningful enough to the provider.

Research shows that credit values that equate to just a few dollars, when you are paying the provider tens of thousands of dollars a month for a service or product, the credit is insignificant and therefore doesn’t incent the provider to achieve or maintain a service level.

1.3.2 Monitoring, reporting requirements, remedies/credit process

Credit Process

Along with meaningful credit values, there must be a defined credit calculation method and credit redemption process in the SLA.

Credit calculation. The credit calculation should be simple and straight forward. Many times, we see providers define complicated methods of calculating the credit value. In some cases complicated service levels require higher effort to monitor and report on, but this shouldn’t mean that the credit for missing the service level needs to require the same effort to calculate. Do a sample credit calculation to validate if the potential credit value is meaningful enough or meets your requirements.

Credit redemption process. The SLA should define the process of how a credit is provided to the customer. Ideally the process should be fairly automated by the service provider. If the report shows a missed service level, that should trigger a credit calculation and credit value posted to account followed by notification. In many SLAs that we review, the credit process is either poorly defined or not defined at all. When it is defined, the process typically requires the customer to follow an onerous process and submit a credit request that must then be validated by the provider and then, if approved, posted to your account to be applied at year end as long as you are in complete compliance with the agreement and up-to-date on your account etc. This is what we need to avoid in provider-written SLAs. You need a proactive process where the service provider takes responsibility for missing an SLA and automatically assigns an accurate credit to your account with an email notice.

Secondary level remedies. These are remedies for partial performance. For example, the platform is accessible but some major modules are not working (i.e.: the payroll platform is up and running and accessible but the tax table is not working properly so you can’t complete your payroll run on-time). Consider the requirement of a service level, metric, and remedy for critical components of a service and not just the platform availability.

Info-Tech Insight SLA’s without adequate remedies to hold the vendor accountable to their commitments make the SLAs essentially meaningless.

1.4 Exclusions indemnification, force majeure, scheduled maintenance

Contract-Related Exclusions

Attaining service-level commitments by the provider within an SLA can depend on other factors that could greatly influence their performance to service levels. Most of these other factors are common and should be defined in the SLA as exclusions or exceptions. Exceptions/exclusions can typically apply to credit calculations as well. Typical exceptions to attaining service levels are:

• Denial of Service (DoS) attacks
• Communication/ISP outage
• Outages of third-party hosting
• Actions or inactions of the client or third parties
• Scheduled maintenance but not emergency maintenance
• Force majeure events which can cover several different scenarios

Attention should be taken to review the exceptions to ensure they are in fact not within the reasonable control of the provider. Many times the provider will list several exclusions. Often these are not reasonable or can be avoided, and in most cases, they allow the service provider the opportunity to show unjustified service-level achievements. These should be negotiated out of the SLA.

1.5 Activity SLA Evaluation Tool

1-2 hours

Input

• SLA content
• SLA elements
• SLA objectives
• SLO calculation methods

Output

• Rating of the SLA service levels and objectives
• Overall rating of the SLA content
• Targeted list of required improvements

Materials

• SLA comprehensive checklist
• Service provider SLA

Participants

• Vendor or contract manager
• IT manager or leadership
• Application or business unit manager

The SLA Evaluation Tool will allow you evaluate an SLA for content. Enter details into the tool and evaluate the service levels and SLA elements and components to ensure the agreement contains adequate SLOs to meet your organization’s service requirements.

Instructions:

Review and identify SLA elements within the service provider’s SLA.

Enter service-level details into the tool and rate the SLOs.

Enter service elements details, validate that all required elements are in the SLA, and rate them accordingly.

Capture and evaluate service-level SLO calculations.

Review the overall rating for the SLA and create a targeted list for improvements with the service provider.

Download the SLA Evaluation Tool

1.5 Clarification: SLAs vs. SLOs vs. SLIs

SLA – Service-Level Agreement The promise or commitment

• This is the formal agreement between you and your service provider that contains their service levels and obligations with measurable metrics/KPIs and associated remedies. SLAs can be a separate or unique document, but are most commonly embedded within an MSA, SOW, SaaS, etc. as an addendum or exhibit.

SLO – Service-Level Objective The goals or targets

• This service-level agreement construct is the customer-based SLA. A Customer-based SLA is a unique agreement with one customer. The entire agreement is defined for one or all service levels provided to a particular customer. For example, you may use several services from one telecom vendor. The SLAs for these services would be covered in one contract between you and the Telco vendor, creating a unique customer-based to vendor agreement. Another scenario: a vendor offers general SLAs for its services and you negotiate a specific SLA for a particular service that is unique or exclusive to you. This would be a customer-based SLA as well.

Other common names are Metrics and Key Performance Indicators (KPIs )

SLI – Service-Level Indicator How did we do? Did we achieve the objectives?

• An SLI is the actual metric attained after the measurement period. SLI measures compliance with an SLO (service level objective). So, for example, if your SLA specifies that your systems will be available 99.95% of the time, your SLO is 99.95% uptime and your SLI is the actual measurement of your uptime. Maybe it’s 99.96%. maybe 99.99% or even 99.75% For the vendor to be compliant to the SLA, the SLI(s) must meet or exceed the SLOs within the SLA document.

Other common names: attainment, results, actual

Info-Tech Insight:

Web-posted SLAs that are not embedded within a signed MSA, can present uncertainty and risk as they can change at any time and typically without direct notice to the customer

Reduce Risk With Rock-Solid Service-Level Agreements

Phase 2

Understand SLA Elements

Phase 2

Create Requirements

Phase Steps

• 2.1 Create a list of your SLA criteria
• 2.2 Develop SLA policy & templates
• 2.3 Create a negotiation strategy
• 2.4 SLA overachieving discussion

Manage Obligations

2.1 Create a list of your SLA criteria

Principle Service Elements

With your understanding of the types of SLAs and the elements that comprise a well-written agreement

• The next step is to start to create a set of SLA criteria for service types that your organization outsources or may require in the future.
• This criteria should define the elements of the SLA with tolerance levels that will require the provider to meet your service expectations.
• Service levels, metrics/KPIs, associated remedies and reporting criteria. This criteria could be captured into table-like templates that can be referenced or inserted into service provider SLAs.
• Once you have defined minimum service-level criteria, we recommend that you do a deeper review of the various service provider types that your organization has in place. The goal of the review is to understand the objective of the service type and associated service levels and then compare them to your requirements for the service to meet your expectations. Service levels and KPIs should be no less than if your IT department was providing the service with its own resources and infrastructure.
• Most IT departments have service levels that they are required to meet with their infrastructure to the business units or organization, whether it’s App delivery, issue or problem resolution, availability etc. When any of these services are outsourced to an external service provider, you need to make all efforts to ensure that the service levels are equal to or better than the previous or existing internal expectations.
• Additionally, the goal is to identify service levels and metrics that don’t meet your requirements or expectations and/or service levels that are missing.

2.2 Develop SLA policies and templates

Contract-type Elements

After creating templates for minimum-service metrics & KPIs, reporting criteria templates, process, and timing, the next step should be to work on contract-type elements and additional service-level components. These elements should include:

• Reporting format, criteria, and timelines
• Monitoring requirements
• Minimum acceptable remedy or credits process; proactive by provider vs. reactive by customer
• Roles & responsibilities
• Acceptable exclusion details
• Termination language for persistent failure to meet SLOs

These templates or criteria minimums can be used as guidelines or policy when creating or negotiating SLAs with a service provider.

Start your initial element templates for your strategic vendors and most common service types: SaaS, IaaS, Service Desk, SecOps, etc. The goal of SLA templates is to create simple minimum guidelines for service levels that will allow you to meet your internal SLAs and expectations. Having SLA templates will show the service provider that you understand your requirements and may put you in a better negotiating position when reviewing with the provider.

When considering SLO metrics or KPIs consider the SMART guidance:

Simple: A KPI should be easy to measure. It should not be complicated, and the purpose behind recording it must be documented and communicated.

Measurable: A KPI that cannot be measured will not help in the decision-making process. The selected KPIs must be measurable, whether qualitatively or quantitatively. The procedure for measuring the KPIs must be consistent and well-defined.

Actionable: KPIs should contribute to the decision-making process of your organization. A KPI that does not make any such contributions serves no purpose.

Relevant: KPIs must be related to operations or functions that a security team seeks to assess.

Time-based: KPIs should be flexible enough to demonstrate changes over time. In a practical sense, an ideal KPI can be grouped together by different time intervals.

(Guide for Security Operations Metrics)

2.2.1 Activity: Review SLA Template & Metrics Reference Guide

1-2 hours

Input

• Service level metrics
• List of who is accountable for PPM decisions

Output

• SLO templates for service types
• SLA criteria that meets your organization’s requirements

Materials

• SLA Checklist
• SLA criteria list with SLO & credit values
• PPM Decision Review Workbook

Participants

• Vendor manager
• IT leadership
• Procurement or contract manager

1. Review the SLA Template and Metrics Reference Guide for common metrics & KPIs for the various service types. Each Service Type tab has SLA elements and SLO metrics typically associated with the type of service.
2. Some service levels have common or standard credits* that are typically associated with the service level or metric.
3. Use the SLA Template to enter service levels, metrics, and credits that meet your organization’s criteria or requirements for a given service type.

Download the SLA Template & Metrics Reference Guide

*Credit values are not standard values, rather general ranges that our research shows to be the typical ranges that credit values should be for a given missed service level

2.3 Create a negotiation strategy

Once you have created service-level element criteria templates for your organization’s requirements, it’s time to document a negotiation position or strategy to use when negotiating with service providers. Not all providers are flexible with their SLA commitments, in fact most are reluctant to change or create “unique” SLOs for individual customers. Particularly cloud vendors providing IaaS, SaaS, or PaaS, SLAs. ISP/Telcom, Co-Lo and DR/BU providers also have standard SLOs that they don’t like to stray far from. On the other hand, security ops (SIEM), service desk, hardware, and SOW/PS providers who are generally contracted to provide variable services are somewhat more flexible with their SLAs and more willing to meet your requirements.

• Service providers want to avoid being held accountable to SLOs, and their SLAs are typically written to reflect that.

The goal of creating internal SLA templates and policies is to set a minimum baseline of service levels that your organization is willing to accept, and that will meet their requirements and expectations for the outsourced service. Using these templated SLOs will set the basis for negotiating the entire SLA with the provider. You can set the SLA purpose, objectives, roles, and responsibilities and then achieve these from the service provider with solid SLOs and associated reporting and remedies.

Info-Tech Insight

Web-posted SLAs that are not embedded within a signed MSA can present uncertainty and risk as they can change at any time and typically without direct notice to the customer

2.3.1 Negotiating strategy guidance

• Be prepared. Create a negotiating plan and put together a team that understands your organization’s requirements for SLA.
• Stay informed. Request provider’s recent performance data and negotiate SLOs to the provider’s average performance.
• Know what you need. Corporate SLA templates or policies should be positioned to service providers as baseline minimums.
• Show some flexibility. Be willing to give up some ground on one SLO in exchange for acceptance of SLOs that may be more important to your organization.
• Re-group. Have a fallback position or Plan B. What if the provider can’t or won’t meet your key SLOs? Do you walk?
• Do your homework. Understand what the typical standard SLOs are for the type of service level.

2.4 SLO overachieving incentive discussion

Monitoring & Reporting

• SLO overachieving metrics are seen in some SLAs where there is a high priority for a service provider to meet and or exceed the SLOs within the SLA. These are not common terms but can be used to improve the overall service levels of a provider. In these scenarios the provider is sometimes rewarded for overachieving on the SLOs, either consistently or on a monthly or quarterly basis. In some cases, it can make financial sense to incent the service provider to overachieve on their commitments. Incentives can drive behaviors and improved performance by the provider that can intern improve the benefits to your organization and therefore justify an incent of some type.
• Example: You could have an SLO for invoice accuracy. If not achieved, it could cost the vendor if they don’t meet the accuracy metric, however if they were to consistently overachieve the metric it could save accounts payable hours of time in validation and therefore you could pass on some of these measurable savings to the provider.
• Overachieving incentives can add complexity to the SLA so they need to be easily measurable and simple to manage.
• Overachieving incentives can also be used in provider performance improvement plans, where a provider might have poor trending attainment and you need to have them improve their performance in a short period of time. Incentives typically will motivate provider improvement and generally will cost much less than replacing the provider.
• There is another school of thought that you shouldn’t have to pay a provider for doing their job; however, others are of the opinion that incentives or bonuses improve the overall performance of individuals or teams and are therefore worth consideration if both parties benefit from the over performance.

Reduce Risk With Rock-Solid Service-Level Agreements

Phase 3

Understand SLA Elements

Create Requirements

Phase 3

Manage Obligations

Phase Steps

• 3.1 SLA monitoring and tracking
• 3.2 Reporting
• 3.3 Vendor SLA reviews & optimizing
• 3.4 Performance management

3.1 SLA monitoring, tracking, and remedy reconciliation

The next step to effective SLAs is the management component. It could be fruitless if you were to spend your time and efforts negotiating your required service levels and metrics and don’t have some level of managing the SLA. In that situation you would have no way of knowing if the service provider is attaining their SLOs.

There are several key elements to effective SLA management:

• SLO monitoring
• Simple, concise reporting
• SLO attainment tracking
• Score carding & trending
• Remedy reconciliation

SLA Management framework

SLA Monitoring → Concise Reporting → Attainment Tracking → Score Carding →Remedy Reconciliation

“A shift we’re beginning to see is an increased use of data and process discovery tools to measure SLAs,” says Borowski of West Monroe. “While not pervasive yet, these tools represent an opportunity to identify the most meaningful metrics and objectively measure performance (e.g., cycle time, quality, compliance). When provided by the client, it also eliminates the dependency on provider tools as the source-of-truth for performance data.” – Stephanie Overby

3.1 SLA management framework

SLA Performance Management

• SLA monitoring provides data for SLO reports or dashboards. Reports provide attainment data for tacking over time. Attainment data feeds scorecards and allows for trending analysis. Missed attainment data triggers remedies.
• All service providers monitor their systems, platforms, tickets, agents, sensors etc. to be able to do their jobs. Therefore, monitoring is readily available from your service provider in some form.
• One of the key purposes of monitoring is to generate data into internal reports or dashboards that capture the performance metrics of the various services. Therefore, service-level and metric reports are readily available for all of the service levels that a service provider is contracted or engaged to provide.
• Monitoring and reporting are the key elements that validate how your service provider is meeting its SLA obligations and thus are very important elements of an SLA. SLO report data becomes attainment data once the metric or KPI has been captured.
• As a component of effective SLA management, this attainment data needs to be tracked/recorded in an easy-to-read format or table over a period of time. Attainment data can then be used to generate scorecards and trending reports for your review both internally and with the provider as required.
• If attainment data shows that the service provider is meeting their SLA obligations, then the SLA is meeting your requirements and expectations. If on the other hand, attainment data shows that obligations are not being met, then actions must be taken to hold the service provider accountable. The most common method is through remedies that are typically in the form of a credit through a defined process (see Sec. 1.3). Any credits due for missed SLOs should also be tracked and reported to stakeholders and accounting for validation, reconciliation, and collection.

3.2 Reporting

Monitoring & Reporting

• Many SLAs are silent on monitoring and reporting elements and require that the customer, if aware or able, to monitor the providers service levels and attainment and create their own KPI and reports. Then if SLOs are not met there is an arduous process that the customer must go through to request their rightful credit. This manual and reactive method creates all kinds of risk and cost to the customer and they should make all attempts to ensure that the service provider proactively provides SLO/KPI attainment reports on a regular basis.
• Automated monitoring and reporting is a common task for many IT departments. There is no reason that a service provider can’t send reports proactively in a format that can be easily interpreted by the customer. The ideal state would be to capture KPI report data into a customer’s internal service provider scorecard.
• Automated or automatic credit posting is another key element that service providers tend to ignore, primarily in hopes that the customer won’t request or go through the trouble of the process. This needs to change. Some large cloud vendors already have automated processes that automatically post a credit to your account if they miss an SLO. This proactive credit process should be at the top of your negotiation checklist. Service providers are avoiding thousands of credit dollars every year based on the design of their credit process. As more customers push back and negotiate more efficient credit processes, vendors will soon start to change and may use it as a differentiator with their service.

3.2.1 Performance tracking and trending

What gets measured gets done

SLO Attainment Tracking

A primary goal of proactive and automated reporting and credit process is to capture the provider’s attainment data into a tracker or vendor scorecard. These tracking scorecards can easily create status reports and performance trending of service providers, to IT leadership as well as feed QBR agenda content.

Remedy Reconciliation

Regardless of how a credit is processed it should be tracked and reconciled with internal stakeholders and accounting to ensure credits are duly applied or received from the provider and in a timely manner. Tracking and reconciliation must also align with your payment terms, whether monthly or annually.

“While the adage, ‘You can't manage what you don't measure,’ continues to be true, the downside for organizations using metrics is that the provider will change their behavior to maximize their scores on performance benchmarks.” – Rob Lemos

3.2.1 Activity SLA Tracker and Trending Tool

1-2 hours setup

Input

• SLO metrics/KPIs from the SLA
• Credit values associated with SLO

Output

• Monthly SLO attainment data
• Credit tracking
• SLO trending graphs

Materials

• Service provider SLO reports
• Service provider SLA
• SLO Tracker & Trending Tool

Participants

• Contract or vendor managers
• Application or service managers
• Service provider

An important activity in the SLA management framework is to track the provider’s SLO attainment on a monthly or quarterly basis. In addition, if an SLO is missed, an associated credit needs to be tracked and captured. This activity allows you to capture the SLOs from the SLA and track them continually and provide data for trending and review at vendor performance meetings and executive updates.

Instructions: Enter SLOs from the SLA as applicable.

Each month, from the provider’s reports or dashboards, enter the SLO metric attainment.

When an SLO is met, the cell will turn green. If the SLO is missed, the cell will turn red and a corresponding cell in the Credit Tracker will turn green, meaning that a credit needs to be reconciled.

Use the Trending tab to view trending graphs of key service levels and SLOs.

Download the SLO Tracker and Trending Tool

3.3 Vendor SLA reviews and optimizing

Regular reviews should be done with providers

Collecting attainment data with scorecards or tracking tools provides summary information on the performance of the service provider to their SLA obligations. This information should be used for regular reviews both internally and with the provider.

Regular attainment reviews should be used for:

• Performance trending upward or downward
• Identifying opportunities to revise or improve SLOs
• Optimizing SLO and processes
• Creating a Performance Improvement Plan (PIP) for the service provider

Some organizations choose to review SLA performance with providers at regular QBRs or at specific SLA review meetings

This should be determined based on the criticality, risk, and strategic importance of the provider’s service. Providers that provide essential services like ERP, payroll, CRM, HRIS, IaaS etc. should be reviewed much more regularly to ensure that any decline in service is identified early and addressed properly in accordance with the service provider. Negative trending performance should also be documented for consideration at renewal time.

3.4 Performance management

Dealing with persistent poor performance and termination

Service providers that consistently miss key service level metrics or KPIs present financial and security risk to the organization. Poor performance of a service provider reflects directly on the IT leadership and will affect many other business aspects of the organization including:

• Ability to conduct day-to-day business activities
• Meet internal obligations and expectations
• Employee productivity and satisfaction
• Maintain corporate policies or industry compliance
• Meet security requirements

Communication is key. Poor performance of a service provider needs to be dealt with in a timely manner in order to avoid more critical impact of the poor performance. Actions taken with the provider can also vary depending again on the criticality, risk, and strategic importance of the provider’s service.

Performance reviews should provide the actions required with the goal of:

• Making the performance problems into opportunities
• Working with the provider to create a PIP with aggressive timelines and ramifications if not attained
• Non-renewal or termination consideration, if feasible including provider replacement options, risk, costs, etc.
• SLA renegotiation or revisions
• Warning notifications to the service provider with concise issues and ramifications

To avoid the issues and challenges of dealing with chronic poor performance, consider a Persistent or Chronic Failure clause into the SLA contract language. These clauses can define chronic failure, scenarios, ramifications there of, and defined options for the client including increased credit values, non-monetary remedies, and termination options without liability.

Info-Tech Insight

It’s difficult to prevent chronic poor performance but you can certainly track it and deal with it in a way that reduces risk and cost to your organization.

SLA Hall of Shame

Crazy service provider SLA content collection

• Excessive list of unreasonable exclusions
• Subcontractors’ behavior could be excluded
• Downtime credit, equal to downtime percent x the MRC
• Controllable FM events (internal labor issues, health events)
• Difficult downtime or credit calculations that don’t make sense
• Credits are not valid if agreement is terminated early or not renewed
• Customer is not current on their account, SLA or credits do not count/apply
• Total downtime = to prorated credit value (down 3 hrs = 3/720hrs = 0.4% credit)
• SLOs don’t apply if customer fails to report the issue or request a trouble ticket
• Downtime during off hours (overnight) do not count towards availability metrics
• Different availability commitments based on different support-levels packages
• Extending the agreement term by the length of downtime as a form of a remedy

SLA Dos and Don’ts

Dos

• Do negotiate SLOs to vendor’s average performance
• Do strive for automated reporting and credit processes
• Do right-size and create your SLO criteria based on risk mitigation
• Do review SLA attainment results with strategic service providers on a regular basis
• Do ensure that all key elements and components of an SLA are present in the document or appendix

Don'ts

• Don’t accept the providers response that “we can’t change the SLOs for you because then we’d have to change them for everyone”
• Don’t leave SLA preparation to the last minute. Give it priority as you negotiate with the provider
• Don’t create complex SLAs with numerous service levels and SLOs that need to be reported and managed
• Don’t aim for absolute perfection. Rather, prioritize which service levels are most important to you for the service

Summary of Accomplishment

Problem Solved

Knowledge Gained

• Understanding of the elements and components of an SLA
• A list of SLO metrics aligned to service types that meet your organization’s criteria
• SLA metric/KPI templates
• SLA Management process for your provider’s service objectives
• Reporting and tracking process for performance trending

Deliverables Completed

• SLA component and contract element checklist
• Evaluation or service provider SLAs
• SLA templates for strategic service types
• SLA tracker for strategic service providers

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

Contact your account representative for more information.

workshops@infotech.com

1-888-670-8889

Related Info-Tech Research

Improve IT-Business Alignment Through an Internal SLA

• Understand business requirements, clarify current capabilities, and enable strategies to close service-level gaps.

Data center Co-location SLA & Service Definition Template

• In essence, the SLA defines the “product” that is being purchased, permitting the provider to rationalize resources to best meet the needs of varied clients, and permits the buyer to ensure that business requirements are being met.

Ensure Cloud Security in IaaS, PaaS, and SaaS Environments

• Keep your information security risks manageable when leveraging the benefits of cloud computing.

Bibliography

Henderson, George. “3 Most Common Types of Service Level Agreement (SLA).” Master of Project Academy. N.d. Web.

“Guide to Security Operations Metrics.” Logsign. Oct 5, 2020. Web.

Lemos, Rob. “4 lessons from SOC metrics: What your SpecOps team needs to know.” TechBeacon. N.d. Web.

“Measuring and Making the Most of Service Desk Metrics.” Freshworks. N.d. Web.

Overby, Stephanie. “15 SLA Mistakes IT Leaders Still Make.” CIO. Jan 21, 2021.

Decide if You Are Ready for SAFe

Approach the Scaled Agile Framework (SAFe) with open eyes and an open wallet.

Analyst Perspective

Ensure that SAFe is the right move before committing.

Waterfall is dead. Or obsolete at the very least.

Organizations cannot wait months or years for product, service, application, and process changes. They need to embrace business agility to respond to opportunities more quickly and deliver value sooner. Agile established values and principles that have promoted smaller cycle times, greater connections between teams, improved return on investment (ROI) prioritization, and improved team empowerment.

Where organizations continue to struggle is matching localized Scrum teams with enterprise initiatives. This struggle is compounded by legacy executive planning cycles, which undermine Agile team authority. SAFe has provided a series of frameworks to help organizations deal with these issues. It combines enterprise planning and alignment with cross-team collaboration.

Don't rely on popularity or marketing to make your scaled Agile decision. SAFe is a highly disruptive transformation, and it requires extensive training, coaching, process changes, and time to implement. Without the culture shift to an Agile mindset at all levels, SAFe becomes a mirror of Waterfall processes dressed in SAFe names. Furthermore, SAFe itself will not fix problems with communication, requirements, development, testing, release, support, or governance. You will still need to fix these problems within the SAFe framework to be successful.

Hans Eckman
Principal Research Director, Applications Delivery and Management
Info-Tech Research Group

Executive Summary

Info-Tech Insight
SAFe is a highly disruptive enterprise transformation, and it won't solve your organizational delivery challenges by itself. Start with an open mind, and understand what is needed to support a multi-year cultural transition. Decide how far and how fast you are willing to transform, and make sure that you have the right transformation and coaching partner in place. There is no right software development lifecycle (SDLC) or methodology. Find or create the methodology that best aligns to your needs and goals.

Agile's Four Core Values

"...while there is value in the items on the right, we value the items on the left more."
- The Agile Manifesto

STOP! If you're not Agile, don't start with SAFe.

Successful SAFe requires an Agile mindset at all levels.

Be aware of common myths around Agile and SAFe

SAFe does not...

1...solve development and communication issues.

2...ensure that you will finish requirements faster.

3...mean that you do not need planning and documentation.

"Without proper planning, organizations can start throwing more resources at the work, which spirals into the classic Waterfall issues of managing by schedule."
– Kristen Morton, Associate Implementation Architect,
OneShield Inc. (Info-Tech Interview)

Info-Tech Insight
Poor culture, processes, governance, and leadership will disrupt any methodology. Many drivers for SAFe could be solved by improving and standardizing development and release management within current methodologies.

Review the drivers that are motivating your organization to adopt and scale Agile practices

Functional groups have their own drivers to adopt Agile development processes, practices, and techniques (e.g. to improve collaboration, decrease churn, or increase automation). Their buy-in to scaling Agile is just as important as the buy-in of stakeholders.

If a group's specific needs and drivers are not addressed, its members may develop negative sentiments toward Agile development. These negative sentiments can affect their ability to see the benefits of Agile, and they may return to their old habits once the opportunity arises.

It is important to find opportunities in which both business objectives and functional group drivers can be achieved by scaling Agile development. This can motivate teams to continuously improve and adhere to the new environment, and it will maintain business buy-in. It can also be used to justify activities that specifically address functional group drivers.

Examples of Motivating Drivers for Scaling Agile

• Improve artifact handoffs between development and operations.
• Increase collaboration among development teams.
• Reveal architectural and system risks early.
• Expedite the feedback loop from support.
• Improve capacity management.
• Support development process innovation.
• Create a safe environment to discuss concerns.
• Optimize value streams.
• Increase team engagement and comradery.

Don't start with scaled Agile!

Scaling Agile is a way to optimize product management and product delivery in application lifecycle management practices. Do not try to start with SAFe when the components are not yet in place.

Scale Agile delivery to improve cross-functional dependencies and releases

Top Business Concerns When Scaling Agile

1 Organizational Culture: The current culture may not support team empowerment, learning from failure, and other Agile principles. SAFe also allows top-down decisions to persist.

2 Executive Support: Executives may not dedicate resources, time, and effort into removing obstacles to scaling Agile because of lack of business buy-in.

3 Team Coordination: Current collaboration structures may not enable teams and stakeholders to share information freely and integrate workflows easily.

4 Business Misalignment: Business vision and objectives may be miscommunicated early in development, risking poorly planned and designed initiatives and low-quality products.

Extending collaboration is the key to success.

Uniting stakeholders and development into a single body is the key to success. Assess the internal and external communication flow and define processes for planning and tracking work so that everyone is aware of how to integrate, communicate, and collaborate.

The goal is to enable faster reaction to customer needs, shorter release cycles, and improved visibility of the project's progress with cross-functional and diverse conversations.

Advantages of successful SAFe implementations

Once SAFe is complete and operational, organizations have seen measurable benefits:

• Multiple frameworks to support different levels of SAFe usage
• Deliberate and consistent planning and coordination
• Coordinating dependencies within value streams
• Reduced time to delivery
• Focus on customers and end users
• Alignment to business goals and value streams
• Increased employee engagement

Sources: TechBeacon, 2019; Medium, 2020; "Benefits," Scaled Agile, 2023;
"Pros and Cons," PremierAgile, n.d.; "Scaling Agile Challenges," PremierAgile, n.d.

Source: "Benefits," Scaled Agile, 2023

Recognize the difference between Scrum teams and the Scaled Agile Framework (SAFe)

SAFe provides a framework that aligns Scrum teams into coordinated release trains driven by top-down prioritization.

Develop Your Agile Approach for a Successful Transformation

Source: Scaled Agile, Inc.

Info-Tech's IT Management & Governance Framework

Info-Tech Insight
SAFe is an enterprise, culture, and process transformation that impacts all IT services. Some areas of Info-Tech's IT Management & Governance Framework have higher impacts and require special attention. Plan to include transformation support for each of these topics during your SAFe implementation. SAFe will not fix broken processes on its own.

Without adopting an Agile mindset, SAFe becomes Waterfall with SAFe terminology

Source: Scaled Agile, Inc.

Info-Tech Insight
When first implementing SAFe, organizations reproduce their organizational design and Waterfall delivery structures with SAFe terms:

• Delivery Manager = Release Train Engineer
• Stakeholder/Sponsor = Product Manager
• Release = Release Train
• Project/Program = Project or Portfolio

SAFe isn't without risks or challenges

Risks and Causes of Failed SAFe Transformations

• SAFe conflicts with legacy cultures and delivery processes.
• SAFe promotes continued top-down decisions, undermining team empowerment.
• Scaled product families are required to define proper value streams.
• Team empowerment and autonomy are reduced.
• SAFe activities are poorly executed.
• There are high training and coaching costs.
• Implementation takes a long time.
• End-to-end delivery management tools aligned to SAFe are required.
• Legacy delivery challenges are not specifically solved with SAFe.
• SAFe is designed to work for large-scale development teams.

Challenges

• Adjusting to a new set of terms for common roles, processes, and activities
• Executing planning cycles
• Defining features and epics at the right level
• Completing adequate requirements
• Defining value streams
• Coordinating releases and release trains
• Providing consistent quality

Sources: TechBeacon, 2019; Medium, 2020; "Benefits," Scaled Agile, 2023;
"Pros and Cons," PremierAgile, n.d.; "Scaling Agile Challenges," PremierAgile, n.d.

Focus on your core competencies instead

Before undertaking an enterprise transformation, consider improving the underlying processes that will need to be fixed anyway. Fixing these areas while implementing SAFe compounds the effort and disruption.

Product Delivery

• Agile/DevOps Research Center
• Develop Your Agile Approach for a Successful Transformation
  • Understand Agile fundamentals, principles, and practices so you can apply them effectively in your organization.
• Implement DevOps Practices That Work
  • Streamline business value delivery through the strategic adoption of DevOps practices.

Product Management

• Product Lifecycle Management Research Center
• Make the Case for Product Delivery
  • Align your organization on the practices to deliver what matters most.
• Deliver on Your Digital Product Vision
  • Build a product vision your organization can take from strategy through execution.
• Deliver Digital Products at Scale
  • Deliver value at the scale of your organization through defining enterprise product families.
• Introduce Program Management to Your Organization
  • Use programs to align projects to your strategic goals.
• Optimize IT Project Intake, Approval, and Prioritization
  • Decide which IT projects to approve and when to start them.
• Manage Requirements in an Agile Environment
  • Agile and requirements management are complementary, not competitors.
• Build a Software Quality Assurance Program
  • Build quality into every step of your SDLC.
• Automate Testing to Get More Done
  • Drive software delivery throughput and quality confidence by extending your automation test coverage.
• Application Portfolio Management Foundations
  • Ensure your application portfolio delivers the best possible return on investment.

"But big-bang transitions are hard. They require total leadership commitment, a receptive culture, enough talented and experienced agile practitioners to staff hundreds of teams without depleting other capabilities, and highly prescriptive instruction manuals to align everyone's approach."
– "Agile at Scale," Harvard Business Review

Insight Summary

Overarching insight
SAFe is a highly disruptive enterprise transformation, and it will not solve your organizational delivery challenges by itself. Start with an open mind, and understand what is needed to support a multi-year cultural transition. Decide how far and fast you are willing to transform and make sure that you have the right transformation and coaching partner in place.

SAFe conflicts with core Agile principles.
The popularity of SAFe is largely due to its structural resemblance to enterprise portfolio and project planning with top-down prioritization and decision-making. This directly conflicts with Agile's purpose and principles of empowerment and agility.

SAFe and Agile will not solve enterprise delivery challenges.
Poor culture, processes, governance, and leadership will disrupt any methodology. Many issues with drivers for SAFe could be solved by improving development and release management within current methodologies.

Most organizations should not be using a pure SAFe framework
Few organizations are capable of, or should be, applying a pure SAFe framework. Successful organizations have adopted and modified SAFe frameworks to best fit their needs, teams, value streams, and maturity.

Without an Agile mindset, SAFe will be executed as Waterfall stages using SAFe terminology.
Groups that "Do Agile" are not likely to embrace the behavioral changes needed to make any scaled framework effective. SAFe becomes a series of Waterfall PIs using SAFe terminology.

Your transformation does not start with SAFe.
Start your transition to scaled Agile with a maturity assessment for current delivery practices. Fixing broken process, tools, and teams must be at the heart of your initiative.

Blueprint Deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

Key Deliverable

SAFe Transformation Playbook

Build a transformation and organizational change management plan to guide your transition. Define clear ownership for every critical step.

Scaled Agile Readiness Assessment

Conduct the Agile readiness survey. Without an Agile mindset, SAFe will follow Waterfall or WaterScrumFall practices.

Case Study

Spotify's approach to Agile at scale

INDUSTRY: Digital Media
SOURCE: Unified Communications and Collaborations

Spotify's Scaling Agile Initiative

With rapid user adoption growth (over 15 million active users in under six years), Spotify had to find a way to maintain an Agile mindset across 30+ teams in three different cities, while maintaining the benefits of cross-functional collaboration and flexibility for future growth.

Spotify's Approach

Spotify found a fit-for-purpose way for the organization to increase team autonomy without losing the benefits of cross-team communication from economics of scale. Spotify focused on identifying dependencies that block or slow down work through a mix of reprioritization, reorganization, architectural changes, and technical solutions. The organization embraced dependencies that led to cross-team communication and built in the necessary flexibility to allow Agile to grow with the organization.

Spotify's scaling Agile initiative used interview processes to identify what each team depended on and how those dependencies blocked or slowed the team.

Squad refers to an autonomous Agile release team in this case study.

Case Study

Suncorp instilled dedicated communication streams to ensure cross-role collaboration and culture.

INDUSTRY: Insurance
SOURCE: Agile India, International Conference on Agile and Lean Software Development, 2014

Case Study

Nationwide embraces DevOps and improves software quality.

INDUSTRY: Insurance
SOURCE: Agile India, International Conference on Agile and Lean Software Development, 2014

Info-Tech offers various levels of support to best suit your needs

Diagnostics and consistent frameworks are used throughout all four options.

Guided Implementation

What does a typical GI on this topic look like?

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is one to four calls over the course of one to six weeks.

Workshop Overview

Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889

Supporting Your Agile Journey

Enable Product Agile Delivery Executive Workshop	Develop Your Agile Approach	Spread Best Practices with an Agile Center of Excellence	Implement DevOps Practices That Work	Enable Organization-Wide Collaboration by Scaling Agile
Align and prepare your IT leadership teams. Audience: Senior and IT delivery leadership Size: 8-16 people Time: 7 hours	Tune Agile team practices to fit your organization culture. Audience: Agile pilot teams and subject matter experts (SMEs) Size: 10-20 people Time: 4 days	Leverage Agile thought leadership to expand your best practices. Audience: Agile SMEs and thought leaders Size: 10-20 people Time: 4 days	Build a continuous integration and continuous delivery pipeline. Audience: Product owners (POs) and delivery team leads Size: 10-20 people Time: 4 days	Execute a disciplined approach to rolling out Agile methods. Audience: Agile steering team and SMEs Size: 3-8 people Time: 3 hours

Sample agendas are included in the following sections for each of these topics.

Your Product Transformation Journey

Phase 1

Determine if SAFe Is Right for Your Organization

Phase 1
1.1 Understand where SAFe fits into your delivery methodologies and SDLCs
1.2 Determine if you are ready for SAFe (fit for purpose)

This phase will walk you through the following activities:

• 1.1.1 Define your primary drivers for SAFe.
• 1.1.2 Create your own list of pros and cons of SAFe.
• 1.2.1 Assess your Agile readiness.
• 1.2.2 Define enablers and blockers for scaling Agile delivery.
• 1.2.3 Estimate your SAFe implementation risk.
• 1.2.4 Start your SAFe implementation plan.

This phase involves the following participants:

• Senior leadership
• IT leadership
• Project Management Office
• Delivery managers
• Product managers/owners
• Agile thought leaders and coaches
• Compliance teams leads

Step 1.1

Understand where SAFe fits into your delivery methodologies and SDLCs

Activities
1.1.1 Define your primary drivers for SAFe
1.1.2 Create your own list of pros and cons of SAFe

This step involves the following participants:

• IT leadership
• Delivery managers
• Project management office
• Product owners and managers
• Development team leads
• Portfolio managers
• Architects

Outcomes of this step:

• List of primary drivers for SAFe
• List of pros and cons of SAFe

Agile's Four Core Values

"...while there is value in the items on the right, we value the items on the left more."
– The Agile Manifesto

STOP! If you're not Agile, don't start with SAFe.

Successful SAFe requires an Agile mindset at all levels.

Be aware of common myths around Agile and SAFe

SAFe does not...

1...solve development and communication issues.

2...ensure that you will finish requirements faster.

3...mean that you do not need planning and documentation.

"Without proper planning, organizations can start throwing more resources at the work, which spirals into the classic Waterfall issues of managing by schedule."
– Kristen Morton, Associate Implementation Architect,
OneShield Inc. (Info-Tech Interview)

Info-Tech Insight
SAFe only provides a framework and steps where these issues can be resolved.

The importance of values and principles

Modern development practices (such as Agile, Lean, and DevOps) are based on values and principles. This supports the move away from command-and-control management to self-organizing teams.

Values

• Values represent your team's core beliefs and capture what you want to instill in your team.

Principles

• Principles represent methods for solving a problem or deciding.
• Given that principles are rooted in specifics, they can change more frequently because they are both fallible and conducive to learning.

Consider the guiding principles of your application team

Teams may have their own perspectives on how they deliver value and their own practices for how they do this. These perspectives can help you develop guiding principles for your own team to explain your core values and cement your team's culture. Guiding principles can help you:

• Enable the appropriate environment to foster collaboration within current organizational, departmental, and cultural constraints
• Foster the social needs that will engage and motivate your team in a culture that suits its members
• Ensure that all teams are driven toward the same business and team goals, even if other teams are operating differently
• Build organizational camaraderie aligned with corporate strategies

Info-Tech Insight
Following methodologies by the book can be detrimental if they do not fit your organization's needs, constraints, and culture. The ultimate goal of all teams is to deliver value. Any practices or activities that drive teams away from this goal should be removed or modified.

Review the drivers that are motivating your organization to adopt and scale Agile practices

Functional groups have their own drivers to adopt Agile development processes, practices, and techniques (e.g. to improve collaboration, decrease churn, or increase automation). Their buy-in to scaling Agile is just as important as the buy-in of stakeholders.

By not addressing a group's specific needs and drivers, the resulting negative sentiments of its members toward Agile development can affect their ability to see the benefits of Agile and they may return to old habits once the opportunity arises.

Find opportunities in which both business objectives and functional group drivers can be achieved with scaling Agile development. This alignment can motivate teams to continuously improve and adhere to the new environment, and it will maintain business buy-in. This assessment can also be used to justify activities that specifically address functional group drivers.

Examples of Motivating Drivers for Scaling Agile

• Improve artifact hand-offs between development and operations.
• Increase collaboration among development teams.
• Reveal architectural and system risks early.
• Expedite the feedback loop from support.
• Improve capacity management.
• Support development process innovation.
• Create a safe environment to discuss concerns.
• Optimize value streams.
• Increase team engagement and comradery.

Exercise 1.1.1 Define your primary drivers for SAFe

30 minutes

• Brainstorm a list of drivers for scaling Agile.
• Build a value canvas to help capture and align team expectations.
• Identify jobs or functions that will be impacted by SAFe.
• List your current pains and gains.
• List the pain relievers and gain creators.
• Identify the deliverable needed for a successful transformation.
• Complete your SAFe value canvas in your SAFe Transformation Playbook.

Enter the results in your SAFe Transformation Playbook.

SAFe Value Canvas Template

Case Study

A public utilities organization steadily lost stakeholder engagement, diminishing product quality.

INDUSTRY: Public Utilities
SOURCE: Info-Tech Expert Interview

Challenge

• The goal of a public utilities organization was to adopt Agile so it could quickly respond to changes and trim costs.
• The organization decided to scale Agile using a structured approach. It began implementation with IT teams that were familiar with Agile principles and leveraged IT seniors as Agile champions. To ensure that Agile principles were widespread, the organization decided to develop a training program with vendor assistance.
• As Agile successes began to be seen, the organization decided to increase the involvement of business teams gradually so it could organically grow the concept within the business.

Results

• Teams saw significant success with many projects because they could easily demonstrate deliverables and clearly show the business value. Over time, the teams used Agile for large projects with complex processing needs.
• Teams continued to deliver small projects successfully, but business engagement waned over time. Some of the large, complex applications they delivered using Agile lacked the necessary functionality and appropriate controls and, in some cases, did not have the ability to scale due to a poor architectural framework. These applications required additional investment, which far exceeded the original cost forecasts.

While Agile and product development are intertwined, they are not the same!

Delivering products does not necessarily require an Agile mindset. However, Agile methods help to facilitate the journey because product thinking is baked into them.

Recognize the difference between Scrum teams and the Scaled Agile Framework (SAFe)

SAFe provides a framework that aligns Scrum teams into coordinated release trains driven by top-down prioritization.

Develop Your Agile Approach for a Successful Transformation

Without adopting an Agile mindset, SAFe becomes Waterfall with SAFe terminology

Info-Tech Insight
When first implementing SAFe, organizations reproduce their organizational design and Waterfall delivery structures with SAFe terms:

• Delivery Manager = Release Train Engineer
• Stakeholder/Sponsor = Product Manager
• Release = Release Train
• Project/Program = Project or Portfolio

Advantages of successful SAFe implementations

Once SAFe is complete and operational, organizations have seen measurable benefits:

• Multiple frameworks to support different levels of SAFe usage
• Deliberate and consistent planning and coordination
• Coordinating dependencies within value streams
• Reduced time to delivery
• Focus on customers and end users
• Alignment to business goals and value streams
• Increased employee engagement

Sources: TechBeacon, 2019; Medium, 2020; "Benefits," Scaled Agile, 2023;
"Pros and Cons," PremierAgile, n.d.; "Scaling Agile Challenges," PremierAgile, n.d.

Source: "Benefits," Scaled Agile, 2023

SAFe isn't without risks or challenges

Risks and Causes of Failed SAFe Transformations

• SAFe conflicts with legacy cultures and delivery processes.
• SAFe promotes continued top-down decisions, undermining team empowerment.
• Scaled product families are required to define proper value streams.
• Team empowerment and autonomy are reduced.
• SAFe activities are poorly executed.
• There are high training and coaching costs.
• Implementation takes a long time.
• End-to-end delivery management tools aligned to SAFe are required.
• Legacy delivery challenges are not specifically solved with SAFe.
• SAFe is designed to work for large-scale development teams.

Challenges

• Adjusting to a new set of terms for common roles, processes, and activities
• Executing planning cycles
• Defining features and epics at the right level
• Completing adequate requirements
• Defining value streams
• Coordinating releases and release trains
• Providing consistent quality

Sources: TechBeacon, 2019; Medium, 2020; "Benefits," Scaled Agile, 2023; "Pros and Cons," PremierAgile, n.d.; "Scaling Agile Challenges," PremierAgile, n.d.

Exercise 1.1.2 Create your own list of the pros and cons of SAFe

1 hour

Enter the results in your SAFe Transformation Playbook

Focus on your core competencies instead

Before undertaking an enterprise transformation, consider improving the underlying processes that will need to be fixed anyway. Fixing these areas while implementing SAFe compounds the effort and disruption.

Product Delivery

• Agile/DevOps Research Center
• Develop Your Agile Approach for a Successful Transformation
  • Understand Agile fundamentals, principles, and practices so you can apply them effectively in your organization.
• Implement DevOps Practices That Work
  • Streamline business value delivery through the strategic adoption of DevOps practices.

Product Management

• Product Lifecycle Management Research Center
• Make the Case for Product Delivery
  • Align your organization on the practices to deliver what matters most.
• Deliver on Your Digital Product Vision
  • Build a product vision your organization can take from strategy through execution.
• Deliver Digital Products at Scale
  • Deliver value at the scale of your organization through defining enterprise product families.
• Introduce Program Management to Your Organization
  • Use programs to align projects to your strategic goals.
• Optimize IT Project Intake, Approval, and Prioritization
  • Decide which IT projects to approve and when to start them.
• Managing Requirements in an Agile Environment
  • Agile and requirements management are complementary, not competitors.
• Build a Software Quality Assurance Program
  • Build quality into every step of your SDLC.
• Automate Testing to Get More Done
  • Drive software delivery throughput and quality confidence by extending your automation test coverage.
• Application Portfolio Management Foundations
  • Ensure your application portfolio delivers the best possible return on investment.

"But big-bang transitions are hard. They require total leadership commitment, a receptive culture, enough talented and experienced agile practitioners to staff hundreds of teams without depleting other capabilities, and highly prescriptive instruction manuals to align everyone's approach."
- "Agile at Scale," Harvard Business Review

Step 1.2

Determine if you are ready for SAFe (fit for purpose)

Activities
1.2.1 Assess your Agile readiness
1.2.2 Define enablers and blockers for scaling Agile delivery
1.2.3 Estimate your SAFe implementation risk
1.2.4 Start your SAFe implementation plan

This step involves the following participants:

• IT leadership
• Delivery managers
• Project management office
• Product owners and managers
• Development team leads
• Portfolio managers
• Architects

Outcomes of this step:

• Agile Readiness Assessment results
• Enablers and blockers for scaling Agile
• SAFe implementation risk
• SAFe implementation plan

Use CLAIM to guide your Agile journey

Conduct the Agile Readiness Assessment Survey

Without an Agile mindset, SAFe will follow Waterfall or WaterScrumFall practices.

• Start your journey with a clear understanding of the level of Agile and product maturity throughout your organization.
• Each area that lacks strength should be evaluated further and added to your journey map.

Exercise 1.2.1 Assess your Agile readiness

1 hour

• Open and complete the Agile Readiness Assessment in your playbook or the Excel tool provided.
• Discuss each area's high and low scores to reach a consensus.
• Record your results in your SAFe Transformation Playbook.

Enter the results in Scaled Agile Readiness Assessment.

Exercise 1.2.2 Define enablers and blockers for scaling Agile delivery

1 hour

• Identify and mitigate blockers for scaling Agile in your organization.
  • Identify enablers who will support successful SAFe transformation.
  • Identify blockers who will make the transition to SAFe more difficult.
  • For each blocker, define at least one mitigating step.

Enter the results in your SAFe Transformation Playbook

Estimate your SAFe implementation risk

Exercise 1.2.3 Estimate your SAFe implementation risk

30 minutes

• Determine which description best matches your overall organizational state.
• Enter the results in your SAFe Transformation Playbook.
• Change the text to bold in the cell you selected to describe your current state and/or add a border around the cell.

Enter the results in SAFe Transformation Playbook.

Interpret your SAFe implementation risks

Analyze your highlighted selections and patterns in the rows and columns. Use these factors to inform your SAFe implementation steps and timing.

Build your implementation plan

Build a transformation and organizational change management plan to guide your transition. Define clear ownership for every critical step.

Plan your transformation.

• Align stakeholders and thought leaders.
• Select an implementation partner.
• Insert critical steps.

Build your SAFe framework.

• Define your target SAFe framework.
• Customize your SAFe framework.
• Establish SAFe governance and reporting.
• Insert critical steps.

Implement SAFe practices.

• Define product families and value streams.
• Conduct SAFe training for:
  • Executive leadership
  • Agile SAFe coaches
  • Practitioners
• Insert critical steps.

For additional help with OCM, please download Master Organizational Change Management Practices.

Exercise 1.2.4 Start your SAFe implementation plan

30 minutes

• Using the high-level SAFE implementation framework, begin building out the critical steps.
• Record the results in your SAFe Transformation Playbook.
• Your playbook is an evergreen document to help guide your implementation. It should be reviewed often.

Enter the results in your SAFe Transformation Playbook

Select an implementation partner

Finding the right SAFe implementation partner is critical to your transformation success.

• Using your previous assessment, align internal and external resources to support your transformation.
• Select a partner who has experience in similar organizations and is aligned with your delivery goals.
• Plan to transition support to internal teams when SAFe practices have stabilized and moved into continuous improvement.
• Augment your transformation partner with internal coaches.
• Plan for a multiyear engagement before SAFe benefits are realized.

Summary of Accomplishments

Your journey begins.

Implementing SAFe is a long, expensive, and difficult process. For some organizations, SAFe provides the balance of leadership-driven prioritization and control with shorter release cycles and time to value. The key is making sure that SAFe is right for you and you are ready for SAFe. Few organizations fit perfectly into one of the SAFe frameworks. Instead, consider fine-tuning and customizing SAFe to meet your needs and gradual transformation.

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

Contact your account representative for more information.
workshops@infotech.com
1-888-670-8889

Additional Support

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech Workshop.

To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.

Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop.

Below are sample activities that will be conducted by Info-Tech analysts with your team:

Scaled Agile Delivery Readiness Assessment
This assessment will help identify enablers and blockers in your organizational culture using our CLAIM+G organization transformation model.

SAFE Value Canvas
Use a value campus to define jobs, pains, gains, pain relievers, gain creators, and needed deliverables to help inform and guide your SAFe transformation.

Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889

Bibliography

"6 Biggest SAFe Agile Implementation Mistakes to Avoid." Triumph Strategic Consulting, 27 July 2017.

"The 7 Must-Haves for Achieving Scaling Agile Success." The 7 Must-Haves for Achieving Scaling Agile Success.

Ageling, Willem-Jan. "11 Most Common Reasons to Use Scaled Agile Framework (SAFE) and How to Do This With Unscaled Scrum." Medium, Serious Scrum, 26 Jan. 2020.

Agile India, International Conference on Agile and Lean Software Development, 2014.

"Air France - KLM - Agile Adoption with SAFe." Scaled Agile, 28 Nov. 2022.

"Application Development Trends 2019 - Global Survey Report." OutSystems.

"Benefits of SAFe: How It Benefits Organizations." Scaled Agile, 13 Mar. 2023.

Berkowitz, Emma. "The Cost of a SAFe(r) Implementation: CPRIME Blog." Cprime, 30 Jan. 2023.

"Chevron - Adopting SAFe with Remote Workforce." Scaled Agile, 28 Nov. 2022.

"Cisco It - Adopting Agile Development with SAFe." Scaled Agile, 13 Sept. 2022.

"CMS - Business Agility Transformation Using SAFe." Scaled Agile, 13 Sept. 2022.

Crain, Anthony. "4 Biggest Challenges in Moving to Scaled Agile Framework (SAFe)." TechBeacon, 25 Jan. 2019.

"The Essential Role of Communications ." Project Management Institute .

Gardiner, Phil. "SAFe Implementation: 4 Tips for Getting Started." Applied Frameworks, 20 Jan. 2022.

"How Do I Start Implementing SAFe?" Agility in Mind, 29 July 2022.

"How to Masterfully Screw Up Your SAFe Implementation." Wibas Artikel-Bibliothek, 6 Sept. 2022.

"Implementation Roadmap." Scaled Agile Framework, 14 Mar. 2023.

Islam, Ayvi. "SAFe Implementation 101 - The Complete Guide for Your Company." //Seibert/Media, 22 Dec. 2020.

"Johnson Controls - SAFe Implementation Case Study." Scaled Agile, 28 Nov. 2022.

"The New Rules and Opportunities of Business Transformation." KPMG.

"Nokia Software - SAFe Agile Transformation." Scaled Agile, 28 Nov. 2022.

Pichler, Roman. "What Is Product Management?" Romanpichler, 2014.

"Product Documentation." ServiceNow.

"Pros and Cons of Scaled Agile Framework." PremierAgile.

"Pulse of the Profession Beyond Agility." Project Management Institute.

R, Ramki. "Pros and Cons of Scaled Agile Framework (SAFe)." Medium, 3 Mar. 2019.

R, Ramki. "When Should You Consider Implementing SAFe (Scaled Agile Framework)?" Medium, Medium, 3 Mar. 2019.

Rigby, Darrell, Jeff Sutherland, and Andy Noble. "Agile at Scale: How to go from a few teams to hundreds." Harvard Business Review, 2018.

"SAFe Implementation Roadmap." Scaled Agile Framework, Scaled Agile, Inc., 14 Mar. 2023.

"SAFe Partner Cprime: SAFe Implementation Roadmap: Scaled Agile." Cprime, 5 Apr. 2023.

"SAFe: The Good, the Bad, and the Ugly." Project Management Institute.

"Scaled Agile Framework." Wikipedia, Wikimedia Foundation, 29 Mar. 2023.

"Scaling Agile Challenges and How to Overcome Them." PremierAgile.

"SproutLoud - a Case Study of SAFe Agile Planning." Scaled Agile, 29 Nov. 2022.

"Story." Scaled Agile Framework, 13 Apr. 2023.

Sutherland , Jeff. "Scrum: How to Do Twice as Much in Half the Time." Tedxaix, YouTube, 7 July 2014.

Venema, Marjan. "6 Scaled Agile Frameworks - Which One Is Right for You?" NimbleWork, 23 Dec. 2022.

Warner, Rick. "Scaled Agile: What It Is and Why You Need It." High-Performance Low-Code for App Development, OutSystems, 25 Oct. 2019.

Watts, Stephen, and Kirstie Magowan. "The Scaled Agile Framework (SAFE): What to Know and How to Start." BMC Blogs, 9 Sept. 2020.

"What Is SAFe? The Scaled Agile Framework Explained." CIO, 9 Feb. 2021.

"Why Agile Transformations Fail: Four Common Culprits." Planview.

"Why You Should Use SAFe (and How to Find SAFe Training to Help)." Easy Agile.

Y., H. "Story Points vs. 'Ideal Days.'" Cargo Cultism, 19 Aug. 2010.

Bibliography

Enable Organization-Wide Collaboration by Scaling Agile

Ambler, Scott W. "Agile Architecture: Strategies for Scaling Agile Development." Agile Modeling, 2012.

- - -. "Comparing Approaches to Budgeting and Estimating Software Development Projects." AmbySoft.

- - -. "Agile and Large Teams." Dr. Dobb's, 17 Jun 2008.

Ambler, Scott W. and Mark Lines. Disciplined Agile Delivery: A Practitioner's Guide to Agile Software Delivery in the Enterprise. IBM Press, 2012.

Ambler, Scott W., and Mark Lines. "Scaling Agile Software Development: Disciplined Agility at Scale." Disciplined Agile Consortium White Paper Series, 2014.

AmbySoft. "2014 Agile Adoption Survey Results." Scott W. Ambler + Associates, 2014.

Bersin, Josh. "Time to Scrap Performance Appraisals?" Forbes Magazine, 5 June 2013. Accessed 30 Oct. 2013..

Cheese, Peter, et al. " Creating an Agile Organization." Accenture, Oct. 2009. Accessed Nov. 2013..

Croxon, Bruce, et al. "Dinner Series: Performance Management with Bruce Croxon from CBC's 'Dragon's Den.'" HRPA Toronto Chapter. Sheraton Hotel, Toronto, ON, 12 Nov. 2013. Panel discussion.

Culbert, Samuel. "10 Reasons to Get Rid of Performance Reviews." Huffington Post Business, 18 Dec. 2012. Accessed 28 Oct. 2013.

Denning, Steve. "The Case Against Agile: Ten Perennial Management Objections." Forbes Magazine, 17 Apr. 2012. Accessed Nov. 2013.

Estis, Ryan. "Blowing up the Performance Review: Interview with Adobe's Donna Morris." Ryan Estis & Associates, 17 June 2013. Accessed Oct. 2013.

Heikkila et al. "A Revelatory Case Study on Scaling Agile Release Planning." EUROMICRO Conference on Software Engineering and Advanced Applications (SEAA), 2010.

Holler, Robert, and Ian Culling. "From Agile Pilot Project to Enterprise-Wide Deployment: Five Sure-Fire Ways To Fail When You Scale." VersionOne, 2010.

Kniberg, Henrik, and Anders Ivarsson, "Scaling Agile @ Spotify," Unified Communications and Collaborations, 2012.

Narayan, Sriram. "Agile IT Organization Design: For Digital Transformation and Continuous Delivery." Addison-Wesley Professional, 2015.

Shrivastava, NK, and Phillip George. "Scaling Agile." RefineM, 2015.

Sirkia, Rami, and Maarit Laanti. "Lean and Agile Financial Planning." Scaled Agile Framework Blog, 2014.

Scaled Agile Framework (SAFe). "Agile Architecture." Scaled Agile Inc., 2015.

VersionOne. 9th Annual: State of Agile Survey. VersionOne, LLC, 2015.

Appendix A: Supporting Info-Tech Research

Transformation topics and supporting research to make your journey easier, with less rework

Supporting research and services

Improving IT Alignment

Build a Business-Aligned IT Strategy
Success depends on IT initiatives clearly aligned to business goals, IT excellence, and driving technology innovation.

Make Your IT Governance Adaptable
Governance isn't optional, so keep it simple and make it flexible.

Create an IT View of the Service Catalog
Unlock the full value of your service catalog with technical components.

Application Portfolio Management Foundations
Ensure your application portfolio delivers the best possible return on investment.

Shifting Toward Agile DevOps

Agile/DevOps Research Center
Access the tools and advice you need to be successful with Agile.

Develop Your Agile Approach for a Successful Transformation
Understand Agile fundamentals, principles, and practices so you can apply them effectively in your organization.

Implement DevOps Practices That Work
Streamline business value delivery through the strategic adoption of DevOps practices.

Perform an Agile Skills Assessment
Being Agile isn't about processes, it's about people.

Define the Role of Project Management in Agile and Product-Centric Delivery
Projects and products are not mutually exclusive.

Shifting Toward Product Management

Make the Case for Product Delivery
Align your organization on the practices to deliver what matters most.

Deliver on Your Digital Product Vision
Build a product vision your organization can take from strategy through execution.

Deliver Digital Products at Scale
Deliver value at the scale of your organization through defining enterprise product families.

Mature and Scale Product Ownership
Strengthen the product owner role in your organization by focusing on core capabilities and proper alignment.

Build a Value Measurement Framework
Focus product delivery on business value- driven outcomes.

Improving Value and Delivery Metrics

Build a Value Measurement Framework
Focus product delivery on business value-driven outcomes.

Create a Holistic IT Dashboard
Mature your IT department by measuring what matters.

Select and Use SDLC Metrics Effectively
Be careful what you ask for, because you will probably get it.

Reduce Time to Consensus With an Accelerated Business Case
Expand on the financial model to give your initiative momentum.

Improving Governance, Prioritization, and Value

Make Your IT Governance Adaptable
Governance isn't optional, so keep it simple and make it flexible.

Maximize Business Value From IT Through Benefits Realization
Embed benefits realization into your governance process to prioritize IT spending and confirm the value of IT.

Drive Digital Transformation With Platform Strategies
Innovate and transform your business models with digital platforms.

Succeed With Digital Strategy Execution
Building a digital strategy is only half the battle: create a systematic roadmap of technology initiatives to execute the strategy and drive digital transformation.

Build a Value Measurement Framework
Focus product delivery on business value-driven outcomes.

Create a Holistic IT Dashboard
Mature your IT department by measuring what matters.

Improving Requirements Management and Quality Assurance

Requirements Gathering for Small Enterprises
Right-size the guidelines of your requirements gathering process.

Improve Requirements Gathering
Back to basics: great products are built on great requirements.

Build a Software Quality Assurance Program
Build quality into every step of your SDLC.

Automate Testing to Get More Done
Drive software delivery throughput and quality confidence by extending your automation test coverage.

Manage Your Technical Debt
Make the case to manage technical debt in terms of business impact.

Create a Business Process Management Strategy
Avoid project failure by keeping the "B" in BPM.

Build a Winning Business Process Automation Playbook
Optimize and automate your business processes with a user-centric approach.

Improving Release Management

Optimize Applications Release Management
Build trust by right-sizing your process using appropriate governance.

Streamline Application Maintenance
Effective maintenance ensures the long-term value of your applications.

Streamline Application Management
Move beyond maintenance to ensure exceptional value from your apps.

Optimize IT Change Management
Right-size IT change management to protect the live environment.

Manage Your Technical Debt
Make the case to manage technical debt in terms of business impact.

Improve Application Development Throughput
Drive down your delivery time by eliminating development inefficiencies and bottlenecks while maintaining high quality.

Improving Business Relationship Management

Embed Business Relationship Management in IT
Show that IT is worthy of Trusted Partner status.

Mature and Scale Product Ownership
Strengthen the product owner role in your organization by focusing on core capabilities and proper alignment.

Improving Security

Build an Information Security Strategy
Create value by aligning your strategy to business goals and business risks.

Develop and Deploy Security Policies
Enhance your overall security posture with a defensible and prescriptive policy suite.

Simplify Identity and Access Management
Leverage risk- and role-based access control to quantify and simplify the identity and access management (IAM) process.

Improving and Supporting Business-Managed Applications

Embrace Business-Managed Applications
Empower the business to implement their own applications with a trusted business-IT relationship.

Enhance Your Solution Architecture Practices
Ensure your software systems solution is architected to reflect stakeholders' short- and long-term needs.

Satisfy Digital End Users With Low- and No-Code
Extend IT, automation, and digital capabilities to the business with the right tools, good governance, and trusted organizational relationships.

Build Your First RPA Bot
Support RPA delivery with strong collaboration and management foundations.

Automate Work Faster and More Easily With Robotic Process Automation
Embrace the symbiotic relationship between the human and digital workforce.

Improving Business Intelligence, Analytics, and Reporting

Modernize Data Architecture for Measurable Business Results
Enable the business to achieve operational excellence, client intimacy, and product leadership with an innovative, agile, and fit-for-purpose data architecture practice.

Build a Reporting and Analytics Strategy
Deliver actionable business insights by creating a business-aligned reporting and analytics strategy.

Build Your Data Quality Program
Quality data drives quality business decisions.

Design Data-as-a-Service
Journey to the data marketplace ecosystems.

Build a Robust and Comprehensive Data Strategy
Learn about the key to building and fostering a data-driven culture.

Build an Application Integration Strategy
Level the table before assembling the application integration puzzle or risk losing pieces.

Appendix B: SDLC Transformation Steps

Waterfall SDLC

Valuable product delivered at the end of an extended project lifecycle, frequently in years

• Business is separated from the delivery of technology it needs. Only one-third of the product is actually valuable (ITRG, N=40,000).
• In Waterfall, a team of experts in specific disciplines hand off different aspects of the lifecycle.
• Document sign-offs are required to ensure integration between silos (Business, Development, and Operations) and individuals.
• A separate change-request process lays over the entire lifecycle to prevent changes from disrupting delivery.
• Tools are deployed to support a specific role (e.g. BA) and seldom integrated (usually requirements <-> test).

Wagile/Agifall/WaterScrumFall SDLC

Valuable product delivered in multiple releases

• Business is more closely integrated by a business product owner, who is accountable for day-to-day delivery of value for users.
• The team collaborates and develops cross-functional skills as they define, design, build, and test code over time.
• Sign-offs are reduced but documentation is still focused on satisfying project delivery and operations policy requirements.
• Change is built into the process to allow the team to respond to change dynamically.
• Tools start to be integrated to streamline delivery (usually requirements and Agile work management tools).

Agile SDLC

Valuable product delivered iteratively: frequency depends Ops' capacity

• Business users are closely integrated through regularly scheduled demos (e.g. every two weeks).
• Team is fully cross-functional and collaborates to plan, define, design, build, and test the code, supported by specialists.
• Documentation is focused on future development and operations needs.
• Change is built into the process to allow the team to respond to change dynamically.
• Automation is explored for application development (e.g. automated regression testing).

Agile With DevOps SDLC

High frequency iterative delivery of valuable product (e.g. every two weeks)

• Business users are closely integrated through regularly scheduled demos.
• Development and operations teams collaborate to plan, define, design, build, test, and deploy code, supported by automation.
• Documentation is focused on supporting users, future changes, and operational support.
• Change is built into the process to allow the team to respond to change dynamically.
• Test, build, deploy process is fully automated. (Service desk is still separated.)

DevOps SDLC

Continuous integration and delivery

• Business users are closely integrated through regularly scheduled demos.
• Fully integrated DevOps team collaborates to plan, define, design, build, test, deploy, and maintain code.
• Documentation is focused on future development and use adoption.
• Change is built into the process to allow the team to respond to change dynamically.
• Development and operations toolchain are fully integrated.

Fully integrated product SDLC

Agile + DevOps + continuous delivery of valuable product on demand

• Business users are fully integrated with the teams through dedicated business product owner.
• Cross-functional teams collaborate across the business and technical life of the product.
• Documentation supports internal and external needs (business, users, operations).
• Change is built into the process to allow the team to respond to change dynamically.
• Toolchain is fully integrated (including service desk).

Appendix C: Understanding Agile Scrum Practices and Ceremonies

Cultural advantages of Agile

Agile* SDLC

With shared ownership instead of silos, we are able to deliver value at the end of every iteration (aka sprint)

Key Elements of the Agile SDLC

• You are not "one and done." There are many short iterations with constant feedback.
• There is an empowered product owner. This is a single authoritative voice who represents stakeholders.
• There is a fluid product backlog. This enables prioritization of requirements "just-in-time."
• There is a cross-functional, self-managing team. This team makes commitments and is empowered by the organization to do so.
• There is working, tested code at the end of each sprint: Value becomes more deterministic along sprint boundaries.
• Stakeholders are allowed to see and use the functionality and provide necessary feedback.
• Feedback is being continuously injected back into the product backlog. This shapes the future of the solution.
• There is continuous improvement through sprint retrospectives.
• The virtuous cycle of sprint-demo-feedback is internally governed when done right.

* There are many Agile methodologies to choose from, but Scrum is by far the most widely used (and is shown above).

Understand the Scrum process

The scrum process coordinates multiple stakeholders to deliver on business priorities.

Understand the ceremonies part of the scrum process

Scrum vs. Kanban: Key differences

Scrum vs. Kanban: When to use each

Scrum

Related or grouped changes are delivered in fixed time intervals.

Use when:

• Coordinating the development or release of related items
• Maturing a product or service
• Coordinating interdependencies between work items

Kanban

Independent items are delivered as soon as each is ready.

Use when:

• Completing work items from ticketing or individual requests
• Completing independent changes
• Releasing changes as soon as possible

Appendix D: Improving Product Management

Product delivery realizes value for your product family

While planning and analysis are done at the family level, work and delivery are done at the individual product level.

Manage and communicate key milestones

Successful product-delivery managers understand and define key milestones in their product-delivery lifecycles. These milestones need to be managed along with the product backlog and roadmap.

Info-Tech Best Practice
Product management is not just about managing the product backlog and development cycles. Teams need to manage key milestones, such as learning milestones, test releases, product releases, phase gates, and other organizational checkpoints.

A backlog stores and organizes product backlog items (PBIs) at various stages of readiness

A well-formed backlog can be thought of as a DEEP backlog:

Detailed Appropriately: PBIs are broken down and refined as necessary.

Emergent: The backlog grows and evolves over time as PBIs are added and removed.

Estimated: The effort that a PBI requires is estimated at each tier.

Prioritized: A PBI's value and priority are determined at each tier.

Source: Perforce, 2018

Backlog tiers facilitate product planning steps

Ranging from the intake of an idea to a PBI ready for development; to enter the backlog, each PBI must pass through a given quality filter.

Each activity is a variation of measuring value and estimating effort in order to validate and prioritize a PBI.

A PBI successfully completes an activity and moves to the next backlog tier when it meets the appropriate criteria. Quality filters should exist between each tier.

Use quality filters to ensure focus on the most important PBIs

Expand the concepts of defining "ready" and "done" to include the other stages of a PBI's journey through product planning.

Info-Tech Best Practice
A quality filter ensures that quality is met and the appropriate teams are armed with the correct information to work more efficiently and improve throughput.

Define product value by aligning backlog delivery with roadmap goals

In each product plan, the backlogs show what you will deliver. Roadmaps identify when and in what order you will deliver value, capabilities, and goals.

Product roadmaps guide delivery and communicate your strategy

In "Deliver on Your Digital Product Vision," we demonstrate how a product roadmap is core to value realization. The product roadmap is your communicated path. As a product owner, you use it to align teams and changes to your defined goals, as well as your product to enterprise goals and strategy.

Info-Tech Insight
The quality of your product backlog - and your ability to realize business value from your delivery pipeline - is directly related to the input, content, and prioritization of items in your product roadmap.

Info-Tech's approach

Operationally align product delivery to enterprise goals

The Info-Tech Difference

Create a common definition of what a product is and identify the products in your inventory.

Use scaling patterns to build operationally aligned product families.

Develop a roadmap strategy to align families and products to enterprise goals and priorities.

Use products and families to assess value realization.

Establish Realistic IT Resource Management Practices

Holistically balance IT supply and demand to avoid overallocation.

Analyst perspective

Restore the right accountabilities for reconciling supply and demand.

"Who gets in trouble at the organization when too many projects are approved?

We’ve just exited a period of about 20-25 years where the answer to the above question was usually “nobody.” The officers of the corporation held nobody to account for the malinvestment of resources that comes from approving too many projects or having systemically unrealistic project due dates. Boards of directors failed to hold the officers accountable for that. And shareholders failed to hold boards of directors accountable for that.

But this is shifting right under our feet. Increasingly, PMOs are being managed with the mentality previously reserved for those in the finance department. In many cases, the PMOs are now reporting to the CFO! This represents a very simple and basic reversion to the concept of fiduciary duty: somebody will be held to account for the consumption of all those hours, and somebody should be the approver of projects who created the excess demand." – Barry Cousins Senior Director of Research, PMO Practice Info-Tech Research Group

Our understanding of the problem

This Research Is Designed For:

• IT leaders who lack actionable evidence of a resource-supply, work-demand imbalance.
• CIOs whose departments struggle to meet service and project delivery expectations with given resources.
• Portfolio managers, PMO directors, and project managers whose portfolio and project plans suffer due to unstable resource availability.

This Research Will Help You:

• Build trustworthy resource capacity data to support service and project portfolio management.
• Develop sustainable resource management practices to help you estimate, and continually validate, your true resource capacity for services and projects.
• Identify the demands that deplete your resource capacity without creating value for IT.

This Research Will Also Assist:

• Steering committee and C-suite management who want to improve IT’s delivery of projects.
• Project sponsors that want to ensure their projects get the promised resource time by their project managers.

This Research Will Help Them:

• Ensure sufficient supply of time for projects to be successfully completed with high quality.
• Communicate the new resource management practice and get stakeholder buy-in.

Executive summary

Situation

• As CIO, you oversee a department that lacks the resource capacity to adequately meet organizational demand for new projects and services. As a result, project quality and timelines suffer, and service delivery lags.
• You need a resource management strategy to help bring balance to supply and demand in order to improve IT’s ability to deliver.

Complication

• The shift to matrix work structures has strained traditional methods of time tracking. Day-to-day demand is chaotic; staff are pulled in multiple directions by numerous people, making usable capacity data elusive.
• The executive team approves too many projects, but is not held to account for the overspend on time. Instead, the IT worker is made liable, expected to simply get things done under excessive demands.

Resolution

• Instill a culture of capacity awareness. For years, the project portfolio management (PPM) industry has helped IT departments report on demand and usage, but it has largely failed to make capacity part of the conversation. This research helps inject capacity awareness into project and service portfolio planning, enabling IT to get proactive about constraints before overallocation spirals, and project and service delivery suffers.
• Build a sustainable process. Efforts to get better at resource management often falter when you try to get too granular too quickly. Info-Tech’s approach starts at a high level, ensuring that capacity data is accurate and usable, and that IT’s process discipline is mature enough to maintain the data, before drilling down into greater levels of precision.
• Establish a capacity hub. You will ultimately need a tool to help provide ongoing resource visibility. Follow the advice in this blueprint to help with your tool selection and ensure the reporting needs of both your team and executives are met.

Info-Tech Insight

1. Take a realistic approach to resource management. New organizational realities have made traditional, rigorous resource projections impossible to maintain. Accept reality and get realistic about where IT’s time goes.
2. Make IT’s capacity perpetually transparent. The best way to ensure projects are approved and scheduled based upon the availability of the right teams and skills is to shine a light into IT’s capacity and hold decision makers to account with usable capacity reports.

The availability of staff time is rarely factored into IT project and service delivery commitments

As a result, a lot gets promised and worked on, and staff are always busy, but very little actually gets done – at least not within given timelines or to expected levels of quality.

Organizations tend to bite off more than they can chew when it comes to project and service delivery commitments involving IT resources.

While the need for businesses to make an excess of IT commitments is understandable, the impacts of systemically overallocating IT are clearly negative:

• Stakeholder relations suffer. Promises are made to the business that can’t be met by IT.
• IT delivery suffers. Project timelines and quality frequently suffer, and service support regularly lags.
• Employee engagement suffers. Anxiety and stress levels are consistently high among IT staff, while morale and engagement levels are low.

76% of organizations say they have too many projects on the go and an unmanageable and ever-growing backlog of things to get to. (Cooper, 2014)

Almost 70% of workers feel as though they have too much work on their plates and not enough time to do it. (Reynolds, 2016)

Resource management can help to improve workloads and project results, but traditional approaches commonly fall short

Traditional approaches to resource management suffer from a fundamental misconception about the availability of time in 2017.

The concept of resource management comes from a pre-World Wide Web era, when resource and project plans could be based on a relatively stable set of assumptions.

In the old paradigm, the availability of time was fairly predictable, as was the demand for IT services, so there was value to investing time into rigorous demand forecasts and planning.

Resource projections could be based in a secure set of assumptions – i.e. 8 hour days, 40 hour weeks – and staff had the time to support detailed resource management processes that provided accurate usage data.

Old Realities

• Predictability. Change tended to be slow and deliberate, providing more stability for advanced, rigorous demand forecasts and planning.
• Fixed hierarchy. Tasks, priorities, and decisions were communicated through a fixed chain of command.
• Single-task focus. The old reality was more accommodating to sustained focus on one task at a time.

96% of organizations report problems with the accuracy of information on employee timesheets. (Dimensional, 2013)

Old reality resource forecasting inevitably falters under the weight of unpredictable demands and constant distractions

New realities are causing demands on workers’ time to be unpredictable and unrelenting, making a sustained focus on a specific task for any length of time elusive.

Part of the old resource management mythology is the idea that a person can do (for example) eight different one-hour tasks in eight hours of continuous work. This idea has gone from harmlessly mistaken to grossly unrealistic.

The predictability and focus have given way to more chaotic workplace realities. Technology is ubiquitous, and the demand for IT services is constant.

A day in IT is characterized by frequent task-switching, regular interruptions, and an influx of technology-enabled distractions.

Every 3 minutes and 5 seconds: How often the typical office worker switches tasks, either through self-directed or other-directed interruptions. (Schulte, 2015)

12 minutes, 40 seconds: The average amount of time in-between face-to-face interruptions in matrix organizations. (Anderson, 2015)

23 minutes, 15 seconds: The average amount of time it takes to become on task, productive, and focused again after an interruption. (Schulte, 2015)

759 hours: The average number of hours lost per employee annually due to distractions and interruptions. (Huth, 2015)

The validity of traditional, rigorous resource planning has long been an illusion. New realities are making the sustained focus and stable assumptions that old reality projections relied on all but impossible to maintain.

For resource management practices to be effective, they need to evolve to meet new realities

New organizational realities have exacerbated traditional approaches to time tracking, making accurate and usable resource data elusive.

The technology revolution that began in the 1990s ushered in a new paradigm in organizational structures. Matrix reporting structures, diminished supervision of knowledge workers, massive multi-tasking, and a continuous stream of information and communications from the outside world have smashed the predictability and stability of the old paradigm.

The resource management industry has largely failed to evolve. It remains stubbornly rooted in old realities, relying on calculations and rollups that become increasingly unsustainable and irrelevant in our high-autonomy staff cultures and interruption-driven work days.

New Realities

• Unpredictable. Technologies and organizational strategies change before traditional IT demand forecasts and project plans can be realized.
• Matrix management. Staff can be accountable to multiple project managers and functional managers at any given time.
• Multi-task focus. In the new reality, workers’ attentions are scattered across multiple tasks and projects at any given time.

87% of organizations report challenges with traditional methods of time tracking and reporting. (Dimensional, 2013)

40% of working time is not tracked or tracked inaccurately by staff. (actiTIME, 2016)

Poor resource management practices cost organizations dearly

While time is money, the statistics around resource visibility and utilization suggest that the vast majority of organizations don’t spend their available time all that wisely.

Research shows that ineffective resource management directly impacts an organization’s bottom line, contributing to such cost drains as the systemic late delivery of projects and increased project costs.

Despite this, the majority of organizations fail to treat staff time like the precious commodity it is.

As the results of a 2016 survey show, the top three pain points for IT and PMO leaders all revolve around a wider cultural negligence concerning staff time (Alexander, TechRepublic, 2016):

• Overcommitted resources
• Constant change that affects staff assignments
• An inability to prioritize shared resources

Top risks associated with poor resource management

Inability to complete projects on time – 52%

Inability to innovate fast enough – 39%

Increased project costs – 38%

Missed business opportunities – 34%

Dissatisfied customers or clients – 32%

12 times more waste – Organizations with poor resource management practices waste nearly 12 times more resource hours than high-performing organizations. (PMI, 2014)

The concept of fiduciary duty represents the best way to bring balance to supply and demand, and improve project outcomes

Unless someone is accountable for controlling the consumption of staff hours, too much work will get approved and committed to without evidence of sufficient resourcing.

Who is accountable for controlling the consumption of staff hours?

In many ways, no question is more important to the organization’s bottom line – and certainly, to the effectiveness of a resource management strategy.

Historically, the answer would have been the executive layer of the organization. However, in the 1990s management largely abdicated its obligation to control resources and expenditures via “employee empowerment.”

Controls on approvals became less rigid, and accountability for choosing what to do (and not do) shifted onto the shoulders of the individual worker. This creates a current paradigm where no one is accountable for the malinvestment…

…of resources that comes from approving too many projects. Instead, it’s up to individual workers to sink-or-swim, as they attempt to reconcile, day after day, seemingly infinite organizational demand with their finite supply of working hours.

If your organization has higher demand (i.e. approved project work) than supply (i.e. people’s time), your staff will be the final decision makers on what does and does NOT get worked on.

Effective time leadership distinguishes top performing senior executives

"Everything requires time… It is the one truly universal condition. All work takes place in time and uses up time. Yet most people take for granted this unique, irreplaceable and necessary resource. Nothing else, perhaps, distinguishes effective executives as much as their tender loving care of time." – Peter Drucker (quoted in Frank)

67% of employees surveyed believe their CEOs focus too much on decisions based in short-term financial results and not enough time on decisions that create a stable, positive workplace for staff. (2016 Edelman Trust Barometer)

Bring balance to supply and demand with realistic resource management practices

Use Info-Tech’s approach to resource management to capture an accurate view of where your time goes and achieve sustained visibility into your capacity for new projects.

Realistic project resource management starts by aligning demand with capacity, and then developing tactics to sustain alignment, even in the chaos of our fast-paced, rapidly changing, interruption-driven project environments.

This blueprint will help you develop practices to promote and maintain accurate resourcing data, while developing tactics to continually inform decision makers’ assumptions about how much capacity is realistically available for project work.

This research follows a three-phase approach to sustainable practices:

1. Take Stock of Organizational Supply and Demand
2. Design a Realistic Resource Management Process
3. Implement Sustainable Resource Management Practices

Info-Tech’s three-phase framework is structured around a practical, tactical approach to resource management. It’s not about what you put together as a one-time snapshot. It’s about what you can and will maintain every week, even during a crisis. When you stop maintaining resource management data, it’s nearly impossible to catch up and you’re usually forced to start fresh.

Info-Tech’s approach is rooted in our seven dimensions of resource management

Action the decision points across Info-Tech’s seven dimensions to ensure your resource management process is guided by realistic data and process goals.

Default project vs. non-project ratio

How much time is available for projects once non-project demands are factored in?

Reporting frequency

How often is the allocation data verified, reconciled, and reported for use?

Forecast horizon

How far into the future can you realistically predict resource supply?

Scope of allocation

To whom is time allocated?

Allocation cadence

How long is each allocation period?

Granularity of time allocation

What’s the smallest unit of time to allocate?

Granularity of work assignment

What is time allocated to?

This blueprint will help you make the right decisions for your organization across each of these dimensions to ensure your resource management practices match your current process maturity levels.

Once your framework is defined, we’ll equip you with a tactical plan to help keep supply and demand continually balanced

This blueprint will help you customize a playbook to ensure your allocations are perpetually balanced week after week, month after month.

Developing a process is one thing, sustaining it is another.

The goal of this research isn’t just to achieve a one-time balancing of workloads and expect that this will stand the test of time.

The true test of a resource management process is how well it facilitates the flow of accurate and usable data as workloads become chaotic, and fires and crises erupt.

• Info-Tech’s approach will help you develop a playbook and a “rebalancing routine” that will help ensure your allocations remain perpetually current and balanced.
• The sample routine to the right shows you an example of what this rebalancing process will look like (customizing this process is covered in Phase 3 of the blueprint).

Sample “rebalancing” routine

• Maintain a comprehensive list of the sources of demand (i.e. document the matrix).
• Catalog the demand.
• Allocate the supply.
• Forecast the capacity to your forecast horizon.
• Identify and prepare work packages or tasks for unsatisfied demand to ensure that supply can be utilized if it becomes free.
• Reconcile any imbalance by repeating steps 1-5 on update frequency, say, weekly or monthly.

Info-Tech’s method is complemented by a suite of resource management tools and templates

Each phase of this blueprint is accompanied by supporting deliverables to help plan your resource management strategy and sustain your process implementation.

Resource management depends on the flow of information and data from the project level up to functional managers, project managers, and beyond – CIOs, steering committees, and senior executives.

Tools are required to help plan, organize, and facilitate this flow, and each phase of this blueprint is centered around tools and templates to help you successfully support your process implementation.

Take Stock of Organizational Supply and Demand

Tools and Templates:

• Resource Management Supply-Demand Calculator (.xlsx)
• Time Audit Workbook (.xlsx)
• Time-Tracking Survey Email Template (.docx)

Design a Realistic Resource Management Process

Tools and Templates:

• Resource Management Playbook (.docx)
• PPM Solution Vendor Demo Script (.docx)
• Portfolio Manager Lite (.xlsx)

Implement Sustainable Resource Management Practices

Tools and Templates:

• Process Pilot Plan Template (.docx)
• Portfolio Analyst Job Description (.docx)
• Resource Management Communications Template (.pptx)

Use Info-Tech’s Portfolio Manager Lite to support your new process without a heavy upfront investment in tools

Spreadsheets can provide a viable alternative for organizations not ready to invest in an expensive tool, or for those not getting what they need from their commercial selections.

While homegrown solutions like spreadsheets and intranet sites lack the robust functionality of commercial offerings, they have dramatically lower complexity and cost-in-use.

Info-Tech’s Portfolio Manager Lite is a sophisticated, scalable, and highly customizable spreadsheet-based solution that will get your new resource management process up and running, without a heavy upfront cost.

Kinds of PPM solutions used by Info-Tech clients

Homemade – 46%

Commercial – 33%

No Solution – 21%

(Info-Tech Research Group (2016), N=433)

Samples of Portfolio Manager Lite's output and reporting tabs

Info-Tech’s approach to resource management is part of our larger project portfolio management framework

This blueprint will help you master the art of resource management and set you up for greater success in other project portfolio management capabilities.

Resource management is one capability within Info-Tech’s larger project portfolio management (PPM) framework.

Resource visibility and capacity awareness permeates the whole of PPM, helping to ensure the right intake decisions get made, and projects are scheduled according to resource and skill availability.

Whether you have an existing PPM strategy that you are looking to optimize or you are just starting on your PPM journey, this blueprint will help you situate your resource management processes within a larger project and portfolio framework.

Info-Tech’ s PPM framework is based on extensive research and practical application, and complements industry standards such as those offered by PMI and ISACA.

Realize the value that improved resource management practices could bring to your organization

Spend your company’s HR dollars more efficiently.

Improved resource management and capacity awareness will allow your organization to improve resource utilization and increase project throughput.

CIOs, PMOs, and portfolio managers can use this blueprint to improve the alignment between supply and demand. You should be able to gauge the value through the following metrics:

Near-Term Success Metrics (6 to 12 months)

• Increased frequency of currency (i.e. more accurate and usable resource data and reports).
• Improved job satisfaction from project resources due to more even workloads.
• Better ability to schedule project start dates and estimate end dates due to recourse visibility.

Long-Term Success Metrics (12 to 24 months)

• More projects completed on time.
• Reclaimed capacity for project work.
• A reduction in resource waste and increased resource utilization on productive project work.
• Ability to track estimated vs. actual budget and work effort on projects.

In the past 12 months, Info-Tech clients have reported an average measured value rating of $550,000 from the purchase of workshops based on this research.

Info-Tech client masters resource management by shifting the focus to capacity forecasting

CASE STUDY

Industry Education

Source Info-Tech Client

Situation

• There are more than 200 people in the IT organization.
• IT is essentially a shared services environment with clients spanning multiple institutions across a wide geography.
• The PMO identified dedicated resources for resource management.

Complication

• The definition of “resource management” was constantly shifting between accounting the past (i.e. time records), the present (i.e. work assignments), and the future (i.e. long term project allocations).
• The task data set (i.e. for current work assignments) was not aligned to the historic time records or future capacity.
• It was difficult to predict or account for the spend, which exceeded 30,000 hours per month.

“We’re told we can’t say NO to projects. But this new tool set and approach allows us to give an informed WHEN.” – Senior PMO Director, Education

Resolution

• The leadership decided to forecast and communicate their resource capacity on a 3-4 month forecast horizon using Info-Tech’s Portfolio Manager 2017.
• Unallocated resource capacity was identified within certain skill sets that had previously been assessed as fully allocated. While some of the more high-visibility staff were indeed overallocated, other more junior personnel had been systemically underutilized on projects.
• The high demand for IT project resourcing was immediately placed in the context of a believable, credible expression of supply.

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Guided Implementation

“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Workshop

“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting

“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostics and consistent frameworks used throughout all four options

Establish Realistic IT Resource Management Practices – project overview

Workshop overview

Contact your account representative or email Workshops@InfoTech.com for more information.

Phase 1

Take Stock of Organizational Resource Supply and Demand

Phase 1 Outline

Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

Guided Implementation 1: Take Stock of Organizational Resource Supply and Demand

Proposed Time to Completion (in weeks): 1-2 weeks

Step 1.1: Analyze the current state

Start with an analyst kick-off call:

• Discuss the goals, aims, benefits, and challenges of resource management
• Identify who is currently accountable for balancing resource supply and demand

Then complete these activities…

• Assess the current distribution of accountabilities in resource management
• Delve into your current problems to uncover root causes
• Make a go/no-go decision on developing a new resource management practice

Step 1.2: Estimate your supply and demand

Review findings with analyst:

• Root causes of resource management
• Your current impression about the resource supply-demand imbalance

Then complete these activities…

• Estimate your resource capacity for each role
• Estimate your project/non-project demand on resources
• Validate the findings with a time-tracking survey

With these tools & templates:

• Resource Management Supply-Demand Calculator
• Time-Tracking Survey Email Template

Phase 1 Results & Insights:

A matrix organization creates many small, untraceable demands that are often overlooked in resource management efforts, which leads to underestimating total demand and overcommitting resources. To capture them and enhance the success of your resource management effort, focus on completeness rather than precision. Precision of data will improve over time as your process maturity grows.

Step 1.1: Set a resource management course of action

PHASE 1

1.1 Set a course of action

1.2 Estimate supply and demand

PHASE 2

2.1 Select resource management dimensions

2.2 Select resource management tools

2.3 Build process steps

PHASE 3

3.1 Pilot your process for viability

3.2 Plan stakeholder engagement

This step will walk you through the following activities:

• Determine your resource management process capability level
• Assess how accountability for resource management is currently distributed

This step involves the following participants:

• CIO / IT Director
• PMO Director/ Portfolio Manager
• Functional / Resource Managers
• Project Managers

Outcomes of this step

• Current distribution of accountability for resource management practice
• Root-cause analysis of resourcing challenges facing the organization
• Commitment to implementing a right-sized resource management practice

“Too many projects, not enough resources” is the reality of most IT environments

A profound imbalance between demand (i.e. approved project work and service delivery commitments) and supply (i.e. people’s time) is the top challenge IT departments face today..

In today’s organizations, the desires of business units for new products and enhancements, and the appetites of senior leadership to approve more and more projects for those products and services, far outstrip IT’s ability to realistically deliver on everything.

The vast majority of IT departments lack the resourcing to meet project demand – especially given the fact that day-to-day operational demands frequently trump project work.

As a result, project throughput suffers – and with it, IT’s reputation within the organization.

Info-Tech Insight

Where does the time go? The portfolio manager (or equivalent) should function as the accounting department for time, showing what’s available in IT’s human resources budget for projects and providing ongoing visibility into how that budget of time is being spent.

Resource management can help to even out staff workloads and improve project and service delivery results

As the results of a recent survey* show, the top three pain points for IT and PMO leaders all revolve around a wider cultural negligence concerning staff time:

• Overcommitted resources
• Constant change that affects staff assignments
• An inability to prioritize shared resources

A resource management strategy can help to alleviate these pain points and reconcile the imbalance between supply and demand by achieving the following outcomes:

• Improving resource visibility
• Reducing overallocation, and accordingly, resource stress
• Reducing project delay
• Improving resource efficiency and productivity

Top risks associated with poor resource management

Inability to complete projects on time – 52%

Inability to innovate fast enough – 39%

Increased project costs – 38%

Missed business opportunities – 34%

Dissatisfied customers or clients – 32%

12 times more waste – Organizations with poor resource management practices waste nearly 12 times more resource hours than high-performing organizations. (PMI, 2014)

Resource management is a core process in Info-Tech’s project portfolio management framework

Project portfolio management (PPM) creates a stable and secure infrastructure around projects.

PPM’s goal is to maximize the throughput of projects that provide strategic and operational value to the organization. To do this, a PPM strategy must help to:

If you don’t yet have a PPM strategy in place, or would like to revisit your existing PPM strategy before implementing resource management practices, see Info-Tech’s blueprint, Develop a Project Portfolio Management Strategy.

Effective resource management is rooted in a relatively simple set of questions

However, while the questions are rather simple, the answers become complicated by challenges unique to matrix organizations and other workplace realities in 2017.

To support the goals of PPM more generally, resource management must (1) supply quality work-hours to approved and ongoing projects, and (2) supply reliable data with which to steer the project portfolio.

To do this, a resource management strategy must address a relatively straightforward set of questions.

Key Questions

• Who assigns the resources?
• Who feeds the data on resources?
• How do we make sure it’s valid?
• How do we handle contingencies when projects are late or when availability changes?

Challenges

• Matrix organizations require project workers to answer to many masters and balance project work with “keep the lights on” activities and other administrative work.
• Interruptions, distractions, and divided attention create consistent challenges for workplace productivity.

"In matrix organizations, complicated processes and tools get implemented to answer the deceptively simple question “what’s Bob going to work on over the next few months?” Inevitably, the data captured becomes the focus of scrutiny as functional and project managers complain about data inaccuracy while simultaneously remaining reluctant to invest the effort necessary to improve quality." – Kiron Bondale

Determine your organization’s resource management capability level with a maturity assessment

1.1.1
10 minutes

Input

• Organizational strategy and culture

Output

• Resource management capability level

Materials

• N/A

Participants

• PMO Director/ Portfolio Manager
• Project Managers
• Resource Managers

Kick-off the discussion on the resource management process by deciding which capability level most accurately describes your organization’s current state.

If resources are poorly managed, they prioritize work based on consequences rather than on meeting demand

As a result, matrix organizations are collectively steered by each resource and its individual motives, not by managers, executives, or organizational strategy.

In a matrix organization, demands on a resource’s time come from many directions, each demand unaware of the others. Resources are expected to prioritize their work, but they typically lack the authority to formally reject demand, so demand frequently outstrips the supply of work-hours the resource can deliver.

When this happens, the resource has three options:

1. Work more hours, typically without compensation.
2. Choose tasks not to do in a way that minimizes personal consequences.
3. Diminish work quality to meet quantity demands.

The result is an unsustainable system for those involved:

1. Resources cannot meet expectations, leading to frustration and disengagement.
2. Managers cannot deliver on the projects or services they manage and struggle to retain skilled resources who are looking elsewhere for “greener pastures.”
3. Executives cannot execute strategic plans as they lose decision-making power over their resources.

Scope your resource management practices within a matrix organization by asking “who?”

Resource management boils down to a seemingly simple question: how do we balance supply and demand? Balancing requires a decision maker to make choices; however, in a matrix organization, identifying this decision maker is not straightforward:

Balance

• Who decides how much capacity should be dedicated to project work versus administrative or operational work?
• Who decides how to respond to unexpected changes in supply or demand?

Supply

• Who decides how much total capacity we have for each necessary skill set?
• Who manages the contingency, or redundancy, of capacity?
• Who validates the capacity supply as a whole?
• Who decides what to report as unexpected changes in supply (and to whom)?

Demand

• Who generates demand on the resource that can be controlled by their manager?
• Who generates demand on the capacity that cannot be controlled by their manager?
• Who validates the demand on capacity as a whole?
• Who decides what to report as unexpected changes in demand (and to whom)?

The individual who has the authority to make choices, and who is ultimately liable for those decisions, is an accountable person. In a matrix organization, accountability is dispersed, sometimes spilling over to those without the necessary authority.

To effectively balance supply and demand, senior management must be held accountable

Differentiate between responsibility and accountability to manage the organization’s project portfolio effectively.

Responsibility

The responsible party is the individual (or group) who actually completes the task.

Responsibility can be shared.

VS.

Accountability

The accountable person is the individual who has the authority to make choices, and is ultimately answerable for the decision.

Accountability cannot be shared.

Resources often do not have the necessary scope of authority to make resource management choices, so they can never be truly accountable for the project portfolio. Instead, resources are accountable for making available trustworthy data, so the right people can make choices driven by organizational strategy.

The next activity will assess how accountability for resource management is currently distributed in your organization.

Assess the current distribution of accountability for resource management practice

1.1.2
15 minutes

Input

• Organizational strategy and culture

Output

• Current distribution of accountabilities for resource management

Materials

• Whiteboard/flip chart
• Markers

Participants

• CIO
• PMO Director/ Portfolio Manager

Below is a list of tasks in resource management that require choices. Discuss who is currently accountable and whether they have the right authority and ability to deliver on that accountability.

Develop coordination between project and functional managers to optimize resource management

Because resources are invariably responsible for both project and non-project work, efforts to procure capacity for projects cannot exist in isolation.

IT departments need many different technical skill sets at their disposal for their day-to-day operations and services, as well as for projects. A limited hiring budget for IT restricts the number of hires with any given skill, forcing IT to share resources between service and project portfolios.

This resource sharing produces a matrix organization divided along the lines of service and projects. Functional and project managers provide respective oversight for services and projects. Resources split their available work-hours toward service and project tasks according to priority – in theory.

However, in practice, two major challenges exist:

1. Poor coordination between functional and project managers causes commitments beyond resource capacity, disputes about resource oversight, and animosity among management, all while resources struggle to balance unclear priorities.
2. Resources have a “third boss,” namely uncontrolled demands from the rest of the business, which lack both visibility and accountability.

Resource management processes must account for the numerous small demands generated in a matrix organization

Avoid going bankrupt $20 at a time: small demands add up to a significant chunk of work-hours.

Because resource managers must cover both projects and services within IT, the typical solution to allocation problems in matrix organizations is to escalate the urgency and severity of demands by involving the executive steering committee. Unfortunately, the steering committee cannot expend time and resources on all demands. Instead, they often set a minimum threshold for cases – 100-1,000 work-hours depending on the organization.

Under this resource management practice, small demands – especially the quick-fixes and little projects from “the third boss” – continue to erode project capacity. Eventually, projects fail to get resources because pesky small demands have no restrictions on the resources they consumed.

Realistic resource management needs to account for demand from all three bosses; however…

Info-Tech Insight

Excess project or service request intake channels lead to the proliferation of “off-the-grid” projects and tasks that lack visibility from the IT leadership. This can indicate that there may be too much red tape: that is, the request process is made too complex or cumbersome. Consider simplifying the request process and bring IT’s visibility into those requests.

Interrogate your resource management problems to uncover root causes

1.1.3
30 minutes to 1 hour

Input

• Organizational strategy and culture

Output

• Root causes of resource management failures

Materials

• Whiteboard/flip chart
• Sticky notes
• Markers

Participants

• CIO
• PMO Director/ Portfolio Manager
• Functional Managers
• Project Managers

1. Pick a starting problem statement in resource management. e.g. projects can’t get resource work-hours.
2. Ask the participants “why”? Use three generic headings – people, processes, and technology – to keep participants focused. Keep the responses solution-agnostic: do not jump to solutions. If you have a large group, divide into smaller groups and use sticky notes to encourage more participation in this brainstorming step.

3. Determine the root cause by iteratively asking “why?” up to five times, or until the chain of whys comes full circle. (i.e. Why A? B. Why B? C. Why C? A.) See below for an example.

1.1.2 Example of a root-cause analysis: people

The following is a non-exhaustive example:

Right-size your resource management strategy with Info-Tech’s realistic resource management practice

If precise, accurate, and complete data on resource supply and demand was consistently available, reporting on project capacity would be easy. Such data would provide managers complete control over a resource’s time, like a foreman at a construction site. However, this theoretical scenario is incompatible with today’s matrixed workplace:

• Sources of demand can lie outside IT’s control.
• Demand is generated chaotically, with little predictability.
• Resources work with minimal supervision.

Collecting and maintaining resource data is therefore nearly impossible:

• Achieving perfect data accuracy creates unnecessary overhead.
• Non-compliance by one project or resource makes your entire data set unusable for resource management.

This blueprint will guide you through right-sizing your resource management efforts to achieve maximum value-to-effort ratio and sustainability.

Choose your resource management course of action

Portfolio managers looking for a resource management solution have three mutually exclusive options:

Option A: Do Nothing

• Rely on expert judgment and intuition to make portfolio choices.
• Allow the third boss to dictate the demands of your resources.

Option B: Get Precise

• Aim for granularity and precision of data with a solution that may demand more capacity than is realistically available by hiring, outsourcing, or over-allocating people’s time.
• Require detailed, accurate time sheets for all project tasks.
• For those choosing this option, proceed to Info-Tech’s Select and Implement a PPM Solution.

Option C: Get Realistic

• Balance capacity supply and demand using abstraction.
• Implement right-sized resource management practices that rely on realistic, high-level capacity estimates.
• Reduce instability in data by focusing on resource capacity, rather than granular project demands and task level details.

This blueprint takes you through the steps necessary to accomplish Option C, using Info-Tech’s tools and templates for managing your resources.

Step 1.2: Create realistic estimates of supply and demand

PHASE 1

1.1 Set a course of action

1.2 Estimate supply and demand

PHASE 2

2.1 Select resource management dimensions

2.2 Select resource management tools

2.3 Build process steps

PHASE 3

3.1 Pilot your process for viability

3.2 Plan stakeholder engagement

This step will walk you through the following activities:

• Create a realistic estimate of project capacity
• Map all sources of demand on resources at a high level
• Validate your supply and demand assumptions by directly surveying your resources

This step involves the following participants:

• PMO Director / Portfolio Manager
• Project Managers (optional)
• Functional / Resource Managers (optional)
• Project Resources (optional)

Outcomes of this step

• A realistic estimate of your total and project capacity, as well as project and non-project demand on their time
• Quantitative insight into the resourcing challenges facing the organization
• Results from a time-tracking survey, which are used to validate the assumptions made for estimating resource supply and demand

Create a realistic estimate of your project capacity with Info-Tech’s Resource Management Supply-Demand Calculator

Take an iterative approach to capacity estimates: use your assumptions to create a meaningful estimate, and then validate with your staff to improve its accuracy.

Use Info-Tech’s Resource Management Supply-Demand Calculator to create a realistic estimate of your project capacity.

The calculator tool requires minimal upfront staff participation: you can obtain meaningful results with participation from even a single person, with insight on the distribution of your resources and their average work week or month. As the number of participants increases, the quality of analysis will improve.

The first half of this step guides you through how to use the calculator. The second half provides tactical advice on how to gather additional data and validate your resourcing data with your staff.

Download Info-Tech’s Resource Management Supply-Demand Calculator

Info-Tech Insight

What’s first, process or tools? Remember that process determines the quality of your data while data quality limits the tool’s utility. Without quality data, you cannot evaluate the success of the tool, so nail down your collection process first.

Break down your resource capacity into high-level buckets of time for each role

1.2.1
30 minutes - 1 hour

Input

• Staff resource types
• Average work week
• Estimated allocations

Output

A realistic estimate of project capacity

Materials

Resource Management Supply-Demand Calculator

Participants

• PMO Director
• Resource/Functional Managers (optional)

We define four high-level buckets of resource time:

• Absence: on average, a resource spends 14% of the year on vacation, statutory holidays, business holidays and other forms of absenteeism.
• Administrative: time spent on meetings, recordkeeping, etc.
• Operational: keeping the lights on; reactive work.
• Projects: time to work on projects; typically, this bucket of time is whatever’s left from the above.

Instructions for working through Tab 2 of the Resource Management Supply-Demand Calculator are provided in the next two sections. Follow along to obtain your breakdown of annual resource capacity in a pie chart.

Break down your resource capacity into high-level buckets of time for each role

1.2.1
Resource Management Supply-Demand Calculator, Tab 2: Capacity Supply

Discover how many work-hours are at your disposal by first accounting for absences.

1. Compile a list of each of the roles within your department.
2. Enter the number of staff currently performing each role.
3. Enter the number of hours in a typical work week for each role.
4. Enter the foreseeable out-of-office time (vacation, sick time, etc.) Typically, this value is 12-16% depending on the region.

Hours per Year represents your total resource capacity for each role, as well as the entire department. This column is automatically calculated.

Working Time per Year represents your total resource capacity minus time employees are expected to spend out of office. This column is automatically calculated.

Info-Tech Insight

Example for a five-day work week:

• 2 weeks (10 days) of statutory holidays
• 3 weeks of vacation
• 1.4 weeks (7 days) of sick days on average
• 1 week (5 days) for company holidays

Result: 7.4/52 weeks’ absence = 14.2%

Break down your resource capacity into high-level buckets of time for each role (continued)

1.2.1
Resource Management Supply-Demand Calculator, Tab 2: Capacity Supply

Determine the current distribution of your resources’ time and your confidence in whether the resources indeed supply those times.

5. Enter the percentage of working time across each role that, on an annual basis, goes toward administrative duties (non-project meetings, training, time spent checking email, etc.) and keep-the-lights-on work (e.g. support and maintenance work).

While these percentages will vary by individual, a high-level estimate across each role will suffice for the purposes of this activity.

6. Express how confident you are in each resource being able to deliver the calculated project work hours in percentages.

Another interpretation for supply confidence is “supply control”: estimate your current ability to control this distribution of working time to meet the changing needs in percentages.

Percentage of your working time that goes toward project work is calculated based upon what’s left after your non-project working time allocations have been subtracted.

Create a realistic estimate of the demand from your project portfolio with the T-shirt sizing technique

1.2.2
15 minutes - 30 minutes

Input

• Average work-hours for a project
• List of projects
• PPM Current State Scorecard

Output

A realistic estimate of resource demand from your project portfolio

Materials

Resource Management Supply-Demand Calculator

Participants

• PMO Director
• Project Managers (optional)

Quickly re-express the size of your project portfolio in resource hours required.

Estimating the resources required for a project in a project backlog can take a lot of effort. Rather than trying to create an accurate estimate for each project, a set of standard project sizes (often referred to as the “T-shirt sizing” technique) will be sufficiently accurate for estimating your project backlog’s overall demand.

Instructions for working through Tab 3 of the tool are provided here and in the next section.

1. For each type of project, enter the average number for work-hours.

Improve your estimate of demand from your project portfolio by accounting for unproductive capacity spending

1.2.2
Resource Management Supply-Demand Calculator, Tab 3: Project Demand

2. Using your list of projects, enter the number of projects for each appropriate field.

3. Enter your resource waste data from the PPM Current State Scorecard (see next section). Alternatively, enter your best guess on how much project capacity is spent wastefully per category.

Info-Tech Insight

The calculator estimates the project demand by T-shirt-sizing the work-hours required by projects to be delivered within the next 12 months and then adding the corresponding wasted capacity. This may be a pessimistic estimate, but it is more realistic because projects tend to be delivered late more than early.

Estimate how much project capacity is wasted with Info-Tech’s PPM Current State Scorecard

Call 1-888-670-8889 or contact your Account Manager for more information.

This step is highly recommended but not required.

Info-Tech’s PPM Current State Scorecard diagnostic provides a comprehensive view of your portfolio management strengths and weaknesses, including project portfolio management, project management, customer management, and resource utilization.

Use the wisdom-of-the-crowd to estimate resource waste in:

• Cancelled projects
• Inefficiency
• Suboptimal assignment of resources
• Unassigned resources
• Analyzing, fixing, and redeploying

50% of PPM resource is wasted on average, effectively halving your available project capacity.

Estimate non-project demand on your resources by role

1.2.3
45 minutes - 1 hour

Input

• Organizational chart
• Knowledge of staff non-project demand

Output

Documented non-project demands and their estimated degree of fluctuation

Materials

Resource Management Supply-Demand Calculator

Participants

• PMO Director
• Functional Managers (optional)

Document non-project demand that could eat into your project capacity.

When discussing project demands, non-project demands (administrative and operational) are often underestimated and downplayed – even though, in reality, they take a de facto higher priority to project work. Use Tab 4 of the tool to document these non-project demands, as well as their sources.

1. Choose a role using a drop-down list.

2. Enter the type and the source of the demand.

3. Enter the size and the frequency of the demand in hours.

4. Estimate how stable the non-project demands are for each role.

Examine and discuss your supply-demand analysis report

1.2.4
30 minutes - 1 hour

Input

Completed Resource Management Supply-Demand Calculator

Output

Supply-Demand Analysis Report

Materials

Resource Management Supply-Demand Calculator

Participants

• PMO Director
• Functional Managers
• Project Managers

Start a data-driven discussion on resource management using the capacity supply-demand analysis report.

Tab 5 of the calculator is a report that contains the following analysis:

1. Overall resource capacity supply and demand gap
2. Project capacity supply vs. demand gap
3. Non-project capacity supply vs. demand balance
4. Resource capacity confidence

Each analysis is described and explained in the following four sections. Examine the report and discuss the following among the activity participants:

1. How is your perception of the current resource capacity supply-demand balance affected by this analysis? How is it confirmed? Is it changed?
2. Perform a root-cause analysis of problems revealed by the report. For each observation, ask “why?” repeatedly – generally, you can arrive at the root cause in four iterations.
3. Refer back to Activity 1.1.2: current distribution of accountability for resource management. In your situation, how would you prioritize which resource management tasks to improve? Who are the involved stakeholders?

Examine your supply-demand analysis report: overall resource capacity gap

1.2.4
Resource Management Supply-Demand Calculator, Tab 5: Supply-Demand Analysis

1. Examine your resource capacity supply and demand gap.

The top of the report on Tab 5 shows a breakdown of your annual resource supply and demand, with resource capacity shown in both total hours and percentage of the total. For the purposes of the analysis, absence is averaged. If total demand is less than available resource supply, the surplus capacity will be displayed as “Free Capacity” on the demand side.

The Supply & Demand Analysis table displays the realistic project capacity, which is calculated by subtracting non-project supply deficit from the project capacity. This is based on the assumption that all non-project work must get done. The difference between the project demand and the realistic project capacity is your supply-demand gap, in work-hours.

If your supply-demand gap is zero, recognize that the project demand does not take into account the project backlog: it only takes into account the projects that are expected to be delivered within the next 12 months.

Examine your supply-demand analysis report: project capacity gap

1.2.4
Resource Management Supply-Demand Calculator, Tab 5: Supply-Demand Analysis

2. Examine your project capacity supply vs. demand gap.

The project capacity supply and demand analysis compares your available annual project capacity with the size of your project portfolio, expressed in work-hours.

The supply side is further broken down to productive vs. wasted project capacity. The demand side is broken down to three buckets of projects: those that are active, those that sit in the backlog, and those that are expected to be added within 12 months. Percentage values are expressed in terms of total project capacity.

A key observation here is the limitation to which reducing wasteful spending of resources can get to the project portfolio backlog. In this example, even a theoretical scenario of 100% productive project capacity will not likely result in net shrinkage of the project portfolio backlog. To achieve that, either the total project capacity must be increased, or less projects must be approved.

Note: the work-hours necessary for delivering projects that are expected to be completed within 12 months is not shown in this visualization, as they should be represented within the other three categories of projects.

Examine your supply-demand analysis report: non-project capacity gap

1.2.4
Resource Management Supply-Demand Calculator, Tab 5: Supply-Demand Analysis

3. Drill down on the non-project capacity supply-demand balance by each role.

The non-project capacity supply and demand analysis compares your available non-project capacity and their demands in a year, for each role, in work-hours.

With this chart, you can:

1. Observe which roles are “running hot,” (i.e. they have more demand than available supply).
2. Verify your non-project/project supply ratio assumptions in Tab 2 of the tool / Activity 1.2.1.

Tab 5 also provides similar breakdowns for administrative and keep-the-lights-on capacity supply and demand by each role.

Examine your supply-demand analysis report: resource capacity confidence (RCC)

1.2.4
Resource Management Supply-Demand Calculator, Tab 5: Supply-Demand Analysis

4. Examine your resource capacity confidence.

In our approach, we introduce a metric called Resource Capacity Confidence (RCC). Conceptually, RCC is defined as follows:

Resource Capacity Confidence = SC × DS × SDR

In this context, RCC can be defined as follows:

"Given the uncertainty that our resources can supply hours according to the assumed project/non-project ratio, the fluctuations in non-project demand, and the overall deficit in project capacity, there is about 50% chance that we will be able to deliver the projects we are expected to deliver within the next 12 months."

Case study: Non-project work is probably taking far more time than you might like

CASE STUDY

Industry Government

Source Info-Tech Client

"When our customers get a budget for a project, it’s all in capital. It never occurs to them that IT has a limited number of hours. "

Challenge

• A small municipal government was servicing a wide geographic area for information technology and infrastructure services.
• There was no meaningful division of IT resources between support and project work.
• Previous IT leadership tried a commercial PPM tool and stopped paying maintenance fees for it because of lack of adoption.
• Projects were tracked inconsistently in multiple places.

Solution

• New project requests were approved with IT involvement.
• Project approvals were entirely associated with the capital budget required and resourcing was never considered to be a constraint.
• The broad assumption was that IT time was generally available for project work.
• In reality, the IT personnel had almost no time for project work.

Results

• The organization introduced Info-Tech’s Grow Your Own PPM Solution template with minor modifications.
• They established delivery dates for projects based on available time.
• Time was allocated for projects based on person, project, percentage of time, and month.
• They prioritized project allocations above reactive support work.

Validate your resourcing assumptions with your staff by surveying their use of time

Embrace the reality of imperfect IT labor efficiency to improve your understanding of resource time spend.

Use Info-Tech’s time-tracking survey to validate your resourcing assumptions and get additional information to improve your understanding of resource time spent: imperfect labor efficiency and continuous partial attention.

Causes of imperfect IT labor inefficiency

• Most IT tasks are unique to their respective projects and contexts. A component that took 30 minutes to install last year might take two hours to install this year due to system changes that occurred since then.
• Many IT tasks come up unexpectedly due to the need to maintain and support systems implemented on past projects. This work is unpredictable in terms of specifics (what will break where, when, or how).
• Task switching slows people down and consumes time.
• Problem solving and solution design often requires unstructured time to think more openly. Some of the most valuable solutions are conceived or discovered when people aren’t regimented and focused on getting things done.

Info-Tech Insight

Part of the old resource management mythology is the idea that a person can do (for example) eight different one-hour tasks in eight hours of continuous work. This idea has gone from harmlessly mistaken to grossly unrealistic.

Constant interruptions lead to continuous partial attention that threatens real productivity

There’s a difference between being busy and getting things done.

“Working” on multiple tasks at once can often feel extremely gratifying in the short term because it distracts people from thinking about work that isn’t being done.

The bottom line is that continuous partial attention impedes the progress of project work.

Research on continuous partial attention

• A study that analyzed interruptions and their effects on individuals in the workplace found that that “41% of the time an interrupted task was not resumed right away” (Mark, 2015).
• Research has also shown that it can take people an average of 23 minutes to return to a task after being interrupted (Schulte, 2015).
• Delays following interruptions are typically due to switching between multiple other activities before returning to the original task. In many cases, those tasks are much lower priorities – and in some cases not even work-related.

Info-Tech Insight

It may not be possible to minimize interruptions in the workplace, as many of these are considered to be urgent at the time. However, setting guidelines for how and when individuals can be interrupted may help to limit the amount of lost project time.

"Like so many things, in small doses, continuous partial attention can be a very functional behavior. However, in large doses, it contributes to a stressful lifestyle, to operating in crisis management mode, and to a compromised ability to reflect, to make decisions, and to think creatively."

– Linda Stone, Continuous Partial Attention

Define the goals and the scope of the time-tracking survey

1.2.5
30 minutes

Input

Completed Resource Management Supply-Demand Calculator

Output

Survey design for the time-tracking survey

Materials

N/A

Participants

• PMO Director
• Functional Managers
• Project Managers

Discuss the following with the activity participants:

1. Define the scope of the survey
   • Respondents: Comprehensive survey of individuals vs. a representative sample using roles.
   • Granularity: decide how in-depth the questions will be and how often the survey will be delivered.
   • Data Collection: what information do you want to collect?
     • Proportion of project vs. non-project work.
     • Time spent on administrative tasks.
     • Prevalence and impact of distractions.
     • Worker satisfaction.
2. Determine the sample time period covered by the survey
   • Info-Tech recommends 2-4 weeks. Less than 2 weeks might not be a representative sample, especially during vacation seasons.
   • More than 4 weeks will impose unreasonable time and effort for diminishing returns; data quality will begin to deteriorate as participation declines.
3. Determine the survey method
   • Use your organization’s preferred survey distributor/online survey tool, or conduct one-on-one interviews to capture data.

1.2.5 continued - Refine the questionnaire to improve the relevance and quality of insights produced by the survey

Start with Info-Tech’s recommended weekly survey questions:

1. Estimate your daily average for number of hours spent on:
   1. Total work
   2. Project work
   3. Non-project work
2. How many times are you interrupted with “urgent” requests requiring immediate response in a given day?
3. How many people or projects did you complete tasks for this week?
4. Rate your overall satisfaction with work this week.
5. Describe any special tasks, interruptions, or requests that took your time and attention away from project work this week.

Customize these questions to suit your needs.

Info-Tech Insight

Maximize the number of survey responses you get by limiting the number of questions you ask. Info-Tech finds that participation drops off rapidly after five questions.

1.2.5 continued - Communicate the survey goals and steps, and conduct the survey

1. Communicate the purpose and goals of the survey to maximize participation and satisfaction.
   • Provide background for why the survey is taking place. Clarify that the intention is to improve working conditions and management capabilities, not to play “gotcha” or hold workers accountable.
2. Provide a timeline so expectations are clear about when possible next steps will occur, such as
   • Sharing and analyzing results
   • Making decisions
   • Taking action
3. Reiterate what people are required or expected to do and how much effort is required. Provide reasonable and realistic estimates of how much time and effort people should spend on audit participation.
4. Distribute the survey; collect and analyze the data.

Info-Tech Insight

Make sure that employees understand the purpose of the survey. It is important that they give honest responses that reflect the struggles they are encountering with balancing project and non-project work, not simply telling management what they want to hear.

Ensuring that employees know this survey is being used to help them, rather than scolding them for not completing work, will give you useful, insightful data on employee time.

Use Info-Tech’s Time-Tracking Survey Email Template for facilitating your communications.

Info-Tech Best Practice

Provide guidance to your resources with examples on how to differentiate project work vs. non-project work, administrative vs. keep-the-lights-on work, what counts as interruptions, etc.

Optimize your project portfolio to maintain continuous visibility into capacity

Now that you have a realistic picture of your realized project capacity and demand amounts, it’s time to use these values to tailor and optimize your resource management practices.

Based on desired outcomes for this phase, we have

1. Determined the correct course of action to resolve your supply/demand imbalances.
2. Assessed the overall project capacity of your portfolio.
3. Cataloged sources of project and non-project demands.
4. Performed a time audit to create an accurate and realistic picture of the time spent on different types of work.

In the next phase, we will:

1. Wireframe a resource management process.
2. Choose a resource management tool.
3. Define data collection, analysis, and reporting steps within a sustainable resource management process.

Screenshots from tab 6 of the Time Audit Workbook.

Info-Tech Insight

The validity of traditional, rigorous resource planning has long been an illusion because the resource projections were typically not maintained. New realities such as faster project cycles, matrix organizations, and high-autonomy staff cultures have made the illusion impossible to maintain.

If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

Book a workshop with our Info-Tech analysts:

• To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
• Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
• Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

The following are sample activities that will be conducted by Info-Tech analysts with your team:

1.1.2 Assess the current distribution of accountability for resource management practice

Discuss who is currently accountable for various facets of resource management, and whether they have the right authority and ability to deliver on that accountability.

1.2.1 Create realistic estimates of supply and demand using Info-Tech’s Supply-Demand Calculator

Derive actionable, quantitative insight into the resourcing challenges facing the organization by using Info-Tech’s methodology that prioritizes completeness over precision.

Phase 2

Design a Realistic Resource Management Process

Phase 2 Outline

Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

Guided Implementation 2: Draft a Resource Management Process

Proposed Time to Completion (in weeks): 3-6 weeks

Step 2.1: Determine the dimensions of resource management

Start with an analyst kick-off call:

• Introduce the seven dimensions of resource management
• Trade-off between granularity and utility of data

Then complete these activities…

• Decide on the seven dimensions
• Examine the strategy’s cost-of-use

With these tools & templates:

Resource Management Playbook