Prepare for the Upgrade to Windows 11

The upgrade is inevitable, but you have time, and you have options.

Analyst Perspective

Upgrading to Windows 11 is easy, and while it should be properly investigated and planned, it should absolutely be an activity you undertake.

“You hear that Mr. Anderson? That is the sound of inevitability.” ("The Matrix Quotes" )

The fictitious Agent Smith uttered those words to Keanu Reeves’ character, Neo, in The Matrix in 1999, and while Agent Smith was using them in a very sinister and figurative context, the words could just as easily be applied to the concept of upgrading to the Windows 11 operating system from Microsoft in 2022.

There have been two common, recurring themes in the media since late 2019. One is the global pandemic and the other is cyber-related crime. Microsoft is not in a position to make an impact on a novel coronavirus, but it does have the global market reach to influence end-user technology and it appears that it has done just that. Windows 11 is a step forward in endpoint security and functionality. It also solidifies the foundation for future innovations in end-user operating systems and how they are delivered. Windows-as-a-Service (WAAS) is the way forward for Microsoft. Windows 10 is living on borrowed time, with a defined end of support date of October 14, 2025. Upgrading to Windows 11 is easy, and while it should be properly investigated and planned, it should absolutely be an activity you undertake.

It is inevitable!

P.J. Ryan

Research Director, Infrastructure & Operations

Info-Tech Research Group

Executive Summary

Your Challenge

• Windows 10 is going EOL in 2025. That is closer than you think.
• Many of your endpoints are not eligible for the Windows 11 upgrade. You can’t afford to replace all your endpoints this year. How do you manage this Microsoft-initiated catastrophe?
• You want to stay close to the leading edge of technology and services, but how do you do that while keeping your spending in check and within budget?

Common Obstacles

• The difference between Windows 10 and Windows 11 is not clear. Windows 11 looks like Windows 10 with some minor changes, mostly cosmetic. Many online users don’t see the need. Why upgrade? What are the benefits?
• The cost of upgrading devices just to be eligible for Windows 11 is high.
• Your end users don’t like change. This is not going to go over well!

Info-Tech's Approach

• Spend wisely. Space out your endpoint replacements and upgrades over several years. You do not have to upgrade everything right away.
• Be patient. Windows 11 contained some bugs when it was initially released. Microsoft fixed most of the issues through monthly quality updates, but you should ensure that you are comfortable with the current level of functionality before you upgrade.
• Use the upgrade ring approach. Test your applications with a small group first, and then stage the rollout to increasingly larger groups over time.

Info-Tech Insight

There is a lot of talk about Windows 11, but this is only an operating system upgrade, and it is not a major one. Understand what is new, what is added, and what is missing. Check your devices to determine how many are eligible and ineligible. Many organizations will have to spend capital on endpoint upgrades. Solid asset management practices will help.

Insight summary

Windows 11 is a step forward in security, which is one of the primary reasons for the release of the new operating system.

Windows 11 comes with a list of hardware requirements that enable the use of tools and features that, when combined, will reduce malware infections.

The hardware requirements for Windows 11 enable security features such as password-less logon, disk encryption, increased startup protection with secure boot, and virtualization-based security.

Many organizations will have to spend capital on endpoint upgrades.

Microsoft now insists that modern hardware is required for Windows 11 for not only security but also for improved stability. That same hardware requirement will mean that many devices that are only three or four years old (as well as older ones) may not be eligible for Windows 11.

Windows 11 is a virtualization challenge for some providers.

The hardware requirements for physical devices are also required for virtual devices. The TPM module appears to be the biggest challenge. Oracle VirtualBox and Citrix Hypervisor as well as AWS and Google are unable to support Windows 11 virtual devices as of the time of writing.

Windows 10 will be supported by Microsoft until October 2025.

That will remove some of the pressure felt due to the ineligibility of many devices and the need to refresh them. Take your time and plan it out, keeping within budget constraints. Use the upgrade ring approach for systems that are eligible for the Windows 11 upgrade.

New look and feel, and a center screen taskbar.

Corners are rounded, some controls look a little different, but overall Windows 11 is not a dramatic shift from Windows 10. It is easier to navigate and find features. Oh, and yes, the taskbar (and start button) is shifted to the center of the screen, but you can move them back to the left if desired.

The education industry gets extra attention with the release of Windows 11.

Windows 11 comes with multiple subscription-based education offerings, but it also now includes a new lightweight SE edition that is intended for the K-8 age group. Microsoft also released a Windows 11 Education SE specific laptop, at a very attractive price point. Other manufacturers also offer Windows 11 SE focused devices.

Why Windows 11?

Windows 10 was supposed to be the final desktop OS from Microsoft, wasn’t it?

Maybe. It depends who you ask.

Jerry Nixon, a Microsoft developer evangelist, gained notoriety when he uttered these words while at a Microsoft presentation as part of Microsoft Ignite in 2015: “Right now we’re releasing Windows 10, and because Windows 10 is the last version of Windows, we’re all still working on Windows 10,” (Hachman). Microsoft never officially made that statement. Interestingly enough, it never denied the comments made by Jerry Nixon either.

Perhaps Microsoft released a new operating system as a financial grab, a way to make significant revenue?

Nope.

Windows 11 is a free upgrade or is included with any new computer purchase.

Market share challenges?

Doubtful.

It’s true that Microsoft's market share of desktop operating systems is dropping while Apple OS X and Google Chrome OS are rising.

In fact, Microsoft has relinquished over 13% of the market share since 2012 and Apple has almost doubled its market share. BUT:

Microsoft is still holding 75.12% of the market while Apple is in the number 2 spot with 14.93% (gs.statcounter.com).

The market share is worth noting for Microsoft but it hardly warrants a new operating system.

New look and feel?

Unlikely

New start button and taskbar orientation, new search window, rounded corners, new visual look on some controls like the volume bar, new startup sound, new Windows logo, – all minor changes. Updates could achieve the same result.

Security?

Likely the main reason.

Windows 11 comes with a list of hardware requirements that enable the use of tools and features that, when combined, will reduce malware infections.

The hardware requirements for Windows 11 enable security features such as password-less logon, disk encryption, increased startup protection with secure boot, and virtualization-based security.

The features are available on all Windows 11 physical devices, due to the common hardware requirements.

Windows 11 hardware-based security

These hardware options and features were available in Windows 10 but not enforced. With Windows 11, they are no longer optional. Below is a description and explanation of the main features.

How do all the hardware-based security features work?

This scenario explains how a standard boot up and login should happen.

You turn on your computer. Secure Boot authorizes the processes and UEFI hands over control to the operating system. Windows Hello works with TPM and uses a pin to authenticate the user and the operating systems gives you access to the Windows environment.

Now imagine the same process with various compromised scenarios.

You turn on your computer. Secure Boot does not recognize the signature presented to it by the second process in the boot sequence. You will be presented with a “Secure Boot Violation” message and an option to reboot. Your computer remains protected.

You boot up and get past the secure boot process and UEFI passes control over to the Windows 11 operating system. Windows Hello asks for your pin, but you cannot remember the pin and incorrectly enter it three times before admitting temporary defeat. Windows Hello did not find a matching pin on the TPM and will not let you proceed. You cannot log in but in the eyes of the operating system, it has prevented an unauthorized login attempt.

You power up your computer, log in without issue, and go about your morning routine of checking email, etc. You are not aware that malware has infiltrated your system and modified a page in system memory to run code and access the operating system kernel. VBS and HVCI check the integrity of that code and detect that it is malicious. The code remains isolated and prevented from running, protecting your system.

TPM, Hello, UEFI with Secure Boot, VBS and HVCI all work together like a well-oiled machine.

“Microsoft's rationale for Windows 11's strict official support requirements – including Secure Boot, a TPM 2.0 module, and virtualization support – has always been centered on security rather than raw performance.” – Andrew Cunningham, arstechnica.com

“Windows 11 raises the bar for security by requiring hardware that can enable protections like Windows Hello, Device Encryption, virtualization-based security (VBS), hypervisor-protected code integrity (HVCI), and Secure Boot. These features in combination have been shown to reduce malware by 60% on tested devices.” – Steven J. Vaughan-Nichols, Computerworld

Can any device upgrade to Windows 11?

In addition to the security-related hardware requirements listed previously, which may exclude some devices from Windows 11 eligibility, Windows 11 also has a minimum requirement for other hardware components.

Windows 7 and Windows 10 were publicized as being backward compatible and almost any hardware would be able to run those operating systems. That changed with Windows 11. Microsoft now insists that modern hardware is required for Windows 11 for not only security but also improved stability.

Software Requirement

You must be running Windows 10 version 2004 or greater to be eligible for a Windows 11 upgrade (“Windows 11 Requirements”).

Complete hardware requirements for Windows 11

• 1 GHz (or faster) compatible 64-bit processor with two or more cores
  • Not all processors are compatible; compatible processors are listed in this link: “Windows Processor Requirements”
• 4 GB RAM
• 64 GB or more of storage space
• Compatible with DirectX 12 or later with WDDM 2.0 driver
  • DirectX connects the hardware in your computer with Windows. It allows software to display graphics using the video card or play audio, as long as that software is DirectX compatible. Windows 11 requires version 12 (“What are DirectX 12 compatible graphics”).
  • WDDM is an acronym for Windows Display Driver Model. WDDM is the architecture for the graphics driver for Windows (“Windows Display Driver Model”).
  • Version 2.0 of WDDM is required for Windows 11.
• 720p display greater than 9" diagonally with 8 bits per color channel
• UEFI Secure Boot capable
• TPM 2.0 chip

(“Windows 11 Requirements”)

Windows 11 may challenge your virtual environment

When Windows 11 was initially released, some IT administrators experienced issues when trying to install or upgrade to Windows 11 in the virtual world.

The Challenge

The issues appeared to be centered around the Windows 11 hardware requirements, which must be detected by the Windows 11 pre-install check before the operating system will install.

The TPM 2.0 chip requirement was indeed a challenge and not offered as a configuration option with Citrix Hypervisor, the free VMware Workstation Player or Oracle VM VirtualBox when Windows 11 was released in October 2021, although it is on the roadmap for Oracle and Citrix Hypervisor. VMware provides alternative products to the free Workstation Player that do support a virtual TPM. Oracle and Citrix reported that the feature would be available in the future and Windows 11 would work on their platforms.

Short-Term Solutions

VMware and Microsoft users can add a vTPM hardware type when configuring a virtual Windows 11 machine. Microsoft Azure does offer Windows 11 as an option as a virtual desktop. Citrix Desktop-As-A-Service (DAAS) will connect to Azure, AWS, or Google Cloud and is only limited by the features of the hosting cloud service provider.

Additional Insight

According to Microsoft, any VM running Windows 11 must meet the following requirements (“Virtual Machine Support”):

• It must be a generation 2 VM, and upgrading a generation 1 VM to Windows 11 (in-place) is not possible
• 64 GB of storage or greater
• Secure Boot capable with the virtual TPM enabled
• 4 GB of memory or greater
• 2 or more virtual processors
• The CPU of the physical computer that is hosting the VM must meet the Windows 11 (“Windows Processor Requirements”)

What’s new or updated in Windows 11?

The following two slides highlight some of the new and updated features in Windows 11.

Security

The most important change with Windows 11 is what you cannot see – the security. Windows 11 adds requirements and controls to make the user and device more secure, as described in previous slides.

Taskbar

The most prominent change in relation to the look and feel of Windows 11 is the shifting of the taskbar (and Start button) to the center of the screen. Some users may find this more convenient but if you do not and prefer the taskbar and start button back on the left of your screen, you can change it in taskbar settings.

Updated Apps

Paint, Photos, Notepad, Media Player, Mail, and other standard Windows apps have been updated with a new look and in some cases minor enhancements.

User Interface

The first change users will notice after logging in to Windows 11 is the new user interface – the look and feel. You may not notice the additional colors added to the Windows palette, but you may have thought that the startup sound was different, and the logo also looks different. You would be correct. Other look-and-feel items that changed include the rounded corners on windows, slightly different icons, new wallpapers, and controls for volume and brightness are now a slide bar. File explorer and the settings app also have a new look.

Microsoft Teams

Microsoft Teams is now installed on the taskbar by default. Note that this is for a personal Microsoft account only. Teams for Work or School will have to be installed separately if you are using a work or school account.

What’s new or updated in Windows 11?

Snap Layouts

Snap layouts have been enhanced and snap group functionality has been added. This will allow you to quickly snap one window to the side of the screen and open other Windows in the other side. This feature can be accessed by dragging the window you wish to snap to the left or right edge of the screen. The window should then automatically resize to occupy that half of the screen and allow you to select other Windows that are already open to occupy the remaining space on the screen. You can also hover your mouse over the maximize button in the upper right-hand corner of the window. A small screen with multiple snap layouts will appear for your selection. Multiple snapped Windows can be saved as a “Snap Group” that will open together if one of the group windows are snapped in the future.

Widgets

Widgets are expanding. Microsoft started the re-introduction of widgets in Windows 10, specifically focusing on the weather. Widgets now include other services such as news, sports, stock prices, and others.

Android Apps

Android apps can now run in Windows 11. You will have to use the Amazon store to access and install Android apps, but if it is available in the Amazon store, you can install it on Windows 11.

Docking

Docking has improved with Windows 11. Windows knows when you are docked and will minimize apps when you undock so they are not lost. They will appear automatically when you dock again.

This is not intended to be an inclusive list but does cover some of the more prominent features.

What’s missing from Windows 11?

The following features are no longer found in Windows 11:

• Backward compatibility
  • The introduction of the hardware requirements for Windows 11 removed the backward compatibility (from a hardware perspective) that made the transition from previous versions of Windows to their successor less of a hardware concern. If a computer could run Windows 7, then it could also run Windows 10. That does not automatically mean it can also run Windows 11.
• Internet Explorer
  • Internet Explorer is no longer installed by default in Windows 11. Microsoft Edge is now the default browser for Windows. Other browsers can also be installed if preferred.
• Tablet mode
  • Windows 11 does not have a "tablet" mode, but the operating system will maximize the active window and add more space between icons to make selecting them easier if the 2-in-1 hardware detects that you wish to use the device as a tablet (keyboard detached or device opened up beyond 180 degrees, etc.).
• Semi-annual updates
  • It may take six months or more to realize that semi-annual feature updates are missing. Microsoft moved to an annual feature update schema but continued with monthly quality updates with Windows 11.
• Specific apps
  • Several applications have been removed (but can be manually added from the Microsoft Store by the user). They include:
    • OneNote for Windows 10
    • 3D Viewer
    • Paint 3D
    • Skype
• Cortana (by default)
  • Cortana is missing from Windows 11. It is installed but not enabled by default. Users can turn it on if desired.

Microsoft included a complete list of features that have been removed or deprecated with Windows 11, which can be found here Windows 11 Specs and System Requirements.

Windows 11 editions

• Windows 11 is offered in several editions:
  • Windows 11 Home
  • Windows 11 Pro
  • Windows 11 Pro for Workstations
  • Windows 11 Enterprise Windows 11 for Education
  • Windows 11 SE for Education
• Windows 11 hardware requirements and security features are common throughout all editions.
• The new look and feel along with all the features mentioned previously are common to all editions as well.
• Windows Home
  • Standard offering for home users
• Pro versus Pro for Workstations
  • Windows 11 Pro and Pro for Workstations are both well suited for the business environment with available features such as support for Active Directory or Azure Active Directory, Windows Autopilot, OneDrive for Business, etc.
  • Windows Pro for Workstations is designed for increased demands on the hardware with the higher memory limits (2 TB vs. 6 TB) and processor count (2 CPU vs. 4 CPU).
  • Windows Pro for Workstations also features Resilient File System, Persistent Memory, and SMB Direct. Neither of these features are available in the Windows 11 Pro edition.
  • Windows 11 Pro and Pro for Workstations are both very business focused, although Pro may also be a common choice for non-business users (Home and Education).
• Enterprise Offerings
  • Enterprise licenses are subscription based and are part of the Microsoft 365 suite of offerings.
  • Windows 11 Enterprise is Windows 11 Pro with some additional addons and functionality in areas such as device management, collaboration, and security services.
  • The level of the Microsoft 365 Enterprise subscription (E3 or E5) would dictate the additional features and functionality, such as the complete Microsoft Defender for Endpoint suite or the Microsoft phone system and Audio Conferencing, which are only available with the E5 subscription.

Windows 11 Education Editions

With the release of a laptop targeted specifically at the education market, Microsoft must be taking notice of the Google Chrome educational market penetration, especially with headlines like these.

“40 Million Chromebooks in Use in Education” (Thurrott)

“The Unprecedented Growth of the Chromebook Education Market Share” (Carklin)

“Chromebooks Gain Market Share as Education Goes Online” (Hruska)

“Chromebooks Gain Share of Education Market Despite Shortages” (Mandaro)

“Chromebook sales skyrocketed in Q3 2020 with online education fueling demand” (Duke)

• Education licenses are subscription based and are part of the Microsoft 365 suite of offerings. Educational pricing is one benefit of the Microsoft 365 Education model.
• Windows 11 Education is Windows 11 Pro with some additional addons and functionality similar to the Enterprise offerings for Windows 11 in areas such as device management, collaboration, and security services. Windows 11 Education also adds some education specific settings such as Classroom Tools, which allow institutions to add new students and their devices to their own environment with fewer issues, and includes OneNote Class Notebook, Set Up School PCs app, and Take a Test app.
• The level of the Microsoft 365 Education subscription (A3 or A5) would dictate the additional features and functionality, such as the complete Microsoft Defender for Endpoint suite or the Microsoft phone system and Audio Conferencing, which are only available with the A5 subscription.
• Windows 11 SE for Education:
  • A cloud-first edition of Windows 11 specifically designed for the K-8 education market.
  • Windows 11 SE is a light version of Windows 11 that is designed to run on entry-level devices with better performance and security on that hardware.
  • Windows 11 SE requires Intune for Education and only IT admins can install applications.
• Microsoft and others have come out with Windows SE specific devices at a low price point.
  • The Microsoft Surface Laptop SE comes pre-loaded with Windows 11 SE and can be purchased for US$249.00.
  • Dell, Asus, Acer, Lenovo, and others also offer Windows 11 SE specific devices (“Devices for Education”).

Initial Reactions

Below you can find some actual initial reactions to Windows 11.

Initial reactions are mixed, as is to be expected with any new release of an operating system. The look and feel is new, but it is not a huge departure from the Windows 10 look and feel. Some new features are well received such as the snap feature.

The shift of the taskbar (and start button) is the most popular topic of discussion online when it comes to Windows 11 reactions. Some love it and some do not. The best part about the shift of the taskbar is that you can adjust it in settings and move it back to its original location.

The best thing about reactions is that they garner attention, and thanks in part to all the online reactions and comments, Microsoft is continually improving Windows 11 through quality updates and annual feature releases.

“My 91-year-old Mum has found it easy!” Binns, Paul ITRG

“It mostly looks quite nice and runs well.” Jmbpiano, Reddit user

“It makes me feel more like a Mac user.” Chang, Ben Info-Tech

“At its core, Windows 11 appears to be just Windows 10 with a fresh coat of paint splashed all over it.” Rouse, Rick RicksDailyTips.com

“Love that I can snap between different page orientations.” Roberts, Jeremy Info-Tech

“I finally feel like Microsoft is back on track again.” Jawed, Usama Neowin

“A few of the things that seemed like issues at first have either turned out not to be or have been fixed with patches.” Jmbpiano, Reddit user

“The new interface is genuinely intuitive, well-designed, and colorful.” House, Brett AnandTech

“No issues. Have it out on about 50 stations.” Sandrews1313, Reddit User

“The most striking change is to the Start menu.” Grabham, Dan pocket-lint.com

How do I upgrade to Windows 11?

The process is very similar to applying updates in Windows 10.

• Windows 11 is offered as an upgrade through the standard Windows 10 update procedure. Windows Update will notify you when the Windows 11 upgrade is ready (assuming your device is eligible for Windows 11).
  • Allow the update (upgrade in this case) to proceed, reboot, and your endpoint will come back to life with Windows 11 installed and ready for you.
• A fresh install can be delivered by downloading the required Windows 11 installation media from the Microsoft Software Download site for Windows 11.
• Business users can control the timing and schedule of the Windows 11 rollout to corporate endpoints using Microsoft solutions such as WSUS, Configuration Manager, Intune and Endpoint Manager, or by using other endpoint management solutions.
• WSUS and Configuration Manager will have to sync the product category for Windows 11 to manage the deployment.
• Windows Update for Business policies will have to use the target version capability rather than using the feature update referrals alone.
• Organizations using Intune and a Microsoft 365 E3 license will be able to use the Feature Update Deployments page to select Windows 11.
• Other modern endpoint management solutions may also allow for a controlled deployment.

Info-Tech Insight

The upgrade itself may be a simple process but be prepared for the end-user reactions that will follow. Some will love it but others will despise it. It is not an optional upgrade in the long run, so everyone will have to learn to accept it.

When can I upgrade to Windows 11?

You can upgrade right now BUT there is no need to rush. Windows 11 was released in October 2021 but that doesn’t mean you have to upgrade everyone right away. Plan this out.

• Build deployment rings into your Windows 11 upgrade approach: This approach, also referred to as Canary Releases or deployment rings, allows you to ensure that IT can support users if there's a major problem with the upgrade. Instead of disrupting all end users, you are only disrupting a portion of end users.
  • Deploy the initial update to your test environment.
  • After testing is successful or changes have been made, deploy Windows 11 to your pilot group of users.
  • After the pilot group gives you the thumbs up, deploy to the rest of production in phases. Phases are sometimes by office/location, sometimes by department, sometimes by persona (i.e. defer people that don't handle updates well), and usually by a combination of these factors.
  • Increase the size of each ring as you progress.
• Always back up your data before any upgrade.

Deployment Ring Example

Pilot Ring - Individuals from all departments - 10 users

Ring #1 - Dev, Finance - 20 Users

Ring #2 - Research - 100 Users

Ring #3 - Sales, IT, Marketing - 500 Users

Upgrade your eligible devices and users to Windows 11

Build Windows 11 Deployment Rings

Instructions:

1. Identify who will be in the pilot group. Use individuals instead of user groups.
2. Identify how many standard rings you need. This number will be based on the total number of employees per office.
3. Map groups to rings. Define which user groups will be in each ring.
4. Allow some time to elapse between upgrades. Allow the first group to work with Windows 11 and identify any potential issues that may arise before upgrading the next group.
5. Track and communicate. Record all information into a spreadsheet like the one on the right. This will aid in communication and tracking.

What are my options if my devices cannot upgrade to Windows 11?

Don’t rush out to replace all the ineligible endpoint devices. You have some time to plan this out. Windows 10 will be available and supported by Microsoft until October 2025.

Use asset management strategies and budget techniques in your Windows 11 upgrade approach:

• Start with current inventory and determine which devices will not be eligible for upgrade to Windows 11.
• Prioritize the devices for replacement, taking device age, the role of the user the device supports, and delivery times for remote users into consideration.
• Take this opportunity to review overall device offerings and end-user compute strategy. This will help decide which devices to offer going forward while improving end-user satisfaction.
• Determine the cost for replacement devices:
  • Compare vendor offerings using an RFP process.
• Use the hardware asset management planning spreadsheet on the next slide to budget for the replacements over the coming months leading up to October 2025.

Leverage Info-Tech research to improve your end-user computing strategy and hardware asset management processes:

New to End User Computing Strategies? Start with Modernize and Transform Your End-User Computing Strategy.

New to IT asset management? Use Info-Tech’s Implement Hardware Asset Management blueprint.

Use Info-Tech’s HAM Budgeting Tool to plan your hardware asset budget

Build a Windows 11 Device Replacement Budget

The link below will open up a hardware asset management (HAM) budgeting tool. This tool can easily be modified to assist in developing and justifying the budget for hardware assets for the Windows 11 project. The tool will allow you to budget for hardware asset refresh and to adjust the budget as needed to accommodate any changes. Follow the instructions on each tab to complete the tool.

A sample of a possible Windows 11 budgeting spreadsheet is shown on the right, but feel free to play with the HAM budgeting tool to fit your needs.

HAM Budgeting Tool

Related Info-Tech Research

Modernize and Transform Your End-User Computing Strategy

This project helps support the workforce of the future by answering the following questions: What types of computing devices, provisioning models, and operating systems should be offered to end users? How will IT support devices? What are the policies and governance surrounding how devices are used? What actions are we taking and when? How do end-user devices support larger corporate priorities and strategies?

Implement Hardware Asset Management

This project will help you analyze the current state of your HAM program, define assets that will need to be managed, and build and involve the ITAM team from the beginning to help embed the change. It will also help you define standard policies, processes, and procedures for each stage of the hardware asset lifecycle, from procurement through to disposal.

Bibliography

aczechowski, et al. “Windows 11 Requirements.” Microsoft, 3 June 2022. Accessed 13 June 2022.

Binns, Paul. Personal interview. 07 June 2022.

Butler, Sydney. “What Is Trusted Platform Module (TPM) and How Does It Work?” Help Desk Geek, 5 August 2021. Accessed 18 May 2022.

Carklin, Nicolette. “The Unprecedented Growth of the Chromebook Education Market Share.” Parallels International GmbH, 26 October 2021. Accessed 19 May 2022.

Chang, Ben. Personal interview. 26 May 2022.

Cunningham, Andrew. “Why Windows 11 has such strict hardware requirements, according to Microsoft.” Ars Technica, 27 August 2021. Accessed 19 May 2022.

Dealnd-Han, et al. “Windows Processor Requirements.” Microsoft, 9 May 2022. Accessed 18 May 2022.

“Desktop Operating Systems Market Share Worldwide.” Statcounter Globalstats, June 2021–June 2022. Accessed 17 May 2022.

“Devices for education.” Microsoft, 2022. Accessed 13 June 2022.

Duke, Kent. “Chromebook sales skyrocketed in Q3 2020 with online education fueling demand.” Android Police, 16 November 2020. Accessed 18 May 2022.

Grabham, Dan. “Windows 11 first impressions: Our initial thoughts on using Microsoft's new OS.” Pocket-Lint, 24 June 2021. Accessed 3 June 2022.

Hachman, Mark. “Why is there a Windows 11 if Windows 10 is the last Windows?” PCWorld, 18 June 2021. Accessed 17 May 2022.

Howse, Brett. “What to Expect with Windows 11: A Day One Hands-On.” Anandtech, 16 November 2020. Accessed 3 June 2022.

Hruska, Joel. “Chromebooks Gain Market Share as Education Goes Online.” Extremetech, 26 October 2020. Accessed 19 May 2022.

Jawed, Usama. “I am finally excited about Windows 11 again.” Neowin, 26 February 2022. Accessed 3 June 2022.

Jmbpiano. “Windows 11 - What are our initial thoughts and feelings?” Reddit, 22 November 2021. Accessed 3 June 2022.

Lumunge, Erick. “UEFI and Legacy boot.” OpenGenus, n.d. Accessed 18 May 2022.

Bibliography

Mandaro, Laura. “Chromebooks Gain Share of Education Market Despite Shortages.” The Information, 9 September 2020. Accessed 19 May 2022.

Murtaza, Fawad. “What Is Virtualization Based Security in Windows?” Valnet Inc, 24 October 2021. Accessed 17 May 2022.

Roberts, Jeremy. Personal interview. 27 May 2022.

Rouse, Rick. “My initial thoughts about Windows 11 (likes and dislikes).” RicksDailyTips.com, 5 September 2021. Accessed 3 June 2022.

Sandrews1313. “Windows 11 - What are our initial thoughts and feelings?” Reddit, 22 November 2021. Accessed 3 June 2022.

“The Matrix Quotes." Quotes.net, n.d. Accessed 18 May 2022.

Thurrott, Paul.” Google: 40 Million Chromebooks in Use in Education.” Thurrott, 21 January 2020. Accessed 18 May 2022.

Vaughan-Nichols, Steven J. “The real reason for Windows 11.” Computerworld, 6 July 2021, Accessed 19 May 2022.

“Virtual Machine Support.” Microsoft,3 June 2022. Accessed 13 June 2022.

“What are DirectX 12 compatible graphics and WDDM 2.x.” Wisecleaner, 20 August 2021. Accessed 19 May 2022.

“Windows 11 Specs and System Requirements.” Microsoft, 2022. Accessed 13 June 2022.

“Windows Display Driver Model.” MiniTool, n.d. Accessed 13 June 2022.

Build a Data Classification MVP for M365

Kickstart your governance with data classification users will actually use!

Executive Summary

Info-Tech Insight

• Creating an MVP gets you started in data governance
  Information protection and governance are not something you do once and then you are done. It is a constant process where you start with the basics (a minimum-viable product or MVP) and enhance your schema over time. The objective of the MVP is reducing obstacles to establishing an initial governance position, and then enabling rapid development of the solution to address a variety of real risks, including data loss prevention (DLP), data retention, legal holds, and data labeling.
• Define your information and protection strategy
  The initial strategy is to start looking across your organization and identifying your customer data, regulatory data, and sensitive information. To have a successful data protection strategy you will include lifecycle management, risk management, data protection policies, and DLP. All key stakeholders need to be kept in the loop. Ensure you keep track of all available data and conduct a risk analysis early. Remember, data is your highest valued intangible asset.
• Planning and resourcing are central to getting started on MVP
  A governance plan and governance decisions are your initial focus. Create a team of stakeholders that include IT and business leaders (including Legal, Finance, HR, and Risk), and ensure there is a top-level leader who is the champion of the governance objective, which is to ensure your data is safe, secure, and not prone to leakage or theft, and maintain confidentiality where it is warranted.

Executive Summary

Info-Tech Insight

Data classification is the lynchpin to any effective governance of O/M365 and your objective is to navigate through this easily and effectively and build a robust, secure, and viable governance model. Start your journey by identifying what and where your data is and how much data do you have. You need to understand what sensitive data you have and where it is stored before you can protect or govern it. Ensure there is a high-level leader who is the champion of the governance objectives. Data classification fulfills the governance objectives of risk mitigation, governance and compliance, efficiency and optimization, and analytics.

Questions you need to ask

Four key questions to kick off your MVP.

Classification tiers

Build your schema.

Info-Tech Insight

Deciding on how granular you go into data classification will chiefly be governed by what industry you are in and your regulatory obligations – the more highly regulated your industry, the more classification levels you will be mandated to enforce. The more complexity you introduce into your organization, the more operational overhead both in cost and resources you will have to endure and build.

Microsoft MIP Topology

Microsoft Information Protection (MIP), which is Microsoft’s Data Classification Services, is the key to achieving your governance goals. Without an MVP, data classification will be overwhelming; simplifying is the first step in achieving governance.

(Source: Microsoft, “Microsoft Purview compliance portal”)

Info-Tech Insight

Using least-complex sensitivity labels in your classification are your building blocks to compliance and security in your data management schema; they are your foundational steps.

MVP RACI Chart

Data governance is a "takes a whole village" kind of effort.

Clarify who is expected to do what with a RACI chart.

What and where your data resides Data types that require classification.

M365 Workload Containers
Email Attachments	Site Collections, Sites	Sites	Project Databases
Contacts	Teams and Group Site Collections, Sites	Libraries and Lists	Sites
Metadata	Libraries and Lists	Documents Versions	Libraries and Lists
Teams Conversations	Documents Versions	Metadata	Documents Versions
Teams Chats	Metadata	Permissions Internal Sharing External Sharing	Metadata
	Permissions Internal Sharing External Sharing	Files Shared via Teams Chats	Permissions Internal Sharing External Sharing

Info-Tech Insight

Knowing where your data resides will ensure you do not miss any applicable data that needs to be classified. These are examples of the workload containers; you may have others.

Discover and classify on- premises files using AIP

AIP helps you manage sensitive data prior to migrating to Office 365: Use discover mode to identify and report on files containing sensitive data. Use enforce mode to automatically classify, label, and protect files with sensitive data. Can be configured to scan: SMB files SharePoint Server 2016, 2013

Map your network and find over-exposed file shares. Protect files using MIP encryption. Inspect the content in file repositories and discover sensitive information. Classify and label file per MIP policy.

Azure Information Protection scanner helps discover, classify, label, and protect sensitive information in on-premises file servers. You can run the scanner and get immediate insight into risks with on-premises data. Discover mode helps you identify and report on files containing sensitive data (Microsoft Inside Track and CIAOPS, 2022). Enforce mode automatically classifies, labels, and protects files with sensitive data.

Info-Tech Insight

Any asset deployed to the cloud must have approved data classification. Enforcing this policy is a must to control your data.

Understanding governance

Microsoft Information Governance

Retention and backup policy decision

Retention is not backup.

Understand retention policy

What are retention policies used for? Why you need them as part of your MVP?

Do not confuse retention labels and policies with backup.

Remember: “retention [policies are] auto-applied whereas retention label policies are only applied if the content is tagged with the associated retention label” (AvePoint Blog, 2021).

E-discovery tool retention policies are not turned on automatically.

Retention policies are not a backup tool – when you activate this feature you are unable to delete anyone.

“Data retention policy tools enable a business to:

• “Decide proactively whether to retain content, delete content, or retain and then delete the content when needed.
• “Apply a policy to all content or just content meeting certain conditions, such as items with specific keywords or specific types of sensitive information.
• “Apply a single policy to the entire organization or specific locations or users.
• “Maintain discoverability of content for lawyers and auditors, while protecting it from change or access by other users. […] ‘Retention Policies’ are different than ‘Retention Label Policies’ – they do the same thing – but a retention policy is auto-applied, whereas retention label policies are only applied if the content is tagged with the associated retention label.

“It is also important to remember that ‘Retention Label Policies’ do not move a copy of the content to the ‘Preservation Holds’ folder until the content under policy is changed next.” (Source: AvePoint Blog, 2021)

Definitions

Data classification is a focused term used in the fields of cybersecurity and information governance to describe the process of identifying, categorizing, and protecting content according to its sensitivity or impact level. In its most basic form, data classification is a means of protecting your data from unauthorized disclosure, alteration, or destruction based on how sensitive or impactful it is.

Once data is classified, you can then create policies; sensitive data types, trainable classifiers, and sensitivity labels function as inputs to policies. Policies define behaviors, like if there will be a default label, if labeling is mandatory, what locations the label will be applied to, and under what conditions. A policy is created when you configure Microsoft 365 to publish or automatically apply sensitive information types, trainable classifiers, or labels.

Sensitivity label policies show one or more labels to Office apps (like Outlook and Word), SharePoint sites, and Office 365 groups. Once published, users can apply the labels to protect their content.

Data loss prevention (DLP) policies help identify and protect your organization's sensitive info (Microsoft Docs, April 2022). For example, you can set up policies to help make sure information in email and documents is not shared with the wrong people. DLP policies can use sensitive information types and retention labels to identify content containing information that might need protection.

Retention policies and retention label policies help you keep what you want and get rid of what you do not. They also play a significant role in records management.

Data examples for MVP classification

• Examples of the type of data you consider to be Confidential, Internal, or Public.
• This will help you determine what to classify and where it is.

New container sensitivity labels (MIP)

New container sensitivity labels

What users will see when they create or label a Team/Group/Site

(Source: Microsoft, “Microsoft Purview compliance portal”)

Info-Tech Insights

• Manage privacy of Teams Sites and M365 Groups
• Manage external user access to SPO sites and teams
• Manage external sharing from SPO sites
• Manage access from unmanaged devices

Data protection and security baselines

Info-Tech Insights

• Controls are already in place to set data protection policy. This assists in the MVP activities.
• Finally, you need to set your security baseline to ensure proper permissions are in place.

Prerequisite baseline

Security MFA or SSO to access from anywhere, any device Banned password list BYOD sync with corporate network

Users Sign out inactive users automatically Enable guest users External sharing Block client forwarding rules

Resources Account lockout threshold OneDrive SharePoint

Controls Sensitivity labels, retention labels and policies, DLP Mobile application management policy

Building baselines

Sensitivity Profiles: Public, Internal, Confidential; Subcategory: Highly Confidential

Microsoft 365 Collaboration Protection Profiles

Please Note: Global/Compliance Admins go to the 365 Groups platform, the compliance center (Purview), and Teams services (Source: Microsoft Documentation, “Microsoft Purview compliance documentation”)

Info-Tech Insights

• Building baseline profiles will be a part of your MVP. You will understand what type of information you are addressing and label it accordingly.
• Sensitivity labels are a way to classify your organization's data in a way that specifies how sensitive the data is. This helps you decrease risks in sharing information that shouldn't be accessible to anyone outside your organization or department. Applying sensitivity labels allows you to protect all your data easily.

MVP activities

ACME Company MVP for M/O365

Related Blueprints

Govern Office 365

Office 365 is as difficult to wrangle as it is valuable. Leverage best practices to produce governance outcomes aligned with your goals.

Map your organizational goals to the administration features available in the Office 365 console. Your governance should reflect your requirements.

Migrate to Office 365 Now

Jumping into an Office 365 migration project without careful thought of the risks of a cloud migration will lead to project halt and interruption. Intentionally plan in order to expose risk and to develop project foresight for a smooth migration.

Microsoft Teams Cookbook

IT Governance, Risk & Compliance

Several blueprints are available on a broader topic of governance, from Make Your IT Governance Adaptable to Improve IT Governance to Drive Business Results and Build an IT Risk Management Program.

Bibliography

“Best practices for sharing files and folders with unauthenticated users.” Microsoft Build, 28 April 2022. Accessed 2 April 2022.

“Build and manage assessments in Compliance Manager.” Microsoft Docs, 15 June 2022. Web.

“Building a modern workplace with Microsoft 365.” Microsoft Inside Track, n.d. Web.

Crane, Robert. “June 2020 Microsoft 365 Need to Know Webinar.” CIAOPS, SlideShare, 26 June 2020. Web.

“Data Classification: Overview, Types, and Examples.” Simplilearn, 27 Dec. 2021. Accessed 11 April 2022.

“Data loss prevention in Exchange Online.” Microsoft Docs, 19 April 2022. Web.

Davies, Nahla. “5 Common Data Governance Challenges (and How to Overcome Them).” Dataversity. 25 October 2021. Accessed 5 April 2022.

“Default labels and policies to protect your data.” Microsoft Build, April 2022. Accessed 3 April 2022.

M., Peter. "Guide: The difference between Microsoft Backup and Retention." AvePoint Blog, 9 Oct. 2021. Accessed 4 April 2022.

Meyer, Guillaume. “Sensitivity Labels: What They Are, Why You Need Them, and How to Apply Them.” nBold, 6 October 2021. Accessed 2 April 2022.

“Microsoft 365 guidance for security & compliance.” Microsoft, 27 April 2022. Accessed 28 April 2022.

“Microsoft Purview compliance portal.” Microsoft, 19 April 2022. Accessed 22 April 2022.

“Microsoft Purview compliance documentation.” Microsoft, n.d. Accessed 22 April 2022.

“Microsoft Trust Center: Products and services that run on trust.” Microsoft, 2022. Accessed 3 April 2022.

“Protect your sensitive data with Microsoft Purview.” Microsoft Build, April 2022. Accessed 3 April 2022.

Zimmergren, Tobias. “4 steps to successful cloud governance in Office 365.” Rencore, 9 Sept. 2021. Accessed 5 April 2022.

Document and Maintain Your Disaster Recovery Plan

Put your DRP on a diet – keep it fit, trim, and ready for action.

ANALYST PERSPECTIVE

The traditional disaster recovery plan (DRP) “red binder” is dead. It takes too long to create, it’s too hard to maintain, and it’s not usable in a crisis.

“This blueprint outlines the following key tactics to streamline your documentation effort and produce a better result:

• Write for an IT audience and focus on how to recover. You don’t need 30 pages of fluff describing the purpose of the document.
• Use flowcharts, checklists, and diagrams over traditional manuals. This drives documentation that is more concise, easier to maintain, and effective in a crisis.
• Create your DRP in layers to get tangible results faster, starting with a recovery workflow that outlines your DR strategy, and then build out the specific documentation needed to support recovery.”

This project is about DRP documentation after you have clarified your DR strategy; create these necessary inputs first

These artifacts are the cornerstone for any disaster recovery plan.

• Business Impact Analysis
• DR Roles and Responsibilities
• Recovery Workflow

Missing a component? Start here. ➔ Create a Right-Sized Disaster Recovery Plan

This blueprint walks you through building these inputs.
Our approach saves clients on average US$16,825.22. (Clients self-reported an average saving of US$16,869.21 while completing the Create a Right-Sized Disaster Recovery Plan blueprint through advisory calls, guided implementations, or workshops (Info-Tech Research Group, 2017, N=129).)

How this blueprint will help you document your DRP

This Research is Designed For:

• IT managers in charge of disaster recovery planning (DRP) and execution.
• Organizations seeking to optimize their DRP using best-practice methodology.
• Business continuity professionals that are involved with disaster recovery.

This Research Will Help You:

• Divide the process of creating DR documentation into manageable chunks, providing a defined scope for you to work in.
• Identify an appropriate DRP document management and distribution strategy.
• Ensure that DR documentation is up to date and accessible.

This Research Will Also Assist:

• IT managers preparing for a DR audit.
• IT managers looking to incorporate components of DR into an IT operations document.

This Research Will Help Them:

• Follow a structured approach in building DR documentation using best practices.
• Integrate DR into day-to-day IT operations.

Executive summary

Situation

• DR documentation is often driven by audit or compliance requirements, rather than aimed at the team that would need to execute recovery.
• Traditional DRPs are text-heavy, 300+ page manuals that are simply not usable in a crisis.
• Compounding the problem, DR documentation is rarely updated, so it’s just shelf-ware.

Complication

• DRP is often given lower priority as day-to-day IT projects displace DR documentation efforts.
• Inefficient publishing strategies result in your DRP not being accessible during disasters or key staff not knowing where to find the latest version.
• Organizations that create traditional DRPs end up with massive manuals that are difficult to maintain, so they quickly become unreliable.

Resolution

• Create visual and concise DR documentation that strips out unnecessary content and is written for an IT audience – the team that would actually be executing the recovery. Your business leaders can take the same approach to create separate business response plans – don’t mix the two into an all-in-one plan that is not effective for either audience.
• Determine a documentation distribution strategy that supports ease of maintenance and accessibility during a disaster.
• Incorporate DRP maintenance into change management and project intake procedures to systematically update and refine the DR documentation. Don’t save up changes for a year-end blitz, which turns document maintenance into an onerous project.

Info-Tech Insight

1. DR documentation fails when organizations try to boil the ocean with an all-in-one plan aimed at auditors, business leaders, and IT. It’s too long, too hard to maintain, and ends up being little more than shelf-ware.
2. Using flowcharts, checklists, and diagrams aimed at an IT audience is more concise and effective in a disaster, quicker to create, and easier to maintain.
3. Create your DRP in layers to keep the work manageable. Start with a recovery workflow to ensure a coordinated response, and build out supporting documentation over time.

An effective DRP that mitigates a wide range of potential outages is critical to minimizing the impact of downtime

The criticality of having an effective DRP is underestimated.

Cost of Downtime for the Fortune 1000

• Cost of unplanned apps downtime per year: $1.25B to $2.5B
• Cost of critical apps failure per hour: $500,000 to $1M
• Cost of infrastructure failure per hour: $100,000
• 35% reported to have recovered within 12 hours.
• 17% of infrastructure failures took more than 24 hours to recover.
• 13% of application failures took more than 24 hours to recover.

Size of Impact Increasing Across Industries

• The cost of downtime is rising across the board and not just for organizations that traditionally depend on IT (e.g. e-commerce).
• Downtime cost increase since 2010:
  • Hospitality: 129% increase
  • Transportation: 108% increase
  • Media organizations: 104% increase

Potential Lost Revenue

The impact of downtime increases significantly over time, not just in terms of lost revenue (as illustrated here) but also goodwill/reputation and health/safety. An effective DR solution and overall resiliency that mitigate a wide range of potential outages are critical to minimizing the impact of downtime.

Without an effective DRP, your organization is gambling on being able to define and implement a recovery strategy during a time of crisis. At the very least, this means extended downtime – potentially weeks – and substantial impact.

Only 38% of those with a full or mostly complete DRP believe their DRPs would be effective in a real crisis

Organizations continue to struggle with creating DRPs, let alone making them actionable.

Why are so many living with either an incomplete or ineffective DRP? For the same reasons that IT documentation in general continues to be a pain point:

• It is an outdated model of what documentation should be – the traditional manual with detailed (lengthy) descriptions and procedures.
• Despite the importance of DR, low priority is placed on creating a DRP and the day-to-day SOPs required to support a recovery.
• There is a lack of effective processes for ensuring documentation stays up to date.

(Source: Info-Tech Research Group, N=165)

(Source: Info-Tech Research Group, N=69 (includes only those who indicated DRP is mostly completed or completed))

Improve usability and effectiveness with visual-based and more-concise documentation

Choose flowcharts over process guides, checklists over lengthy procedures, and diagrams over descriptions.

If you need a three-inch binder to hold your DRP, imagine having to flip through it to determine next steps during a crisis.

DR documentation needs to be concise, scannable, and quickly understood to be effective. Visual-based documentation meets these requirements, so it’s no surprise that it also leads to higher DR success.

DR success scores are based on:

• Meeting recovery time objectives (RTOs).
• Meeting recovery point objectives (RPOs).
• IT staff’s confidence in their ability to meet RTOs/RPOs.

“Without question, 300-page DRPs are not effective. I mean, auditors love them because of the detail, but give me a 10-page DRP with contact lists, process flows, diagrams, and recovery checklists that are easy to follow.” (Bernard Jones, MBCI, CBCP, CORP, Manager Disaster Recovery/BCP, ActiveHealth Management)

Maintainability is another argument for visual-based, concise documentation

There are two end goals for your DR documentation: effectiveness and maintainability. Without either, you will not have success during a disaster.

Organizations using a visual-based approach were 30% more likely to find that DR documentation is easy to maintain.	➔	“Easy to maintain” leads to a 46% higher rate of DR success.

Not only are visual-based disaster recovery plans more effective, but they are also easier to maintain.

Overcome documentation inertia with a tiered model that allows you to eat the elephant one bite at a time

Start with a recovery workflow to at least ensure a coordinated response. Then use that workflow to determine required supporting documentation.

Recovery Workflow: Starting the project with overly detailed documentation can slow down the entire process. Overcome planning inertia by starting with high-level incident response plans in a flowchart format. For examples and additional information, see XMPL Medical’s Recovery Workflows.

Recovery Procedures (Systems Recovery Playbook): For each step in the high-level flowchart, create recovery procedures where necessary using additional flowcharts, checklists, and diagrams as appropriate. Leverage Info-Tech’s Systems Recovery Playbook example as a starting point.

Additional Reference Documentation: Reference existing IT documentation, such as network diagrams and configuration documents, as well as more detailed step-by-step procedures where necessary (e.g. vendor documentation), particularly where needed to support alternate recovery staff who may not be as well versed as the primary system owners.

Info-Tech Insight

Organizations that use flowcharts, checklist, and diagrams over traditional, dense DRP manuals are far more likely to meet their RTOs/RPOs because their documentation is more usable and easier to maintain.

Use a DRP summary document to satisfy executives, auditors, and clients

Stakeholders don’t have time to sift through a pile of paper. Summarize your overall continuity capabilities in one, easy-to-read place.

DRP Summary Document

• Summarize BIA results
• Summarize DR strategy (including DR sites)
• Summarize backup strategy
• Summarize testing and maintenance plans

Follow Info-Tech’s methodology to make DRP documentation efficient and effective

Follow XMPL Medical’s journey through DR documentation

CASE STUDY

Industry Healthcare
Source Created by amalgamating data from Info-Tech’s client base

Streamline your documentation and maintenance process by following the approach outlined in XMPL Medical’s journey to an end-to-end DRP.

Outline of the Disaster Recovery Plan

XMPL’s disaster recovery plan includes its business impact analysis and a subset of tier 1 and tier 2 patient care applications.

Its DRP includes incident response flowcharts, system recovery checklists, and a communication plan. Its DRP also references IT operations documentation (e.g. asset management documents, system specs, and system configuration docs), but this material is not published with the example documentation.

Resulting Disaster Recovery Plan

XMPL’s DRP includes actionable documents in the form of high-level disaster response plan flowcharts and system recovery checklists. During an incident, the DR team is able to clearly see the items for which they are responsible.

Disaster Recovery Plan

• Recovery Workflow
• Business Impact Analysis
• DRP Summary
• System Recovery Checklists
• Communication, Assessment, and Disaster Declaration Plan

Info-Tech Best Practice

XMPL Medical’s disaster recovery plan illustrates an effective DRP. Model your end-to-end disaster recovery plan after XMPL’s completed templates. The specific data points will differ from organization to organization, but the structure of each document will be similar.

Model your disaster recovery documentation off of our example

CASE STUDY

Industry Healthcare
Source Created by amalgamating data from Info-Tech’s client base

Recovery Workflow:

• Recovery Workflows (PDF, VSDX)

Recovery Procedures (Systems Recovery Playbook):

• DR Notification, Assessment, and Disaster Declaration Plan
• Systems Recovery Playbook
• Network Topology Diagrams

Additional Reference Documentation:

• DRP Workbook
• Business Impact Analysis
• DRP Summary Document

Use Info-Tech’s DRP Maturity Scorecard to evaluate your progress

Info-Tech offers various levels of support to best suit your needs

Diagnostics and consistent frameworks used throughout all four options

Document and Maintain Your Disaster Recovery Plan – Project Overview

	1. Streamline DRP Documentation	2. Select the Optimal DRP Publishing Strategy	3. Keep Your DRP Relevant
Best-Practice Toolkit	1.1 Start with a recovery workflow 1.2 Create supporting DRP documentation 1.3 Write the DRP summary	2.1 Create Committee Profiles	3.1 Build Governance Structure Map 3.2 Create Committee Profiles
Guided Implementations	Review Info-Tech’s approach to DRP documentation. Create a high-level recovery workflow. Create supporting DRP documentation. Write the DRP summary.	Identify criteria for selecting a DRP publishing strategy. Select a DRP publishing strategy. Optional: Select requirements for a BCM tool and issue an RFP. Optional: Review responses to RFP.	Learn best practices for integrating DRP maintenance into day-to-day IT processes. Learn best practices for DRP-focused reviews.
Onsite Workshop	Module 1: Streamline DRP documentation	Module 2: Select the optimal DRP publishing strategy	Module 3: Learn best practices for keeping your DRP relevant
	Phase 1 Outcome: A complete end-to-end DRP	Phase 2 Outcome: Selection of a publishing and management tool for your DRP documentation	Phase 3 Outcome: Strategy for maintaining your DRP documentation

Workshop Overview

Contact your account representative or email Workshops@InfoTech.com for more information.

Workshop Goal: Learn how to document and maintain your DRP.

Use these icons to help direct you as you navigate this research

Use these icons to help guide you through each step of the blueprint and direct you to content related to the recommended activities.

This icon denotes a slide where a supporting Info-Tech tool or template will help you perform the activity or step associated with the slide. Refer to the supporting tool or template to get the best results and proceed to the next step of the project.

This icon denotes a slide with an associated activity. The activity can be performed either as part of your project or with the support of Info-Tech team members, who will come onsite to facilitate a workshop for your organization.

Phase 1: Streamline DRP Documentation

Step 1.1: Start with a recovery workflow

This step will walk you through the following activities:

• Review a model DRP.
• Review your recovery workflow.
• Identify documentation required to support the recovery workflow.

This step involves the following participants:

• DRP Owner
• System SMEs
• Alternate DR Personnel

Outcomes of this step

• Understanding the visual-based, concise approach to DR documentation.
• Creating a recovery workflow that provides a roadmap for coordinating incident response and identifying required supporting documentation.

Info-Tech Insights

A DRP is a collection of procedures and supporting documents that allow an organization to recover its IT services to minimize system downtime for the business.

1.1 — Start with a recovery workflow to ensure a coordinated response and identify required supporting documentation

The recovery workflow clarifies your DR strategy and ensures the DR team is on the same page.

“We use flowcharts for our declaration procedures. Flowcharts are more effective when you have to explain status and next steps to upper management.” (Assistant Director-IT Operations, Healthcare Industry)

Review business impact analysis (BIA) results to plan your recovery workflow

The BIA defines system criticality from the business’s perspective. Use it to guide system recovery order.

Specifically, review the following from your BIA:

• The list of tier 1, 2, and 3 applications. This will dictate the recovery order in your recovery workflow.
• Application dependencies. This will outline what needs to be included as part of an application recovery workflow.
• The recovery time objective (RTO) and recovery point objective (RPO) for each application. This will also guide the recovery, and enable you to identify gaps where the recovery workflow does not meet RTOs and RPOs.

CASE STUDY: The XMPL DRP documentation is based on this Business Impact Analysis Tool.

Haven’t conducted a BIA? Use Info-Tech’s streamlined approach.

Info-Tech’s publication Create a Right-Sized Disaster Recovery Plan takes a very practical approach to BIA work. Our process gives IT leaders a mechanism to quickly get agreement on system recovery order and DR investment priorities.

Conduct a tabletop planning exercise to determine your recovery workflow

1.1.1 Tabletop Planning Exercise

1. Define a scenario to drive the tabletop planning exercise:
   • Use a scenario that forces a full failover to your DR environment, so you can capture an end-to-end recovery workflow.
   • Avoid scenarios that impact health and safety such as tornados or a fire. You want to focus on IT recovery.
   • Example scenarios: Burst water pipe that causes data-center-wide damage or a gas leak that forces evacuation and power to be shut down for at least two days.

Note: You may have already completed this exercise as part of Create a Right-Sized Disaster Recovery Plan.

Info-Tech Insight

Use scenarios to provide context for DR planning, and to test your plans, but don’t create a separate plan for every possibility.

The high-level recovery plan will be the same whether the incident is a fire, flood, or tornado. While there might be some variances and outliers, these scenarios can be addressed by adding decision points and/or separate, supplementary instructions.

Walk through the scenario and capture the recovery workflow

2. Capture the following information for tier 1, tier 2, and tier 3 systems:
   1. On white cue cards, record the steps and track start and end times for each step (where 00:00 is when the incident occurred).
   2. On yellow cue cards, document gaps in people, process, and technology requirements to complete the step.
   3. On red cue cards, indicate risks (e.g. no backup person for a key staff member).

Note:

• Ensure the language is sufficiently genericized (e.g. refer to events, not specifically a burst water pipe).
• Review isolated failures (e.g. hardware, software). Typically, the recovery procedure documented for individual systems covers the essence of the recovery workflow whether it’s just the one system that failed or it’s part of a site-wide recovery.

Note: You may have already completed this exercise as part of Create a Right-Sized Disaster Recovery Plan.

Document your current-state recovery workflow based on the results of the tabletop planning

After you finish the tabletop planning exercise, the steps on the set of cue cards define your recovery workflow. Capture this in a flowchart format.

Use the sample DRP to guide your own flowchart. Some notes on the example are:

• XMPL’s Incident Management to DR flowchart shows the connection between its standard Service Desk processes and DR processes.
• XMPL’s high-level workflows outline its recovery of tier 1, 2, and 3 systems.
• Where more detail is required, include links to supporting documentation. In this example, XMPL Medical includes links to its Systems Recovery Playbook.

This sample flowchart is included in XMPL Recovery Workflows.

Step 1.2: Create Supporting DRP Documentation

This step will walk you through the following activities:

• Create checklists for your playbook.
• Document more complex procedures with flowcharts.
• Gather and/or write network topology diagrams.
• Compile a contact list.
• Ensure there is enough material for backup personnel.

This step involves the following participants:

• DRP Owner
• System SMEs
• Backup DR Personnel

Outcomes of this step

• Actionable supporting documentation for your disaster recovery plan.
• Contact list for IT personnel, business personnel, and vendor support.

1.2 — Create supporting documentation for your disaster recovery plan

Now that you have a high-level incident response plan, collect the information you need for executing that plan.

Info-Tech Insight

Write for your audience. The playbook is for IT; include only the information they need to execute the plan. DRP summaries are for executives and auditors; do not include information intended for IT. Similarly, your disaster recovery plan is not for business units; keep BCP content out of your DRP.

Use checklists to streamline step-by-step procedures

Checklists are ideal when staff just need a reminder of what to do, not how to do it.

XMPL Medical used its high-level flowcharts as a roadmap for creating its Systems Recovery Playbook.

• Since its Playbook is intended for experienced IT staff, the writing style in the checklists is concise. XMPL includes links to reference material to support recovery, especially for alternate staff who might need additional instruction.
• XMPL includes key parameters (e.g. IP addresses) rather than assume those details would be memorized, especially in a stressful DR scenario.
• Similarly, include links to other useful resources such as VM templates.

Included in the XMPL Systems Recovery Playbook are checklists for recovering XMPL’s virtual desktop infrastructure, mission-critical applications, and core infrastructure components.

Use flowcharts to document processes with concurrent tasks not easily captured in a checklist

Recovery procedures can consist of flowcharts, checklists, or both, as well as diagrams. The main goal is to be clear and concise.

• XMPL Medical created a flowchart to capture its phone services recovery procedure to capture concurrent tasks.
• Additional instructions, where required, could still be captured in a Playbook checklist or other supporting documentation.
• The flowchart could have also included key settings or other details as appropriate, particularly if the DR team chose to maintain this recovery procedure just in a flowchart format.

Included in the XMPL DR documentation is an example flowchart for recovering phone systems. This flowchart is in Recovery Workflows.

Reference this blueprint for more SOP flowchart examples: Create Visual SOP Documents that Drive Process Optimization, Not Just Peace of Mind

Use topology diagrams to capture network layout, integrations, and system information

Topology diagrams, key checklists, and configuration settings are often enough for experienced networking staff to carry out their DR tasks.

• XMPL Medical includes these diagrams with its DRP. Instead of recreating these diagrams, the XMPL Medical DR Manager asked their network team for these diagrams:
  • Primary data center diagram
  • DR site diagram
  • High-level network diagrams
• Often, organizations already have network topology diagrams for reference purposes.

“Our network engineers came to me and said our standard SOP template didn't work for them. They're now using a lot of diagrams and flowcharts, and that has worked out better for them.” (Assistant Director-IT Operations, Healthcare Industry)

You can download a PDF and a VSD version of these Data Center and Network Diagrams from Info-Tech’s website.

Create a list of organizational, IT, and vendor contacts that may be required to assist with recovery

If there is something strange happening to your IT infrastructure, who you gonna call?

Many DR managers have their team on speed dial. However, having the contact info of alternate staff, BCP leads, and vendors can be very helpful during a disaster. XMPL Medical lists the following information in its DRP Workbook:

• The DR Teams, SMEs critical to disaster recovery, their backups, and key contacts (e.g. BC Management team leads, vendor contacts) that would be involved in:
  • Declaring a disaster.
  • Coordinating a response at an organizational level.
  • Executing recovery.
• The people that have authority to declare a disaster.
• Each person’s spending authority.
• The rules for delegating authority.
• Primary and alternate staff for each role.

Confirm with your DR team that you have all of the documentation that you need to recover during a disaster

DISCUSS: Is there enough information in your DRP for both primary and backup DR personnel?

• Is it clear who is responsible for each DR task, including notification steps?
• Have alternate staff for each role been identified?
• Does the recovery workflow capture all of the high-level steps?
• Is there enough documentation for alternate staff (e.g. network specs)?

Step 1.3: Write the DRP Summary

This step will walk you through the following activities:

• Write a DRP summary document.

This step involves the following participants:

• DRP Owner

Outcomes of this step

• High-level outline of your DRP capabilities for stakeholders such as executives, auditors, and clients.

Summarize your DR capabilities using a DRP summary document

1.3.1 DRP Summary Document

The sample included on Info-Tech’s website is customized for the XMPL Medical Case Study – use the download as a starting point for your own summary document.

• Business Impact Analysis
• DRP Recovery Workflows
• Supporting Documentation
• Outputs from Reduce Costly Downtime Through DR Testing

DRP Summary Document

XMPL’s DRP Summary is organized into the following categories:

• DR requirements: This includes a summary of scope, business impact analysis (BIA), risk assessment, and high-level RTOs and achievable RTOs.
• DR strategy: This includes a summary of XMPL’s recovery procedures, DR site, and backup strategy.
• Testing and maintenance: This includes a summary of XMPL’s DRP testing and maintenance strategy.

Be transparent about existing business risks in your DRP summary

The DRP summary document is business facing. Include information of which business leaders (and other stakeholders) need to be aware.

• Discrepancies between desired and achievable RTOs? Organizational leadership needs to know this information. Only then can they assign the resources and budget that IT needs to achieve the desired DR capabilities.
• What is the DRP’s scope? XMPL Medical lists the IT components that will be recovered during a disaster, and components which will not. For instance, XMPL’s DRP does not recover medical equipment, and XMPL has separate plans for business continuity and emergency response coordination.

The above table to is a snippet from the XMPL DR Summary Document (section 2.1.3.2).

In the example, the DR team is unable to recover tier 1, 2, and 3 systems within the desired RTO. As such, they clearly communicate this information in the DRP summary, and include action items to address these gaps.

Phase 2: Select the Optimal DRP Publishing Strategy

Step 2.1: Select a DRP Publishing Strategy

This step will walk you through the following activities:

• Select criteria for assessing DRP tools.
• Evaluate categories for DRP tools.
• Optional: Write an RFP for a BCM tool.

This step involves the following participants:

• DRP Owner

Outcomes of this step

• Identified strategies for publishing your DRP (i.e. making it available to your DR team).

Info-Tech Insights

Diversify your publishing strategy to ensure you can access your DRP in a disaster. For example, if you are using a BCM tool or SharePoint Online as your primary documentation repository, also push the DRP to your DR team’s smartphones as a backup in case the disaster affects internet access.

2.1 — Select a DR publishing and document management strategy that fits your organization

Publishing and document management considerations:

Portability/External Access: Assume your primary site is down and inaccessible. Can you still access your documentation? As shown in this chart, traditional strategies of either keeping a copy at another location (e.g. at the failover site) or with staff (e.g. on a USB drive) still dominate, but these aren’t necessarily the best options.	➔	Note: Percentages total more than 100% due to respondents using more than one portability strategy. (Source: Info-Tech Research Group, N=118)
Maintainability/Usability: How easy is it to create, update, and use the documentation? Is it easy to link to other documents as shown in the flowchart and checklist examples? Is there version control? Lack of version control can create a maintenance nightmare as well as issues in a crisis if staff are questioning whether they have the right version.
Cost/Effort: Is the cost and effort appropriate? For example, a large enterprise may need a formal solution (e.g. DRP tools or SharePoint), but the cost might be hard to justify for a smaller company.

Pros and cons of potential strategies

This section will review the following strategies, their pros and cons, and how they meet publishing and document management requirements:

• DRP tools (e.g. eBRP, Recovery Planner, LDRPS)
• In-house solutions combining SharePoint and MS Office (or equivalent)
• Wiki site
• “Manual” approaches such as storing documents on a USB drive

Avoid 42 hours of downtime due to a non-diversified publishing strategy

CASE STUDY

Industry Municipality
Source Interview

Situation

• A municipal government has recently completed an end-to-end disaster recovery plan.
• The team is feeling good about the fact that they were able to identify:
  • Relative criticality of applications.
  • Dependencies for each application.
  • Incident response plans for the current state and desired state.
  • System recovery procedures.

Challenge

• While the DR plan itself was comprehensive, the team only published the DR onto the government’s network drives.
• A power generation issue caused power to be shut down, which in turn cascaded into downtime for the network.
• Once the network was down, their DRP was inaccessible.

Insights

• Each piece of documentation that was created could have contributed to recovery efforts. However, because they were inaccessible, there was a delayed response to the incident. The result was 42 hours of downtime for end users.
• Having redundant publishing strategies is just like having redundant IT infrastructure. In the event of downtime, not only do you need to have DR documentation, but you also need to make sure that it is accessible.

Decide on a DR publishing strategy by looking at portability, maintainability, cost, and required effort

Use the information included in Step 2.1 to guide your analysis of DRP publishing solutions.

The tool enables you to compare two possible solutions based on these key considerations discussed in this section:

• Portability/external access
• Maintainability/usability
• Cost
• Effort

The right choice will depend on factors such as current in-house tools, maturity around document management, the size of your IT department, and so on.

For example, a small shop may do very well with the USB drive strategy, whereas a multi-national company will need a more formal strategy to manage consistent DRP distribution.

The DRP Publishing and Management Solution Evaluation Tool helps you to evaluate the tools included in this section.

Don’t think of a business continuity management (BCM) tool as a silver bullet; know what you’re getting out of it

Portability/External Access:

• Pros: Typically a SaaS option provides built-in external access with appropriate security and user administration to vary access rights.
• Cons: Degree of external access is often dependent on the vendor.

Maintainability/Usability:

• Pros: Built-in templates encourage consistency and guide initial content development by indicating what details need to be captured.
• Pros: Built-in document management (e.g. version control, metadata support), centralized access/navigation to required documents, and some automation (e.g. update contacts throughout the system).
• Cons: Not a silver bullet. You still have to do the work to define and capture your processes.
• Cons: Requires end-user and administrator training.

Cost/Effort:

• Pros: For large enterprises, the convenience of built-in document management and templates can outweigh the cost.
• Cons: Expect leading DRP tools to cost $20K or more per year.

About this approach:
BCM tools are solutions that provide templates, tools, and document management to create BC and DR documentation.

Info-Tech Insight

The business case for a BCM tool is built by answering the following questions:

• Will the BCM tool solve an unmet need?
• Will the tool be more effective and efficient than an in-house solution?
• Will the solution provide enhanced capabilities that an in-house solution cannot provide?

If you cannot get a satisfactory answer to each of these questions, then opt for an in-house solution.

“We explored a DRP tool, and it was something we might have used, but it was tens of thousands of pounds per year, so it didn’t stack up financially for us at all.” (Rik Toms, Head of Strategy – IP and IT, Cable and Wireless Communications)

For in-house solutions, leverage tools such as SharePoint to provide document management capabilities

Portability/External Access:

• Pros: SharePoint is commonly web-enabled and supports external access with appropriate security and user administration.
• Cons: Must be installed at redundant sites or be cloud-based to be effective in a crisis that takes down your primary data center.

Maintainability/Usability:

• Pros: Built-in document management (e.g. version control, metadata support) as well as centralized access/navigation to required documents.
• Pros: No tool learning curve – SharePoint and MS Office would be existing solutions already used on a daily basis.
• Cons: No built-in automation (e.g. automated updates to contacts throughout the system).
• Cons: Consistency depends on creating templates and implementing processes for document updates, review, and approval.

Cost/Effort:

• Pros: Using existing tools, so this is a sunk cost in terms of capex.
• Cons: Additional effort required to create templates and manage the documentation library.

About this approach:
DRPs and SOPs most often start as MS Office documents, even if there is a DRP tool available. For organizations that elect to bypass a formal DRP tool, and most do, the biggest gap they have to overcome is document management.

Many organizations are turning to SharePoint to meet this need. For those that already have SharePoint in place, it makes sense to further leverage SharePoint for DR documentation and day-to-day SOPs.

For SharePoint to be a practical solution, the documentation must still be accessible if the primary data center is down, e.g. by having redundant SharePoint instances at multiple in-house locations, or using a cloud-based SharePoint solution.

“Just about everything that a DR planning tool does, you can do yourself using homegrown solutions or tools that you're already familiar with such as Word, Excel, and SharePoint.” (Allen Zuk, President and CEO, Sierra Management Consulting)

A healthcare company uses SharePoint as its DRP and SOP documentation management solution

CASE STUDY Healthcare

• This organization is responsible for 50 medical facilities across three states.
• It explored DRP tools, but didn’t find the right fit, so it has developed an in-house solution based in SharePoint. While DRP tools have improved, the organization no longer needs that type of solution. Its in-house solution is meeting its needs.
• It has SharePoint instances at multiple locations to ensure availability if one site is down.

Documentation Strategy

• Created an IT operations library in SharePoint for DR and SOPs, from basic support to bare-metal restore procedures.
• SOPs are linked from SharePoint to the virtual help desk for greater accessibility.
• Where practical, diagrams and flowcharts are used, e.g. DR process flowcharts and network services SOPs dominated by diagrams and flowcharts.

Management Strategy

• Directors and the CIO have made finishing off SOPs their performance improvement objective for the year. The result is staff have made time to get this work done.
• Status updates are posted monthly, and documentation is a regular agenda item in leadership meetings.
• Regular tabletop testing validates documentation and ensures familiarity with procedures, including where to find required information.

Results

• Dependency on a few key individuals has been reduced. All relevant staff know what they need to do and where to access required documentation.
• SOPs are enabling DR training as well as day-to-day operations training for new staff.
• The organization has a high confidence in its ability to recovery from a disaster within established timelines.

Explore using a wiki site as an inexpensive alternative to SharePoint and other content management solutions

Portability/External Access:

• Pros: Wiki sites can support external access as with any web solution.
• Cons: Must be installed at redundant sites, hosted, or cloud-based to be effective in a crisis that takes down your primary data center.

Maintainability/Usability:

• Pros: Built-in document management (version control, metadata support, etc.) as well as centralized access/navigation to required information.
• Pros: Authorized users can make updates dynamically, depending on how much restriction you have on the site.
• Cons: No built-in automation (e.g. automated updates to contacts throughout the system).
• Cons: Consistency depends on creating templates and implementing processes for document updates, review, and approval.

Cost/Effort:

• Pros: An inexpensive option compared to traditional content management solutions such as SharePoint.
• Cons: Learning curve if wikis are new to your organization.

About this approach:
Wiki sites are websites where users collaborate to create and edit the content. Wikipedia is an example.

While wiki sites are typically used for collaboration and dynamic content development, the traditional collaborative authoring model can be restricted to provide structure and an approval process.

Several tools are available to create and manage wiki sites (and other collaboration solutions), as outlined in the following research:

• Modernize Communications and Collaboration infrastructure
• Vendor Landscape: Collaboration Platforms

Info-Tech Insight

If your organization is not already using wiki sites, this technology can introduce a culture shock. Start slow by using a wiki site within a specific department or for a particular project. Then evaluate how well your staff adapt to this technology as well as its potential effectiveness in your organization. Refer to our collaboration strategy research for additional guidance.

For small IT shops, distributing documentation to key staff (e.g. via a USB drive) can still be effective

Portability/External Access:

• Pros: Appropriate staff have the documentation with them; there is no need to log into a remote site or access a tool to get at the information.
• Cons: Relies on staff to be diligent about ensuring they have the latest documentation and keep it with them (not leave it in their desk drawer).

Maintainability/Usability:

• Pros: With this strategy, MS Office (or equivalent) is used to create and maintain the documentation, so there is no learning curve.
• Pros: Simple, straightforward methodology – keep the master on a network drive, and download a copy to your USB drive.
• Cons: No built-in automation (e.g. automated updates to contact information) or document management (e.g. version control).
• Cons: Consistency depends on creating templates and implementing rigid processes for document updates, review, and approval.

Cost/Effort:

• Pros: Little to no cost and no tool management required.
• Cons: “Manual” document management requires strict attention to process for version control, updates, approvals, and distribution.

About this approach:
With this strategy, your ERT and key IT staff keep a copy of your DRP and relevant documentation with them (e.g. on a USB drive). If the primary site experiences a major event, they have ready access to the documentation.

Fifty percent of respondents in our recent survey use this strategy. A common scenario is to use a shared network drive or a solution such as SharePoint as the master centralized repository, but distribute a copy to key staff.

Info-Tech Insight

This approach can have similar disadvantages as using hard copies. Ensuring the USB drives are up to date, and that all staff who might need access have a copy, can become a burdensome process. More often, USB drives are updated periodically, so there is the risk that the information will be out of date or incomplete.

Avoid extensive use of paper copies of DR documentation

DR documents need to be easy to update, accessible from anywhere, and searchable. Paper doesn’t meet these needs.

Portability/External Access:

• Pros: Does not rely on technology or power.
• Cons: Requires all staff who might be involved in a DR to have a copy, and to have it with them at all times, to truly have access at any time from anywhere.

Maintainability/Usability:

• Pros: In terms of usability, again there is no dependence on technology.
• Cons: Updates need to be printed and distributed to all relevant staff every time there is a change to ensure staff have access to the latest, most accurate documentation if a disaster occurred. You can’t schedule disasters, so information needs to be current all the time.
• Cons: Navigation to other information is manual – flipping through pages, etc. No searching or hyperlinks.

Cost/Effort:

• Pros: No technology system to maintain, aside from what you use for printing.
• Cons: Printing expenses are actually among the highest incurred by organizations, and this adds to it.
• Cons: Labor intensive due to need to print and physically distribute documentation updates.

About this approach:
Traditionally DRPs are printed and distributed to managers and/or kept in a central location at both the primary site and a secondary site. In addition, wallet cards are distributed that contain key information such as contact numbers.

A wallet card or even a few printed copies of your high-level DRP for general reference can be helpful, but paper is not a practical solution for your overall DR documentation library, particularly when you include SOPs for recovery procedures.

One argument in favor of paper is there is no dependency on power during a crisis. However, in a power outage, staff can use smartphones and potentially laptops (with battery power) to access electronically stored documentation to get through first response steps. In addition, your DR site should have backup power to be an appropriate recovery site.

Optional: Partial list of BCM tool vendors

The list is only a partial list of BCM tool vendors. The order in which vendors are presented, and inclusion in this list, does not represent an endorsement.

Optional: Use our list of requirements as a foundation for selecting and reviewing BCM tools

If a BCM tool is the best option for your environment, expedite the evaluation process with our BCM Tool – RFP Selection Criteria.

Through advisory services, workshops, and consulting engagements, we have created this BCM Tool Requirements List. The featured requirements includes the following categories:

1. Integrations
2. Planning and Monitoring
3. Administration
4. Architecture
5. Security
6. Support and Training

This BCM Tool – RFP Selection Criteria can be appended to an RFP. You can leverage Info-Tech’s RFP Template if your organization does not have one.

Info-Tech can write full RFPs

As part of a consulting engagement, Info-Tech can write RFPs for BCM tools and provide a customized scoring tool based on your environment’s unique requirements.

Phase 3: Keep Your DRP Relevant Through Maintenance Best Practices

Step 3.1: Integrate DRP maintenance into core IT processes

This step will walk you through the following activities:

• Integrate DRP maintenance with Project Management.
• Integrate DRP considerations into Change Management.
• Integrate with Performance Management.

This step involves the following participants:

• DRP Owner
• Head of Project Management Office
• Head of Change Advisory Board
• CIO

Outcomes of this step

• Updated project intake form.
• Updated change management practice.
• Updated performance appraisals.

3.1 — Incorporate DRP maintenance into core IT processes

Focusing on these three processes will help ensure that your plan stays current, accurate, and usable.

Info-Tech Best Practice

Prioritize quick wins that will have large benefits. The advice presented in this section offers easy ways to help keep your DRP up to date. These simple solutions can save a lot of time and effort for your DRP team as opposed to more intricate changes to the processes above.

Assess how new projects impact service criticality and DR requirements upfront during project intake

Understand the RTO/RPO requirements and IT impacts for new or enhanced services to ensure appropriate provisioning and overall DRP updates.

• Have submitters include service continuity requirements. This information can be inserted into your business impact analysis. Use similar language that you use in your own BIA.
  • The submitter should know how critical the resulting project will be. Any items that the submitter doesn’t know, the Project Steering Committee should investigate.
• Have IT assess the impact on the DRP. The submitter will not know how the DRP will be impacted directly. Ask the project committee to consider how DRP documentation and the DR environment will need to be changed due to the project under consideration.

Note: The goal is not to make DR a roadblock, but rather to ensure project requirements will be met – including availability and DR requirements.

This Project Intake Form asks the submitter to fill out the availability and criticality requirements for the project.

Leverage your change management process to identify required DRP updates as they occur

Avoid the year-end rush to update your DRP. Keeping it up to date as changes occur saves time in the long run and ensures your plan is accurate when you need it.

• As part of your change management process, identify potential updates to:
  • System documentation (e.g. configuration settings).
  • Recovery procedures (e.g. if a system has been virtualized, that changes the recovery procedure).
  • Your DR environment (e.g. system configuration updates for standby systems).
• Keep track of how often a system has changed. Relevant DRP documentation might be due for a deeper review:
  • After a system has been changed ten times (even from routine changes), notify your DRP Manager to flag the relevant DRP documentation for review.
  • As part of formal DRP reviews, pay closer attention to DRP documentation for the flagged systems.

This template asks the submitter to fill out the availability and criticality requirements for the project.

For change management best practices beyond DRP considerations, please see Optimize Change Management.

Integrate documentation into performance measurement and performance management

Documentation is a necessary evil – few like to create it and more immediate tasks take priority. If it isn’t scheduled and prioritized, it won’t happen.

“Our directors and our CIO have tied SOP work to performance evaluations, and SOP status is reviewed during management meetings. People have now found time to get this work done.” (Assistant Director – IT Operations, Healthcare Industry)

Step 3.2: Conduct an Annual Focused Review

This step will walk you through the following activities:

1. Identify components of your DRP to refresh.
2. Identify organizational changes requiring further focus.
3. Test your DRP and identify problems.
4. Correct problems identified with DRP.

This step involves the following participants:

• DRP Owner
• System SMEs
• Backup DR Personnel

Outcomes of this step

• An actionable, up-to-date DRP.

Info-Tech Insight

Testing is a waste of time and resources if you do not fix what’s broken. Tabletop testing is effective at uncovering gaps in your DR processes, but if you don’t address those gaps, then your DRP will still be unusable in a disaster.

Set up a safety net to capture changes that slipped through the cracks with a focused review process

Evaluate documentation supporting high-priority systems, as well as documentation supporting IT systems that have been significantly changed.

• Ideally you’re maintaining documentation as you go along. But you need to have an annual review to catch items that may have slipped through.
• Don’t review everything. Instead, review:
  • IT systems that have had 10+ changes: small changes and updates can add up over time. Ensure:
    • The plans for these systems are updated for changes (e.g. configuration changes).
    • SMEs and backup personnel are familiar with the changes.
  • Tier 1 / Gold Systems: Ensure that you can still recover tier 1 systems with your existing DRP documentation.
• Track documentation issues that you discovered with your ticketing system or service desk tool to ensure necessary documentation changes are made.

1. Annual Focused Review
2. Tier 1 Systems
3. Significantly Changed Systems
4. Organizational Changes

Identify larger changes, both organizational and within IT, that necessitate DRP updates

During your focused review, consider how organizational changes have impacted your DRP.

The COBIT 5 Enablers provide a foundation for this analysis. Consider:

• Changes in regulatory requirements: Are there new requirements for IT that are not reflected in your DRP? Is the organization required to comply with any additional regulations?
• Changes to organizational structures, business processes, and how employees work: Can employees still be productive once tier 1 services are restored or have RTOs changed? Has organizational turnover impacted your DRP?
• SMEs leaving or changing roles: Can IT still execute your DRP? Are there still people for all the key roles?
• Changes to IT infrastructure and applications: Can the business still access the information they need during a disaster? Is your BIA still accurate? Do new services need to be considered tier 1?

Info-Tech Best Practice

COBIT 5 Enablers
What changes need to be reflected in your DRP?

Create a plan during your annual focused review to test your DRP throughout the year

Regardless of your documentation approach, training and familiarity with relevant procedures is critical.

• Start with tabletop exercises and progress to technology-based testing (simulation, parallel, and full-scale testing).
• Ask staff to reference documentation while testing, even if they do not need to. This practice helps to confirm documentation accuracy and accessibility.
• Incorporate cross-training in DR testing. This gives important experience to backup personnel and will further validate that documents are complete and accurate.
• Track any discovered documentation issues with your ticketing system or project tracking tools to ensure necessary documentation changes are made.

Example Test Schedule:

1. Q1: Tabletop testing shadowed by backup personnel
2. Q2: Tabletop testing led by backup personnel
3. Q3: Technology-based testing
4. Annual Focused Review: Review Results

Reference this blueprint for guidance on DRP testing plans: Reduce Costly Downtime Through DR Testing

Appendix A: XMPL Case Study

Follow XMPL Medical’s journey through DR documentation

CASE STUDY

Industry Healthcare
Source Created by amalgamating data from Info-Tech’s client base

Streamline your documentation and maintenance process by following the approach outlined in XMPL Medical’s journey to an end-to-end DRP.

Outline of the Disaster Recovery Plan

XMPL’s disaster recovery plan includes its business impact analysis and a subset of tier 1 and tier 2 patient care applications.

Its DRP includes incident response flowcharts, system recovery checklists, and a communication plan. Its DRP also references IT operations documentation (e.g. asset management documents, system specs, and system configuration docs), but this material is not published with the example documentation.

Resulting Disaster Recovery Plan

XMPL’s DRP includes actionable documents in the form of high-level disaster response plan flowcharts and system recovery checklists. During an incident, the DR team is able to clearly see the items for which they are responsible.

Disaster Recovery Plan

• Recovery Workflow
• Business Impact Analysis
• DRP Summary
• System Recovery Checklists
• Communication, Assessment, and Disaster Declaration Plan

Info-Tech Best Practice

XMPL Medical’s disaster recovery plan illustrates an effective DRP. Model your end-to-end disaster recovery plan after XMPL’s completed templates. The specific data points will differ from organization to organization, but the structure of each document will be similar.

Model your disaster recovery documentation off of our example

CASE STUDY

Industry Healthcare
Source Created by amalgamating data from Info-Tech’s client base

Recovery Workflow:

• Recovery Workflows (PDF, VSDX)

Recovery Procedures (Systems Recovery Playbook):

• DR Notification, Assessment, and Disaster Declaration Plan
• Systems Recovery Playbook
• Network Topology Diagrams

Additional Reference Documentation:

• DRP Workbook
• Business Impact Analysis
• DRP Summary Document

Use our structure to create your practical disaster recovery plan.

Appendix B: Summary, Next Steps, and Bibliography

Insight breakdown

Use visual-based documentation instead of a traditional DRP manual.

• Flowcharts, checklists, and diagrams are more concise, easier to maintain, and more effective in a crisis.
• Write for an IT audience and focus on how to recover. You don’t need 30 pages of fluff describing the purpose of the document.

Create your DRP in layers to keep the work manageable.

• Start with a recovery workflow to ensure a coordinated response, and build out supporting documentation over time.

Prioritize quick wins to make DRP maintenance easier and more likely to happen.

• Incorporate DRP maintenance into change management and project intake procedures to systematically update and refine the DR documentation. Don’t save up changes for a year-end blitz, which turns document maintenance into an onerous project.

Summary of accomplishment

Knowledge Gained

• How to create visual-based DRP documentation
• How to integrate DRP maintenance into core IT processes

Processes Optimized

• DRP documentation creation
• DRP publishing tool selection
• DRP documentation maintenance

Deliverables Completed

• DRP documentation
• Strategy for publishing your DRP
• Modified project-intake form
• Change management checklist for DR considerations

Project step summary

Client Project: Document and Maintain Your Disaster Recovery Plan

• Create a recovery workflow.
• Create supporting DRP documentation.
• Write a summary for your DRP.
• Decide on a publishing strategy.
• Incorporate DRP maintenance into core IT processes.
• Conduct an annual focused review.

Info-Tech Insight

This project has the ability to fit the following formats:

• Onsite workshop by Info-Tech Research Group consulting analysts.
• Do-it-yourself with your team.
• Remote delivery (Info-Tech Guided Implementation).

Related Info-Tech research

Create a Right-Sized Disaster Recovery Plan
Close the gap between your DR capabilities and service continuity requirements.

Reduce Costly Downtime Through DR Testing
Improve the accuracy of your DRP and your team’s ability to efficiently execute recovery procedures through regular DR testing.

Create Visual SOP Documents that Drive Process Optimization, Not Just Peace of Mind
Go beyond satisfying auditors to drive process improvement, consistent IT operations, and effective knowledge transfer.

Prepare for a DRP Audit
Assess your current DRP maturity, identify required improvements, and complete an audit-ready DRP summary document.

Bibliography

A Structured Approach to Enterprise Risk Management (ERM) and the Requirements of ISO 31000. The Association of Insurance and Risk Managers, Alarm: The Public Risk Management Association, and The Institute of Risk Management, 2010.

“APO012: Manage Risk.” COBIT 5: Enabling Processes. ISACA, 2012.

Bird, Lyndon, Ian Charters, Mel Gosling, Tim Janes, James McAlister, and Charlie Maclean-Bristol. Good Practice Guidelines: A Guide to Global Good Practice in Business Continuity. Global ed. Business Continuity Institute, 2013.

COBIT 5: A Business Framework for the Governance and Management of Enterprise IT. ISACA, 2012.

“EDM03: Ensure Risk Optimisation.” COBIT 5: Enabling Processes. ISACA, 2012.

Risk Management. ISO 31000:2009.

Rothstein, Philip Jan. Disaster Recovery Testing: Exercising Your Contingency Plan. Rothstein Associates: 1 Oct. 2007.

Societal Security – Business continuity management systems – Guidance. ISO 22313:2012.

Societal Security – Business continuity management systems – Requirements. ISO 22301:2012.

Understanding and Articulating Risk Appetite. KPMG, 2008.

IT Talent Trends 2022

The last two years have been a great experiment … but it’s not over yet.

Incorporate new ways of working into your business to build and keep the best team.

Over the past two years, organizations have ventured into unprecedented ways of working and supporting their employees, as they tried to maintain productivity through the pandemic. This experiment has made lasting changes to both business models and employee expectations, and these effects will continue to be seen long after we return to a “new normal.”

While the pandemic forced us to work differently for the past two years, looking forward, successful organizations will incorporate new ways of working into their business models – beyond simply having a remote work policy.

How we work, source roles, and develop talent continue to evolve as we navigate a different world with employees being more vocal in their desires, and leaders continue to play a key role.

The IT talent market will never be the same, and organizations must reevaluate their employee experience from the bottom up to successfully weather the shift to the new normal.

IT Talent Trends 2022

The pandemic has clarified employees’ needs and amplified their voices

If 2021 was about beginning to act on employee needs, 2022 will be about strategically examining each trend to ensure that the actions taken by the organization are more than lip service.

Employees have always been able to see through disingenuous attempts to engage them, but in 2022 the stakes are higher due to increased talent mobility.

Trends that were just starting to come into focus last year have established themselves as critical determinants of the employee experience in 2022.

2021			DEI: A Top Talent Objective	Remote Work Is Here to Stay	Uncertainty Unlocks Performance	A Shift in Skills Priorities	A Greater Emphasis on Wellbeing
2022	Strategic Recruiting Finds Good Talent Finding talent in a strained talent market requires a marketing approach. Posting a job description isn’t enough.	The (Not So) Great Resignation IT is faring better than other functions; however, specific industries need to pay attention.	Grow Your DEI Practices Into Meaningful Actions Good intentions are not enough.	Remote Work Is Here – Can Your Culture Adapt? The Great Experiment is over. Are leaders equipped to capitalize on its promises?		Management Skills Drive Success in a Remote World Despite the need for remote team management training, it is still not happening.

What employees are looking for is changing

Superficial elements of traditional office culture were stripped away by the quick shift to a remote environment, giving employees the opportunity to reevaluate what truly matters to them in a job.

The biggest change from 2019 (pre-pandemic) to today is increases in the importance of culture, flexible/remote work, and work-life balance.

Organizations that fail to keep up with this shift in priorities will see the greatest difficulty in hiring and retaining staff.

As an employee, which of the following would be important to you when considering a potential employer?

	2019		2021
Flexible Work	n=275		n=206
Work-Life Balance	n=277		n=206
Culture	n=277		n=206
Source: Info-Tech Talent Trends Survey data collected in 2019 and 2021	Very Important Somewhat Important Not at All Important

IT’s top talent priorities in 2022

IT Talent Trends 2022

Look beneath the surface of the trends to navigate them successfully

Above Ground Focusing on what you see 'Above the line" won't solve the problem. Talent isn't a checklist.	Strategic Recruiting Finds Good Talent Finding talent in a strained talent market requires a marketing approach. Posting a job description isn't enough. The number of job openings increased to 11.4 million on the last business day of October, up from 10.6 million in September (US Bureau of Labor Statistics, Dec. 2021)	The (Not So) Great Resignation IT is faring better than other functions; however, specific industries need to pay attention. In September, in the US, 4.4 million people left their jobs. That number dropped to 4.2 million in October. (US Labor Stats, Dec. 2021) 30% of workers will likely switch jobs if they have to return to the office full time. (McKinsey, Dec. 2021)	Grow Your DEI Practices Into Meaningful Actions Good intentions are not enough. 95% of organizations are focusing on DEI. (2022 HR Trends Report) 48% of IT departments have delivered training on DEI over the past year.	Remote Work is Here. Can Your Culture Adapt? The Great Experiment is over. Are you equipped to capitalize on its promises? 85% of organizations saw the same or higher productivity during the pandemic. 91% of organizations are continuing remote work.	Management Skills Drive Success in a Remote World Despite the need for remote team management training, it is still not happening. 72% of IT departments report high effectiveness at managing remote staff. Learning and development is IT's top priority.
Beneath the Surface For each trend, a strategic approach to get "under the line" will help form your response. Talent needs a holistic approach, as under the line everything is connected. If you are experiencing challenges in one area, analyzing data (e.g. engagement, exit surveys, effectiveness of DEI program and leader training) can help drive overall experience.	100% of job seekers cite culture as somewhat to very important. Only 40% of employers advertise culture in job postings.	70% of IT departments state voluntary turnover is less than 10% Top reasons for resignation are salary, development, and opportunity for innovative work. Resignation rates were higher in fields that had experienced extreme stress due to the pandemic (HBR, Dec. 2021)	Senior leadership is overestimating their own commitment to DEI. Most IT departments are not driving their own DEI initiatives. Without effectively measuring DEI practices, organizations will see 1.6x more turnover. (2022 HR Trends Report)	Senior leadership is not open to remote work in 23% of organizations. Without leadership support, employees will not buy into remote work initiatives. A remote work policy will not bring organizational benefits without employee buy-in.	75% of senior managers believe remote team management is highly effective, but only 60% of frontline staff agree. Training focuses on technical skills, to the exclusion of soft skills, including management and leadership.
Solutions Recommendations depending on your department's maturity level.	Attention is required for candidate experience underpinned by a realistic employee value proposition.	Gather and review existing data (e.g. early retirements, demographics) to understand your turnover rate.	Use employee engagement tools to gauge employee sentiment among impacted groups and build out an engagement strategy to meet those needs.	Conduct a cultural assessment to reveal hidden biases that may stand in the way of remote work efficacy.	Provide management training on performance management and development coaching.

This report is based on organizations just like yours

Survey timeline = October 2021
Total respondents = 245 IT professionals

01	United States	45%	08	Middle East	2%
02	Canada	23%	09	Other (Asia)	2%
03	Africa	8%	10	Germany	1%
04	Great Britain	6%	11	India	1%
05	Latin America, South America or Caribbean	4%	12	Netherlands	1%
06	Other (Europe)	4%	13	New Zealand	1%
07	Australia	2%			(N-245)

(n=191)

This report is based on organizations just like yours

Industry

Info-Tech IT Maturity Model

(n=225)

Innovator – Transforms the Business Reliable Technology Innovation Business Partner – Expands the Business Effective Execution Projects, Strategic Use of Analytics and Customer Technology Trusted Operator – Optimizes Business Effective Fulfillment of Work Orders, Functional Business Applications, and Reliable Data Quality Firefighter – Supports the Business Reliable Infrastructure and IT Service Desk Unstable – Struggles to Support Inability to Provide Reliable Business Services

This report is based on people just like you

Which of the following ethnicities (ethnicity refers to a group with a shared or common identity, culture, and/or language) do you identify with? Select all that apply.	What gender do you identify most with?
(N=245)	(n=228)

This report is based on people just like you

What is your sub-department of IT?	Which title best describes your position?
(n=227)	(N=245)

IT Talent Trends 2022

Each trend is introduced with key questions you can ask yourself to see how your department fares in that area.

The report is based on statistics from a survey of 245 of your peers.

It includes recommendations of next steps and a key metric to track your success.

It lists Info-Tech resources that you, as a member, can leverage to begin your journey to improve talent management in your department.

The report is based on data gathered from Info-Tech Research Group’s 2022 IT Talent Trends Survey. The data was gathered in September and October of 2021.

Strategic Recruiting Finds Good Talent

Trend 1 | The Battle to Find and Keep Talent

As the economy has stabilized, more jobs have become available, creating a job seeker’s market. This is a clear sign of confidence in the economy, however fragile, as new waves of the pandemic continue.

Info-Tech Point of View

Recruiting tactics are an outcome of a well-defined candidate experience and employee value proposition.

Introduction

	During our interviews, members that focused on sharing their culture with a strong employee value proposition were more likely to be successful in hiring their first-choice candidates.
	Questions to ask yourself Do you have a well-articulated employee value proposition? Are you using your job postings to market your company culture? Have you explored multiple channels for posting jobs to increase your talent pool of candidates?

47% of respondents are hiring external talent to fill existing gaps, with 40% using external training programs to upgrade current employees. (Info-Tech IT Talent Trends 2022 Survey)

In October, the available jobs (in the USA) unexpectedly rose to 11 million, higher than the 10.4 million experts predicted. (CNN Business, 2021)

Where has all the talent gone?

IT faces multiple challenges when recruiting for specialized talent

Talent scarcity is focused in areas with specialized skill sets such as security and architecture that are dynamic and evolving faster than other skill sets.

“It depends on what field you work in,” said ADP chief economist Nela Richardson. “There were labor shortages in those fields pre-pandemic and two years forward, there is even more demand for people with those skills” (CNBC, 19 Nov. 2021).

37% of IT departments are outsourcing roles to fill internal skill shortages. (Info-Tech Talent Trends 2022 Survey)

Roles Difficult to Fill

(Info-Tech Talent Trends 2022 Survey)

Case Study: Using culture to drive your talent pool

This case study is happening in real time. Please check back to learn more as Goddard continues to recruit for the position.

Recruiting at NASA

Goddard Space Center is the largest of NASA’s space centers with approximately 11,000 employees. It is currently recruiting for a senior technical role for commercial launches. The position requires consulting and working with external partners and vendors.

NASA is a highly desirable employer due to its strong culture of inclusivity, belonging, teamwork, learning, and growth. Its culture is anchored by a compelling vision, “For the betterment of Humankind,” and amplified by a strong leadership team that actively lives their mission and vision daily.

Firsthand lists NASA as #1 on the 50 most prestigious internships for 2022.

Rural location and no flexible work options add to the complexity of recruiting

The position is in a rural area of Eastern Shore Virginia with a population of approximately 60,000 people, which translates to a small pool of candidates. Any hire from outside the area will be expected to relocate as the senior technician must be onsite to support launches twice a month. Financial relocation support is not offered and the position is a two-year assignment with the option of extension that could eventually become permanent.

“Looking for a Talent Unicorn; a qualified, experienced candidate with both leadership skills and deep technical expertise that can grow and learn with emerging technologies.”

Steve Thornton
Acting Division Chief, Solutions Division,
Goddard Space Flight Center, NASA

Case Study: Using culture to drive your talent pool

A good brand overcomes challenges

Culture takes the lead in NASA's job postings, which attract a high number of candidates. Postings begin with a link to a short video on working at NASA, its history, and how it lives its vision. The video highlights NASA's diversity of perspectives, career development, and learning opportunities.

NASA's company brand and employer brand are tightly intertwined, providing a consistent view of the organization.

The employer vision is presented in the best place to reach NASA's ideal candidate: usajobs.gov, the official website of the United States Government and the “go-to” for government job listings. NASA also extends its postings to other generic job sites as well as LinkedIn and professional associations.

Interview with Robert Leahy
Chief Information Officer
Goddard Space Flight Center, NASA

“Making sure we have the tools and mechanisms are two hiring challenges we are going to face in the future as how we work evolves and our work environment changes. What will we need to consider with our job announcements and the criteria for selecting employees?”

Liteshia Dennis,
Office Chief, Headquarter IT Office, Goddard Space Flight Center, NASA

The ability to attract and secure candidates requires a strategy

Despite prioritizing recruiting, IT departments see candidate experience as THE last Priority, either not focusing on it or relegating it to HR

Candidate experience is listed as one of the bottom IT challenges, but without a positive experience, securing the talent you want will be difficult.

Candidate experience starts with articulating your unique culture, benefits, and opportunities for development and innovative work as well as outlining flexible working options within an employer brand. Defining an employee value proposition is key to marketing your roles to potential employees.

81% of respondents' rate culture as very important when considering a potential employer. (Info-Tech IT Talent Trends 2022 Survey)

Tactics Used in Job Postings to Position the Organization Favorably as a Potential Employer

(Info-Tech IT Talent Trends 2022 Survey)

Case Study: Increasing talent pool at Info-Tech Research Group

Strong sales leads to growth in operation capacity

Info-Tech Research Group is an IT research & advisory firm helping IT leaders make strategic, timely, and well-informed decisions. Our actionable tools and analyst guidance ensure IT organizations achieve measurable results.

The business has grown rapidly over the last couple of years, creating a need to recruit additional talent who were highly skilled in technical applications and approaches.

In response, approval was given to expand headcount within Research for fiscal year 2022 and to establish a plan for continual expansion as revenue continues to grow.

Looking for deep technical expertise with a passion for helping our members

Hiring for our research department requires talent who are typically subject matter experts within their own respective IT domains and interested in and capable of developing research and advising clients through calls and workshops.

This combination of skills, experience, and interest can be challenging to find, especially in an IT labor market that is more competitive than ever.

Interview with Practice Lead Tracy-Lynn Reid

Focus on Candidate Experience increases successful hire rate

The senior leadership team established a project to focus on recruiting for net-new and open roles. A dedicated resource was assigned and used guidance from our research to enhance our hiring process to reduce time to hire and expand our candidate pool. Senior leaders stayed actively involved to provide feedback.

The hiring process was improved by including panel interviews with interview protocols and a rubric to evaluate all candidates equitably.

The initial screening conversation now includes a discussion on benefits, including remote and flexible work offerings, learning and development budget, support for post-secondary education, and our Buy-a-Book program.

As a result, about 70% of the approved net-new headcount was hired within 12 weeks, with recruitment ongoing.

Mergers & Acquisitions: The Sell Blueprint

For IT leaders who want to have a role in the transaction process when their business is engaging in an M&A sale or divestiture.

EXECUTIVE BRIEF

Analyst Perspective

Don’t wait to be invited to the M&A table, make it.

Brittany Lutes
Research Analyst,
CIO Practice
Info-Tech Research Group

Ibrahim Abdel-Kader
Research Analyst,
CIO Practice
Info-Tech Research Group

IT has always been an afterthought in the M&A process, often brought in last minute once the deal is nearly, if not completely, solidified. This is a mistake. When IT is brought into the process late, the business misses opportunities to generate value related to the transaction and has less awareness of critical risks or inaccuracies.

To prevent this mistake, IT leadership needs to develop strong business relationships and gain respect for their innovative suggestions. In fact, when it comes to modern M&A activity, IT should be the ones suggesting potential transactions to meet business needs, specifically when it comes to modernizing the business or adopting digital capabilities.

IT needs to stop waiting to be invited to the acquisition or divestiture table. IT needs to suggest that the table be constructed and actively work toward achieving the strategic objectives of the business.

Executive Summary

Your Challenge

There are four key scenarios or entry points for IT as the selling/divesting organization in M&As:

• IT can suggest a divestiture to meet the business objectives of the organization.
• IT is brought in to strategy plan the sale/divestiture from both the business’ and IT’s perspectives.
• IT participates in due diligence activities and complies with the purchasing organization’s asks.
• IT needs to reactively prepare its environment to enable the separation.

Consider the ideal scenario for your IT organization.

Common Obstacles

Some of the obstacles IT faces include:

• IT is often told about the transaction once the deal has already been solidified and is now forced to meet unrealistic business demands.
• The business does not trust IT and therefore does not approach IT to define value or reduce risks to the transaction process.
• The people and culture element is forgotten or not given adequate priority.

These obstacles often arise when IT waits to be invited into the transaction process and misses critical opportunities.

Info-Tech's Approach

Prepare for a sale/divestiture transaction by:

• Recognizing the trend for organizations to engage in M&A activity and the increased likelihood that, as an IT leader, you will be involved in a transaction in your career.
• Creating a standard strategy that will enable strong program management.
• Properly considering all the critical components of the transaction and integration by prioritizing tasks that will reduce risk, deliver value, and meet stakeholder expectations.

Info-Tech Insight

As the number of merger, acquisition, and divestiture transactions continues to increase, so too does IT’s opportunity to leverage the growing digital nature of these transactions and get involved at the onset.

The changing M&A landscape

Businesses will embrace more digital M&A transactions in the post-pandemic world

• When the pandemic occurred, businesses reacted by either pausing (61%) or completely cancelling (46%) deals that were in the mid-transaction state (Deloitte, 2020). The uncertainty made many organizations consider whether the risks would be worth the potential benefits.
• However, many organizations quickly realized the pandemic is not a hindrance to M&A transactions but an opportunity. Over 16,000 American companies were involved in M&A transactions in the first six months of 2021 (The Economist). For reference, this had been averaging around 10,000 per six months from 2016 to 2020.
• In addition to this transaction growth, organizations have increasingly been embracing digital. These trends increase the likelihood that, as an IT leader, you will engage in an M&A transaction. However, it is up to you when you get involved in the transactions.

The total value of transactions in the year after the pandemic started was $1.3 billion – a 93% increase in value compared to before the pandemic. (Nasdaq)

71% of technology companies anticipate that divestitures will take place as a result of the COVID-19 pandemic. (EY, 2020)

Your challenge

IT is often not involved in the M&A transaction process. When it is, it’s often too late.

• The most important driver of an acquisition is the ability to access new technology (DLA Piper), and yet 50% of the time, IT isn’t involved in the M&A transaction at all (IMAA Institute, 2017).
• Additionally, IT’s lack of involvement in the process negatively impacts the business:
  • Most organizations (60%) do not have a standardized approach to integration (Steeves and Associates), let alone separation.
  • Two-thirds of the time, the divesting organization and acquiring organization will either fail together or succeed together (McKinsey, 2015).
  • Less than half (47%) of organizations actually experience the positive results sought by the M&A transaction (Steeves and Associates).
• Organizations pursuing M&A and not involving IT are setting themselves up for failure.

Only half of M&A deals involve IT (Source: IMAA Institute, 2017)

Common Obstacles

These barriers make this challenge difficult to address for many organizations:

• IT is rarely afforded the opportunity to participate in the transaction deal. When IT is invited, this often happens later in the process where separation will be critical to business continuity.
• IT has not had the opportunity to demonstrate that it is a valuable business partner in other business initiatives.
• One of the most critical elements that IT often doesn’t take the time or doesn’t have the time to focus on is the people and leadership component.
• IT waits to be invited to the process rather then actively involving themselves and suggesting how value can be added to the process.

In hindsight, it’s clear to see: Involving IT is just good business.

47% of senior leaders wish they would have spent more time on IT due diligence to prevent value erosion. (Source: IMAA Institute, 2017)

“Solutions exist that can save well above 50 percent on divestiture costs, while ensuring on-time delivery.” (Source: SNP)

Info-Tech's approach

Acquisitions & Divestitures Framework

Acquisitions and divestitures are inevitable in modern business, and IT’s involvement in the process should be too. This progression is inspired by:

1. The growing trend for organizations to increase, decrease, or evolve through these types of transactions.
2. Transactions that are driven by digital motivations, requiring IT’s expertise.
3. A maturing business perspective of IT, preventing the difficulty that IT is faced with when invited into the transaction process late.
4. There never being such a thing as a true merger, making the majority of M&A activity either acquisitions or divestitures.

The business’ view of IT will impact how soon IT can get involved

There are four key entry points for IT

1. Innovator: IT suggests a sale or divestiture to meet the business objectives of the organization.
2. Business Partner: IT is brought in to strategy plan the sale/divestiture from both the business’ and IT’s perspective.
3. Trusted Operator: IT participates in due diligence activities and complies with the purchasing organization’s asks.
4. Firefighter: IT needs to reactively prepare its environment in order to enable the separation.

Merger, acquisition, and divestiture defined

Merger

A merger looks at the equal combination of two entities or organizations. Mergers are rare in the M&A space, as the organizations will combine assets and services in a completely equal 50/50 split. Two organizations may also choose to divest business entities and merge as a new company.

Acquisition

The most common transaction in the M&A space, where an organization will acquire or purchase another organization or entities of another organization. This type of transaction has a clear owner who will be able to make legal decisions regarding the acquired organization.

Divestiture

An organization may decide to sell partial elements of a business to an acquiring organization. They will separate this business entity from the rest of the organization and continue to operate the other components of the business.

Info-Tech Insight

A true merger does not exist, as there is always someone initiating the discussion. As a result, most M&A activity falls into acquisition or divestiture categories.

Selling vs. buying

The M&A process approach differs depending on whether you are the selling or buying organization

This blueprint is only focused on the sell side:

• Examples of sell-related scenarios include:
  • Your organization is selling to another organization with the intent of keeping its regular staff, operations, and location. This could mean minimal separation is required.
  • Your organization is selling to another organization with the intent of separating to be a part of the purchasing organization.
  • Your organization is engaging in a divestiture with the intent of:
    • Separating components to be part of the purchasing organization permanently.
    • Separating components to be part of a spinoff and establish a unit as a standalone new company.
• As the selling organization, you could proactively seek out suitors to purchase all or components of your organization, or you could be approached by an organization.

The buy side is focused on:

• More than two organizations could be involved in a transaction.
• Examples of buy-related scenarios include:
  • Your organization is buying another organization with the intent of having the purchased organization keep its regular staff, operations, and location. This could mean minimal integration is required.
  • Your organization is buying another organization in its entirety with the intent of integrating it into your original company.
  • Your organization is buying components of another organization with the intent of integrating them into your original company.
• As the purchasing organization, you will probably be initiating the purchase and thus will be valuating the selling organization during due diligence and leading the execution plan.

For more information on acquisitions or purchases, check out Info-Tech’s Mergers & Acquisitions: The Buy Blueprint.

Core business timeline

For IT to be valuable in M&As, you need to align your deliverables and your support to the key activities the business and investors are working on.

Info-Tech’s methodology for Selling Organizations in Mergers, Acquisitions, or Divestitures

Metrics for each phase

IT's role in the selling transaction

And IT leaders have a greater likelihood than ever of needing to support a merger, acquisition, or divestiture.

1. Reduced Risk

   IT can identify risks that may go unnoticed when IT is not involved.

2. Increased Accuracy

   The business can make accurate predictions around the costs, timelines, and needs of IT.

3. Faster Integration

   Faster integration means faster value realization for the business.

4. Informed Decision Making

   IT leaders hold critical information that can support the business in moving the transaction forward.

5. Innovation

   IT can suggest new opportunities to generate revenue, optimize processes, or reduce inefficiencies.

The IT executive’s critical role is demonstrated by:

• Reduced Risk

  47% of senior leaders wish they would have spent more time on IT due diligence to prevent value erosion (IMAA Institute, 2017).

• Increased Accuracy

  Sellers often only provide 15 to 30 days for the acquiring organization to decide (Forbes, 2018), increasing the necessity of accurate pricing.

• Faster Integration

  36% of CIOs have visibility into only business unit data, making the divestment a challenge (EY, 2021).

• Informed Decision Making

  Only 38% of corporate and 22% of private equity firms include IT as a significant aspect in their transaction approach (IMAA Institute, 2017).

• Innovation

  Successful CIOs involved in M&As can spend 70% of their time on aspects outside of IT and 30% of their time on technology and delivery (CIO).

Playbook benefits

IT Benefits

• IT will be seen as an innovative partner to the business, and its suggestions and involvement in the organization will lead to benefits, not hindrances.
• Develop a streamlined method to prepare the IT environment for potential carve-out and separations, ensuring risk management concerns are brought to the business’ attention immediately.
• Create a comprehensive list of items that IT needs to do during the separation that can be prioritized and actioned.

Business Benefits

• The business will get accurate and relevant information about its IT environment in order to sell or divest the company to the highest bidder for a true price.
• Fewer business interruptions will happen, because IT can accurately plan for and execute the high-priority separation tasks.
• The business can obtain a high-value offer for the components of IT being sold and can measure the ongoing value the sale will bring.

Insight summary

Overarching Insight

IT controls if and when it gets invited to support the business through a purchasing growth transaction. Take control of the process, demonstrate the value of IT, and ensure that separation of IT environments does not lead to unnecessary and costly decisions.

Proactive Insight

CIOs on the forefront of digital transformation need to actively look for and suggest opportunities to acquire or partner on new digital capabilities to respond to rapidly changing business needs.

Discovery & Strategy Insight

IT organizations that have an effective M&A program plan are more prepared for the transaction, enabling a successful outcome. A structured strategy is particularly necessary for organizations expected to deliver M&As rapidly and frequently.

Due Diligence & Preparation Insight

IT often faces unnecessary separation challenges because of a lack of preparation. Secure the IT environment and establish how IT will retain employees early in the transaction process.

Execution & Value Realization Insight

IT needs to demonstrate value and cost savings within 100 days of the transaction. The most successful transactions are when IT continuously realizes synergies a year after the transaction and beyond.

Blueprint deliverables

Key Deliverable: M&A Sell Playbook

The M&A Sell Playbook should be a reusable document that enables your IT organization to successfully deliver on any divestiture transaction.

M&A Sell One-Pager

See a one-page overview of each phase of the transaction.

M&A Sell Case Studies

Read a one-page case study for each phase of the transaction.

M&A Separation Project Management Tool (SharePoint)

Manage the separation process of the divestiture/sale using this SharePoint template.

M&A Separation Project Management Tool (Excel)

Manage the separation process of the divestiture/sale using this Excel tool if you can’t or don’t want to use SharePoint.

Info-Tech offers various levels of support to best suit your needs

Diagnostics and consistent frameworks used throughout all four options

Guided Implementation

What does a typical GI on this topic look like?

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is between 6 to 10 calls over the course of 2 to 4 months.

Proactive Phase

• Call #1: Scope requirements, objectives, and your specific challenges.

Discovery & Strategy Phase

• Call #2: Determine stakeholders and business perspectives on IT.
• Call #3: Identify how M&A could support business strategy and how to communicate.

Due Diligence & Preparation Phase

• Call #4: Establish a transaction team and divestiture/sale strategic direction.
• Call #5: Create program metrics and identify a standard separation strategy.
• Call #6: Prepare to carve out the IT environment.
• Call #7: Identify the separation program plan.

Execution & Value Realization Phase

• Call #8: Establish employee transitions to retain key staff.
• Call #9: Assess IT’s ability to deliver on the divestiture/sale transaction.

The Sell Blueprint

Phase 1

Proactive

This phase will walk you through the following activities:

• Conduct the CEO-CIO Alignment diagnostic
• Conduct the CIO Business Vision diagnostic
• Visualize relationships among stakeholders to identify key influencers
• Group stakeholders into categories
• Prioritize your stakeholders
• Plan to communicate
• Valuate IT
• Assess the IT/digital strategy
• Determine pain points and opportunities
• Align goals to opportunities
• Recommend reduction opportunities

This phase involves the following participants:

• IT and business leadership

What is the Proactive phase?

Embracing the digital drivers

As the number of merger, acquisition, or divestiture transactions driven by digital means continues to increase, IT has an opportunity to not just be involved in a transaction but actively seek out potential deals.

In the Proactive phase, the business is not currently considering a transaction. However, the business could consider one to reach its strategic goals. IT organizations that have developed respected relationships with the business leaders can suggest these potential transactions.

Understand the business’ perspective of IT, determine who the critical M&A stakeholders are, valuate the IT environment, and examine how it supports the business goals in order to suggest an M&A transaction.

In doing so, IT isn’t waiting to be invited to the transaction table – it’s creating it.

Goal: To support the organization in reaching its strategic goals by suggesting M&A activities that will enable the organization to reach its objectives faster and with greater-value outcomes.

Proactive Prerequisite Checklist

Before coming into the Proactive phase, you should have addressed the following:

• Understand what mergers, acquisitions, and divestitures are.
• Understand what mergers, acquisitions, and divestitures mean for the business.
• Understand what mergers, acquisitions, and divestitures mean for IT.

Review the Executive Brief for more information on mergers, acquisitions, and divestitures for selling organizations.

Proactive

Step 1.1

Identify M&A Stakeholders and Their Perspective of IT

Activities

• 1.1.1 Conduct the CEO-CIO Alignment diagnostic
• 1.1.2 Conduct the CIO Business Vision diagnostic
• 1.1.3 Visualize relationships among stakeholders to identify key influencers
• 1.1.4 Group stakeholders into categories
• 1.1.5 Prioritize your stakeholders
• 1.16 Plan to communicate

This step involves the following participants:

• IT executive leader
• IT leadership
• Critical M&A stakeholders

Outcomes of Step

Understand how the business perceives IT and establish strong relationships with critical M&A stakeholders.

Business executives' perspectives of IT

Leverage diagnostics and gain alignment on IT’s role in the organization

• To suggest or get involved with a merger, acquisition, or divestiture, the IT executive leader needs to be well respected by other members of the executive leadership team and the business.
• Specifically, the Proactive phase relies on the IT organization being viewed as an Innovator within the business.
• Identify how the CEO/business executive currently views IT and where they would like IT to move within the Maturity Ladder.
• Additionally, understand how other critical department leaders view IT and how they view the partnership with IT.

Misalignment in target state requires further communication between the CIO and CEO to ensure IT is striving toward an agreed-upon direction.

Info-Tech’s CIO Business Vision (CIO BV) diagnostic measures a variety of high-value metrics to provide a well-rounded understanding of stakeholder satisfaction with IT.

Business Satisfaction and Importance for Core Services

The core services of IT are important when determining what IT should focus on. The most important services with the lowest satisfaction offer the largest area of improvement for IT to drive business value.

1.1.1 Conduct the CEO-CIO Alignment diagnostic

Input: IT organization expertise and the CEO-CIO Alignment diagnostic

Output: An understanding of an executive business stakeholder’s perception of IT

Materials: M&A Sell Playbook, CEO-CIO Alignment diagnostic

Participants: IT executive/CIO, Business executive/CEO

1. The CEO-CIO Alignment diagnostic can be a powerful input. Speak with your Info-Tech account representative to conduct the diagnostic. Use the results to inform current IT capabilities.
2. You may choose to debrief the results of your diagnostic with an Info-Tech analyst. We recommend this to help your team understand how to interpret and draw conclusions from the results.
3. Examine the results of the survey and note where there might be specific capabilities that could be improved.
4. Determine whether there are any areas of significant disagreement between the you and the CEO. Mark down those areas for further conversations. Additionally, take note of areas that could be leveraged to support transactions or support your rationale in recommending transactions.

Download the sample report.

Record the results in the M&A Sell Playbook.

1.1.2 Conduct the CIO Business Vision diagnostic

2 weeks

Input: IT organization expertise, CIO BV diagnostic

Output: An understanding of business stakeholder perception of certain IT capabilities and services

Materials: M&A Buy Playbook, CIO Business Vision diagnostic

Participants: IT executive/CIO, Senior business leaders

1. The CIO Business Vision (CIO BV) diagnostic can be a powerful tool for identifying IT capability focus areas. Speak with your account representative to conduct the CIO BV diagnostic. Use the results to inform current IT capabilities.
2. You may choose to debrief the results of your diagnostic with an Info-Tech analyst. We recommend this to help your team understand how to interpret the results and draw conclusions from the diagnostic.
3. Examine the results of the survey and take note of any IT services that have low scores.
4. Read through the diagnostic comments and note any common themes. Especially note which stakeholders identified they have a favorable relationship with IT and which stakeholders identified they have an unfavorable relationship. For those who have an unfavorable relationship, identify if they will have a critical role in a growth transaction.

Download the sample report.

Record the results in the M&A Sell Playbook.

Create a stakeholder network map for M&A transactions

Follow the trail of breadcrumbs from your direct stakeholders to their influencers to uncover hidden stakeholders.

Example:

Legend
• Black arrows indicate the direction of professional influence
• Dashed green arrows indicate bidirectional, informal influence relationships

Info-Tech Insight

Your stakeholder map defines the influence landscape that the M&A transaction will occur within. This will identify who holds various levels of accountability and decision-making authority when a transaction does take place.

Use connectors to determine who may be influencing your direct stakeholders. They may not have any formal authority within the organization, but they may have informal yet substantial relationships with your stakeholders.

1.1.3 Visualize relationships among stakeholders to identify key influencers

1-3 hours

Input: List of M&A stakeholders

Output: Relationships among M&A stakeholders and influencers

Materials: Flip charts, Markers, Sticky notes, M&A Sell Playbook

Participants: IT executive leadership

1. The purpose of this activity is to list all the stakeholders within your organization that will have a direct or indirect impact on the M&A transaction.
2. Determine the critical stakeholders, and then determine the stakeholders of your stakeholders and consider adding each of them to the stakeholder list.
3. Assess who has either formal or informal influence over your stakeholders; add these influencers to your stakeholder list.
4. Construct a diagram linking stakeholders and their influencers together.
   • Use black arrows to indicate the direction of professional influence.
   • Use dashed green arrows to indicate bidirectional, informal influence relationships.

Record the results in the M&A Sell Playbook.

Categorize your stakeholders with a prioritization map

A stakeholder prioritization map helps IT leaders categorize their stakeholders by their level of influence and ownership in the merger, acquisition, or divestiture process.

There are four areas in the map, and the stakeholders within each area should be treated differently.

Players – players have a high interest in the initiative and the influence to effect change over the initiative. Their support is critical, and a lack of support can cause significant impediment to the objectives.

Mediators – mediators have a low interest but significant influence over the initiative. They can help to provide balance and objective opinions to issues that arise.

Noisemakers – noisemakers have low influence but high interest. They tend to be very vocal and engaged, either positively or negatively, but have little ability to enact their wishes.

Spectators – generally, spectators are apathetic and have little influence over or interest in the initiative.

1.1.4 Group stakeholders into categories

30 minutes

Input: Stakeholder map, Stakeholder list

Output: Categorization of stakeholders and influencers

Materials: Flip charts, Markers, Sticky notes, M&A Sell Playbook

Participants: IT executive leadership, Stakeholders

1. Identify your stakeholders’ interest in and influence on the M&A process as high, medium, or low by rating the attributes below.
2. Map your results to the model to the right to determine each stakeholder’s category.

Level of Influence

• Power: Ability of a stakeholder to effect change.
• Urgency: Degree of immediacy demanded.
• Legitimacy: Perceived validity of stakeholder’s claim.
• Volume: How loud their “voice” is or could become.
• Contribution: What they have that is of value to you.

Level of Interest

How much are the stakeholder’s individual performance and goals directly tied to the success or failure of the product?

Record the results in the M&A Sell Playbook.

Prioritize your stakeholders

There may be too many stakeholders to be able to manage them all. Focus your attention on the stakeholders that matter most.

Consider the three dimensions for stakeholder prioritization: influence, interest, and support. Support can be determined by answering the following question: How significant is that stakeholder to the M&A or divestiture process?

These parameters are used to prioritize which stakeholders are most important and should receive your focused attention.

1.1.5 Prioritize your stakeholders

30 minutes

Input: Stakeholder matrix

Output: Stakeholder and influencer prioritization

Materials: Flip charts, Markers, Sticky notes, M&A Sell Playbook

Participants: IT executive leadership, M&A/divestiture stakeholders

1. Identify the level of support of each stakeholder by answering the following question: How significant is that stakeholder to the M&A transaction process?
2. Prioritize your stakeholders using the prioritization scheme on the previous slide.

Record the results in the M&A Sell Playbook.

Define strategies for engaging stakeholders by type

Info-Tech Insight

Each group of stakeholders draws attention and resources away from critical tasks. By properly identifying stakeholder groups, the IT executive leader can develop corresponding actions to manage stakeholders in each group. This can dramatically reduce wasted effort trying to satisfy Spectators and Noisemakers while ensuring the needs of Mediators and Players are met.

1.1.6 Plan to communicate

30 minutes

Input: Stakeholder priority, Stakeholder categorization, Stakeholder influence

Output: Stakeholder communication plan

Materials: Flip charts, Markers, Sticky notes, M&A Sell Playbook

Participants: IT executive leadership, M&A/divestiture stakeholders

The purpose of this activity is to make a communication plan for each of the stakeholders identified in the previous activities, especially those who will have a critical role in the M&A transaction process.

1. In the M&A Sell Playbook, input the type of influence each stakeholder has on IT, how they would be categorized in the M&A process, and their level of priority. Use this information to create a communication plan.
2. Determine the methods and frequency of communication to keep the necessary stakeholder satisfied and maintain or enhance IT’s profile within the organization.

Record the results in the M&A Sell Playbook.

Proactive

Step 1.2

Assess IT’s Current Value and Method to Achieve a Future State

Activities

• 1.2.1 Valuate IT
• 1.2.2 Assess the IT/digital strategy

This step involves the following participants:

• IT executive leader
• IT leadership
• Critical stakeholders to M&A

Outcomes of Step

Identify critical opportunities to optimize IT and meet strategic business goals through a merger, acquisition, or divestiture.

How to valuate your IT environment

And why it matters so much

• Valuating your current organization’s IT environment is a critical step that all IT organizations should take, whether involved in an M&A or not, to fully understand what it might be worth.
• The business investments in IT can be directly translated into a value amount. For every $1 invested in IT, the business might be gaining $100 in value back or possibly even loosing $100.
• Determining, documenting, and communicating this information ensures that the business takes IT’s suggestions seriously and recognizes why investing in IT is so critical.
• There are three ways a business or asset can be valuated:
  • Cost Approach: Look at the costs associated with building, purchasing, replacing, and maintaining a given aspect of the business.
  • Market Approach: Look at the relative value of a particular aspect of the business. Relative value can fluctuate and depends on what the markets and consequently society believe that particular element is worth.
  • Discounted Cash Flow Approach: Focus on what the potential value of the business could be or the intrinsic value anticipated due to future profitability.
(Source: “Valuation Methods,” Corporate Finance Institute)

Four ways to create value through digital

1. Reduced costs
2. Improved customer experience
3. New revenue sources
4. Better decision making
(Source: McKinsey & Company)

1.2.1 Valuate IT

1 day

Input: Valuation of data, Valuation of applications, Valuation of infrastructure and operations, Valuation of security and risk

Output: Valuation of IT

Materials: Relevant templates/tools listed on the following slides, Capital budget, Operating budget, M&A Sell Playbook

Participants: IT executive/CIO, IT senior leadership

The purpose of this activity is to demonstrate that IT is not simply an operational functional area that diminishes business resources. Rather, IT contributes significant value to the business.

1. Review each of the following slides to valuate IT’s data, applications, infrastructure and operations, and security and risk. These valuations consider several tangible and intangible factors and result in a final dollar amount.
2. Input the financial amounts identified for each critical area into a summary slide. Use this information to determine where IT is delivering value to the organization.

Info-Tech Insight

Consistency is key when valuating your IT organization as well as other IT organizations throughout the transaction process.

Record the results in the M&A Sell Playbook.

Data valuation

Data valuation identifies how you monetize the information that your organization owns.

Create a data value chain for your organization

When valuating the information and data that exists in an organization, there are many things to consider.

Info-Tech has two tools that can support this process:

1. Information Asset Audit Tool: Use this tool first to take inventory of the different information assets that exist in your organization.
2. Data Valuation Tool: Once information assets have been accounted for, valuate the data that exists within those information assets.

Instructions

1. Using the Data Valuation Tool, start gathering information based on the eight steps above to understand your organization’s journey from data to value.
2. Identify the data value spectrum. (For example: customer sales service, citizen licensing service, etc.)
3. Fill out the columns for data sources, data collection, and data first.
4. Capture data analysis and related information.
5. Then capture the value in data.
6. Add value dimensions such as usage, quality, and economic dimensions.
   • Remember that economic value is not the only dimension, and usage/quality has a significant impact on economic value.
7. Collect evidence to justify your data valuation calculator (market research, internal metrics, etc.).
8. Finally, calculate the value that has a direct correlation with underlying value metrics.

Application valuation

Calculate the value of your IT applications

When valuating the applications and their users in an organization, consider using a business process map. This shows how business is transacted in the company by identifying which IT applications support these processes and which business groups have access to them. Info-Tech has a business process mapping tool that can support this process:

• Enterprise Integration Process Mapping Tool: Complete this tool first to map the different business processes to the supporting applications in your organization.

Instructions

1. Start by calculating user costs. This is the multiplication of: (# of users) × (% of time spent using IT) × (fully burdened salary).
2. Identify the revenue per employee and divide that by the average cost per employee to calculate the derived productivity ratio (DPR).
3. Once you have calculated the user costs and DPR, multiply those total values together to get the application value.

User Costs			Total User Costs	Derived Productivity Ratio (DPR)		Total DPR	Application Value
# of users	% time spent using IT	Fully burdened salary	Multiply values from the 3 user costs columns	Revenue per employee	Average cost per employee	(Revenue P.E) ÷ (Average cost P.E)	(User costs) X (DPR)



4. Once the total application value is established, calculate the combined IT and business costs of delivering that value. IT and business costs include inflexibility (application maintenance), unavailability (downtime costs, including disaster exposure), IT costs (common costs statistically allocated to applications), and fully loaded cost of active (full-time equivalent [FTE]) users.
5. Calculate the net value of applications by subtracting the total IT and business costs from the total application value calculated in step 3.

IT and Business Costs				Total IT and Business Costs	Net Value of Applications
Application maintenance	Downtime costs (include disaster exposure)	Common costs allocated to applications	Fully loaded costs of active (FTE) users	Sum of values from the four IT and business costs columns	(Application value) – (IT and business costs)

(Source: CSO)

Infrastructure valuation

Assess the foundational elements of the business’ information technology

The purpose of this exercise is to provide a high-level infrastructure valuation that will contribute to valuating your IT environment.

Calculating the value of the infrastructure will require different methods depending on the environment. For example, a fully cloud-hosted organization will have different costs than a fully on-premises IT environment.

Instructions:

1. Start by listing all of the infrastructure-related items that are relevant to your organization.
2. Once you have finalized your items column, identify the total costs/value of each item.
   • For example, total software costs would include servers and storage.
3. Calculate the total cost/value of your IT infrastructure by adding all of values in the right column.

For additional support, download the M&A Runbook for Infrastructure and Operations.

Risk and security

Assess risk responses and calculate residual risk

The purpose of this exercise is to provide a high-level risk assessment that will contribute to valuating your IT environment. For a more in-depth risk assessment, please refer to the Info-Tech tools below:

1. Risk Register Tool
2. Security M&A Due Diligence Tool

Instructions

1. Review the probability and impact scales below and ensure you have the appropriate criteria that align to your organization before you conduct a risk assessment.
2. Identify the probability of occurrence and estimated financial impact for each risk category detail and fill out the table on the right. Customize the table as needed so it aligns to your organization.

Probability of Risk Occurrence	Occurrence Criteria (Classification; Probability of Risk Event Within One Year)
Negligible	Very Unlikely; ‹20%
Very Low	Unlikely; 20 to 40%
Low	Possible; 40 to 60%
Moderately Low	Likely; 60 to 80%
Moderate	Almost Certain; ›80%

Note: If needed, you can customize this scale with the severity designations that you prefer. However, make sure you are always consistent with it when conducting a risk assessment.

1.2.2 Assess the IT/digital strategy

4 hours

Input: IT strategy, Digital strategy, Business strategy

Output: An understanding of an executive business stakeholder’s perception of IT, Alignment of IT/digital strategy and overall organization strategy

Materials: Computer, Whiteboard and markers, M&A Sell Playbook

Participants: IT executive/CIO, Business executive/CEO

The purpose of this activity is to review the business and IT strategies that exist to determine if there are critical capabilities that are not being supported.

Ideally, the IT and digital strategies would have been created following development of the business strategy. However, sometimes the business strategy does not directly call out the capabilities it requires IT to support.

1. On the left half of the corresponding slide in the M&A Sell Playbook, document the business goals, initiatives, and capabilities. Input this information from the business or digital strategies. (If more space for goals, initiatives, or capabilities is needed, duplicate the slide).
2. On the other half of the slide, document the IT goals, initiatives, and capabilities. Input this information from the IT strategy and digital strategy.

For additional support, see Build a Business-Aligned IT Strategy.

Record the results in the M&A Sell Playbook.

Proactive

Step 1.3

Drive Innovation and Suggest Growth Opportunities

Activities

• 1.3.1 Determine pain points and opportunities
• 1.3.2 Align goals with opportunities
• 1.3.3 Recommend reduction opportunities

This step involves the following participants:

• IT executive leader
• IT leadership
• Critical M&A stakeholders

Outcomes of Step

Establish strong relationships with critical M&A stakeholders and position IT as an innovative business partner that can suggest reduction opportunities.

1.3.1 Determine pain points and opportunities

1-2 hours

Input: CEO-CIO Alignment diagnostic, CIO Business Vision diagnostic, Valuation of IT environment, IT-business goals cascade

Output: List of pain points or opportunities that IT can address

Materials: Computer, Whiteboard and markers, M&A Sell Playbook

Participants: IT executive/CIO, IT senior leadership, Business stakeholders

The purpose of this activity is to determine the pain points and opportunities that exist for the organization. These can be external or internal to the organization.

1. Identify what opportunities exist for your organization. Opportunities are the potential positives that the organization would want to leverage.
2. Next, identify pain points, which are the potential negatives that the organization would want to alleviate.
3. Spend time considering all the options that might exist, and keep in mind what has been identified previously.

Opportunities and pain points can be trends, other departments’ initiatives, business perspectives of IT, etc.

Record the results in the M&A Sell Playbook.

1.3.2 Align goals with opportunities

1-2 hours

Input: CEO-CIO Alignment diagnostic, CIO Business Vision diagnostic, Valuation of IT environment, IT-business goals cascade, List of pain points and opportunities

Output: An understanding of an executive business stakeholder’s perception of IT, Foundations for reduction strategy

Materials: Computer, Whiteboard and markers, M&A Sell Playbook

Participants: IT executive/CIO, IT senior leadership, Business stakeholders

The purpose of this activity is to determine whether a growth or separation strategy might be a good suggestion to the business in order to meet its business objectives.

1. For the top three to five business goals, consider:
   1. Underlying drivers
   2. Digital opportunities
   3. Whether a growth or reduction strategy is the solution
2. Just because a growth or reduction strategy is a solution for a business goal does not necessarily indicate M&A is the way to go. However, it is important to consider before you pursue suggesting M&A.

Record the results in the M&A Sell Playbook.

1.3.3 Recommend reduction opportunities

1-2 hours

Input: Growth or separation strategy opportunities to support business goals, Stakeholder communication plan, Rationale for the suggestion

Output: M&A transaction opportunities suggested

Materials: M&A Sell Playbook

Participants: IT executive/CIO, Business executive/CEO

The purpose of this activity is to recommend a merger, acquisition, or divestiture to the business.

1. Identify which of the business goals the transaction would help solve and why IT is the one to suggest such a goal.
2. Leverage the stakeholder communication plan identified previously to give insight into stakeholders who would have a significant level of interest, influence, or support in the process.

Info-Tech Insight

With technology and digital driving many transactions, leverage your organizations’ IT environment as an asset and reason why the divestiture or sale should happen, suggesting the opportunity yourself.

Record the results in the M&A Sell Playbook.

By the end of this Proactive phase, you should:

Be prepared to suggest M&A opportunities to support your company’s goals through sale or divestiture transactions

Key outcome from the Proactive phase

Develop progressive relationships and strong communication with key stakeholders to suggest or be aware of transformational opportunities that can be achieved through sale or divestiture strategies.

Key deliverables from the Proactive phase

• Business perspective of IT examined
• Key stakeholders identified and relationship to the M&A process outlined
• Ability to valuate the IT environment and communicate IT’s value to the business
• Assessment of the business, digital, and IT strategies and how M&As could support those strategies
• Pain points and opportunities that could be alleviated or supported through an M&A transaction
• Sale or divestiture recommendations

The Sell Blueprint

Phase 2

Discovery & Strategy

This phase will walk you through the following activities:

• Create the mission and vision
• Identify the guiding principles
• Create the future-state operating model
• Determine the transition team
• Document the M&A governance
• Create program metrics
• Establish the separation strategy
• Conduct a RACI
• Create the communication plan
• Assess the potential organization(s)