Does Constant Change Equal Constant Risk in Your Enterprise?
Constant change means constant risk to the enterprise architecture unless it's planned and governed correctly.
IT planning takes place in a rapidly changing business environment and involves an overwhelming volume of data -- hundreds of applications and many thousands of artifacts in multiple locations. Complex interdependencies between distributed specialists, critical business processes, IT support services and the underlying technical infrastructure can be significantly disrupted by isolated actions and incidents.
Constant change -- organizational, technology (e.g. SOA, cloud computing), processes -- means that the IT landscape and interrelationships between business, information and technical architecture layers are undergoing constant transformation. Without centralized planning, things can quickly go very wrong, putting the enterprise under unnecessary and sometimes unlawful risk.
To make matters worse, many organizations struggle to meet the IT planning challenge with Microsoft Office tools. Subject matter experts own fragments of technical information while organizational and functional data is maintained in ad hoc databases that lack the GUI and visualization tools needed to show relationships between data classes (business, technical and financial information). An EA (Enterprise Architecture) inventory that provides a one-world and up-to-date view about the constantly changing current, future and planned landscape for all stakeholders involved in the planning process significantly mitigates the risk of ill-informed decision-making.
This article examines three situations in which organizations may be at particularly high risk: the project approval process, compliance with regulations, and mergers and acquisitions.
Each scenario is followed by a section on EA best practices for mitigating risk during those times.
Scenario One Risk: Project Approval Process
Given these risks, it is crucial that organizations find a means to prevent them. This requires architecture health and risk checks and setting milestones at which the project receives a "go" or "no go." Processes should be put into place to ensure that a project business plan is completed and is comparable. All stakeholders should be involved in the process and the individuals with approval power should be mandated to carry out due diligence. Such due diligence should be transparent to others so that it is clear why a solution was chosen over another.
Best practices in other industries, such as manufacturing, demonstrate that a key success factor is transparency and comparability of the information from suppliers and partners. In IT this implies comparability not just in terms of deliverables and business benefits but also in terms of architectural fit with the existing IT landscape. A centralized planning system allows competing solutions to be proposed and cross-compared on a level playing field against criteria such as their architectural risk and standards compliance.
The biggest issue during project approval processes is that individuals typically underestimate time, costs and effort. Often, they don't look at the impact a new project has on other existing or planned IT implementations. For example, a new solution being reviewed might use a technology that your organization plans to take out of lifecycle in two years. Is that acceptable? Or another project might include technology that conflicts with your existing data warehousing strategy. If so, you might not be able to analyze that information or it could cost a good deal more money to do so. In fact, the biggest cost incurred is often when project managers have to pay for the development and maintenance of interfaces required for disparate systems to communicate with one another.
By documenting portfolio decisions and the decision process behind them, organizations can better determine which approved projects are priorities in an organization's business strategy. This avoids pet projects getting forced through because sponsors must defend decisions in a logical manner.
An example of a company that has a good handle on projects is a well-known financial services firm. Its CIO Office oversees project costs, architecture conformity, IT security and business case and relevance. Since initiating its enterprise architecture management program, if these factors aren't up to standard, projects don't proceed. One of its priorities has been to reduce the number of interfaces between applications and so it has standardized on certain applications. As a result, it has cut costs and implementation time sharply.
Scenario Two Risk: Compliance with Regulations
Many companies have gone through several years in a row of needing to comply with one or more standards or regulations but have yet to establish a formal IT compliance program. Because of this, their short term big-bang "fixes" are not repeatable and are very effort-intensive. Rather than treat compliance systematically, they treat it as an annual distraction. Thus, their reporting and control is still not transparent and they spend too much simply trying to comply each year. To address this, companies should address regulatory, commercial and organizational compliance demands on IT in a comprehensive manner enterprise-wide as part of their EA management processes. This involves defining controls in a central, auditable system and automating control checking, consolidation and reporting of feedback. Ultimately, this leads to a clear definition of the roles and responsibilities required for regulatory compliance.
Consider SOX, for example. The SOX regulation obligates a company to have a thorough understanding of its business processes. This includes knowing how they are executed (manually and/or IT supported), understanding how they are interrelated with each other and realizing the impact of changes to business processes. The outcome allows a company to identify and stem possible areas of risk. It also obligates a company to be in complete control of its business processes, define and document the as-is state, establish a change management process, ensure communication among all stakeholders and monitor results -- with the goal of detecting non-compliant activity.
Master Planning, a key strategic EA planning discipline, can support an enterprise's SOX compliance efforts by relating the business architecture to the application architecture. It is a visualization technique as well as a planning platform enabling quick comprehension of the impact of change in the IT environment. For example, Master Planning allows companies to identify that a key financial process (SOX-relevant) will be affected by the introduction of a new order-taking application. Such ongoing analyses are necessary management mechanisms. By unveiling the weaknesses of the architecture, threats to the enterprise can be identified and improvements instigated in the form of new standards. EA management is essential for developing standards for enterprise IT. Enterprise architects channel reform programs into IT as standards and guidelines for the development of local solutions and service offerings.
In order to achieve compliance, large organizations should design SOX checkpoints. The most efficient means is to have them integrated into the enterprise architecture planning process, using a system that supports automation of compliance maintenance. By doing so, organizations will ensure that they can proactively identify areas of concern, while maintaining a more controlled IT environment.
Scenario Three Risk: Mergers & Acquisitions
Without a well-thought-out and effectively managed roadmap, the IT department risks an incomplete integration, business frustration with its capabilities, loss of critical staff, higher costs and an unnecessarily complex environment. If CIOs needed another reason to invest in Enterprise Architecture Management (EAM), then an imminent M&A provides one. During the M&A due diligence phase, it is imperative for IT to gather a detailed inventory of the IT assets - systems, processes and people - of the target company to understand how they support the business model and to develop accurate estimates for schedule and costs necessary for planning. A transparent overview of both companies' IT baseline is imperative to be able to understand where synergies, cost-saving consolidation and operational risk lie.
Moreover, organizations that have an established EAM are better positioned to be successful at M&A integration simply because the integration work, while substantial, can be folded into existing strategic planning, governance and execution processes. Key decisions around which applications, infrastructure and IT processes are needed and what transformations are required to create the new IT organization can be quickly taken with minimal disruption. While IT management focuses on completion of integration projects and on achieving operational stability, business management looks for revenue and profitability synergies. These different criteria can cause impatience and frustration. Implementing EAM processes provides IT and the business with a common vision of the combined company end state and a collaborative planned process for getting to it.
© Copyright 2008 Auerbach Publications