IT Performance Improvement

Does Constant Change Equal Constant Risk in Your Enterprise?

Erik Masing

Constant change means constant risk to the enterprise architecture unless it's planned and governed correctly.

IT planning takes place in a rapidly changing business environment and involves an overwhelming volume of data -- hundreds of applications and many thousands of artifacts in multiple locations. Complex interdependencies between distributed specialists, critical business processes, IT support services and the underlying technical infrastructure can be significantly disrupted by isolated actions and incidents.

Constant change -- organizational, technological (e.g. SOA, cloud computing) and process-related -- means that the IT landscape and the interrelationships between the business, information and technical architecture layers are undergoing constant transformation. Without centralized planning, things can quickly go very wrong, putting the enterprise under unnecessary and sometimes unlawful risk.

To make matters worse, many organizations struggle to meet the IT planning challenge with Microsoft Office tools. Subject matter experts own fragments of technical information, while organizational and functional data is maintained in ad hoc databases that lack the GUI and visualization tools needed to show relationships between data classes (business, technical and financial information). An EA (Enterprise Architecture) inventory that provides a single, up-to-date view of the constantly changing current, future and planned landscape for all stakeholders involved in the planning process significantly mitigates the risk of ill-informed decision-making.

This article examines three situations in which organizations may be at particularly high risk:

  1. During the project approval process
  2. When dealing with regulatory compliance
  3. During mergers and acquisitions

Each scenario is followed by a section on EA best practices for mitigating risk during those times.

Scenario One Risk: Project Approval Process
The typical project approval process is fraught with risks. Here are some common mistakes that increase these risks:

  • Without a proper process in place, projects are approved with no certainty about their financial costs.
  • Not having the right architectural governance within the organization increases the risk of project failure.
  • The lack of transparency and due process in selecting project portfolios means that decisions are sometimes made based on whether a project is favored rather than whether it is business critical.

Given these risks, it is crucial that organizations find a means to prevent them. This requires architecture health and risk checks and setting milestones at which the project receives a "go" or "no go." Processes should be put into place to ensure that a project business plan is completed and is comparable. All stakeholders should be involved in the process and the individuals with approval power should be mandated to carry out due diligence. Such due diligence should be transparent to others so that it is clear why a solution was chosen over another.

Best practices in other industries, such as manufacturing, demonstrate that a key success factor is transparency and comparability of the information from suppliers and partners. In IT this implies comparability not just in terms of deliverables and business benefits but also in terms of its architectural fit with the existing IT landscape. A centralized planning system allows for competing solutions to be proposed and cross-compared on level playing terms in terms of criteria such as their architectural risk and standards compliance.

The biggest issue during project approval processes is that individuals typically underestimate time, costs and effort. Often, they don't look at the impact a new project has on other existing or planned IT implementations. For example, a new solution being reviewed might use a technology that your organization plans to take out of lifecycle in two years. Is that acceptable? Or another project might include technology that conflicts with your existing data warehousing strategy. If so, you might not be able to analyze that information, or it could cost a good deal more money to do so. In fact, the biggest cost incurred is often when project managers have to pay for the development and maintenance of the interfaces required for disparate systems to communicate with one another.

By documenting portfolio decisions and the decision process behind them, organizations can better determine which approved projects are priorities in the organization's business strategy. This prevents pet projects from being forced through, because sponsors must defend their decisions in a logical manner.

An example of a company that has a good handle on projects is a well-known financial services firm. Its CIO Office oversees project costs, architecture conformity, IT security and business case and relevance. Since initiating its enterprise architecture management program, if these factors aren't up to standard, projects don't proceed. One of its priorities has been to reduce the number of interfaces between applications and so it has standardized on certain applications. As a result, it has cut costs and implementation time sharply.

Scenario Two Risk: Compliance with Regulations
A number of compliance issues such as Sarbanes-Oxley (SOX), the Information Technology Infrastructure Library (ITIL) and International Organization for Standardization (ISO) standards have caused havoc within organizations. They've created risks such as the following:

  • There is a risk that auditors may not sign off on compliance and on processes that are not repeatable. This results in high cost to mitigate the risk and to obtain an auditor's sign-off.
  • In addition, the annual extra effort and stress demotivates and burns out staff and incurs high overtime costs.

Many companies have gone through several years in a row of needing to comply with one or more standards or regulations but have yet to establish a formal IT compliance program. Because of this, their short-term big-bang "fixes" are not repeatable and are very effort-intensive. Rather than treat compliance systematically, they treat it as an annual distraction. Thus, their reporting and control is still not transparent, and they spend too much simply trying to comply each year. To address this, companies should address regulatory, commercial and organizational compliance demands on IT in a comprehensive manner, enterprise-wide, as part of their EA management processes. This involves defining controls in a central, auditable system and automating control checking, consolidation and reporting of feedback. Ultimately, this leads to a clear definition of the roles and responsibilities required for regulatory compliance.

Consider SOX, for example. The SOX regulation obligates a company to have a thorough understanding of its business processes. This includes knowing how they are executed (manually and/or IT supported), understanding how they are interrelated with each other and realizing the impact of changes to business processes. The outcome allows a company to identify and stem possible areas of risk. It also obligates a company to be in complete control of its business processes, define and document the as-is state, establish a change management process, ensure communication among all stakeholders and monitor results -- with the goal of detecting non-compliant activity.

Master Planning, a key strategic EA planning discipline, can support an enterprise's SOX compliance efforts by relating the business architecture to the application architecture. It is a visualization technique as well as a planning platform, enabling quick comprehension of the impact of change in the IT environment. For example, Master Planning allows companies to identify that a key financial process (SOX-relevant) will be affected by the introduction of a new order-taking application. Such ongoing analyses are necessary management mechanisms. By unveiling the weaknesses of the architecture, threats to the enterprise can be identified and improvements instigated in the form of new standards. EA management is essential for developing standards for enterprise IT. Enterprise architects channel reform programs into IT as standards and guidelines for the development of local solutions and service offerings.

In order to achieve compliance, large organizations should design SOX checkpoints. The most efficient means is to have them integrated into the enterprise architecture planning process, using a system that supports automation of compliance maintenance. By doing so, organizations will ensure that they can proactively identify areas of concern, while maintaining a more controlled IT environment.
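The two checks described above (scenario one's "technology leaving the lifecycle within two years" question during project approval, and scenario two's Master Planning impact analysis that traces a new order-taking application through to SOX-relevant financial processes) can both be run over a machine-readable EA inventory. The following is an added illustration, not code from the article or from any EA product; the inventory, the application and process names and the end-of-life dates are constructed sample data, and the dependency-tracing logic is a plain breadth-first traversal of application interfaces.

```python
from collections import deque
from datetime import date

# Constructed sample EA inventory (not from the article): technologies with a planned
# end-of-lifecycle date (None = no retirement planned), applications with the
# technologies they use and the applications they interface with, and business
# processes with the applications they depend on plus a SOX-relevance flag.
TECHNOLOGIES = {"AppServerX 5": date(2009, 12, 31), "DB 11": None, "ESB 2": None}
APPLICATIONS = {
    "Order Taking":   {"tech": ["AppServerX 5"], "interfaces": ["Billing"]},
    "Billing":        {"tech": ["DB 11"],        "interfaces": ["General Ledger"]},
    "General Ledger": {"tech": ["DB 11"],        "interfaces": []},
    "CRM":            {"tech": ["ESB 2"],        "interfaces": ["Order Taking"]},
}
PROCESSES = {
    "Take Order":       {"apps": ["Order Taking"],   "sox": False},
    "Invoice Customer": {"apps": ["Billing"],        "sox": True},
    "Close Books":      {"apps": ["General Ledger"], "sox": True},
    "Manage Leads":     {"apps": ["CRM"],            "sox": False},
}

def technology_risks(app, today, horizon_years=2):
    """Technologies used by `app` whose planned end of lifecycle falls within the horizon."""
    limit = date(today.year + horizon_years, today.month, today.day)
    return sorted(t for t in APPLICATIONS[app]["tech"]
                  if TECHNOLOGIES.get(t) is not None and TECHNOLOGIES[t] <= limit)

def downstream_applications(app):
    """All applications reachable from `app` over its interfaces, including `app` itself."""
    seen, queue = {app}, deque([app])
    while queue:
        for nxt in APPLICATIONS[queue.popleft()]["interfaces"]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def impacted_processes(app, sox_only=False):
    """Business processes that depend on any application downstream of a change to `app`."""
    apps = downstream_applications(app)
    return sorted(p for p, info in PROCESSES.items()
                  if set(info["apps"]) & apps and (info["sox"] or not sox_only))

def approval_check(app, today, horizon_years=2):
    """Project-approval gate: 'go' only if no technology retires within the horizon;
    SOX-relevant processes that the change touches are listed for explicit sign-off."""
    risks = technology_risks(app, today, horizon_years)
    return {"go": not risks, "technology_risks": risks,
            "needs_sox_signoff": impacted_processes(app, sox_only=True)}

if __name__ == "__main__":
    print(approval_check("Order Taking", date(2008, 6, 1)))
```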

Scenario Three Risk: Mergers & Acquisitions
When a firm embarks upon a merger or acquisition (M&A), even if it's to gain market share or acquire products, it is seeking synergies that translate into shareholder value. But few if any synergies are possible without IT being tightly involved in the planning and transformation process. Thus, organizations are often left with the following risks:

  • Following organizational change, there will likely be incomplete integration between the systems.
  • The lack of integration will likely cause business frustration, loss of critical staff and increase integration costs.

Without a well-thought-out and effectively managed roadmap, the IT department risks an incomplete integration, business frustration with its capabilities, loss of critical staff, higher costs and an unnecessarily complex environment. If CIOs needed another reason to invest in Enterprise Architecture Management (EAM), then an imminent M&A provides one. During the M&A due diligence phase, it is imperative for IT to gather a detailed inventory of the IT assets -- systems, processes and people -- of the target company to understand how they support the business model and to develop accurate estimates for the schedule and costs necessary for planning. A transparent overview of both companies' IT baseline is imperative to be able to understand where synergies, cost-saving consolidation and operational risk lie.

Moreover, organizations that have an established EAM are better positioned to be successful at M&A integration simply because the integration work, while substantial, can be folded into existing strategic planning, governance and execution processes. Key decisions around which applications, infrastructure and IT processes are needed and what transformations are required to create the new IT organization can be quickly taken with minimal disruption. While IT management focuses on completion of integration projects and on achieving operational stability, business management looks for revenue and profitability synergies. These different criteria can cause impatience and frustration. Implementing EAM processes provides IT and the business with a common vision of the combined company end state and a collaborative planned process for getting to it.

Conclusion
Because of the myriad risks, organizations should examine enterprise architecture management options. Prior to starting the architectural effort, organizations should perform a high-level risk assessment and a strategic security vision of the enterprise architecture and agree on a method to formalize the enterprise architecture. Next, they should ensure that security and enterprise architecture staff work hand in hand, because neither can do the job alone. The CISO and chief architect should develop and implement the security architecture process, ensuring that the same data models, processes and security issues are considered. By sharing the same view of the world, architects and security staff can work hand in hand on overlapping areas to ensure they are addressed properly. This will lead to a transparent and accurate window into the as-is landscape for every IT project and planning exercise. In addition, information security specialists and enterprise architects can work together with a common methodology, approach and tools, as well as shared domain expertise. The result will be lower costs, better compliance, improved staff morale and retention and -- ultimately -- reduced risks.

About the Author

Erik Masing is CEO of alfabet, Inc., a software provider of strategic IT planning and enterprise architecture management solutions.

© Copyright 2008 Auerbach Publications