ISACA IT GRC Conference 2008 Creating Business Value by means of Stakeholder and Requirements Management
Upcoming SlideShare
Loading in...5
×
 

ISACA IT GRC Conference 2008 Creating Business Value by means of Stakeholder and Requirements Management

on

  • 1,369 views

In marketing a saying goes: “The Customer does not exist” this recognizes that each customer is unique in its desires and requirements and there is no such thing as a one size fits all. In analogy ...

In marketing a saying goes: “The Customer does not exist” this recognizes that each customer is unique in its desires and requirements and there is no such thing as a one size fits all. In analogy this session sets out with the statement that “The business does not exist”. An enterprise is a unique combination of central or de-central, task, geography, goal and/ or skills oriented divisions and departments. All these stakeholders have individual needs and requirements that might be met or supported by the services offered by the Enterprise IT Domain. To offer a one size fits all solution (per service) in response to this multitude of desires is to reuse the line of though from Henry Ford: “They can have any color they like as long as it is black”. This approach was very useful to help build the company into the global enterprise it is today. Yet at some point in the growth of the organization it was abandoned in favor of more variation of choice as a trip to the ford dealer will tell you. Even a standard product like a McDonalds hamburger varies to suite the (taste) requirements in different parts of the world.

How can the IT Domain of an enterprise growing in complexity, size, geographical presence etc. strategically prepare to deal with this complexity and ensure it will (keep) deliver(ing) maximum value in the eyes of the individual stakeholder (groups)?

Statistics

Views

Total Views
1,369
Views on SlideShare
1,359
Embed Views
10

Actions

Likes
1
Downloads
102
Comments
0

3 Embeds 10

http://www.linkedin.com 7
http://www.lmodules.com 2
https://www.linkedin.com 1

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

ISACA IT GRC Conference 2008 Creating Business Value by means of Stakeholder and Requirements Management ISACA IT GRC Conference 2008 Creating Business Value by means of Stakeholder and Requirements Management Document Transcript

  • My name is Arno Kapteyn and I am a Managing Consultant at Capgemini based in The Netherlands. My field of expertise is primarily IT Governance with a secondary focus of IT Risk, IT Compliance, IT Security, IT Service Management and IT architecture. In the course of my professional career I gained hands-on experience in using models such as: -ITIL (V2 and V3) -CobiT -COSO -ValIT -ISO 17799/ 27000 -CMMi The use of these models helped to address topics amongst which: -(IT) Process Improvement -Risk Management -Value Management -Business – IT Alignment -Control Framework Design (to meet Security, Financial and other Compliance requirements) -IT Performance Management 1
  • Do you know who said this? It was Henry Ford when he described his ideas about product diversity at the time he introduced the Ford model-T. It was part of the corporate philosophy when he started the Ford Motor Company. This helped build the company into the Global Company it is today. Yet when you walk into a Ford dealer today and read the leaflet of any of the Ford models you will find you can get any of a range of models in many different colours. So somewhere in its development and growth into a world-wide enterprise the Ford Motor Company dropped the “One size fits all” philosophy in favour of a more diverse product portfolio. 2
  • Company growth is a goal for most companies and many C-level executives dream of giving their enterprises a placing in the top Fortune Global 500. But that position is not achieved over night. The road to the top is long and results in many changes. Some of those can have a fundamental impact on the corporate values and culture. In each stage of the journey to the top IT will have to check what the needs of the business are and ensure that their Services offer optimal value with respect to those needs. 3
  • So the challenge for IT is: How can IT help the business to create value? To even further complicating this question the business keeps changing! However the answer remains very simple: Produce the services the business needs. To ensure IT produces what the business needs so business can create maximum value with a minimum use of resources we call “Business-IT Alignment”. As stated at the beginning of this slide this would mean the first goal for IT is to prepare for change. 4
  • If we zoom in on Business - IT Alignment the first thing you noticed is that it is not a new field of interest. With so many people out there expressing opinions about Business – IT Alignment there is bound to be a lot of confusion of terminology, Goals, approaches, benefits. Interesting to notice that only Business – IT Alignment is such a hot topic. The other corporate functions do not seem to think so much about alignment with business. Some further investigation revealed that of the topics listed above only Business-IT Alignment is a topic on Wikipedia. The others do not even have a placeholder. So there seems to be room for consults to establish expertise in any of these other fields. 5
  • Here you see the classical views of Business – IT Alignment: Business on top, deciding on the corporate strategy. Next the CIO talks to the CEO to understand corporate strategy. Based on that understanding IT develops the IT strategy in alignment with the Corporate strategy For Example: The corporate goal of a electricity company might be to reduce CO2 emissions. The resulting IT Strategy might be to create Power Saving Services. Would you consider this Value creation for business? I would not. Gartner states: “Stop worrying about the business value of IT; instead, get recognition for IT's contribution to business success by tracking business process and corporate performance metrics and demonstrating how IT contributes to those metrics.” (How to Stop Worrying About the Business Value of IT, 26 may 2006, ID Number: G00138957). When we look at that statement the questions that come to mind are: •How many CFO’s are actively working on the balance sheets as part of the financial close process? •How many manufacturing directors are active on the assembly line as part of the production process? An example: For Walmart the core-business process is distribution. The complete focus of this company (including IT) is on creating an efficient distribution mechanism. IT offers a mechanism that tracks in store availability of product by taking stock information combining it with sales information from the Sales Registers and informing the shipping and purchase departments to re-fill when required. That is the value created using these systems is clear! An other example this about the Dutch company Alex, a Internet Stockbroker. The Value IT helps to generate starts the moment the customer enters its purchase information via the Internet. The automated systems validate the purchase order, check if they are within the customers limits and automatically transfer the order to the trading floor for fulfillment thus saving handling cost and time. There is no discussion how IT contributes to the Business value there. Bottom-line: Value is created on the work-floor! 6
  • So Alignment for the purpose of Value creation is not about Business-IT Alignment. It is about HR-IT Alignment AND Shipping-IT Alignment AND Sales-IT Alignment AND Etc…… The challenge however is that each of these functions is unique in their requirements. For example: -The Finance Department might be subject to Sox -The HR Department on the other hand might need to comply with Data Privacy regulations. - The Finance requires their systems to be available during the financial close period (Monthly, Quarterly or Yearly) - For the trading department system availability during the market opening hours might be vital. An example of the latter: When a Dutch financial company started a service were customers could call in their stock-orders via the telephone they learned this the hard way. The system used by the call center to book the order and transfer it to the trading floor initially was unstable. As a result in some instances there was a substantial delay in fulfillment of orders. So orders were not completed against the prices as expected by the customers. If this was in the advantage of the customer nobody complaint but if the customer got a worse price than expected he would complain. To ensure the credibility of their new service the bank decided to honor all complaints by refunding the difference thus paying for the difference between expected purchase price and actual purchase price out of its own pockets. 7
  • When the company grows into a multi national this complicates the picture even further: For example in different countries different laws are applicable: EC regulations prohibits the export of personal data outside the EC boundaries unless strict rules are met. So if IT wishes to offer a service to HR for the storage of all Employee Data world wide they should take this into account when deciding the place for the physical datacenter. An other example. Besides the time zones to consider when offering IT Support, different cultures have different working weeks. In the Middle East the weekend starts Thursday afternoon and people start working again on Saturday. A Saudi Arabian sales person for a multi-national company would expect to receive IT Support if his systems fails on Saturday Morning when he returns to the office. As a result, to offer Office-hour support for a globally provided IT Service effectively means the IT Department has to set-up 24x7 hour support! 8
  • So how do we handle all this complexity? First we should set-up stakeholder management. The primary goal of which is to create Stakeholder groups. A Stakeholder group is a subgroup of the Business sharing one or more characteristics that cause them to have similar product needs. The ideal Stakeholder Group meets the following criteria: -it is distinct from other segments (heterogeneity across segments), -it is homogeneous within the segment (exhibits common attributes); -It is recognizable and approachable (it can be represented by a mandated representation) When creating these groups there are no absolutes, each choice is a trade-off between advantages and disadvantages. There is no textbook implementation each solution is as unique as the organization it is created for. 9
  • When we engage in this exercise the first question is how many Stakeholder Groups should we aim for? The answer: It depends. This differs per enterprise, first of all the variation of requirements is an important factor here. Furthermore the corporate culture is important. Enterprises that have a culture of product standardization such as Mc Donalds and Microsoft are more likely to accept a standardization approach from there internal Service provider than a company more used to customization like Capgemini or Starbucks. 10
  • The second question is what does the business architecture of the organization look like? To ensure Stakeholder Groups are recognizable both for IT and Business alike it is often best not to deviate to far from this structure. However the goal is to create a breakdown that IT can use to create service offerings, to ensure the result is fit for purpose IT might need to deviate from the organizational structure as described by business. This example shows how the Upstream Division of an Oil Company is segmented according to the business as opposed to the way IT segmented the same division. You will noticed it looks similar but not the same. It is important to notice that these kind of differences, though useful, can be the source much miscommunication and misunderstanding. The result of the Business breakdown of IT should therefore be communicated and discussed with the different stakeholders to minimise this risk. 11
  • If the organization is segmented into regions it is wise to adopt the same regions unless there are clear reasons not to. For example in case of an Oil Company the regions are described as displayed. One of the Services IT offers the Business is a system that stores the proven Oil Reserves per region/ country and the production figures. As recent history proofed Oil is a strategic resource, countries are willing to go to war over it. As you can imagine in areas were tensions are high leaders of the countries involved have very strict rules about storage and use of this information. In turn this service is offered on a country by country bases. In the case of a financial institute business considered Western-Europe one geographic region. However for the back-office processes (especially those handling the customer financial data) IT found they could not create a single Data centre Service because the banking laws of tax havens like Luxembourg prohibited the export of customer account information. These examples already show that different Services may lead to different Stakeholder segmentation. This further adds to the complexity of the exercise. Since the organization is also subject to continues change as mentioned earlier Stakeholder Management is a continues process that should periodically evaluate and tune the stakeholder grouping. 12
  • Once we established the stakeholder groups the next step is to build the Governance structure to engage with these groups and capture their needs. Needs are defined as “everything that would help business in its effort to create value”. At this stage it is not important if IT can offer a service to meet the need, the impossibility of today might be the possibility of tomorrow. Again an example, about 10 years ago the regional distribution department of a global printer manufacturer based in the Netherlands had a communication need to there foreign Distributors. In particular when looking at the distribution business to Africa they encountered issues. The telephone service (including fax) in a number of African countries was so bad at times the department had to send their product offers via postal mail. The turn around time for these offers to reach the distributor and for the resulting orders to return to the Dutch suppliers office was such that often could not meet the orders because often the offers had already expired. Effectively this made sustained distribution business in these countries impossible. At the time the need could not be met. Only when E-mail came along IT could build a service ensuring faster delivery of written information over long distance with an acceptable degree of certainty of actual delivery. So meeting business needs helps business create value. Needs however are high level, un-quantified, sometimes impossible to meet. Not nearly specific enough for the IT Department to translate into service offerings. To help with the with the more detailed specification first of all we introduce features: Features represent the high-level outline of the possible solution. For example: If the need is long distance transport the feature might be a plane or a car and if we have a general notion about the amount of material we want to transport we might have an idea if the feature should be a car or a lorry. This high-level feature will help to decide who should be involved in designing and creating the final solution. In the example, the feature is a plane then there is no need to walk into a car dealer. At this level the questions is answered if the IT Department should be involved at all. 13
  • Continued… By further looking at the details of the need we start identifying more and more detailed requirements which helps us to reduce the number of possible features. This brings us to requirements management: Requirements Management is the process responsible for gathering and managing all requirements connected to a need. The requirements will help decide which feature is most applicable and than help to transform that feature into the detailed solution to the need. Requirements managements ensures that IT receives all specifications needed to create, run and maintain IT services to meet business needs. Key word here is all specifications, not just the functional specifications of the system that might become part of the service. Also: -the information about applicable law and the resulting compliance requirements -Applicable risks and the resulting control requirements that apply to the service -Support requirements -Financial requirements -Etc. etc. Rule of thumb: Any aspect possibly used to measure the quality of the service during delivery should be quantified in the form of requirements. 14
  • The two cars shown above meet the same need of long distance transportation yet changes in technology and environment mean that both cars are build against fundamentally different sets of requirements. The T-ford was build to meet the requirements at the time and subsequently the model was modified to meet changing requirements. Eventually the model could no longer be adjusted and was retired to be replaced by a new model car which re-started the cycle. This example describes the basic Lifecycle of a product or service. In each stage of the lifecycle it is important to know and understand the Service original Needs, Features and Requirements and the way they evolved over time. Changes in the environment call for adjustments of the Service to be able to make the correct decisions on topics such as adjust or replace it is important to understand the history of the service. Example stages in Full lifecycle management (including the run & maintain) A. The Need is identified yet no technology to respond to the need. (For instance the finance department needs a book keeping method) B. Technology becomes available, requirements are captured and the Service is designed (Peoplesoft introduces its software. IT recognizes the software as the potential feature that meets the need. They contact the finance department come to a basic understanding to develop a solution based on the feature. IT and Business establish the requirement set and build the Service based on the feature) C. Service goes into operation and is delivered to the business (The business starts working with the implementation of Peoplesoft, replacing the paper based system) D. Adjustment of the need results in adjustments of the requirements set. This triggers a change of the service. (The business expands operations from Europe into the United States, the financial department needs to comply with the American Gaap next to the European standards. Furthermore adjustments to the support model are required since the US Finance Department is in a different time-zone). E. Changes in the environment trigger additional requirements to be added to the set. (The introduction of the Sox law triggers additional Control Requirements for the Service. Both application embedded controls and controls regarding the support of the system need to be reviewed and at times adjusted). F. New technology comes to market better meeting the needs of business the investment decision is made to replace the current Service. (Oracle comes with a new solution with improved functionality which offers the finance department more possibilities to automate business process controls thus reducing cost of operation.) 15
  • Continued Knowing needs makes IT pro-active: IT can match new technology against needs & requirements that change over time. The example used is fairly straight forward but let us now assume that during the expansion to the United States (as mentioned in D) it is found that the current system can not be adjusted for US GAAP. This might result in a new Stakeholder Group, a second requirements set and a separate service. Now assume that the new technology from Oracle does have the functionality to handle multiple accounting methods. As a result we can now combine the requirements from all stakeholders into one service offering. This effectively combines the two stakeholder groups into one. The capability to handle those kind of changes effectively and efficiently qualify are a measure of Agility. 16
  • As the quote from John Thorp shows Val IT addresses the same topic: IT supporting business in its effort to create Value. And indeed when working with the Dutch Oil company we used Val IT as one of the industry standards used to create the IT Operating model. 17
  • Hopefully you will recognize the image as the 4 fundamental questions Val IT helps to answer. Stakeholder and requirements management are primary focused on the question: Are we doing the right things (the question in the top left corner). Furthermore it helps to define the benefits that we are checking for in the upper right corner. The Oil company mentioned earlier is currently (Re)-designing their Enterprise IT Governance and operating models CobiT is used as the starting point to define the Processes and Control Objectives that form an integral part of these models. To improve the focus in Business-IT Alignment and value creation the concepts of Val IT were used. When doing so we found Val IT very useful but it did not help us meet the diversity in requirements we encountered in this enterprise. It is when we compared notes with colleagues working other multi national enterprises on similar issues that we came to recognize the value of Stakeholder and Requirements management. It helped us enhance the value of the CobiT and ValIT frameworks. 18
  • The strength of ITIL has always been as a process model for the Run and Maintain departments of IT. With ITIL v3 they expand their views and recognize the issue of Business-IT Alignment and the need to have a clear and complete understanding of the business requirements to ensure the Services offered match those requirements. However ITIL offers little help in designing a structure to ensure timely availability of those requirements. Our approach on the other hand sets out to ensure we know what business requires but does not address how we should create and deliver the response in the form of IT-Services offered. Stakeholder and Requirements management work very well in cooperation with ITIL (Any version but especially Version 3) 19
  • ITIL Version 3 pushes the concept of Catalogue Management and IT Service Portfolio Management. IT offers ideas both for creating these processes and the supporting systems. Stakeholder and Requirements Management help structure the Demand Side of such system and ensure timely and up-to-date availability of the Requirements from Business. 20
  • Both Service Oriented Architecture (SOA) & Service oriented Enterprise (SOE) are currently hot topics. When talking to IT People they primarily think about design of IT Systems in re-usable objects & communication contracts. For the purpose of this presentation on Value creation they miss the point. Reusing components to build services instead of offering the functionality of an application achieves SERVICE ORIENTATION. When we look at the definition of a service according to Wikipedia we find: “A service is a set of benefits delivered from the accountable service provider…” So if we focus on this part of the statement you come to the conclusion that “Service Oriented” leads to “Benefits oriented”. The benefit of SOA is in what it offers: flexibility of functionality at lower cost because of re-use of components. That what we wanted, flexibility of functionality. Stakeholder & Requirements Management helps to pin-point where this added flexibility would assist business most in creating value! The following example: A car manufacturer identifies three types of customers based on the primary question they have when looking for a car: •How fast is it? •How fuel economical is the model? •How spacious is the interior? (The customer is looking for a Family car) To ensure the product offered meets the requirements of each group in the best way the manufacturer could decide to design three different models from scratch. Though it would ensure each groups requirements are met it is not very efficient and as a result not very economical. The solution most car makers apply to: Three different versions of the same base model (one with a power engine, another with a fuel economy engine and a third one as a station car), re-using most of the components. Not only for different types of the same model but even for different models. I guess that makes the automotive industry inventors of SOA! 21
  • Many of the ideas concepts and quotes we used when building the approach and this subsequent presentation can also be found in business-to-business marketing. The fundamental goal of marketing as articulated by Philip Kotler are exactly those goals IT hopes to meet with its focus on supporting business in its effort to delivery value. So instead of running the risk of re-inventing the wheel IT would be well advised to take notice of and learn from the findings of Business-to-business marketing. In particular knowledge on topics like Market segmentation (Stakeholder-grouping) and Needs identifications could easily be re-used. The fact that I have never encountered a marketeer working for the IT department suggests there is room for improvement! 22
  • When looking at the question of which size company should take notice let start with a rule of thumb: •You don’t need a dedicated manager unless you have an organization of at least 20 people. •You do not need formal governance structures until you have at least 10 managers. Therefore IT Governance only becomes a topic of interest when the organization has an IT Department of at least 200 people. If one in 50 personal is in IT this would result in a company size of at least 10.000 employees. So does that mean that each representative of a smaller organization just wasted his time on this session? If your organization has no intention to grow maybe, for all others if you do not wish to be surprised in the wrong spot without a clue how you got there mark the words of Wayne. The examples used are mostly taken from larger corporations since they are easily recognised. However IT Diversity as Gartner calls it starts from the moment the company has more than one employee. It is a gliding path of constant change for the IT Department. To be considered truly agile they need to be able to recognize and react to each next step in the growing complexity of IT Requirements. Signs of this growing complexity are for instance: -Creation of function departments -Addition of Divisions -International expansion -Transcontinental expansion -Creation of Service Centres -Etc. 23
  • And once you are truly focused on understanding and meeting the needs of business there is always the alternative view. For the best of reasons forces within the IT Domain might try to distract you from “the path of enlightenment”. A warning from Gartner, in their article named “Trends driving increased IT Diversity” they state: Demand for IT Diversity has been growing for years, furthermore it is expected to grow for the next 10 years. If IT does not react with differentiated services and technologies to meet this development Business will find alternative sources. This will most likely result IT losing the control over the IT Environment. In turn that might easily result in unwanted exposure to unknown and/ or uncontrolled risks. 24
  • So the last remaining question is can the benefit of the approach be quantified in any way? The search to answer this question lead to an Article in the MIT Sloan Management Review called “Avoid the alignment trap in IT”. This article describes the research investigating 453 to position them according to their level of IT Alignment (on the vertical Axe) and the effectiveness of IT (On the horizontal axe). For each of the companies the research rated each of the companies of their spend of IT as a percentage of revenue (against the baseline set in the maintenance zone) and the average business growth (also against the baseline set in the Maintenance zone). The following results were note worthy: -A high level of alignment with business of a less effective IT Domain leads to above average IT Spend but a below average business growth. The underpinning explanation could be that at a high level of alignment will lead to a high diversity in Service Offerings. A department which is challenged to meat its commitment will have even more issues of the diversity of the services offered increases. - Highly Effective but IT Departments with a lower alignment level can more easily engage in cost savings which will result in a below average IT Spend (15%). Since the IT department is effectively meeting the (limited variation) in Business demands for business this does translate in an above average Business Growth. - When IT starts looking for more business IT Alignment while it is capable of effectively delivering on its promises we see that the IT Spend remains below average but not as significant as in the Well-oiled IT quadrant (the complexity of the services offered will increase the IT Spend). But the resulting additional Business Value (measured in Business Growth) is formidable (35% above average versus 11% for less aligned companies. The overall conclusions from this research: -Before increasing IT-Business alignment for the purpose Value creation make sure the IT Department is operating effectively so it can actually meet the higher level of Service Complexity. -If this requirements is met increased Business-IT Alignment can lead to significantly high Value created by business. 25
  • Questions? 26
  • 27