Sometimes the best defense is deletion – CSO Online – Security and Risk


The point is prescient.  In these early days of Big Data awareness the battle between information management and store-now/analyse-later can obscure two other issues: cost and necessity.

ONE BIG POT

Does the practical technology really exist for an organisation to move away from structured databases and simply tip all of its information into one big ‘pot’, to be mined for gold nuggets at a later date?

Storing information (as opposed to just letting stuff pile up) is a costly business, and the decision to store information usually comes from people on higher pay bands.  The decision of where to locate it is often a manual one which not only carries a significant management overhead of its own but also requires co-ordination with other high pay bands.

THE COMPLEXITY OF INFORMATION


Add to this dilemma the complexities of  ‘legal hold’ on material and the identification of ‘discoverable’ items.  Suddenly information management looks a lot harder and the siren song of Big Data seems a lot more alluring.  The problem is that information that is not valuable to some is valuable to others.  Who is qualified to make that decision?  Should all information be held given that it will likely have some enterprise value?  The battle is between cost and necessity:

  1. Cost:  Deciding what to keep and what to get rid of takes management time and effort that costs money.  The problem is that it is neither cost effective nor good policy to push hold/delete decision making down to the lowest clerical level.  The secret is to have those decisions made by more senior case-workers, but only within their limited remit.
  2. Necessity:  The secret is to categorise management information to determine necessity.  Use a workflow to cascade and delegate (not to avoid) work.  As an item moves it accumulates metadata.  No metadata means no necessity, and therefore it should be disposed of automatically (setting aside the separate arguments of regulatory compliance).

THE ANSWER

The answer is to automate the deletion of information (other than material under ‘Legal Hold’).  Once a document/question has reached the end of the workflow without accumulating any metadata, the information should be disposed of automatically.  Case-workers make the decisions to act on the document/question and metadata is attached by more clerical staff (on lower pay bands) as the item moves through the workflow.  If no metadata is attached it can be assumed that the item is not important and it is therefore disposed of.  Cost is minimised by letting case-workers make decisions of relevance within their own sphere of expertise, without the additional management overhead of de-confliction meetings and the like.  In this way the enterprise makes a collective decision of importance and stores the information accordingly, thus answering the question of necessity.
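The rule above, as an added example that is not part of the original post and not code from any product it mentions: a retention sweep that disposes of items which reach the end of the workflow with no metadata attached, never touches anything under legal hold, and writes an audit record for every decision so the deletion itself remains discoverable. The `Item` fields, the `closed` stage name and the sample inventory are all hypothetical.

```python
"""Retention sweep for the 'no metadata at end of workflow' deletion rule.
Added example, not code from the original post. Item model, stage names and
the sample inventory are hypothetical and constructed for illustration."""

from dataclasses import dataclass, field
from datetime import datetime, timezone

FINAL_STAGE = "closed"  # hypothetical name of the last workflow stage


@dataclass
class Item:
    item_id: str
    stage: str                                   # current workflow stage
    metadata: dict = field(default_factory=dict) # tags attached as the item moved
    legal_hold: bool = False                     # legal hold overrides everything


def disposal_reason(item: Item) -> str:
    """Explain why an item is retained, or say it is eligible for disposal."""
    if item.legal_hold:
        return "legal hold"
    if item.stage != FINAL_STAGE:
        return "not at end of workflow"
    if item.metadata:
        return "metadata attached"
    return "no metadata at end of workflow"


def should_dispose(item: Item) -> bool:
    """Dispose only when the item has finished the workflow AND nobody attached
    any metadata to it along the way. Legal hold is checked first so a held
    item is never eligible, whatever else is true of it."""
    return disposal_reason(item) == "no metadata at end of workflow"


def sweep(items, now=None):
    """Return (disposed_ids, retained_ids, audit_log). The audit log records
    every decision, including retentions, so the sweep can be reviewed later
    even though disposed content is gone."""
    now = now or datetime.now(timezone.utc)
    disposed, retained, audit = [], [], []
    for item in items:
        reason = disposal_reason(item)
        decision = "dispose" if should_dispose(item) else "retain"
        audit.append({"item": item.item_id, "decision": decision,
                      "reason": reason, "at": now.isoformat()})
        (disposed if decision == "dispose" else retained).append(item.item_id)
    return disposed, retained, audit


# Constructed sample inventory (not real records).
SAMPLE = [
    Item("doc-1", "closed"),                                      # untagged: disposed
    Item("doc-2", "closed", {"case": "C-17", "owner": "jsmith"}), # tagged: retained
    Item("doc-3", "closed", legal_hold=True),                     # held: retained
    Item("doc-4", "review"),                                      # still in flight
]

if __name__ == "__main__":
    gone, kept, log = sweep(SAMPLE)
    print("disposed:", gone)
    print("retained:", kept)
    for entry in log:
        print(entry)
```

The ordering of the checks is the point: the legal-hold test sits before any other rule so that a held item cannot be deleted by a later change to what counts as "metadata", and the audit log is written for retentions as well as disposals so that a missing item can always be traced to a recorded decision.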

Will CIOs Really Focus on the Business in 2013?

“Whilst CIOs are predominantly drawn from the infrastructure segment of ICT there is unlikely to be a shift in focus towards proactive business initiatives.”

The CIO’s commercial prerogatives largely stem from CEO directives, as they tally with other recent CEO surveys from McKinsey & Co and others.  It is likely, however, that the need to increase services to corporate clouds through a myriad of new/personal devices, during these times of severe cost pressure, will keep CIOs occupied for the next year at least.

Looking to the future, until business schools focus their corporate decision-making modules on information management and its technology enablers, the dearth of IM-savvy senior executives will continue, and with it the lack of pull-through into the CIO role.  The solution is likely to come in one of two ways, namely:

  1. A cost/complexity inflection point will be reached.  Medium-sized businesses will begin to outsource not only their IT but also their IM.  As better IM begins to solve business problems, some people will naturally be pulled through into full-time corporate CIO roles.
  2. Alternatively, clever CEOs will shift the accounting of their IT departments towards profit centres.  CIOs will be forced to come up with innovative chargeback models and new services in order to compete, beyond storage, for non-essential services.  The good will survive and the bad will move back to being small, in-house IT departments.


Gartner Executive Program Survey of More Than 2,000 CIOs Shows Digital Technologies Are Top Priorities in 2013

“The survey showed that CIO IT budgets have been flat to negative ever since the dot-com bust of 2002. For 2013, CIO IT budgets are projected to be slightly down, with a weighted global average decline of 0.5%.”


The survey clearly shows that projections of huge IT spend increases are fanciful.  CIOs are not only being asked to do more with less but also to help innovate and expand with less.  New investments will need to show a clear ROIC if they are to be approved.

Ideas for innovative technological support to the business will not be the problem.  CIOs will need to create new ways of measuring the value they deliver to the business.  In developing business cases for MIS they will need to move away from NPV analysis alone and start to measure the net increases in managerial decision making and knowledge capital.  Only then can IT departments start to pull through emerging technology quickly and create corporate value faster.

EA as Strategic Planning: I’m Still Not Convinced

A recent blog entitled “EA is Strategic Planning” highlights a sentiment held by many enterprise architects (a widely abused moniker) that what they are doing is new, ingenious and necessary.  I’m still not convinced.  Whilst one cannot decry the skills, expertise, knowledge and ability of many enterprise architects, I have yet to see a cogent argument that what they do is either cost effective or necessary.

Heresy?  Hardly.

The enterprise has done remarkably well since the Dutch East India Company was granted its royal licence in 1600.  The rise of the enterprise has not abated, and diversified companies such as Du Pont and ITT have shown that complexity and size are no obstacle to good, valuable shareholder growth.

IS EA JUST GOOD IT?

I am in two minds:  (i) EA has certainly helped the IT community cope with complexity by bringing a portfolio view to ICT programs, but (ii) EA has added no significant value to a listed company (beyond good sense and well-delivered IT programs), nor reduced its risk to such an extent as would warrant a dedicated EA function.

EA has likely been the product of a traditional lack of the requisite skills to translate the social value of collaborative software into corporate monetary value.  It is worth noting that embedded systems (such as robotics) and operational systems (systems that a given corporation simply cannot perform its operations without) are not included in this assessment as their value to the business can be calculated in a simple NPV assessment of projects, i.e. the system will directly result in higher discounted cash flows.  That this should be the job of a programmer is nonsense.  That large commercial enterprises are only beginning to adopt social media systems (which people have been using for years) highlights the general inability of enterprises to grasp the financial value of subtle and complex ICT.

SO WHAT DOES EA OFFER?

Enterprise architecture is not strategic planning.  As much as I like David Robertson’s book “Enterprise Architecture as Strategy”, it is farcical to suggest that the structure of an organisation should either come first or drive (other than in its broad parameters) the functional design of the business model.  If EA is to deliver value to the organisation then it must reach beyond large, complex IT.  To add real value it must be the function which is capable of reaching across the business silos to solve the problems which the corporation does not yet know it has.

ENTERPRISE ARCHITECTURE AS A SEPARATE DISCIPLINE

Enterprise architecture must grow out of its humble ICT beginnings if it is to have the boardroom cachet and intellectual gravitas necessary to drive strategy.  EA must develop beyond its systems engineering fundamentals and extend its validity into the statistical relationships between technology structures, information performance and shareholder return.  Only in this way will EA be able to communicate the financial return which subtle and complex MIS can add to a company.  Whatever enterprise architects believe they can do, they will not get the opportunity to display their value, beyond simple tenders, unless they can convince the finance function.

The Efficiency vs. Effectiveness – customer focus is the key | LinkedIn

The Efficiency vs. Effectiveness Debate Continues | LinkedIn.

Efficiency is a key enabler of effectiveness.  Effectiveness goes towards value, whereas efficiency goes towards cost.  Ask the question: “If the enterprise was less efficient, would it still be effective?”  The answer will give you an idea of just how important effectiveness is to the enterprise (i.e. government or corporate).

Efficiency becomes more critical the further removed the task/issue is from the customer.  The customer does not care one jot how efficient your processes are.  The customer has not the slightest concern whether your systems are efficient.  Whether a corporate customer or a recipient of government services, they want effectiveness.  Whether they will pay a premium for that will determine the price.

For back-office functions, however, efficiency is critical.  In the treasury-2-cash process the result should always be the same.  In procure-2-pay the result should always be the same.  Effectiveness is not an issue:  it must be effective and therefore efficiency is critical.

In a recent project with the good folk at Glentworth the team looked at disaster management and concluded that its key failing was not the efficiency of the emergency services but rather the effectiveness of the function across the entire value chain.  Efficiency was the critical attribute of emergency response, but effectiveness was the missing ingredient in the current approach to disaster management.  For the 2010 floods in Queensland, the interim report of the Queensland Floods Commission of Inquiry made (inadvertently) a good distinction between effectiveness and efficiency.  To paraphrase the Commission, it noted:

‘. . . of the 37 people who died, 22 of them would still be dead even if the Emergency Services had been as efficient as possible.’

VALUE CHAIN ANALYSIS

Efficiency is critical but as the above quote demonstrates it must work in tandem to deliver what Peter Drucker noted was the real purpose – Value.  Efficiency should be pursued where business units can be structured as modular units and deliver repeatable processes which are removed from the customer.  In customer facing activity it is vital, however, to ensure that effectiveness is the key.

ORGANISE INFORMATION FUNCTIONALLY NOT STRUCTURALLY

In order to achieve this, businesses and government services need to manage activities right across their value chains (and possibly across their extended value nets as well).  Much like disaster management, it is good for businesses to achieve operational efficiency but fairly pointless if the product or service is ineffectively delivered or ineffective in the hands of the customer.  The structure of government highlights this point.  Government departments, like most businesses, act structurally not functionally.  Teams and departments are forced into ineffective outcomes through rigid structures which enforce inefficient workflows.

In days of yore this did not matter, but with the ubiquity of smart devices and easier access to a more competitive array of services the need for a greater focus on effectiveness is becoming more apparent.  Recent articles on the move to a customer-centric focus highlight this.  In order to achieve the best possible blend of effectiveness and efficiency, governments and businesses need to manage customer interactions functionally to achieve the best possible outcomes.  Both types of enterprise should structure their delivery business units modularly and manage workflows using experienced caseworkers.  This does not mean that work should be managed on a costly case-by-case basis, but rather by exception.

There should be no debate between effectiveness and efficiency.  Both are critical but to paraphrase Drucker it is only with the right blend that enterprises can achieve value.

2013: Not The Year Of The CIO – Yet

It is highly unlikely that this will be the year of the CIO.  Tom Curran is entirely correct that CIOs need to get closer to business units to prove their value.  After years of uncontrolled IT budgets and then recent vicious cost reduction programs CIOs need to prove that they are more than email, storage and security.  CIOs need to be proactive in supporting the cost of businesses and that means developing capability.

Firstly, there are 3 types of business tech: (i) embedded systems such as robotics, (ii) operational systems such as customer ordering systems, and (iii) management information systems  such as email, ERPs, ERMs, collaboration tools etc.  The first two are largely accounted for in the cost-of-goods-sold but the latter is usually accounted for as overhead in SG&A.  Although their worth is unquestionable (could a large company really do without email these days?), it is these MIS systems which are notoriously hard to prove the value of.

There is still little evidence that MIS directly increase profitability.  Corporate IT spending largely increases in accordance with SG&A costs which tells us 2 things: (a) that as companies grow and increase their revenue they increase their management commensurately, and (b) IT is bought to connect this management.  There is not some inflection point where systems are bought, magic happens and companies become organised.  Organisation is the job of the business but enabling that by bringing distributed human communities together through electronic communications is the primary purpose of MIS.


In order to become the critical enabler that it has always wanted to be, IT needs to focus on capability and not just costs.  Although Tom suggests that this will be achieved through in-house architects, I would suggest that in-house capability is too hard and costly to maintain at the level required to actually analyse and build business capability.  The only function that should be retained and honed in-house is information management.  Businesses need to be absolutely certain about exactly what information (at an atomic level) actually makes them money, and how.  Outsiders without the context, peripheral information, subtext and political insight cannot adequately contribute to this role.  Only once the business understands the anatomy of its financial dependencies can it adequately source architectural support in order to build business capability.  The business which misses the point and only develops architecture is just gilding the lily and will be rewarded with a higher overhead burden which it then needs to charge back to disgruntled internal customers.

Is this achievable in 2013?  The likelihood of this belies my underlying assumption that CIOs do not belong in the C-Suite.  As critical as technology and information is to business it is only a critical enabler and not a separate function in itself.  Due to the radically different skills which the technical community possess I do not believe that they will ever be able to set the agenda in non-digital industries.  Putting CIOs in the C-Suite merely overemphasises the importance of technology as an end and not merely the means.  It is here I think that standard operations should stop abdicating its responsibility and start setting the technical agenda and this will certainly not happen in 2013.

Visual Search: don’t get too excited

https://www.linkedin.com/today/post/article/20130116062041-50510-a-great-day-for-human-computer-information-retrieval

Visual search is not new, and it is so obvious that it hardly seems something to get too excited about.  In well understood, discrete systems visual search is an excellent means to share and develop multi-disciplinary, cross-functional information without the need for complex ontological integration or the tedious and often futile process of trying to agree corporate taxonomies.  If there is no visual boundary to the relevant information, then creating contextual diagrams will hinder the retrieval of information rather than help it.

The military have used visual information storage and visual representations of information in counter-terrorism generally and within intelligence systems in particular.  “Starlight” by PNNL and i2 Analyst’s Notebook both use various methods to visualise terrorist networks and their contexts.  Nimbus Control has used this technique for a number of years: building a simple graphical representation of a company’s process (e.g. Carphone Warehouse) which then links to SharePoint file stores in corporate repositories allows various functions to collaborate around a common visual understanding.

In a recent blog I wrote about the utility of visual search (and its limitations) in managing corporate information.  It doesn’t matter if information overlaps, but those intersections need to be linked back to the relevant file systems.  The beauty of visual search is that visual representations are more easily understood, so long as the user communities are not too disparate.  Moreover, they are more cost effective because they require less UI consultation and design as well as lower change management budgets.  In sum, there needs to be a purpose and the ability to draw a boundary around a discrete area of information, and companies should limit visual systems to such areas in order to corral common understanding.

The Failure of Risk: lessons from the GFC

We live in uncertain times.  The failures in risk management which led to the global financial crisis have created an unprecedented set of circumstances.  Not only are regulators imposing heavier compliance burdens, but shareholders and investors are demanding greater reporting and higher levels of information transparency.  On top of all this, operational costs are too tight to carry the overhead of separate risk and assurance functions.

When the analysis is done there are 6 key lessons to learn from the global financial crisis:

  1. Integrate G, R & C.  In medium and large corporations isolated risk management practices actively work against the business.  Technical and operational experts will identify risks from experience and create risk slush funds to mitigate them.  These increase the cost of business and in many cases price the company out of the market.  In an integrated GRC system the firm is able to manage risks across business units so that the risk funds are held centrally and do not add a premium to initial project costs.  Risk identification and analysis percolates from the bottom up, but governance is driven from the top down.  In an integrated system they both work within the business lifecycle to add the right mix of checks and balances so that no additional drag is added to investment/project approvals.
  2. Make Passive GRC Active.  Systems need to be active.  They need to hunt out risk, define it, quantify it and measure the dependencies of the risk.  Then, those same systems need to bring it to the attention of the executives so that they may make informed investment decisions.  In the end, humans follow the law of least effort: employees will follow the path of least resistance in designing and gaining approval for their projects.  GRC must not follow a system of honour and audit but rather one of active assurance.  When GRC systems are passive the business lifecycle becomes clogged with nugatory and useless program reviews that turn into technical sales pitches by design teams.  Such events and practices only serve to affirm the belief that GRC is a legal burden and one which only serves to satisfy the needs of regulatory compliance.  Raytheon, for instance, has an excellent system of governance by exception.  Its Integrated Product Development System (IPDS) has active governance measures and allows Raytheon to manage a pipeline of thousands of critical projects dynamically and by exception.
  3. Get Granular.  When projects fail it is not usually because the risks have not been adequately managed.  The primary problems in risk practices are the failures of risk identification and analysis.  Managers are simply unable to deal with risks at a granular level and then weigh them up on a per-project basis.  This is largely because the technical skills needed to do so are not within the standard skill sets of most executives (though they are within the more mathematical ones of the FS&I industry).  Where this disparity exists, businesses need to develop separate Red Teams or Assurance Teams, either from the existing PMO or from hand-picked executives.
  4. Bottom Up & Top Down.  Risk management is bottom-up but governance is top-down.  The technical skills and software reliance involved in effective risk management mean that the entire practice usually percolates from the bottom of a business, upwards.  Consequently, unless it fits within a comprehensive governance framework it will be open to being gamed by senior executives.  This is why major projects which are seen as must-win are often approved with little or no governance or assurance.
  5. Risk Ownership.  Risks need to be owned at the lowest responsible level.  This is to say that when things go wrong the person at the lowest level who has the greatest amount of operational responsibility must be able to take charge to mitigate all aspects of the risk.  It is vital that the person owning the risk be able to recognise the variables which may see the risk realised.  It is also critical that the risk owner understand the corporate decision points, i.e. the points at which the contingency plans should be triggered.
  6. Invest in the Right Type of Risk Culture.  Risk should not be a dirty word.  Risks are inherent in every project and balancing them quantitatively and qualitatively is an essential skill for all senior executives.  Risk should be as much about seizing opportunity as it is about guarding profitability.  Businesses need to invest in top talent in order to drive good risk practices from the top.  Effective, Active-GRC involves a complex array of tools, practices, structures and processes which need an experienced senior executive to drive them constantly and consistently in the business.  The softer side of risk management cannot be neglected.  The nature of risk forces people onto the defensive as they attempt to justify all aspects of their project designs.  CROs need to help executives understand that all projects must balance risk if they are to attempt to push profitability.  Otherwise, risk cultures will mire companies in conservative, risk averse cultures which only act to add friction and reduce profitability.

Risk practices need to work together inside a single, comprehensive risk framework that goes beyond simple probabilistic modelling and disjointed regulatory compliance.   Businesses need to implement processes which not only integrate the business lifecycle but actively increase both liquidity and opportunity for risk to be seen to add real value to the company.   Only once this is achieved can risk management cease to be an operational drag for the business and become a value-adding proposition which works actively to increase the profit and performance of a company.


Is it really OK to bash HR?

In a recent article in Forbes magazine online, Ron Ashkenas wrote a heartfelt piece on how essential the Human Resources function is in response to recent HR bashing.  He wove a lovely story of  how critical the function is, how deeply misunderstood its people are and how we should all band together to help this function succeed.


The idea that we should all club together to support a non-operational function outside both our remit and remunerative motivation is farcical.  The truth is twofold:  (i) Firstly, bad hires come from bad specifications.  HR cannot be blamed for finding the wrong person that a business unit specified.  (ii) Secondly, HR needs to force the various business units to communicate their needs proactively and pre-emptively.

There is often a lot of subtext, contextual knowledge and peripheral information which comes along with requests for a new hire.  Internal HR managers need to get analytical if they are going to remain relevant and not cede their function.  If they fail to grasp the cost and revenue interdependencies of various roles then external boutique consultancies will thrive.  These companies will analyse, assess and source the best talent.  There will be a premium on this cost and it will ultimately be funded by removing more internal HRs.

The research tells a story.  In a recent survey by McKinsey, CEOs identified the top 8 barriers to talent acquisition and management.  At the top of the list was the failure of senior management to spend enough time on HR.  This is not HR’s fault, even if blaming HR is currently fashionable.  Another factor was perceived to be the failure of managers to understand that good people are good for good business.  Good people execute strategy well.  The secret to this is understanding (a) the structural roles which people satisfy that are vital to the effective functioning of the business, and (b) the functional knowledge which is inherent in executing those roles.

In a recent post I wrote about the likely demise of internal HR and the rise of boutique consultancies with the skills to analyse, assess and source talent.  Internal HR is better placed to deliver this role, and more cost effectively.  They should know and understand the people, they should understand the dependencies, they should have a clear understanding of contextual knowledge and they should also be able to bolster the role specs with additional peripheral information.  Critically, managers need to know which position their staff play.  Without this understanding businesses look like an under-12 soccer team where everyone is chasing the ball.


Top 5 Benefits of Effective Risk Management

BENEFITS OF AN INTEGRATED “ACTIVE GRC” FRAMEWORK

After the failure of risk management during the recent (and ongoing) financial crisis one could be forgiven for thinking that risk management – as we know it – is dead.  However, effective risk management is the only means which businesses have to:  (i) assess and compare investment decisions, (ii) seize subtle opportunities, and (iii) ensure regulatory compliance.  Risk management has greater utility beyond these obvious benefits.  Listed below are 5 of the top financial benefits of effective risk management:

1.  IMPROVED LIQUIDITY

When managers cannot identify or mitigate complex risks they create risk contingency slush funds and pad their accounts with excessive risk premiums. This is not an efficient allocation of capital and it can even price a business out of the market. Precise identification of risk premiums removes these slush funds and creates greater firm liquidity and the ability to allocate capital where it is needed.

2.  BETTER PROJECT PERFORMANCE

The best methods for risk identification and analysis in projects are the quantitative analysis of cost models and project schedules.  However, these methods are only useful where such models are sufficiently detailed.  Good risk management leads to greater collaboration by cross-functional teams to optimise cost and schedule performance.

3.  BETTER OPPORTUNITY MANAGEMENT

With greater liquidity comes the ability to seize emerging opportunities. Not only can the company use this capital across portfolios to manage risks but it can also seize opportunities for M&A, talent acquisition, share buybacks, increased dividends, employee bonuses or increased project funding/investment.

4.  CONSENSUAL MANAGEMENT CULTURE

As managers work across the business to calibrate cost models with project schedules, and the contract and commercials with the technical architecture, the business is forced to adopt a more consensual, multi-disciplinary approach.  Where GRC is implemented as part of a high-performance business initiative the culture is more likely to stick than one imposed from the top down.

5.  IMPROVED REPORTING & DECISION MAKING

An active GRC process which is fully integrated with the business relies on the quantitative analysis of core artifacts (cost models, project schedules and technical architectures and contracts). A quantitative culture coupled with regular, detailed analytical outputs also greatly improves the standard of financial and operational reporting and therefore the possibility for improved investment decision making.