Governance Risk & Compliance - Bizzdesign
https://bizzdesign.com/blog-category/governance-risk-compliance/

Taking compliance to the next level
https://bizzdesign.com/blog/taking-compliance-to-the-next-level/
Thu, 11 Feb 2021


Internal regulations governance has become more and more critical both because of exogenous pressures (e.g. an ever-changing legislative environment, increased scrutiny from regulatory institutions) as well as endogenous ones (e.g. frequent organizational changes and corporate acquisitions). A company’s own regulatory framework consists of various sorts of documents. Some have merely an informative purpose, others regulate operational activities, while others still focus on the internal control system.

Internal regulations take many forms: policies, manuals, organizational communications, organizational and management models, ethical codes, information notes, service orders, procedures, operating instructions, operating manuals, function charts, job descriptions and so on. We are still far from universally adopted reference standards, so each company creates its own terminology. For example, those who adopt a quality system will most likely use terms such as “manual”, “procedure” and “operating instructions”. But despite the certifying bodies and industry guidelines, in each company each document type will have a slightly different connotation, with significantly different purposes, content type, and level of detail.

In everyday experience, we are all well aware that the complexity of regulations is layered over time. The difficulty of accessing and using information can give rise to situations where employees adopt operational practices that are a far cry from official ones. These are often based on word of mouth, which can result in conduct that does not comply with current legislation and exposes the company to high risks.

A bit of history of internal regulation in Italian banks
An important push to modernize the entire documentation system behind internal regulation came in the banking sector towards the end of the nineties and the beginning of the new millennium. Mergers and acquisitions in previous years had greatly increased the size of banks. An undesirable consequence of this consolidation process was the emergence of difficulties in coordinating and controlling these new structures.

In those years, the first revision initiatives started, with the result being that regulations were rewritten using BPA (Business Process Analysis) tools. Although those efforts were far from perfect, one cannot deny that they achieved surprising results. A large banking group, as a result of the merger of three different companies, managed to reduce the number of documents to do with regulation from 27,000 to just 2,800. Other banking groups achieved even more surprising results to do with reclassifying and updating content.

The negative inheritance, beyond a few virtuous examples, was above all to cement the idea of a passive repository (of processes and regulations), into which the contents were fed retrospectively once the design already existed. That is because BPA tools were not used for process improvement by experienced analysts, but simply for documenting the ‘as is’. In practice, it reduced work to “taking minutes” of existing activities and practices.

Today, business process analysts are turning their tools back towards their primary role, that of analysis, while those who used them exclusively for documentation are abandoning them. Thanks to those experiences, the drafting of regulatory content, as well as the way it gets approved, is changing: it now takes advantage of modern collaborative and social platforms, such as Bizzdesign HoriZZon, in an environment that is becoming increasingly integrated with existing systems while continuing its move to the cloud.

Internal regulations today
The regulatory management process in medium and large companies varies greatly with industry sector and business complexity. Digitization is a need felt by all businesses, but Word and email are still the most used tools today. When it comes to designing internal regulations, many organizations use Word for the drafting phase, while publication takes place through the corporate intranet. The degree of digitization is therefore low compared to what the process could support.

The most interesting aspect concerns the sharing and dissemination of rules, which nevertheless remain documents (albeit electronic). The transition of the standard from a “document” to a set of “content”, which began in the 2000s, has only partially been completed. The improvement of use and legibility is entrusted above all to search features, able to provide direct access to the paragraphs of interest and navigability between the different sections.

In my experience working with customers, I believe that it is possible to achieve better results by working upstream, on the initial design of the document structure and the drafting process. Current technologies allow methods of rationalization to be applied to regulatory content. This has proven effective in overcoming the technological and cultural limits that historically resulted in subpar use of BPA tools, while at the same time preserving their integration. These methods and technologies also greatly improve usability, facilitating the introduction of chatbots and allowing the integration of FAQs.

All digitization projects share objectives such as the reduction of low-value-added manual activities and the traceability of activities. In addition, a digital transformation project in this area must be measured by the ability to implement, and therefore not only describe, the desired changes in the shortest possible time. Further benefits can be achieved by breaking away from the ineffective practices of ‘record keeping’. Since internal regulation describes the functioning of a company, its governance is an integral part of the broader change management process.

This will be a key success factor in the future, both because of the ability to adapt quickly to new regulations and to respond quickly to market changes. And this chameleon-like ability will only be further stimulated by the integration between the worlds of regulation, risk management, and enterprise architecture. After all, is managing internal regulation not part of Enterprise Architecture?

Address regulatory compliance in Financial Services with Enterprise Architecture
https://bizzdesign.com/blog/address-regulatory-compliance-challenges-in-the-financial-services-industry-with-enterprise-architecture/
Mon, 07 Dec 2020


Introduction

Regulatory compliance is a core business fact of life for the financial services industry today. Compliance is not only about combating financial crimes such as money laundering, fraud, and tax evasion, but also about operating in a prudent and responsible manner and being able to prove that you have the policies, procedures and processes in place to do so reliably, covering everything from capital and corporate governance to data privacy, disclosures and diversity. Compliance plays an essential role in helping to preserve the integrity and reputation of a bank.

The last two decades have seen thousands of new regulations introduced by various regulatory bodies for the financial services sector. The most prominent ones are the Patriot Act and the Dodd-Frank Act in the USA, and GDPR and PSD2 in Europe, with consequences for institutions outside these regions as well. The General Data Protection Regulation (GDPR), probably the most talked-about of these, gives individuals in the EU a set of rights over how organizations collect, use and share their personal data, with consent being one of the lawful bases on which processing can rest. Since banks handle a large quantity of personal data, the regulation considerably impacts how data is stored, processed, shared, and secured.

In the wake of rapid digitalization and increasing dependency on partners for providing business services, new regulations are also being proposed. One such consultation, on Operational Resilience, i.e. the ability of financial institutions to rapidly adapt their business and continue critical operations in the event of disruptive business events, is being carried out in the UK as a top priority by the Bank of England (the Bank), Prudential Regulation Authority (PRA), and Financial Conduct Authority (FCA). Many financial institutions are already providing operational resilience reporting to UK regulators. This covers the processes, third parties, data and technology on which critical business services depend, and is aimed at supporting resilience analysis and risk-based mitigation and remediation planning.

What causes regulatory compliance overheads?

  • Increasing compliance workforce costs: Rapidly growing and changing regulations are making the compliance function more demanding. It takes an army of compliance staff just to digest these regulatory changes.
  • Complicated compliance reporting: Since every jurisdiction has different compliance requirements and reporting standards, in practice this results in a plethora of reporting types and associated underlying data sets. This makes compliance reporting efforts complex and laborious. In many cases, supporting documentation for these reports cuts across many dimensions of the business and requires input from a wide range of process and system owners who may not always have the up-to-date information at their disposal. Often, this results in repeated “data calls” where resources have to go hunting for data to refresh out-of-date reports, and increasingly complex reporting ‘point solutions’ that struggle to keep up with the business logic of combining multiple inputs in a coherent model.
  • Process and application proliferation: As regulations get addressed individually in ‘point solutions’, the compliance processes and supporting applications often proliferate, resulting in duplication of effort, functionality, and data, as well as increasing complexity in the IT estate and technical debt.

What happens when regulatory compliance risks become real?

The compliance process should be a holistic, enterprise-wide effort that relies on real-time data to make informed decisions. While complying with regulations certainly incurs compliance costs, not abiding by them may threaten to destroy your organization altogether.

One such incident, treated by the UK data protection regulator as a violation of the GDPR, involved a major British airline. The attack, believed to have begun in June 2018, diverted user traffic from the British Airways website to a fraudulent site, through which the details of around 500,000 customers were harvested, including login, payment card and travel booking details as well as names and addresses. The Information Commissioner’s Office (ICO) held British Airways responsible for the poor security arrangements at the company and announced its intention to fine the airline £183.39 million[1] under GDPR (the penalty finally imposed, in October 2020, was £20 million).

In another incident, Equifax, a US-based credit reporting agency, disclosed in 2017 that the data of 147 million[2] people had been stolen. The Federal Trade Commission (FTC), together with the Consumer Financial Protection Bureau and US states, reached a settlement of at least $575 million, potentially rising to $700 million[2], over the agency’s failure to take reasonable steps to secure its network, which had led to the breach.

As per the FTC, the agency failed to patch its network after being alerted in March 2017 to a critical security vulnerability affecting its ACIS database, which handles inquiries from consumers about their credit data. The agency also failed to segment its database servers to block access to other parts of the network once one database was breached, and failed to install robust intrusion detection protection for its legacy databases. When the agency’s internal IT department ran a series of scans that were supposed to identify unpatched systems, none of the vulnerable systems were flagged or patched. The vulnerability was exploited soon afterwards to break into the systems and steal data, which ultimately cost the company hundreds of millions of dollars in settlements and lasting damage to its reputation.

How does enterprise architecture benefit FSIs in dealing with compliance challenges?

We all understand that complying with regulations is a complex, cross-functional effort. It can’t just be limited to the domain of the Chief Compliance Officer or the cybersecurity department. Compliance should be a joined-up, enterprise-wide effort that brings together relevant business and IT stakeholders, all having a critical part to play in the planning, implementation, and maintenance of the process and IT infrastructure of the organization.

Enterprise architecture models provide a foundational single source of truth on which a variety of compliance reports can be generated using the connected models that join together disparate data sets covering multiple dimensions of the organization, e.g. people, processes, data, applications, technology and third parties. This streamlines the compliance function, improves efficiency and effectiveness, and reduces complexity and technical debt.


It also enables effective data management of the information used for compliance reporting. This ensures ongoing data quality in the form of completeness, correctness and currency of information, everything operationalized into business-as-usual processes. The result is that the enterprise enjoys transparency, objectivity and accountability of data quality – which is of keen interest to the regulators assessing the maturity and effectiveness of compliance.

Gaining enterprise-wide visibility and keeping costs down

Global enterprises have thousands of processes, applications, and services scattered across several business units, making the whole IT landscape complex and poorly accessible for manual strategic analysis. This complexity creates the need for modern data-driven EA tools that can bring together the people, process, and technology aspects of an organization and collect comprehensive, real-time data on these entities.

The data is organized and structured through flexible and coherent data models. It can also be further processed and used to build intuitive visual dashboards of the IT landscape concerning the existing business capabilities and processes (see Figure 1). It allows for easier identification of abnormalities and capability gaps, as well as drives stakeholder collaboration towards informed decision making. Since full compliance reporting requires connecting all the relevant dots in the organization, this visibility ensures that compliance reporting does not suffer from any unintended exclusion of processes or IT systems. What’s more, it takes away the manual effort required to create these reporting artifacts and saves precious resources and time for the organization.

Figure 1. A BIAN capability model with the number of supporting applications per capability shown underneath. This clearly showcases the organization’s capabilities as well as the applications supporting each individual capability (Source: Bizzdesign).

The image shows an Enterprise Capability Model divided into two main categories, Sales and Service and Operations and Execution, with subcategories such as Marketing, Sales, Customer Management, Servicing, Account Management, Payments, and Operational Services; each subcategory contains specific business capabilities. Below the model, a treemap visualizes the application count for each capability: larger blocks represent higher application counts, with “Customer Behavioral Insights” and “Payment Execution” having the highest counts (7 each), and the blocks are colour-coded to match their capability categories for easier cross-reference.

Improving operational resilience and containing outages

One of the primary reasons for disruption in business services is the inability of the IT infrastructure to meet SLAs, caused by technology failures and other operational incidents. The abundance of unsupported, obsolete technologies makes the IT systems susceptible to low performance, outages, and data breaches. This ultimately has repercussions for compliance, operational resiliency, and the organization’s brand perception.

Enterprise architecture assists companies in keeping track of the lifecycle of technologies (identifying dependencies between applications, processes etc.) and determining the optimal course of action for managing obsolescence. These actions may encompass purchasing extended support, planning system migrations, or decommissioning the affected application altogether.

Figure 2. Applications and capabilities that depend on the Oracle 10g database. The obsolescence date for the Oracle 10g database in this model is 1st January 2021, putting these applications and capabilities at risk of running without vendor support (Source: Bizzdesign).
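As an added illustration of the dependency analysis the text describes (the obsolescence question of Figure 2, the “unintended exclusion” check from the enterprise-wide visibility section, and the location of externally exposed APIs discussed under PSD2 below), here is a small Python model that answers those three questions over a dependency graph. This is example code written for this page, not Bizzdesign or HoriZZon code; the element names loosely follow Figures 1 and 2, while the model itself, the “Message Queue 4.x” support date, the “Open Banking API” interface and the contents of the sample report are constructed for illustration.

```python
"""Dependency queries over a small enterprise-architecture model.

Added example, not code from the page or from Bizzdesign/HoriZZon. The element
names loosely follow Figures 1 and 2; the model, the second technology's
support date, the external interface and the report set are constructed.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                           # "capability", "application", "technology" or "interface"
    end_of_support: date | None = None  # set on technology elements only
    external: bool = False              # set on interfaces exposed outside the enterprise


class EAModel:
    """Directed graph in which an edge a -> b means a relies on b
    (capability -> application -> technology/interface)."""

    def __init__(self) -> None:
        self.elements: dict[str, Element] = {}
        self.used_by: dict[str, set[str]] = defaultdict(set)  # b -> {a : a relies on b}

    def add(self, *elements: Element) -> None:
        for e in elements:
            self.elements[e.name] = e

    def depend(self, dependent: str, dependency: str) -> None:
        # Refuse dangling edges: the model is meant to be the single source of truth.
        for n in (dependent, dependency):
            if n not in self.elements:
                raise KeyError(f"unknown element {n!r}")
        self.used_by[dependency].add(dependent)

    def impacted_by(self, name: str) -> set[str]:
        """Every element that transitively relies on `name` (breadth-first over reverse edges)."""
        seen: set[str] = set()
        queue = deque([name])
        while queue:
            for user in self.used_by[queue.popleft()]:
                if user not in seen:
                    seen.add(user)
                    queue.append(user)
        return seen

    def obsolescence_risk(self, as_of: date | str) -> dict[str, set[str]]:
        """Technologies whose vendor support ends on or before `as_of`, each mapped to the
        applications and capabilities it puts at risk (the question behind Figure 2)."""
        if isinstance(as_of, str):
            as_of = date.fromisoformat(as_of)
        return {
            e.name: self.impacted_by(e.name)
            for e in self.elements.values()
            if e.kind == "technology" and e.end_of_support is not None and e.end_of_support <= as_of
        }

    def coverage_gaps(self, reported: set[str], kind: str = "application") -> set[str]:
        """Elements of `kind` present in the model but missing from a compliance report
        or a scan result: the unintended exclusion the text warns about."""
        return {e.name for e in self.elements.values() if e.kind == kind} - reported

    def exposed_externally(self) -> dict[str, set[str]]:
        """External interfaces (e.g. PSD2 APIs) and the applications and capabilities
        reachable through each of them."""
        return {
            e.name: self.impacted_by(e.name)
            for e in self.elements.values()
            if e.kind == "interface" and e.external
        }


def build_sample_model() -> EAModel:
    """Constructed model: two capabilities sitting on a database whose support has ended,
    one application left out of the compliance report, one external PSD2-style API."""
    m = EAModel()
    m.add(
        Element("Payment Execution", "capability"),
        Element("Customer Behavioral Insights", "capability"),
        Element("Customer Management", "capability"),
        Element("Payments Hub", "application"),
        Element("Insights Engine", "application"),
        Element("CRM Portal", "application"),
        Element("Oracle 10g", "technology", end_of_support=date(2021, 1, 1)),         # date as in Figure 2's model
        Element("Message Queue 4.x", "technology", end_of_support=date(2026, 6, 30)),  # constructed
        Element("Open Banking API", "interface", external=True),                        # constructed
    )
    m.depend("Payment Execution", "Payments Hub")
    m.depend("Customer Behavioral Insights", "Insights Engine")
    m.depend("Customer Management", "CRM Portal")
    m.depend("Payments Hub", "Oracle 10g")
    m.depend("Payments Hub", "Open Banking API")
    m.depend("Insights Engine", "Oracle 10g")
    m.depend("Insights Engine", "Message Queue 4.x")
    m.depend("CRM Portal", "Message Queue 4.x")
    return m


if __name__ == "__main__":
    model = build_sample_model()
    print("at risk on 2021-01-01:", model.obsolescence_risk("2021-01-01"))
    print("missing from the report:", model.coverage_gaps({"Payments Hub", "Insights Engine"}))
    print("reachable via external APIs:", model.exposed_externally())
```

The reverse-edge traversal is what turns a flat inventory into the Figure 2 view: an end-of-support date on one technology element propagates upward to every application and business capability that rests on it. The same graph, diffed against whatever a report or vulnerability scan actually covered, exposes the systems that were silently left out, which is the failure mode in the Equifax account above.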

Ensuring regulatory compliance with data security regulations

Preventing data security breaches is the top priority for compliance and risk management staff at major financial organizations. GDPR requirements push compliance teams to regularly monitor the location and health of their data centers, the health of the systems which are storing and processing the personal data and tracking related actions of those systems’ owners. By making this information readily available, enterprise architecture becomes critical for planning and getting the right data security measures implemented across the enterprise.

Furthermore, in the wake of any personal data breach, enterprise architecture can help identify the source(s) and the affected applications, and provides a platform for stakeholders to collaborate on designing appropriate measures to contain the fallout. With PSD2, organizations need to monitor the data transfers and performance of several internal and external APIs. By providing a blueprint of the interconnected services and APIs, EA helps businesses locate the externally exposed APIs, which will typically require additional layers of security to defend against attack.

Summary

The regulatory challenges are both significant and growing for financial institutions. However, with the right set of approaches and tools, it is possible to build a dynamic architecture of the organization and leverage it to identify key insights that assist with compliance reporting, risk management and ongoing optimization. To help your organization in establishing a solid enterprise architecture function, Bizzdesign offers a mature platform and associated services that center around value creation and getting early wins fast.

Horizzon is a leading business design platform that uses a data-driven architectural approach to deliver compelling business intelligence artifacts, which effectively guide and assist executives in their decision making process. Importantly, Horizzon is a leader in open standards and frameworks support, providing users with a wide set of industry-approved best practices and reference models such as BIAN (Banking Industry Architecture Network), ACORD (Association for Cooperative Operations Research and Development), Panorama 360 and SABSA (Sherwood Applied Business Security Architecture) for building a strong financial services compliance value chain.

To learn more about Bizzdesign and how we can help your organization meet its compliance challenges and strengthen its overall operational resiliency, don’t hesitate to contact us. 

References

  1. https://edpb.europa.eu/news/national-news/2019/ico-statement-intention-fine-british-airways-ps18339m-under-gdpr-data_en/
  2. https://www.ftc.gov/news-events/press-releases/2019/07/equifax-pay-575-million-part-settlement-ftc-cfpb-states-related

About the author:

Nick Reed

Chief Strategy Officer at Bizzdesign

Nick is responsible for value proposition development, building strategic partnerships, and driving innovation topics, including executing Bizzdesign’s ‘buy & build’ acquisition strategy. He has over 25 years of experience in B2B enterprise software and SaaS, dedicating 15 years to enterprise architecture and portfolio management.

 

Looking Beyond Covid-19 to the Future
https://bizzdesign.com/blog/looking-beyond-covid-19-to-the-future/
Tue, 12 May 2020


Covid-19 – a trying chapter not the end of the story

As Covid-19 continues to put huge pressure on health systems and markets all over the world, it is important to remember that it too will pass. It may seem difficult to acknowledge that fact in the present moment, when we’re dealing with so many disruptions to our normal lives, but it’s the truth. The important question, therefore, is what can organizations do now that will help them have a quick and clean recovery once the pandemic has run its course?

As with any challenge, the opportunity to turn things around lies within the problem itself. Many institutional actors will slash costs, stop innovation projects, and look exclusively inwards. The more future-oriented ones, however, will seek to distance themselves from the fearful pack. Today we look at what these more insightful organizations ought to consider as they seek to come out of these trying times stronger and more resilient.

The opportunity within the crisis

The time to act is now, though. Here is what to keep an eye out for.

1. Will Covid-19 change your industry sector, and how?

In order to not get caught unprepared by the future, you need to address it ahead of time. Have you given good thought to what Covid-19 might mean for the market you’re in? Make no mistake, the pandemic will pass, yes, but much like a river that’s overflowed, once it retreats back into its banks the landscape will be a little changed. Lots of silt everywhere, but also nutrient-rich sediments.

Some of these changes will present business development opportunities. Try to identify the best way to leverage them. If you head an organization, get your leadership team together and start identifying what these changes might be. Some will be obvious, some less so. Some will be more similar in nature to plucking ripe fruit, others will require more substantial investment to make feasible. Will the returns justify it? The results in this case might range from a new line of business to perhaps a new business model even.

Moreover, summon an innovation team and have them give serious thought to the opportunities that are out there, dormant. What product or service is emerging as a constant in the new Covid-19 reality? What ways to enter new markets or reach new customers are emerging in this increasingly digital-first economy? By thinking of ways of actively supporting growth instead of just cutting cost, you lay out the foundation for not only a solid recovery path, but actual expansion and market share gains at the expense of your conservative competitors.

What is important to realize is that fast decision making on new investments must not mean rushed decision making. Given the huge uncertainties today, any investment decision is a significant bet. Do your due diligence and ask enterprise-wide experts to analyze the impact and level of compatibility (with the future strategic direction, with the current technology stack etc.) so that you maximize the odds of it paying off.

2. How are you making agility a part of your DNA?

Is it fair to say that this global pandemic has shown beyond the shadow of a doubt that enterprise agility is an absolute must-have, not a mere nice-to-have? We believe that should be obvious at this point. So considering that, how is your organization pursuing greater agility? In an increasingly more volatile marketplace, having the right change capabilities in place can make the difference between business as usual or out of business.

Being able to pivot according to new developments relies on an agile institutional mindset; agile processes; a loosely coupled, highly modular technology stack. For most organizations, migrating towards this state of affairs entails a serious discussion with stakeholders across the enterprise landscape. As change touches on all aspects of the business, it’s not simply business leaders that ought to brainstorm for the best way to move closer to these goals, but enterprise architects too. As we’ve said before, EAs can and must play a critical role in planning and operationalizing complex change in order to ensure that projects and investments actively support business goals.

Especially at a difficult time like this, when the loudest voices and panic may monopolize strategic decisions, having a fact-based approach is invaluable. Take a systemized approach towards the strategy identified by the company’s leadership. Ask the EA team for input regarding the plans drawn up and get the certainty that’s needed. Are you investing in the technology that supports agility, that is conducive to value in the future, that supports building towards the possibly new business model/lines of business identified before? How should investments be prioritized to ensure the biggest impact for money spent? A structured view would save businesses considerably by eliminating low-value initiatives and minimizing risk.

3. Does your talent strategy continue to support the business throughout this period?

Let’s be honest. Apart from innovation initiatives and investments, personnel is another area that gets the ax very quickly when the economic environment sours. But as we were explaining recently, slashing costs by making people redundant en masse is a crude tool for helping a company’s finances. A better approach would be to identify how these roles support the business, how important they are to business continuity, and be very targeted in your letting people go, if indeed you must let people go.

As far as current employees go, identify whether your current team makeup makes sense when compared against the plans for the future. Once you have a vision for what you want to achieve post-Covid-19 and how, analyze whether you can operationalize it. Do you have the people who know how to deliver that future state? If anything, hiring is still on the menu; you may just be changing your order.

As for talent acquisition, let’s say your talent strategy was geared towards a great expansion you were planning. That doesn’t have to be wholesale binned. See whether dialing it down is an option. Express to new arrivals and prospects that for the time being you’ll tread water, yes, but there is a plan to rev the engines and get to the really interesting work once things pick up. Their talents and skills will undoubtedly get their time to shine; in the meantime, however, can they apply themselves to a different area? Can they help you get back sooner?

Suggest that they lay the foundation of the next chapter, with fewer people and less flash, to be sure. But that is still important work for the enterprise. Many will take up the challenge. This way, you will have the people you need, seasoned even, when the recovery starts. So don’t stop hiring, but do take extra care to hire the right people.

Keep looking ahead

It may seem like battening down the hatches and turning one’s back on outside developments is the best strategy in this time of vulnerability. But that would only seal this time period as a ‘lost era’. We believe that instead of ignoring the future, organizations would do well to consider initiatives carefully and keep their strategic development avenues open. By investing in the future at a time when most of the market is busy focusing solely on the present, they stand a good chance to leave their competition behind and accelerate on their trajectory once the crisis is over.

An EA Response to the Pandemic: CSL Behring
https://bizzdesign.com/blog/an-ea-response-to-the-pandemic-csl-behring/
Thu, 07 May 2020


CSL Behring is part of CSL Limited, the world’s third largest biotech company. CSL has over 25,000 employees with operations in more than 35 countries and annual revenues close to $9 billion. When COVID-19 started to grow into a worldwide pandemic, as an organization, CSL Behring reacted in a globally-coordinated manner to ensure that any negative impact to their business would be minimized.

Answering the crisis

This was an enterprise-wide resilience initiative, owned by a pandemic response taskforce, headed by the Head of Enterprise Security. As part of the program, there were active communications reaching all employees, and the taskforce kept a close eye on what was happening across the supply chain and across the enterprise.

The challenge for the Enterprise Architecture team

From an IT perspective, the IT Leadership Team entrusted the Enterprise Architecture team with a clear mission – the Head of Enterprise Architecture was to collaborate with other IT Leaders, establish a taskforce and define an effective pandemic response plan for the business technology (IT) organization. The team embraced the opportunity and before long, they came up with three well-defined work streams.

Remote working

The first one was remote working. As part of the “Work From Home” initiative, the team focused on creating capacity. Some of the questions that were addressed included: Do we have enough network capacity? Do we have enough VPN capacity? Do we have enough IT inventory to meet everyone’s needs? Also, since there were many people working from home, the company considered carefully whether the service desk would cope with the significant spike in activity that was expected, and the Service Desk leaders had to figure out how to accommodate that as well.

Business continuity

The second workstream that was identified was centered on business continuity. The EA team, along with the Enterprise Applications team, analyzed the enterprise application portfolio and identified about 100 applications that were deemed business critical. Out of those, some 20 to 25 were further highlighted as essential to the company’s ability to operate as a business. Once the team had these on the radar, they focused on making absolutely sure that CSL Behring employees would have access to these from their homes, under any and all circumstances.

CSL Behring also operates a private data center, leading to a significant on-premises footprint. That was yet another area for which the Data Services Leader had to ensure uptime and create adequate contingency plans. And again, the organization saw no negative business impact, which speaks to the speed and depth of their preparation.

To further safeguard against negative scenarios, CSL Behring also revisited their Disaster Recovery plans, Business Continuity plans, and Standard Operating Procedures, to ensure no disruption to business whatsoever. Even now, at the time of writing, they continuously monitor the situation to ensure they are addressing the dynamic needs of this difficult and fluid situation the right way.

Successful communication

The third work stream that was defined was around appropriate communication. The EA team recognized that maintaining proper contact during these special circumstances was vital, so they created a dedicated workstream and aimed their attention at creating useful guides for the Work From Home audience. The Communications workstream lead worked with cross-functional team members to determine what employees’ needs might be in this area and which collaboration platforms they were using, so that the content produced addressed the most likely needs. These guides addressed how to maximize the functionality of certain software, how to connect home infrastructure (printers, for example) to their work machines, and so on. This was very welcome to everyone for obvious reasons.

It’s worth noting that they also developed communications addressing the cybersecurity needs of a large enterprise in the 21st century. After all, cyberattacks are becoming increasingly problematic, so CSL Behring created specific communication guides on raising awareness around phishing attempts, under the guidance of the organization’s Cybersecurity leaders, making it clear to end-users what the risks are, what behavior to avoid, how to make certain they are not sharing private information, etc.

Keeping things under control

By collaborating effectively across several cross-functional teams, the EA team created a practical pandemic response plan from the business technology (IT) perspective. As a result, CSL Behring didn’t suffer any significant loss in productivity and as it stands currently, they are well-prepared for the type of challenges that one might expect during these times of social distancing.

The post An EA Response to the Pandemic: CSL Behring appeared first on Bizzdesign

An EA Response to the Pandemic: What Enterprise Architects Can Do in This Time of Crisis https://bizzdesign.com/blog/an-ea-response-to-the-pandemic-what-enterprise-architects-can-do-in-this-time-of-crisis/ Tue, 28 Apr 2020 10:00:15 +0000 https://bizzdesign.com/?post_type=blog&p=1799

An EA Response to the Pandemic: What Enterprise Architects Can Do in This Time of Crisis Latest news from (my website): Bizzdesign

These are strange times and for many of us the world has been turned upside-down by the Covid-19 pandemic. Enterprise architects, used to a medium- and long-term focus, suddenly and urgently need to contribute to the very survival of their organizations in the immediate term. This requires a thorough rethink of what we do, but we won’t have time to sit back and contemplate the EA discipline. We need to take action now and with this blog post I want to give you some concrete ideas on this.

Clearly, the current situation requires a strong emphasis on business continuity and cost control.

Much of the benefit of EA is in cost avoided (by preventing the wrong decisions) but that doesn’t directly help you today. So as an EA team in an organization in existential crisis you have to show you respond directly to that crisis, and not just to some longer-term goals, since without short-term survival there won’t be a longer term. If you don’t show value now, your senior management might even be tempted to save cost by firing the EA team altogether, since it may appear in the short term they won’t need you.

Fortunately, our methods and models have much to offer in this context of crisis. Architects have a unique understanding of the connections and dependencies in their enterprises, both vertical (between strategy, operations, and implementation) and lateral (e.g. between stages in your value stream, dependencies between capabilities, or the flow of information through your application landscape). A few months ago you may have used that understanding to work on issues like the digital transformation of your organization, supporting your company strategy by improving business agility, streamlining operations in your supply chains, or rolling out new IT infrastructure to support the digital workplace. Today, you can use the same deep and broad knowledge of the inner workings of your enterprise to support urgent demands such as scaling down (or up) certain operations, enabling your digital workforce, mending broken supply chains, fixing logistic problems, et cetera.

In discussions with several of our customers and based on our own experience, we have identified a number of key questions that you as an architect can use to guide your response to this crisis and help your organization deal with it:

1. Which business capabilities are critical to your products and services?

Most organizations nowadays have some kind of capability map, linked to their value streams and business outcomes. Which of these capabilities are absolutely critical for your organization to survive? What do you need to fulfill your mission and produce the requisite outcomes (e.g. essential business services) for your customers and other stakeholders? And which capabilities are just nice-to-haves? For a bank, for instance, capabilities like payments, accounts management, ATM services, and risk management are absolutely critical, whereas perhaps loan and mortgage applications are important but not business-critical in the short term, and marketing or product development are less critical still. In such an analysis, you may also consider capabilities you possess but have never actively used in this way before. For example, various manufacturing companies now pivot to producing medical devices like ventilators or personal protective equipment, because their manufacturing capabilities can be reconfigured for this purpose. Keep thinking outside the box; don’t let the crisis make you put the blinkers on. Your creativity is needed now more than ever.

2. What are the business impacts of disruption to these capabilities?

By analyzing the connections between capabilities and the value streams that rely on them, you can assess what would happen if, say, a certain capability is no longer available or has to be scaled down due to a shortage of resources. Which essential outcomes (e.g. critical services to key customers) cannot be guaranteed? Perhaps you then need to reassign resources, or scale down certain operations that can no longer be sustained.

3. What are the people, processes, applications and third party suppliers that these capabilities depend on?

Imagine, for example, that a substantial percentage of your workforce falls ill, or a key supplier goes out of business. What would be the impact on your key capabilities? Identifying what is absolutely business-critical helps management to focus their attention (and budget) and avoids them being swamped by less important day-to-day problems.

4. Where do we have risks identified for these people, processes, applications and third parties?

This is of course the next question. You may already have done such a risk analysis. If not, you may need to quickly fill in some of these gaps to have a sufficient understanding of the overall risk to your business-critical capabilities.

5. What is the aggregate risk for each capability?

The aggregate risk for each capability, based on the previous analysis, helps you focus your mitigation efforts. Combine this risk with the criticality of your capabilities mentioned above, and visualize this in the form of a capability heat map. This gives you a ‘battlefield plan’ that everyone can huddle around (in keeping with the requisite social distancing) and use as a common basis for understanding and planning further action. The example below, from an energy company, uses colors to show the operational risk of capabilities, and highlights those that are business-critical (in the short term). This immediately calls attention to capabilities such as Customer Service, which in this example turns out to be insufficiently dimensioned to deal with large numbers of customer calls in case of a major emergency.

Capability heatmap highlighting business-critical capabilities, colored by operational risk

6. Which risks are acceptable and which risks require mitigation or avoidance?

In particular for the business-critical, high-risk capabilities, you may need to take additional measures to deal with these risks. This will typically also include identifying and collaborating with responsible business owners who need to take action here.

7. What are our risk mitigation plans, business continuity plans and disaster recovery plans for these capabilities?

Of course we all have our plans in place, right? Well, some of us do, but are they really adapted to a situation where most of your staff works from home, key personnel fall ill, or key suppliers are no longer in business? You’d better check whether these plans are still current. And your architecture knowledge can be very helpful in all kinds of scenarios, for example to decide in which order to scale down, or recover, certain capabilities, based on the various dependencies in your architecture; you don’t want to inadvertently switch off something that takes down your entire operation or leads to damaging ripple effects in your supply chain.

8. What are the bottlenecks in our IT infrastructure to support remote work?

Zooming in on your business-critical IT resources, very practical and concrete questions come up. Many companies now have a general work-from-home policy, but their infrastructure may not always be prepared for that. Where are the bottlenecks and who should be prioritized, given e.g. their role in critical business processes?

9. Which business-critical applications are difficult or impossible to access remotely?

You may have applications running in environments that can only be accessed on-site. Or take the example I recently heard from one of our customers, a utility company: they have a set of highly business-critical applications that can only be accessed via a secure environment that allows just one remote login at the same time. The operators of these applications were inadvertently kicking each other off this environment when they tried to log on, greatly complicating their operations. Analyzing and fixing such bottlenecks is key.

10. What are our recovery time objectives (RTO) for these applications?

If such a business-critical application has a short RTO, you may need to ensure some form of on-site staff presence, despite a general work-from-home policy. If your organization runs critical infrastructure like the utility company I mentioned, you will of course be well aware of this. Nevertheless, you may be caught unawares by limitations like this single-login issue.

Of course, this is not intended as the be-all and end-all of EA in crisis mode, but to inspire you to define your own course of action as an architecture team. The above is an example of the short-term perspective that architects can assume.

Moreover, the economic impact of this crisis will reverberate for a long time to come. This will undoubtedly lead to new rounds of cost savings, reconfiguring supply chains, but also speeding up the digitization journey that many organizations had embarked upon anyway. Listen for example to the podcast by Kirk Keller about how the University of Missouri completely transitioned to an online environment, greatly speeding up their digital transformation.

Business as usual won’t return anytime soon and smart organizations are already planning for this ‘new abnormal’. We don’t know where this sea change will take us but by investigating possible scenarios we can try to be prepared for whatever may come. Architects are well-positioned to assess the impact of such scenarios and help build a resilient enterprise that knows how to respond.

The post An EA Response to the Pandemic: What Enterprise Architects Can Do in This Time of Crisis appeared first on Bizzdesign

Business Priorities During Covid-19 https://bizzdesign.com/blog/business-priorities-during-covid-19/ Tue, 21 Apr 2020 10:00:08 +0000 https://bizzdesign.com/?post_type=blog&p=1801

Business Priorities During Covid-19 Latest news from (my website): Bizzdesign

As we now realize, the effects of Covid-19 on work and home life have focused our efforts on learning to navigate a new normal. The personal and business impacts of this are evident. On the personal side, we are all learning how to be “Alone, Together” and some of us are adjusting to new WFH colleagues.

On the professional side, organizations that once thought that things like detailed business continuity planning, creating more efficient business models and ensuring good quality data in a central repository would be “nice to have” items are now waking up to the fact that they are essential. The need to accelerate objective decision making while maintaining risk tolerance and alignment to long-term business goals should be a priority. The pandemic has made it very clear that if an enterprise is to survive over a long arc of time, operating in the most efficient and agile ways is not optional but imperative.

Recent discussions I’ve had with clients, prospects and colleagues have all concentrated on the new challenges they are facing. These discussions have revealed how they are leveraging Bizzdesign Horizzon during critical business decisions in order to successfully pivot and re-prioritize their initial project plans. Some key areas of focus include:

  • An IT Resilience Dashboard, a tool to monitor the IT services companies provide as working from home steadily becomes the new normal.
  • The security and quality of critical software assets.
  • Identifying business processes that need to become remote and less dependent on travel or in-person visits.
  • Assessment and prioritization of digital processes that enable your organization to continue to deliver and sell where possible as a result of pandemic shifts.
  • Cost containment.
  • Portfolio management.
  • Application modernization.
  • Supply Chain assessment and improvement.
  • Project prioritization – keep key projects moving forward, pause others.
  • HR plans – creating efficiencies in the way work is done will lead to people decisions, both onboarding and reductions.
  • Cloud migration.
  • Assess and course correct digital transformation strategies – by accelerating business transformation efforts now, some organizations will be in a better position after the pandemic passes.

This is the CIO and IT executive career opportunity of a lifetime, as executives are in a prime position to mitigate the damage caused by Covid-19. In uncertain times, having your eyes on the future means figuring out a way to help your organization come out the other end in as strong a strategic position as possible. Companies that take a pro-investment approach now are bound to have a lead when the economy rebounds.

It’s critical that CIOs not let Covid-19 stop them from pursuing their IT strategies in support of digital business growth. As sharply as organizations have learned to pivot as needed, we ought to apply the same get-it-done approach to digital transformation initiatives and focus on building key long-term IT and business capabilities. Those that do will find themselves in better shape than those that don’t.

We’d love to learn more about what you are working on and help, so drop us a line here and let’s stay connected so that we may all come out of this stronger and more resilient than before.

The post Business Priorities During Covid-19 appeared first on Bizzdesign

“Get Rid of All Contractors by Friday”: A Real (Crisis) Story – Part 2 https://bizzdesign.com/blog/get-rid-of-all-contractors-by-friday-a-real-crisis-story-part-2/ Tue, 21 Apr 2020 10:00:02 +0000 https://bizzdesign.com/?post_type=blog&p=1800

“Get Rid of All Contractors by Friday”: A Real (Crisis) Story – Part 2 Latest news from (my website): Bizzdesign

In Part 1, we anonymized the narrative of one of our large manufacturing customers. Forced to protect the company in the face of the COVID-19 pandemic, the CEO decided to let all the contractors go, and in Part 1 we presented the first of two possible scenarios as to how this might take place. In that initial scenario, the company fell into the trap of decisive, but hasty, action.

In this Part 2, we’ll be looking at the second scenario. This time the company takes an extra look before it leaps and ensures measures are driven by evidence and factual insights into the enterprise. Let’s see how this scenario might play out.

SCENARIO 2: FULL LINE OF SIGHT. SURGICAL ACTION. MAXIMUM IMPACT

Before starting to pull on the wires, find out what they are connected to

In this scenario, upon learning the news, the COO and the CIO get together and discuss the best way to go about it. They decide to co-opt the help of the enterprise architecture team since contractors, it turns out, represent a fairly heterogeneous group with a hard-to-predict impact on the business should they be eliminated. Contractors are found in virtually every department of the company and they occupy the full range of positions from junior to senior and everything in between. What’s more, some very cutting-edge R&D work is being done in collaboration with domain experts who are hired – you guessed it – as contractors. Simply letting everyone go who might be hired under a ‘contractor’ tag might have serious unintended consequences.

They take this up with the Head of EA and before long a battle plan is formulated. The solution they settle on is business capability mapping. This is an enterprise architecture technique that can help assess the risks associated with such blanket decisions and provide insights that assist in fine-tuning the outcomes in order to maximize cost reduction while also minimizing risk. How does this work?

Using business capability mapping to start connecting the dots (and critical dependencies)

Business capabilities describe “What” an organization does at its core. This differs from “How” things are done, “Where” they are done, or “Who” is doing them. Business capabilities not only make sense to the business, since they are stated in the language of the business, but they also provide a connection point to business stakeholders. This is critical, as these stakeholders have the power to make decisions and direct funding in order to change the enterprise and achieve targeted business outcomes, e.g. cost and risk reduction, which in our scenario would really come in handy.

So, the EA team gets to work identifying how the organization’s business capabilities are supported by lower-level concepts like people, processes, applications and technologies. In other words, they start working on the “What” of the company, untangling the different components that come together to enable the “What” to take place. As the architects grind away at this, it becomes increasingly clear that a blanket measure would have caused significant and costly disruption to daily operations. A blanket contractor elimination plan would evidently have eliminated resources that are required to support the critical things that the organization does. This includes day-to-day processes, new product development, and so on.

And ensuring no critical capabilities are inadvertently put at risk

Fortunately, the systematic approach proposed by the Head of EA and approved by the COO and the CIO starts bearing fruit. Within a week’s time, the EA team already have findings related to the applications’ required support levels. By connecting the dots from each business capability to the underlying applications and then quickly assessing each application for a) criticality, b) the degree of expertise required to support the application and c) the degree of expertise held by the related employee and contractor support team members, a clear landscape of cross-layer dependencies emerges. This delivers an invaluable perspective on which business capabilities would be at risk if the company eliminated contractors from supporting critical applications.

The dots connected from each application to those in IT who are responsible for it allow the relevant stakeholders to quickly have a discussion around the criticality and support levels/staff requirements of each application. Furthermore, the connection between each business capability and the responsible business stakeholders makes it possible to address the capabilities that will be at risk where, after support members are eliminated, the remaining support members no longer possess sufficient skill to provide the required support levels, hence increasing operational risk.

To present this important finding to the executives, the architects create a business capability model and make the Level-3 capabilities glow red if they rely on critical and unsupported applications. This makes conveying the information to the business stakeholders easy and straightforward, which fosters intelligent conversation with the business stakeholders on the topic of at-risk capabilities and the contractor elimination decision.

Here’s a depiction of the dots that can quickly be connected in order to achieve this level of guidance, discussion and risk avoidance:

[Figure: Providing financial relief]

Conclusion: Providing financial relief while protecting critical company capabilities

Business capabilities allowed the EA team to connect the dots between the business and its supporting applications in this instance, highlighting areas of interest, need and concern. Naturally, with more time on their hands, their analysis could have been even more comprehensive and perhaps included processes as well.

However, what we presented here in the second scenario was a real, actionable plan that could have made the difference between the fiasco presented in Part 1 and a genuinely reasonable layoff plan. In Part 1, business disruption is compounded by the move to let all contractors go, whereas today we saw how a business-outcome-oriented EA department was able to help formulate a plan that provided financial relief while safeguarding the enterprise’s key business capabilities. Better insights, better decision making – isn’t that ultimately the promise of enterprise architecture?

Thank you for making it to the end and remember to keep yourselves and your families indoors as much as possible and out of harm’s way!

The post “Get Rid of All Contractors by Friday”: A Real (Crisis) Story – Part 2 appeared first on Bizzdesign

“Get Rid of All Contractors by Friday”: A Real (Crisis) Story – Part 1 https://bizzdesign.com/blog/get-rid-of-all-contractors-by-friday-a-real-crisis-story-part-1/ Tue, 14 Apr 2020 10:00:10 +0000 https://bizzdesign.com/?post_type=blog&p=1803

“Get Rid of All Contractors by Friday”: A Real (Crisis) Story – Part 1 Latest news from (my website): Bizzdesign

(The following is a true story that was shared with us by a current Bizzdesign client. All details have been changed to protect the anonymity of the source.)

It’s a morning like any other morning sometime in mid-March and the COO of a large automaker is on his way to work. All of a sudden, the silence in his car is broken by a text message. “Get rid of all contractors by Friday”, it says. “More at 10am meeting”. It’s a simple enough message sent by his friend and boss, the company’s CEO.

Get rid of all contractors? By Friday? That’s… one way to start the week.

As you may have guessed, this is happening during the COVID-19 pandemic of 2020 and things are getting very serious, very quickly. What started off as a distant nuisance grew into a problem, then a global crisis, and now, with the company’s stock diving 47% in two days, the organization is faced with an existential challenge. In fact, the whole economy seems to be going south, and with everyone panicking the potential for even more downside is real.

As it stands, revenues are drying up and organizations are desperately seeking ways to keep the ship afloat. This is the situation that the automaker’s CEO finds himself in at the start of our story. Naturally, with sales dropping due to general uncertainty, the only other lever that he and other executives have left to operate is cost reduction, the other side of the profit equation. Well, contractor costs (IT contractor costs in particular) are rightfully the first thought to enter any decision maker’s mind when faced with the need to slash all non-critical costs. After all, that’s the main benefit of hiring contractors for staff augmentation, right? You can expand or contract as demand dictates.

It is bad enough to have to do it. Worse if you don’t do it right.

The automaker’s CEO would agree wholeheartedly, which is why during their weekly 10am meeting he instructs the COO to work double time on offloading this financial burden by the end of the week. “It’s unfortunate but there’s absolutely no way around it. We have to eliminate all contractors immediately”, he concludes. This is a junction point in our narrative, so please imagine the story splitting into two parallel universes.

  1. Scenario 1: Acting in haste. In the first scenario, the story is defined by what feels decisive, but is in fact driven by panic and hasty action.
  2. Scenario 2: Informed, fact-based decision-making. In the second scenario, action is taken just as fast, but it’s facts and informed decision-making that decide what happens.

So let’s see how it all unravels.

SCENARIO 1: A CASCADE OF UNINTENDED CONSEQUENCES

Decisive, blanket cuts across the organization

Upon receiving the directive from the CEO, the COO and the apparatus supporting him spring into action at once. Across the world, the heads of all lines of business, the regional directors, the middle managers who keep everything running smoothly and on schedule – everyone – is told that they are to inform the contractors who report to them that they are relieved of their duties effective immediately. Due to the uncertain times ahead, the company is forced to minimize its liability and as a result personnel cuts have to be enforced.

Trigger a vicious downward spiral due to ignored interdependencies

Naturally, for the people losing their job this comes as a huge blow. However, there’s another demographic that’s disheartened by the news, and that’s the people who either reported to or expected reports from contractors. A plethora of team leaders and senior developers are now left holding a gun that’s shooting blanks. After all, if you’re heading up a team that’s working on the electrical cabling for a new model and your team just lost 30% of its members (perhaps the best ones, too), then are you realistically going to be delivering what you’re supposed to deliver when you’re supposed to deliver it? Probably not.

Across the organization, from the UK to North America and Singapore, everyone is wondering what this will do to the day-to-day, but also to key ongoing projects. They don’t have to wonder for long. Internally, key value-added processes are affected by the reduced personnel. There is an immediate drop in pace, but the initial drop is not the worst of it. As the days and weeks pass, deadlines come and go with projects not reaching their milestones. What was a simple canceled meeting one week is now a trend in week three, with stakeholders at all levels finding it increasingly difficult to push the ball forward without important feedback.

And compounds the company’s challenges

Interestingly, the company may have only fired part of its workforce, but even those who remain find their productivity slumping. Critical initiatives are of course delayed. These concern the company’s future products, innovation and research programs: many valuable assets were working on cutting-edge initiatives and are now gone due to the blanket measure. In other words, the remaining people are worried and oftentimes overworked. Additionally, and not that it needed further reasons to decline, the company’s stock falls even more as the market raises big questions about whether or not the company will be able to achieve its strategic goals.

Conclusion: Company resilience weakened rather than strengthened

The result is that while this decision may have saved the company some money, it did nothing to increase the company’s ability to navigate the rough times ahead. By simply chopping off a part of the organization that represented a discretionary – and therefore eliminable – cost, the company in fact critically disrupted the remaining components and hurt the enterprise. When all is said and done in this imagined timeline, in addition to the already formidable challenges that it faces, the organization will have created a host of additional and avoidable problems due to its rash decision, or rather the indiscriminate manner in which it was executed.

Tune back in next week when we’ll go over the second scenario!

An EA Response to the Pandemic, Part 1: University of Missouri https://bizzdesign.com/blog/an-ea-response-to-the-pandemic-part-1-university-of-missouri/ Wed, 08 Apr 2020 10:00:09 +0000 https://bizzdesign.com/?post_type=blog&p=1804
An EA Response to the Pandemic, Part 1: University of Missouri

With the COVID-19 pandemic in full swing, it seems hard to imagine that so little time ago everything was business as usual. For most of the world, 2020 started like any other year. Now compare that to what’s going on today. Governments are authorizing disaster relief assistance, national and international travel is crippled, and whole cities are under special quarantine measures. What’s more, the economy is grinding to a halt as revenue streams – and in some cases even production capabilities – dry up.

Listen to Kirk Keller on the Bizzdesign podcast.

Whole industries have transitioned to a short-term remote work environment. Some suggest that the pandemic’s impact to the economy is such that, even after quarantine measures are lifted, many industries may continue with remote work environments in some context.

Higher education has also been disrupted by the pandemic. The traditional campus-based experience of higher education has been replaced by remote learning and remote work. Just as in the for-profit sector, there is some question about how, now that these remote capabilities are in use, the genie can be put back into the bottle.

Can these challenges to higher education provide any food for thought to those in the commercial sector? I believe they can. In this sense, higher education institutions can be thought of as a service industry with students as our primary customers and education and career preparation as the provided service. Traditional college campuses further provide a college experience. The life and experiences of a college student on campus provide an experience unique in the lives of many and often factor into a prospective student’s decision on where to pursue a college degree. In that sense, higher education institutions share much with service industries tied to physical location and experience, such as restaurants or tourism.

As I’m working from home these days, I thought I’d take a moment to reflect on how the University of Missouri is dealing with the challenges presented by COVID-19 and possibly provide some insights on how enterprise architecture may be able to help higher education as well as service industries with a relatable service and customer experience model.

The University of Missouri System is composed of four universities with campuses in Columbia, Kansas City, St. Louis and Rolla. In 2017, we had 72,000 students enrolled as well as 6000 faculty and 1700 staff, including around 800 employed in IT. Lastly, we’re a land-grant university which means we have a responsibility to the citizens of Missouri as well as our students. By most measures, we are a large, complex organization.

Dealing with Covid-19

The Covid-19 pandemic has had a significant effect on our operations. As I write this, our campuses are empty except for essential employees. In the space of roughly two weeks, we’ve transitioned not only to an online remote workforce, but to an online learning institution. The result of this transition is that, today, everything the organization does is dependent on IT. This includes every faculty interaction with students, every piece of homework that is turned in, etc.

One reason why we were able to transition so quickly is that over the past few years we were taking measures to address the trend for online higher education. This was a trend in which we had a direct interest – much like a commercial entity would keep an eye on up and coming competitors. So, we had set up productivity tools capabilities; we were just in the process of finalizing a deal for enterprise web communications. The University System had also hired a Director of Online Learning, to coordinate online learning strategy and use of technology. Therefore, a lot of technology and processes were already in place.

Nonetheless, the pandemic has greatly accelerated the timeline of that process for us. Whereas beforehand we thought it was a given that cultural change would take a while to happen, the health crisis actually gave us a clear mandate to enforce everything quickly. We had to make it happen in a two-week timeframe. Fortunately, we did have actual, real plans to carry out these changes so when the time came to address the problem of students being unable to attend class, we knew exactly where to look and didn’t have to scramble finding our next step.

Challenges of accelerated change

Naturally, the large-scale change also meant that we had to play catch up in some instances. Some faculty members had difficulty adjusting to the new way of working, which led to some technology problems for us. For example, even though we had adopted cloud storage systems several years ago, we still had people continuing to use network file shares which could only be remotely accessed via VPN. As such, we had to significantly increase our VPN capabilities to accommodate this segment of our user base.

In addition, this discovery told us where the cultural shift towards using new technology had been much slower than previously thought. The technology was in place, but people hadn’t transitioned, which revealed to us where further adoption efforts were necessary. All in all it could be said the pandemic precipitated the adoption of plans that were already in the works but over a much longer arc of time.

Throughout this planning and adoption, enterprise architecture played a role in identifying current online learning architectures so that transformation plans could be formulated. Rapid transition to cloud solutions to aid faculty was monitored by an IT compliance process to ensure that new solutions continued to protect student information and provide accessibility accommodations.

Looking to the future

The COVID-19 pandemic has resulted in one truism in higher education. We are all online institutions at this point and, in that sense, are on an equal footing. The question now is: How will we differentiate in the future? When life has returned to normal, what will have changed about the way – we, in the education sector, and other organizations across all sectors – approach things like digital transformation, or operational resilience? How will the traditional physical-based college experience change or return to normal? Is it possible to replicate the customer experience of life on a physical campus with any sort of online offering?

One thing is clear. Today, higher education has a significant dependency on well-funded and well-architected technology. Technology is the infrastructure that’s allowing us to still carry on our business, albeit in a slightly altered format. Any industry employing remote work or customer service is in the same situation. This should give leadership pause as we come out the other side of COVID-19 and have to decide where to invest and where to cut spending. COVID-19 has exposed the dependency of industries on technology. Technology, then, will likely play a pivotal role in how industries, and higher education, can differentiate themselves from their competitors. In a time of spending cuts, leaders should be considering spending increases in good technology and IT workers.

A second thing to consider is this: The shift to remote learning already has students asking themselves fundamental questions about the value of higher education and the role of the traditional campus experience. The past week’s news cycle has seen stories of universities whose students demand partial refunds because they’re not getting the kind of experience that they paid for due to the quarantine measures. They’re not wrong. Yet at the same time they are, day after day, slowly but surely earning a degree. The question “Why do I need to physically attend lectures anyway?” will start popping up in everyone’s mind in the future. This then kickstarts the larger discussion revolving around what it is to attend a higher education institution.

What does it mean to attend university? And if from now on such a digital/online paradigm becomes more mainstream, how can we give that experience, which by definition will be more detached, the weight of significance that it has enjoyed up to this point? I think we’ll have to find ways to make it more meaningful, and more enjoyable, if we are to remain attractive to applicants and to differentiate from other educational institutions. My guess is that technology will be key to ensuring that idea cross-pollination still occurs, even if students no longer share the same physical location. It’s a complicated, philosophical issue, and touches on the very raison d’être of our sector.

Lastly, one has to wonder what the economic downturn will mean for universities in terms of funding. I think it’s safe to assume that we’ll see a decrease in the number of grants and, generally speaking, in the amount of money spent on education. This scenario, of course, is unfortunate. But it’s also a great opportunity for enterprise architects and the IT function as a whole to play a vital role in supporting the business as it tackles new challenges like finding new sources of revenue, new ways to receive grants, etc. Again, remember that in this new world, technology will likely provide the way for an industry to differentiate itself from its competitors.

IT is often regarded as a utility of sorts. The same way pipes underground carry water, IT delivers technology. However, what we’ve been doing here over the past several years (in general) and weeks (in particular) shows that IT, far from being just a useful utility, can provide a core differentiation in higher education.

Conclusion

What the recent transformation caused by Covid-19 at the University of Missouri shows is that good EA planning and a business value-oriented IT department can elevate the business just as much as anything. In our particular circumstance we were able to completely transition to an online experience and still ensure that business goes on as usual. Faculty and staff continue doing their jobs, students are receiving an education, and business continuity is safeguarded. That’s a powerful testimony for technology.

The Value of Architecture Models for Agile Organizations https://bizzdesign.com/blog/the-value-of-architecture-models-for-agile-organizations/ Tue, 25 Feb 2020 11:00:11 +0000 https://bizzdesign.com/?post_type=blog&p=1814
The Value of Architecture Models for Agile Organizations

In the past, I have written extensively on the combination of enterprise architecture and agile development, most recently about the notion of intentional architecture. It is clear that for any organization or system of some size, a solid architecture practice is needed next to agile ways of working.

On the one hand, for true business agility you need to take care of much more than ‘working software’ as the sole measure of progress (as advocated by the original Agile Manifesto). This starts from a solid understanding of the business at hand, the challenges that need to be answered, various constraints ranging from resources, cost and risk to regulatory compliance and competitive pressures, and much more.

Moreover, you need to ensure that the results developed (working software but also organizational structure, capabilities, business processes, possibly down to physical infrastructure) are also flexible and not ‘instant legacy’ that will be hard to change in the future. These aspects of understanding the broader context and impact are where enterprise and solution architecture and models thereof add real value.

Design models in software development

As mentioned in my previous blog, I see a decline in the use of formalized (UML) models of software under the influence of agile development. Creating and maintaining such models is a substantial effort and often duplicates what is already visible in the software code, just represented in a different way. This is no surprise, since the main aim of such models is to provide a complete specification of the design that can be translated into working code. This was also the goal of the Object Management Group’s Model-Driven Architecture, which envisaged a sequence of transformations from high-level to detailed models and eventually generating software code.

In practice, however, this turned out to be rather cumbersome. What is the value of a detailed UML class diagram if the code itself contains exactly the same details? Of course, there are software tools that can (more or less) keep these in sync, but the issue remains that these models often do not add much to the knowledge you can gain from looking at the code itself. Moreover, specifying the behavior of software in a model turns out to be at least as much work as simply writing the algorithm in code. There are some specialized use cases that analyze models, for example for formal verification, but most developers that I meet (including my software development colleagues at BiZZdesign) rarely create detailed UML models anymore. Sketches on whiteboards are the main way to start and discuss a design, and then it quickly moves into code. So detailed models of software are often not very useful in agile.

A different direction is taken by low-code platforms. These facilitate rapid application development by a combination of simple models and visual, drag-and-drop development on top of a smart platform, often without any coding involved. Again, no detailed models of software design are created here but models are key, for example using BPMN to specify the application’s behavior. The focus is still on the application itself though, and not the broader architecture around it.

[Figure: Strategy-on-a-Page, Providing Context for Change Architecture]

Architecture models for business agility

To understand this broader context mentioned above, architecture models are extremely useful, and I would argue even more so in a fast-moving agile organization. I see three key issues standing in the way of true business agility:

  1. Ensuring that the people involved have a shared understanding of the direction of the enterprise and work together to achieve their goals. The faster you want to change, the more important this becomes. In a slow-moving organization, there may be time for the ‘stragglers’ to catch up and for the rest of the organization to compensate, but when time is of the essence you cannot afford misunderstandings about goals and direction.
  2. Understanding the (side-)effects of changes to avoid nasty surprises. All too often, I have seen mishaps when some system was changed or replaced because a connection to another system wasn’t known or documented sufficiently. In a fast-changing and highly automated world, you don’t want these kinds of failures and roll-backs, as well as all the delays they cause.
  3. Balancing short- and long-term changes and making considered decisions about these. This is where a narrow focus on agile software development instead of true business agility is most harmful. Yes, software can be changed more easily than physical infrastructure, but a major redesign necessitated by a lack of understanding of context and constraints is still costly and time-consuming. Worst case, if you don’t consider this broader context sufficiently, you may paint yourself into a corner without enough time to escape before some competitor beats you in the marketplace.

These three issues are where architecture models have much to contribute to business agility. Whereas software models capture all the details needed to create code, architecture models focus on communicating the essence of context, direction and intention of the enterprise, and on the coherence between its various bits and pieces. Understanding these connections is crucial in fostering business agility. Using such models, you can for example:

  • analyze the contribution of change initiatives to the enterprise’s strategic goals and prioritize investments accordingly
  • understand possible business benefits of technology innovation
  • optimize your customers’ experience by having a 360-degree view of their customer journey and what affects it
  • define an architectural backbone or ‘runway’ that speeds up future developments and ensures long-term agility
  • ensure that agile teams are aware of the dependencies between their work
  • analyze where Personally Identifiable Information (PII) is used to ensure regulatory compliance
  • address the business continuity impact of IT risks and define mitigating measures

And the list could go on and on. All of this would be impossible to do with just textual documents or sketches on whiteboards (let alone by just looking at software code).

Such models are explicitly not some big, up-front design created by a small team of experts in an ivory tower. Rather, they should be built and owned collectively by everyone involved in change in the enterprise. Different roles contribute their parts and can see how these are connected to the bits of others. This shared understanding then greatly facilitates the agility and speed any adaptive enterprise needs. And as I mentioned in my previous blog referred to above, ArchiMate, with its lean and mean nature focusing on the bare essentials, is ideally suited for use in an agile environment.

Of course, you’ll need a solid platform for this shared space. If you want to know how our HoriZZon product supports this, you can watch our webinar or request a demo.

5 Questions CEOs Should Ask Themselves in 2020 – Part 1 https://bizzdesign.com/blog/5-questions-ceos-should-ask-themselves-in-2020-part-1/ Tue, 04 Feb 2020 11:00:19 +0000 https://bizzdesign.com/?post_type=blog&p=1817
5 Questions CEOs Should Ask Themselves in 2020 – Part 1

As we embark on this new journey that is the 2020s, CEOs ought to acknowledge the crossroads ahead of them, and the choice they need to make. As fast-moving as the last decade seemed, the next one will likely shatter that perception. Whatever discoveries and advances were made in the last ten years or so, they’re now bound to hit mainstream adoption. That means an even lower barrier to entry, higher consumer expectations, as well as new niches opening up and being filled by newcomers. What’s also important to mention here is the ‘winner-takes-all’ effect that we’ll see augmented in many markets. This means the need to be first (in order to become the fastest growing) will further intensify.

5 Questions for the CEO

Here are our 5 questions that CEOs need to ask (themselves, their executive team – everybody) in 2020:

1. What is our relationship with technology?

The first question focuses on an organization’s relationship with technology. That’s because as technology’s role in delivering value (in virtually all fields) increases, companies and their management teams need to acknowledge its importance and treat it as the core function that it is. Let’s take a look at some of the things that this question shines a spotlight on.

To begin with, IT needs to be recognized as a key business value creator within the organization. As such, it must have sufficient resources allocated in order to ensure it functions at a high level and delivers on the promised benefits. Second, what is the relationship between business and IT? Because if IT is not an integral part of the business, it’s hard to imagine everyone pulling in the same direction, avoiding waste and possible conflicts of interest along the way. Third, technology should be unifying the organization, not helping to develop silos. If something works really well in one area of the business, implement it in all areas, if possible.

Also, you need to identify to what degree the IT function can facilitate (intra- and interdepartmental) collaboration. In a highly collaborative environment, it should be straightforward to quickly find out someone’s ideas on a topic. Finally, when it comes to integrating tech into the fabric of a company, one of the most effective ways to do this is promoting people with a technical background into positions of responsibility. This ensures that during high-level meetings there is always a technology perspective that can balance out the narrative and indeed help to properly get the message across to other members, e.g. by leveraging personal relationships.

2. How agile are we as an organization?

Agility in a dynamic marketplace is an important predictor of success, as this suggests a high level of adaptability. Here is Marc Lankhorst on the topic – there is a wealth of information in that talk. And if you’re after a shorter version, this is a good introduction. Agility is not just about software development: “doing Scrum” doesn’t necessarily make you agile as an enterprise. If you’re pouring concrete in an agile way, the end result still won’t be very flexible. Rather, agility has multiple aspects – process agility, business agility, system agility – and it’s easy to dismiss or downplay its role in ensuring the organization performs well. This is particularly the case in ‘freeze frame’ scenarios where a company may (seem to) be doing OK at a specific moment in time.

However, when analyzed across a longer arc of time, problems start cropping up and the deviation from optimal performance grows significantly. This is analogous to a broken clock showing the correct time twice a day. Basically, just because you may be among the best at delivering a certain service in the present, doesn’t mean you should stop trying to come up with a new service/product altogether, or making investments that promote your ability to easily course correct. Here is a short clip of Jeff Bezos addressing this in 2018:

So how can the CEO address this? First, understand your relationship with agility – does it play an important role in your business at the moment? For instance, has the management team given agility any thought, invested any resources, hired any people that are conducive to the organization being able to quickly and effectively undergo change? If you’re thinking “Such as…?”, well ask yourself whether you’ve created any team whose goal is to future-proof the company; or started a strategic partnership with another institution; or streamlined and decoupled the IT stack.

Such actions as mentioned above have the potential to bring substantial benefits. And if the answer is no – well, there’s your starting point. Undergoing change in an efficient manner can yield great results. For example, replacing part of the IT landscape in a fast and secure manner; identifying key market trends and leveraging them before the competition; steering clear of regulatory problems through wise tech investments. But this all starts by recognizing the strategic importance of agility.

Then, start addressing things like agile working methods and creating flexible results. Confront tech leaders in the organization and get a good grasp on whether your IT function is at the forefront of change or lagging behind the business. And if indeed it’s constantly playing catch up with the rest of the business, what are the reasons for this – is superior staffing required, is it to do with legacy systems? After all, what this effectively means is your company itself is (or undoubtedly will be) playing catch up with the market. When you have a good understanding of your level of agility you can start formulating a solution.

Thanks for making it to the end. This is it for Part 1 of the ‘5 Questions CEOs Should Ask Themselves in 2020’ series. Be sure to check out the second part next time, when we’ll address the remaining three questions!

Standards of Security for EA Vendors https://bizzdesign.com/blog/standards-of-security-for-ea-vendors/ Wed, 04 Dec 2019 11:00:00 +0000 https://bizzdesign.com/?post_type=blog&p=1829
Standards of Security for EA Vendors

We’ve spoken about security on this blog before. We addressed how you can build a better protected organization with the help of enterprise architecture, for instance, and also collated our thoughts on improving cybersecurity with EA in a whitepaper (have a read if you haven’t already). That’s because we are genuinely preoccupied with the topic and we make it our business to not only adhere to high security standards ourselves, but also create awareness within our industry around this important subject.

Today’s post is related to security from a slightly different angle. We mentioned in a previous blog post that security is one of the important capabilities of a solid architecture platform. We’d now like to explain what we meant by that and actually go into some specifics using ourselves as a case study.

Security certifications

Here at Bizzdesign we make security a priority, and as such we are an ISO 27001 certified company. This is a widely acknowledged standard that ensures we have implemented an Information Security Management System (ISMS), which is up to date and functions as it’s supposed to. The certification alone doesn’t mean that a vendor’s software or development process are secure, just that a documented ISMS with adequate rules and policies is in place.

More importantly, Bizzdesign is also ISAE 3402 SOC 2 compliant, which stands for Service Organization Control 2. This is a considerably more stringent – and as a result more difficult to obtain – security attestation. During the process of getting certified, an organization’s ISMS is scrutinized and its policies are evaluated to determine whether they are fit for purpose or not. What’s more, auditors determine on a regular basis if the rules have been followed as specified in the documentation or not, with the obvious consequence that a failure to do so would attract a disqualification.

We’re quite proud of this achievement. That’s because whereas most companies only receive a SOC 2 attestation for the Security and Availability criteria, BiZZdesign’s SOC 2 report also covers Confidentiality, which is arguably the most important item for enterprises looking for a cloud-hosted EA solution. Together, the ISO 27001 and SOC 2 attestations form a gold standard for information security but in case anyone is wondering, yes, we are also GDPR compliant.

A culture of information security

So that’s the ‘outside-in’ half of the story when it comes to our commitment to security, whereby we sought and indeed achieved best practice certifications as defined by the industry. Now, moving on to the other, ‘inside-out’ half, we’d like to focus on three things, the first of which is the concept of having a culture of information security. We believe Bizzdesign can speak with good authority when it comes to displaying an enterprise-wide preoccupation with this subject. For instance, there is a body within our organization called the Information Security Group, which manages the ISMS and, in our case, actually comprises all our C-level executives.

This means we aren’t relegating all security-related operations and tasks to some unfortunate team member in IT, we in fact have the company’s management team closely involved in the realities and decision making that pertain to the topic of information security. Again, we are genuinely preoccupied with this. Furthermore, we have a standard screening process for all new employees and in fact conduct extra screening steps before assigning people to roles that allow access to systems containing confidential data. All employees have their machines encrypted.

Secure software development

The second item we’d like to mention is our software development process. It’s staged, it assigns clear responsibilities, and revolves around a peer-review method. This makes it impossible for any one developer to insert malicious code into our product, especially when you consider that it includes extensive tests and static code analysis. Also, it’s noteworthy that we employ infrastructure-as-code for our hosting environments to eliminate manual interactions, with that code undergoing a peer review process as well. By the way, since we get asked this regularly, we want to make clear that as part of our practices we never use customer data to test our software.

Active and proactive security measures

Finally, the third item is that we power our SaaS offering via Amazon Web Services (AWS) using the most ironclad security features and running a wide range of active and proactive safeguarding methods. So, for example, we engage in activities such as regular penetration and disaster recovery tests. We implement access controls in order to effectively disseminate responsibility and eliminate single points of failure (e.g. the team managing the code cannot deploy it, ever). Additionally, we make our support team available to customers 24/7/365 for security issues as part of our standard SLA.

But what about the security and availability of the hosting servers you ask? AWS conforms to the same ISO 27001 and SOC 2 standards, and has several additional certifications relevant to their services such as ISO 27017 (security controls for cloud services). On top of that we perform encryption of data at rest and in transit, and carry out our deployments across multiple AWS data centers. In fact, we even make daily geo-redundant data backups and for the most stringent of industries we offer optional extra-secure connectivity options – get in touch if you want to learn more. As you can see, we take the security of our customers’ data seriously. All these procedures and precautions are aimed at catering to any security requirement a customer might have and give them the peace of mind that their information is always out of harm’s reach.

Conclusion

In conclusion, we expect it’s obvious by now that at Bizzdesign we prioritize security and treat it as an integral part of our offering. Apart from a brilliant enterprise architecture platform and associated EA-related services, we also bring other important elements to the table. In today’s blog post we addressed one of those elements – security. We hope this post gave you a better understanding of what it means to do business with a secure partner and what actively investing in safeguarding customers’ data looks like. Please keep this in mind next time you’re selecting business software, like an EA management platform.

EA and Security
https://bizzdesign.com/blog/ea-and-security/ (Wed, 31 Jul 2019)

How can Enterprise Architecture help your organization become more secure, reliable, and compliant?

This is a topic of great interest as organizations deal with increasingly more information about their customers while at the same time security threats are becoming more sophisticated. EA brings a broad scope to the table. Its integral and coherent view of the organization is key in developing a solid enterprise risk and security management strategy. To get more information on this subject, we talked to Marc Lankhorst, Managing Consultant and Chief Technology Evangelist here at BiZZdesign.

In his response he touches on questions such as:

  • What is the best way to spend your security budget?
  • How do you develop a solid Enterprise Security Strategy?
  • How does Enterprise Architecture benefit security architects and other associated roles?

Below you can listen to his thoughts on how EA and Security work together. Enjoy!

How to Mitigate Risk without Slowing Down Digital Transformation
https://bizzdesign.com/blog/how-to-mitigate-risk-without-slowing-down-digital-transformation/ (Wed, 15 May 2019)

Cybersecurity is one of the key issues the business world has to deal with, and its importance will only rise. As technology steadily evolves to take over increasingly more aspects of business (and personal) life, the need for security is being made pressingly apparent by incidents such as the breaches at Yahoo and Experian, or the WannaCry ransomware attack. Every year, a huge number of companies are hacked. Here are just some of the most famous cases to give you an idea. The result? Countless people worldwide are affected, with the cost of poor cybersecurity easily running into the millions.

All in on security?

When you consider all that, it would then only make sense for an organization to throw everything they’ve got at this problem. Right? Well, though it may sound non-intuitive, the answer is no. The fact is that a company’s ultimate goal is not to be an impenetrable digital fortress but to (deliver value to its customers in order to) stay in business.

This staying-in-business imperative is actually harder to realize than ever due to how quickly the playing field is changing these days – think technology advancements, changing regulation etc. As such, solely focusing on one aspect of business is a sure recipe for irrelevance. Innovation, service delivery level, customer satisfaction, regulatory compliance, corporate citizenship – these are just some of the other things an organization needs to be mindful of in order to be successful.

Therefore, we believe the best thing for a company that’s serious about its cybersecurity strategy is to operate in a high accuracy, high impact manner. This means acknowledging that blanket measures are doing just as much damage as good, through opportunity cost, user inconvenience, and downright waste. It’s not realistic to expect everything to be 100% secure. There’s a law of diminishing returns at play that ensures you can’t get there, not even if you had all the time and resources in the world at your disposal, which in any case you won’t. So, deliberate action expertly aimed at critical weaknesses is the most reasonable path – that’s why a high accuracy, high impact mindset is key.

Accurately targeting security vulnerabilities

Understand the context

To be able to operate ‘surgically’ you first need to have a clear image of the current capabilities. Our collaborative business design platform, HoriZZon, together with its modeling environment, Enterprise Studio, is perfectly equipped to assist with this. Using our suite, users can build accurate digital models of their business and technology landscapes, they can practice capability-based planning, and link the various capabilities to applications, infrastructure, or processes in order to develop an extensive understanding of their organization. As you can imagine, this enables a security-by-design approach because it allows for the embedding of an enterprise risk and security management process into the actual architecture and design processes of the enterprise.

Apart from the digital modeling capabilities that let you explore all aspects of the enterprise, the platform also helps to foster best practice adherence and security compliance. Horizzon supports a wide range of security standards and frameworks, and offers solid content governance features. Mainstream standards such as ISO/IEC 27001, NIST 800-53, CSA, Open FAIR, SABSA and others provide structure, guidance as well as appropriate metrics for users looking to build up a solid security and risk management practice. Indeed, they provide the perfect methodology for identifying, assessing, and prioritizing security objectives and operations. With best practices and a clear big-picture view of the enterprise (and its ecosystem), you are optimally positioned to start a security risk assessment.

Run a security assessment

Because perfect security is an unachievable goal, the emphasis at this point ought to fall on the most effective way of spending security funds. When analyzing risks, threats, opportunities or performance goals, a risk-based approach offers the structure needed to consistently connect and address overlapping concerns. Developing a risk-aware culture within the organization is a crucial component of a successful enterprise risk management program.

At Bizzdesign our approach to risk and security management combines several open standards. If you’d like to learn more, you can download our How to Improve Cyber Security with EA white paper, but for now suffice it to say that the main steps of this assessment stage are: Analyze vulnerabilities, Assess threats, and Calculate risk.

Our platform empowers security professionals to effectively plan, implement and mature enterprise risk management practices within their enterprise. We have even compiled a comprehensive list of vulnerabilities and threats that will prove useful during the analysis phase. A straightforward way of running a risk assessment is to use the formula Risk = Value x Probability, whereby a higher risk will require more effort to mitigate. At the end of this stage, you should have a good understanding of the risk landscape your enterprise faces. Here is an example of how we would go about such an analysis using Enterprise Studio, HoriZZon’s modeling environment.

The lower part of the model shows the infrastructure and the asset you want to protect (‘Encrypted payment record’). The upper part shows:

  • Two vulnerabilities (‘Insecure transmission channel’ and ‘Weak encryption of payment data’)
  • The threat agent (‘Cyber criminal’)
  • A threat event (‘Man-in-the-middle attack’)
  • A potential loss event resulting from this threat (‘Unauthorized payments’)
  • The resulting risk (‘Financial loss’)

Example of risk analysis

The traffic lights show various parameters, such as the asset value, vulnerability level and the resulting risk level. All these are connected, and our risk analysis algorithm calculates the results; for example, the risk level rises when you increase the asset value or the threat capability.

Develop and implement risk-mitigating measures

After the assessment stage outlined above, the next step is to come up with control measures and deploy them. With an unhindered view of where the weaknesses are, as well as what the consequences of a breach would be, the goal is to devise efficient measures. The structure we recommend is to first consider policies, followed by defining control objectives, then creating control measures, and finally implementing them. Leveraging the enterprise architecture and/or portfolio management output will come in handy again here, because security recommendations can be tied to actual vulnerable elements in the infrastructure layer, for example, or to vital business capabilities.

As part of this stage, you should calculate the cost of security measures and compare it with the risks they mitigate. Is that money well spent? Management is bound to take a report more seriously if it is explicit about the benefits it will deliver. One last recommendation is to relate to decision-makers on a personal level. For instance, you could point to the fact that there is a trend towards personal liability of responsible management in the event of a breach or non-compliant business practice. The EU’s General Data Protection Regulation is one such regulatory framework that is pushing the boundary and piling pressure on not just data processors but also data controllers, who formerly didn’t share any of the responsibility. By steering away from costly blanket measures and attacking the most pressing security issues with precision, an organization stands a better chance of not only safeguarding against threats but also thriving in the long run.
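To make the two preceding steps concrete (the Risk = Value x Probability analysis of the payment example, and comparing a control’s cost with the risk it removes), here is a small Python model. It is an added illustration, not Bizzdesign’s algorithm or anything from Enterprise Studio: the 1-5 scoring, the probability rule, the risk appetite of 100,000 and all monetary figures are constructed assumptions.

```python
# Toy risk-propagation model for the payment example in the post. Added
# illustration, not Bizzdesign's algorithm: the 1-5 scoring, the rule
# probability = worst vulnerability level x threat capability / 25 and the
# traffic-light thresholds are assumptions that mirror the post's behaviour.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Vulnerability:
    name: str
    level: int  # 1 (hard to exploit) .. 5 (trivial to exploit)

@dataclass(frozen=True)
class ThreatAgent:
    name: str
    capability: int  # 1 .. 5

@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # loss if the loss event occurs (constructed figure)

@dataclass(frozen=True)
class Scenario:
    asset: Asset
    vulnerabilities: tuple  # of Vulnerability
    agent: ThreatAgent
    threat_event: str
    loss_event: str
    risk_name: str

    def probability(self) -> float:
        # The most exploitable vulnerability drives likelihood; the agent's
        # capability scales it. Both factors are 1..5, hence the 25.
        worst = max(v.level for v in self.vulnerabilities)
        return worst * self.agent.capability / 25.0

    def risk(self) -> float:
        """Risk = Value x Probability, the formula the post uses."""
        return self.asset.value * self.probability()

def traffic_light(risk: float, appetite: float) -> str:
    """Green/amber/red indicator relative to the organization's risk appetite."""
    if risk <= appetite / 2:
        return "green"
    return "amber" if risk <= appetite else "red"

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    target: str  # name of the vulnerability it addresses
    residual_level: int  # vulnerability level once the control is in place

def apply_control(scenario: Scenario, control: Control) -> Scenario:
    """Return a new scenario in which the targeted vulnerability is reduced."""
    vulns = tuple(
        replace(v, level=min(v.level, control.residual_level))
        if v.name == control.target else v
        for v in scenario.vulnerabilities
    )
    return replace(scenario, vulnerabilities=vulns)

def evaluate_control(scenario: Scenario, control: Control) -> dict:
    """Is the money well spent? Compare the control's cost with the risk it removes."""
    before, after = scenario.risk(), apply_control(scenario, control).risk()
    return {"control": control.name, "risk_before": before, "risk_after": after,
            "annual_cost": control.annual_cost,
            "worthwhile": before - after > control.annual_cost}

# Constructed instance of the model the post describes (all figures made up).
PAYMENT_SCENARIO = Scenario(
    asset=Asset("Encrypted payment record", value=500_000.0),
    vulnerabilities=(Vulnerability("Insecure transmission channel", level=4),
                     Vulnerability("Weak encryption of payment data", level=3)),
    agent=ThreatAgent("Cyber criminal", capability=4),
    threat_event="Man-in-the-middle attack",
    loss_event="Unauthorized payments",
    risk_name="Financial loss",
)
TLS_CONTROL = Control("Enforce TLS on the transmission channel", 20_000.0,
                      target="Insecure transmission channel", residual_level=1)
ENCRYPTION_CONTROL = Control("Upgrade payment-data encryption", 35_000.0,
                             target="Weak encryption of payment data", residual_level=1)

if __name__ == "__main__":
    risk = PAYMENT_SCENARIO.risk()
    print(f"{PAYMENT_SCENARIO.risk_name}: {risk:,.0f} -> {traffic_light(risk, 100_000)}")
    for control in (TLS_CONTROL, ENCRYPTION_CONTROL):
        print(evaluate_control(PAYMENT_SCENARIO, control))
```

Evaluated on its own, the encryption upgrade removes no risk while the channel is still insecure, because the most exploitable vulnerability drives the likelihood; applied after the TLS control it brings the residual risk down to amber. That ordering effect is the model’s way of showing why precisely targeted measures beat blanket ones.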

Conclusion

With companies finding themselves in possession of increasingly more of their customers’ data, and malicious actors doubling up their efforts, cybersecurity is more relevant than ever. Given these circumstances, it’s easy for companies to take an all-out defensive stance and ‘draw the bridge’ on innovation as well as the rest of the elements that contribute towards lasting success. However, this would be a strategic misstep.

That’s because with increased control and prudence you also lower flexibility and agility, which diminishes a business’ overall competitiveness in an era that rewards the ability to adapt quickly. The solution, we believe, is to develop a clear understanding of the enterprise’s risk profile and then develop and deploy mitigating controls in areas that are most at risk. Being able to digitally actualize the enterprise and then run risk assessments on top of real-time models affords great opportunities for improvement.

To learn more about cybersecurity and how enterprise architecture can play a role in creating a solid cybersecurity strategy please download our How to Improve Cyber Security with EA white paper.

Building a Digital Twin of Your Organization
https://bizzdesign.com/blog/building-a-digital-twin-of-your-organization/ (Mon, 15 Apr 2019)

In previous blogs, we have written about the combination of structure and data to create novel insights into your enterprise, and about how this can support creating a Digital Twin of your Organization. To reiterate, a digital twin is a digital representation of a real-world entity or system.

Such a model enables all kinds of advanced analytics, for example for:

  • Predictive maintenance
  • Resource optimization
  • Flow control
  • Product development

Digital twins are used in all kinds of settings in the physical world, for example:

  • Aircraft engines, trucks, locomotives, cars: For example, Tesla has a digital twin for each car they build, and if a driver has a rattle in a door, it can be fixed by downloading software that tweaks the hydraulics of that particular door [Source].
  • Wind turbines, oil rigs, power plants, smart factories, Industry 4.0
  • Smart buildings, smart homes
  • Personalized patient models in healthcare

And Internet of Things technology will enable many more use cases. A Digital Twin of your Organization (DTO) is exactly the same, a digital model that shows how your enterprise is constructed, operates and evolves. Now this idea is not exactly new, even though the term was coined by Gartner only recently. The enterprise models we at Bizzdesign have been supporting in our products for many years are of course such digital representations of your organization!

There are some new developments, however. In the past, such models were designed and maintained separately from the business-in-operation. Nowadays, we can integrate live operational data into our models, from many different sources. As argued in the first blog mentioned at the top, this offers a whole range of new possibilities.

Creating a Digital Twin of your Organization

But how do you go about building such a digital twin? We use a five-step iterative process, shown below.

Figure 1. DTO Creation Process

1. Model your enterprise

The first step in creating a DTO is of course to use formalized models of your:

  • Strategic direction and business models
  • Current and desired assets & capabilities
  • Organization & processes
  • IT & other technology that supports your operations
  • Change initiatives that evolve and transform your enterprise

In many different blog posts and whitepapers, we have explained these kinds of models, so we will not elaborate on those here. One important thing to note, however, is that increasingly, you can use automation to speed up modeling the current state of your enterprise. For example, you can import information from workflow tools, process mining, CMDBs, et cetera, and generate models instead of building them manually.

Of course, the expertise of architects and other designers is still essential in creating the necessary abstractions that help you see the forest for the trees: deciding what to abstract from, where to generalize and which details are irrelevant is not something we can easily automate. Moreover, designing the future of your enterprise cannot be automated either.

A DTO is not based on one monolithic, all-encompassing model-of-everything. Rather, different aspects are captured in different models, maintained by different (but collaborating) communities and disciplines. And all these various models are interconnected to form a coherent backbone that offers a line of sight between the strategic direction, operations, and change of the enterprise.

2. Add data to your enterprise models

The second step in creating a DTO is to add relevant operational data from the live enterprise to your integrated models. This can include, for example:

  • Data on your product portfolio (market share, revenue etc.)
  • Customer experience data (e.g. user satisfaction, net promoter score)
  • Performance data (process throughput, productivity, availability, etc.)
  • Cost of resources (e.g. personnel, licenses, maintenance, infrastructure)
  • Technology lifecycle (business & technical value, end-of-life, etc.)
  • Project performance (time, budget, value created, etc.)

Of course, these are just some examples, and the specifics of your own enterprise will determine what kinds of data are available and useful. There may be some battles to fight within your organization to gain access to certain data sources, but that is beyond the scope of this blog.

More importantly, data quality is key: garbage in, garbage out. So before adding any data to your model, you should evaluate that data according to common quality attributes, such as:

  • Accuracy: Does the data correctly represent the world it describes?
  • Precision: What is the level of detail of the data?
  • Completeness: Is the data available for relevant parts of your model?
  • Currency: Is the data current with the world it describes?
  • Timeliness: Is the data available on time?
  • Consistency: Is the data consistent with other data sets?
  • Lineage: Do you know where the data comes from (e.g. a trusted source)?

You can aggregate and integrate the data you added in many different ways. The picture below, for example, shows a cost calculation model for applications, where the different cost drivers are added up according to volume, resource usage et cetera. The aggregated cost per application can in turn be distributed to, for example, the business units of the organization based on the intensity of their use in the various business processes.

Figure 2. Cost model

Our Horizzon platform offers excellent data integration capabilities. You can import information from all kinds of sources, ranging from Excel files and SQL databases to sources such as ServiceNow, Technopedia, and many more. The underlying high-performance streaming platform provides the foundation for integrating real-time and high-volume data.

3. Visualize and analyze your enterprise

Once you have enriched your models with relevant data, you can use this to perform various kinds of analyses. Think of aspects such as:

  • Business model scenarios
  • Financial parameters, cost allocation, investment priorities
  • Product portfolio performance, market share, revenue
  • Capability maturity and growth
  • Business continuity, dependencies, risks
  • Customer experience and satisfaction
  • Process performance, bottlenecks, failure rates, utilization
  • Security & compliance, data usage, vulnerabilities
  • Application portfolio, IT lifecycle

And this is just a small set. Our whitepaper on analysis techniques may be an inspiration here.

To convey the right message and create a solid understanding of your enterprise, suitable visualizations are also key. This may range from simple tables and lists via ‘classical’ models in languages like ArchiMate and BPMN, to colorful heatmaps, charts, and interactive dashboards.

Below you see a landscape map in which the applications supporting certain business capabilities (the vertical axis) for certain information domains (the horizontal axis) are plotted, colored according to their lifecycle advice: blue = tolerate, green = invest, yellow = migrate, red = eliminate. This advice is based on a typical ‘TIME’ application portfolio analysis, based on different business value and technical value metrics of these applications (see our Application Portfolio Management e-book for more on this). That data, in turn, comes from a number of external sources, ranging from user surveys to call logs from the service management department, and from automated code analysis to vendor data from a source like Technopedia.

Figure 3. Application landscape map with lifecycle advice

As you can see, this figure integrates a lot of useful information in one diagram, giving you an overview of the potential impact of, say, replacing an application on the business capabilities supported and the data domains involved.

In the next figure you see another example, an interactive dashboard in HoriZZon. You can select an element (say the very high-risk applications) and the rest of the dashboard adapts and filters to only show those applications in all charts. This way, you can drill down into the salient issues of your enterprise and support decision-making.

Figure 4. Interactive dashboard in HoriZZon

Our whitepaper on enterprise views to improve strategy execution shows some examples of views that may support a management audience, the key stakeholders of the next step.

4. Control and change your enterprise

This is where the rubber meets the road. Based on the analyses and visualizations from the previous steps, decision makers at all levels of the organization can use the information to direct, control and change the enterprise. This may range from simple parameter optimizations in a production process by domain experts on the ‘shop floor’ to major business transformations initiated by C-level management. Since all the information is connected in a coherent model space, any change can be evaluated up-front as part of a holistic picture. Vice versa, changes in relevant data from the outside world can be fed into the Digital Twin in order to assess their impact on the enterprise.

Key in changing your enterprise is analyzing the impact of changes and planning those changes in a smart way. We do not advocate a ‘big up-front design’ approach, with huge, rigid multi-year transformation plans. Rather, in an increasingly volatile business world you need to use an interactive approach where your plans are updated regularly to match changing circumstances, typically in an agile manner. The figure below shows a simple example of dependencies between a series of changes, depicted with the pink boxes. A delay in ‘P428’ causes problems in the schedule, since ‘P472’ depends on it. Moreover, since the two changes overlap in scope (shown in the right-hand table), they could potentially be in each other’s way when they also overlap in time. This information is calculated from the combination of project schedule and architecture information, a clear example of the value of integrating this kind of structure and data in a Digital Twin.

Figure 5. Dependencies between changes

This is of course just one example of managing change in your enterprise. In other publications, we have shown many more of these kinds of analyses. Or just get in touch with us for a demonstration if you want to see more.

5. Improve your models

Finally, you have to close the loop. As George Box famously said: “All models are wrong but some are useful.” Your model is never a complete picture of reality, but you should keep improving it. First of all, you should check the quality of your models: Are they technically sound? Are they consistent? Are they understood? Second, you need to make sure that your models don’t deviate from reality too much. Do they still represent the real world accurately enough? What has changed out there? Do you need to recalibrate?

Moreover, you can enhance your models by adding more data sources. Building a DTO is not a one-shot exercise; it is a journey, not a destination. You gradually add more and more information, fine-tuning and enriching your model over time. Finally, to improve the quality of your models, you need to make sure that this feedback loop is fast enough. That way you can prevent your models from becoming outdated.
