Monthly Archives: November 2011

What does developing an IT Strategy mean?

By Serge Thorn, Architecting the Enterprise

I have observed many situations where a c-level person was supposed to document an IT Strategy in a short period of time, in order to prepare the following year’s annual budget. Very often, they lack much supporting documented business information in order to achieve this task. The result is a weak strategy, sometimes ignored by the user’s community, the key stakeholders.

A weak IT strategy can be costly and wasteful, especially for resource-constrained organizations that operate with minimal budget, tools, knowledge and people.  It also implies that organizations cannot respond to changing business requirements rapidly enough. The absence of strategic anticipation causes organizations to be inefficiently reactive, forcing them to work in a constant state of catch-up.

An IT Strategy should answer the following questions:

  • Are we doing the right things with technology to address the organization’s most important business priorities and continuously deliver value to the clients?
  • Are we making the right technology investments?
  • Do we measure what is the real value to the organization derived from that technology?
  • Is our current Information Technology agile enough; flexible to continuously support a successful organization?
  • Is our Information Technology environment properly managed, maintained, secured, able to support the clients, and is it cost effective?
  • Can our strategy support current and future business needs?

Quite often the first thing we should consider when writing such a document is the targeted audience and its content. Different people with varying roles and responsibilites may read an IT Strategy within a company, so the document may need to serve several different purposes.  It is not easy to pitch a strategy to different levels in the hierarchy within an organization, and at the appropriate level of detail. Sometimes it is too detailed and does not always match the stakeholder’s needs.

An IT Strategy is an iterative process to align IT capabilities with the business strategy and requirements:

  • It is a documented and approved process (part of the organization’s governance framework)
  • It is iterative (it needs to be frequently be revisited). Traditionally, IT strategies are updated and communicated on an annual basis, usually to meet budget cycles. This should be considered the minimum review period. If an emerging technology surfaces that has the potential to enhance the business, it should be investigated and communicated to the business as soon as possible. A one-year cycle may  be too late.
  • It  is a strong alignment of business and IT capabilities rather than designing IT solutions to support business requirements
    • Assuming  that both business and IT capabilities drive each other
    • Assuming that business drives IT and not the other way around
  • The IT Strategy sets future direction for IT function in the organization
    • Ensuring that the IT budget is spent on value creation activities for the business
    • Creating shareholder value
    • Helping to maximize the return on IT investments
  • The IT Strategy may include sub-elements such as:
    • Infrastructure strategy
    • Application strategy
    • Integration strategy
    • Service strategy
    • Sourcing strategy
    • Innovation strategy

This pyramid diagram can be used to illustrate the IT strategy and vision, and how the technology and business strategies are totally aligned. At the top of the pyramid is the enterprise overarching vision. Aligned below that is how IT supports the vision by becoming a premier IT organization in creating competitive advantage for the clients. The IT vision is in turn supported by three pillars: integration, improvement, and innovation.

To deliver this, the business strategy should clearly be articulated and documented taking into account some IT aspects. There are different ways of gathering these business inputs.

The first approach is a very classical one where you develop a questionnaire in business terms which asks each business unit to identify their future requirements for infrastructure growth, taking into account capacity and availability requirements. This extracts the data you need for business driven strategy.

This questionnaire may include some of the following examples of questions:

  1. What are your top 5 business “pain” points? These are things that you wish you had a solution for
  2. What are your top 5 business objectives? These can be short term or long term, can be driven by revenue, cost, time, time to market, competitive advantage, risk or various other reasons
  3. How do you plan to achieve these objectives?
  4. What will we gain by leveraging IT Capabilities across the business?
  5. What is in the way of achieving your business imperatives?
  6. Can IT help achieve your business imperatives?
  7. How much do you spend on IT capabilities?
  8. What is your technology ROI?
  9. Does your company have a plan for technology?
  10. Does your business plan include a technology plan?
  11. Where is IT being used across your business unit?

The second approach would be the use of Enterprise Architecture that I will explain later on.

With this input you may now start to consider the structure of your document. It may look similar to this example below:

An executive summary

  • An introduction
    • The purpose
    • The background
    • The Business drivers
    • The Organizational drivers
    • The IT drivers
  • The Business and IT aspects
    • The Business Goals and Objectives
    • The IT approaches and principles
  • The IT components
    • Business application systems
    • IT infrastructure
    • Security and IT Service continuity
  • Structure, organization and management
    • IT Governance
    • Skills, knowledge and education
    • IT Financial management
    • KPIS, measurement and metrics, balance scorecards
  • Technologies opportunities
  • Key issues

And this is where Enterprise Architecture may have to play an important and even crucial role. Some companies I have encountered have an Enterprise Architecture team, and in parallel, somebody called an IT Strategist. Frequently the connection is non-existing or quite weak.  Other organizations may also have a Strategic Planning unit, again without any connection with the Enterprise Architecture team.

An Enterprise Architecture must play the important role of assessing; existing IT assets, architecture standards and the desired business strategy to create a unified enterprise-wide environment – where the core hardware and software systems are standardised and integrated across the entire organisation’s business processes, to greatly enhance competitive advantage and innovation. The IT Strategy details the technologies, application and the data foundation needed to deliver the goals of the corporate strategy, while Enterprise Architecture is the bridge between strategy and execution; providing the organising logic to ensure the integration and standardisation of key processes that drive greater agility, higher profitability, faster time to market, lower IT costs, improved access to shared customer data and lower risk of mission-critical systems failures.

As a real example, TOGAF 9 is perfect way to produce that IT Strategy document during the Phase F: Migration Planning.

Below you will find the relationship between some phases of the ADM and the structure of the above document. It needs to be said that we should probably use a Strategic architecture level to deliver a first version of the document, which then could be reviewed with Segment or Capability architectures.

Content Examples Enterprise Architecture and TOGAF
An executive summary
An introduction (This document must be business oriented)
Content Examples Enterprise Architecture and TOGAF
The purpose Key elements of the scope, audience, time horizon The Preliminary phase is about defining ‘‘where, what, why, who, and how” Enterprise Architecture will be done and will provide all information. It also creates the conditions and context for an Architecture Capability
The background Business problems, constraints (financial, resources, IT, legal, etc.) This is covered by the Phase A: Architecture Vision. An Architecture Visionsets stage for each iteration of ADM cycle.-Provides high-level, aspirational view of target the sponsor uses to describe how business goals are met and stakeholder concerns are addressed
-Provides an executive summary version of full Architecture
-Drives consensus on desired outcomeThe Business Scenarios is used to discover and document business requirements, identify constraints, etc.
The Business drivers Market conditions, competition, consumer trends, new customers, products sales, costs savings, incremental services revenues, drivers related to the IT function In the Phase A: Architecture Vision, we:Identify business goals and strategic drivers-Ensure that descriptions used are current-Clarify any areas of ambiguityDefine constraints-Enterprise-wide constraints

-Architecture project-specific constraints

The Organizational drivers Profitability, financial performance, change in strategic objectives, end of the product development life cycle, mergers and acquisitions, staffs, risks
The IT drivers New or obsolete technologies, updates Considering that IT is part of the Business, these drivers should also be considered in that phase
The Business and IT aspects
The Business Goals and Objectives Market growth, entering new markets, addressing manufacturing capacities In the Phase A: Architecture Vision, we:Identify business goals and strategic drivers
-Ensure that descriptions used are current
-Clarify any areas of ambiguity
-Define constraints
-Enterprise-wide constraints
-Architecture project-specific constraints
The IT approaches and principles IT standards, development, implementation, delivery, testing, consolidation, maturity, best practices Standards should be documented in the SIB (Standard Information Base)When we define the Architecture Governance Framework during the Preliminary Phase, we identy the various touch points with existing other frameworks in the organization
IT principles should have already have been defined by the IT department
The IT components
Business application systems Baseline (main applications: ERP, CRM, customers facing systems). Future plans, concerns, time period, priorities) This will be addressed by Phase C: Information Systems based on the Statement of Architecture Work, output from the Phase A
IT infrastructure Baseline (servers, network , middleware, technical services) This will be addressed by Phase D: Technology Architecture based on the Statement of Architecture Work, output from the Phase A
Security and IT Service continuity Issues, challenges, opportunities related to security, security principles, controls Security concerns are addressed during all phases of the ADM
Structure, organization and management
IT Governance Best practices, frameworks, management and monitoring, resource management, portfolio management, vendors management, IT service management, project management, etc. IT Governance will be considered when the Architecture Governance Framework is defined. There will obviously be touch points between the ADM and some other best practices used by the organization. IT Governance is defined outside of the Enterprise Architecture programme
Skills, knowledge and education Skills, knowledge and education Enterprise Architecture skills will have to be addressed by the Architecture Capability Framework. Other skills may also be identified independently of the Enterprise Architecture programme
IT Financial management IT budget, costs structures, measurement and metrics, targets, areas needing investments, etc. This is addressed is outside of the Enterprise Architecture programme
KPIS, measurement and metrics, balance scorecards IT performance measurements on SMART objectives ((Specific, Measurable, Achievable, Realistic, & Time bound) Every governance frameworks may have its own KPIs. Enterprise Architecture KPIs may be added to that list.
Technologies opportunities Emerging technologies, business related benefits This can be done in parallel of the Enterprise Architecture programme
Key issues and initiatives Summary or link to the IT Project portfolio This can be done in parallel of the Enterprise Architecture programme
Color legend
Direct relationship with Enterprise Architecture
Indirect relationship with Enterprise Architecture
Produced somewhere else

The next step would be the review of the IT Strategy document by the main stakeholders who would accept or reject technology opportunities. This could also be used as an important source of information for the Strategic Planning exercise (please refer to another article for additional information:  “How Strategic Planning relates to Enterprise Architecture?“).

Once the IT Strategy has been reviewed, amended and authorised (which should in reality already be approved, as it is the result of various ADM cycles and the output of Phase F: Migration planning), the multi-disciplinary programme team for the implementation during Phase G: Implementation Governance, will deliver the solutions to the business.

As already mentioned previously, the outline strategies will be refined and expanded with a low level of detail when addressing Segment and Capability architectures. This is the part that meets the first challenge described above, where we need different levels of detail for different stakeholders. The documents should be hierarchical, with the ability to drill down to lower levels as more detail is required.

One of the main reasons for developing an Enterprise Architecture with TOGAF 9 is to support the business by providing the fundamental technology and process structure for an IT Strategy.  Enterprise Architecture is the superset that represents both Business and IT Strategy; this is reflected in Enterprise Architecture’s basic structure of strategy, business architecture and technology/information architecture. One can certainly do an IT Strategy without Enterprise Architecture, but Enterprise Architecture cannot be done without an IT Strategy; the same would apply to business strategy/business architecture.

Serge Thorn is CIO of Architecting the Enterprise.  He has worked in the IT Industry for over 25 years, in a variety of roles, which include; Development and Systems Design, Project Management, Business Analysis, IT Operations, IT Management, IT Strategy, Research and Innovation, IT Governance, Architecture and Service Management (ITIL). He has more than 20 years of experience in Banking and Finance and 5 years of experience in the Pharmaceuticals industry. Among various roles, he has been responsible for the Architecture team in an international bank, where he gained wide experience in the deployment and management of information systems in Private Banking, Wealth Management, and also in IT architecture domains such as the Internet, dealing rooms, inter-banking networks, and Middle and Back-office. He then took charge of IT Research and Innovation (a function which consisted of motivating, encouraging creativity, and innovation in the IT Units), with a mission to help to deploy a TOGAF based Enterprise Architecture, taking into account the company IT Governance Framework. He also chaired the Enterprise Architecture Governance worldwide program, integrating the IT Innovation initiative in order to identify new business capabilities that were creating and sustaining competitive advantage for his organization. Serge has been a regular speaker at various conferences, including those by The Open Group. His topics have included, “IT Service Management and Enterprise Architecture”, “IT Governance”, “SOA and Service Management”, and “Innovation”. Serge has also written several articles and whitepapers for different magazines (Pharma Asia, Open Source Magazine). He is the Chairman of the itSMF (IT Service Management forum) Swiss chapter and is based in Geneva, Switzerland.

3 Comments

Filed under Enterprise Architecture, Semantic Interoperability, TOGAF®

Taking Decisions In The Face Of Uncertainty (Responsible Moments)

By Stuart Boardman, KPN

Ruth Malan recently tweeted a link to a piece by Alistair Cockburn about the Last Responsible Moment concept (LRM) in Lean Software Development. I’ve been out of software development for a while now but I could guess what that might mean in an “agile” context and wondered how it might apply to problems I’ve been considering recently in Enterprise Architecture. Anyway, Alistair Cockburn is an interesting writer who would be deservedly famous even if he’d never done anything after writing the most practical and insightful book ever written about use cases. So I read on. The basic idea of the LRM is that in order to deal with uncertainty you avoid taking deterministic decisions until just before it would become irresponsible (for cost or delivery reasons) not to take them. Or to put it another way, don’t take decisions you don’t yet need to take if the result will be to constrain your options but do be ready to take them when it’s dangerous to wait longer.

Alistair’s not a big fan of LRM. He makes the following statement: “If you keep all decisions open until the hypothetical LRM, then your brain will be completely cluttered with open decisions and you won’t be able to keep track of them all.” Later in the discussion, he modifies this a bit but it certainly struck a chord with me. I’ve argued recently in this column that the degree of uncertainty (I called this entropy) in which enterprise architects have to operate is only increasing and that this in turn is due to three factors: the increasing rate of change happening in or affecting the enterprise; the increasing complexity of the environment in which the enterprise exists; and the decreasing extent to which any one enterprise can control that environment. This in turn increases the level of complexity in decision making. I’ll come back to these factors later but if you give me the benefit of the doubt for the moment, you can see that there’s actually a pretty good argument for taking any decision you can reasonably take (i.e. one which does not unjustifiably constrain everything else), as early as you can – in order to minimize complexity as you go along.

This is not (repeat not) a dogma. If it’s totally unclear what decision you should take, you’d probably be better off waiting for more information – and a last responsible moment will undoubtedly arrive.

So assuming you gave me the benefit of the doubt, you might now reasonably be thinking that this is theoretically all very well but how can we actually put it into practice. To do that we need first to look at the three sources of complexity I mentioned:

  • That the rate of change is increasing is pretty much a truism. Some change is due to market forces such as competition, availability/desirability of new capabilities, withdrawal of existing capabilities or changes in the business models of partners and suppliers. Some change is due to regulation (or deregulation) or to indirect factors such as changing demographics. Factors such as social media and Cloud are perhaps more optional but are certainly disruptive – and themselves constantly in change.
  • The increase in complexity of the environment is largely due to the increase in the number of partners and to more or less formal value networks (extended enterprise), to an increased number of delivery channels and to lack of standardization at both the supply and delivery ends.
  • The decrease in control (or more accurately in exclusive and total control) arises from all forms of shared services, which the enterprise one way or another makes use of. This can be Cloud (in which case we talk about multi-tenancy), social media (in which case we talk about anarchy) but equally well the extended enterprise network where not merely do our partners and suppliers have other customers but they also have their own partners and suppliers who have other customers. A consequence of most of this is that you can’t expect to be consulted before change decisions are made.

At best you will be notified well enough in advance of it happening. So you need to take that into account in what you implement.

Each of these factors may affect what the organization is – its core values, its key value propositions, its strategy. They may also affect how it carries out its business – its key activities and processes, its partners and even its customers. And they can affect how those activities and processes are implemented, which by the way can in turn drive change at the strategic level – it’s not just one way traffic – but this is a subject worthy of its own blog.

The point is that, if we want to be able to deal with this, to make sensible decisions in a non-deterministic environment, we would do well to address them where they first manifest themselves in order to avoid a geometric expansion of complexity further on. I’m inclined to think this is primarily in the business architecture (assuming we all accept that business architecture is not just a collection of process models). Almost all of the factors are encountered first here and subsequently reflected possibly in strategy and nearly always on the implementation side. If we make the reasonable assumption that the implementation side will encounter its own complexities, we can at least keep that manageable by not passing on all the possible options from the business architecture.

I said almost all factors are encountered first in the business architecture. The most obvious exceptions I can think of are the Infrastructure as a Service and Platform as a Service variants on Cloud. There’s a good case to be made that the effects of these are primarily felt within IT (strategy and implementation). But wherever we start, the principle doesn’t change – start the analysis at the first point of impact.

The next thing we need to do is look for ways to a) reduce the level of entropy in the part of the system we start with and b) understand how to make decisions that don’t create unnecessary lock in.  There’s not enough space in a blog to go into this in detail but it’s worth mentioning some new and some established techniques.

My attention has recently been drawn (by Verna Allee and others) to the study of networks of things, organizations and people. This in turn makes a lot of use of visualizations. These enable us to “see” the level of entropy around the particular element we’re focusing on – without the penalty of losing sight of the big picture. An example that I found useful is by Eric Berlow.  Another concept in this area involves identifying what are referred to as communities (because the idea came out of the study of social networks – clusters of related elements, which are only loosely coupled to other communities. These techniques allow us to reduce the scope (and therefore complexity) of the problem we’re trying to solve at any one time without falling into the trap of assuming it’s entirely self- contained.

A few blogs ago I mentioned an idea of Robert Phipps’s, where he visualizes the various forces within an organization as vectors. Each vector represents some factor driving (or even constraining) change. Those can be formal or informal organizational groupings (people), stakeholders both within and external to the organization, economic factors around supply or revenue, changes in the business model or even in technology. In that blog I used this as a way of illustrating entropy but Robert is actually looking at ways of applying measures to these vectors in order to be able to establish their actual force (and direction) and therefore their impact on change. Turning an apparently random factor into something knowable reduces the level of entropy and makes us more confident about taking decisions early – and therefore in turn reduces the entropy at a later stage.

One more example: Ruth Malan and Dana Bredemeyer produced a paper last year in which they examined the idea that organizations can make the most use of the creativity of their personnel by replacing the traditional hierarchical and compartmentalized structures with what they called a fractal approach. The idea is that patterns of strategy creation are reflected in all parts of an organization, thus making strategy integral to an organization rather than merely dictated from “above”. It has the added benefit of making the overall complexity more manageable. Architects belong in each fractal both as creators and interpreters of strategy. I can’t possibly do this long paper justice here but I wanted to mention an additional thought I had. What can also help architects is to look for these fractals even in formally hierarchical organizations. There’s a great chance that they really exist and are just waiting for someone to pay them attention.

Having achieved focus on a manageable area and gathered as much meaningful data as possible, we can then apply some basic (but often forgotten or ignored) design principles. Think of separation of concerns, low coupling, high cohesion. All that starts by focusing on the core purpose of the element(s) of the architecture we’ve zoomed in on. And folks, the good news is that this will all have to wait for another occasion.

The very last thing I want to say is something I tend to hammer on about. You have to take some risks. No creative, successful organization does not take risks. You need a degree of confidence about the level and potential impact of the risk but at the end of the day you’ll have to make a decision anyway. Even if you believe that everything is potentially knowable, you know that we often don’t have the information available to achieve that. So you take a gamble on something that seems to deliver value and where the risk is at worst manageable. And by doing that you reduce the total entropy in the system and make taking other decisions easier.

Stuart Boardman is a Senior Business Consultant with KPN where he co-leads the Enterprise Architecture practice as well as the Cloud Computing solutions group. He is co-lead of The Open Group Cloud Computing Work Group’s Security for the Cloud and SOA project and a founding member of both The Open Group Cloud Computing Work Group and The Open Group SOA Work Group. Stuart is the author of publications by the Information Security Platform (PvIB) in The Netherlands and of his previous employer, CGI. He is a frequent speaker at conferences on the topics of Cloud, SOA, and Identity. 

1 Comment

Filed under Business Architecture, Cloud/SOA, Enterprise Architecture

Enterprise Architecture and Emergence of Social Media

By Raghuraman Krishnamurthy, Cognizant Technology Solutions

If your enterprise is predominantly a consumer goods enterprise, you would have noticed tectonic shifts in the marketing focus. Traditionally, the goods and services were promoted through the enterprise websites and advertisements; however today the added focus is on having a vibrant social media presence. Success stories of Intuit and McDonald add credence to this trend. Stories like how customer complaints that are tweeted gain immediate attention abound in the world of consumer goods. Digital media has enabled conversations and enterprises are eager at the possibility of hearing directly from the customers. The new mantras are: more listening than talking, formation of communities, word of mouth as the ultimate marketing vehicle, active monitoring of social media, identification of key advocates, etc. Internally, within enterprises, Yammer is a very popular tool for tweeting. That information systems that acquired distinct organizational flavor are now making ground for customer/human flavor is no more a fiction.

This trend of social media brings in challenges and opportunities to EA. EA aims to holistically understand business; recent attempts on extended enterprises tended to predominantly focus on “firms part of the value chain” of enterprise. Social media is a new plane of reality where customers influence the enterprise success in the marketplace. The notion of extended enterprises now need to embrace social presence. Any EA effort that does not take cognizance of emerging forces will invite greater risk in building overall understanding of enterprise and its operating environment.  Earlier CRM efforts were focused on understanding individual customers; the need of the today is to understand the communities.

Like how The Open Group suggested changes to TOGAF to accommodate SOA, we need to work on integrating social media. Some suggested approaches for EA are:

Business Architecture:

  • Focus on forming & cultivating community, nurturing and ensuring vibrancy
  • Promote word of mouth and induce consumers to share experiences
  • Listen to social media

Information Architecture:

  • Integrate information from social media to internal systems
  • Develop analytical capabilities towards measuring effective presence in the social world

Opportunities & Solutions:

  • Build vs Buy – subscription models to get feeds

How are you addressing the social media channel in your enterprise? Would love to hear your experiences.

Raghuraman Krishnamurthy works as a Principal Architect at Cognizant Technology Solutions and is based in India. He can be reached at Raghuraman.krishnamurthy2@cognizant.com.

1 Comment

Filed under Business Architecture, Enterprise Architecture

The Open Group and SABSA Institute Publish TOGAF® Integration Whitepaper

By Jim Hietala, Vice President, Security, The Open Group

2011 confirmed what many in the Enterprise Architecture industry have feared – data breaches are on the rise. It’s not just the number and cost of data breaches, but the sheer volume of information that cyber criminals are able to get their hands on. Today’s organizations cannot risk being vulnerable.

To help address this issue, The Open Group Security and Architecture Forums, and the SABSA® Institute, developers of the SABSA® security and risk management framework, joined forces to explore how security methodologies and risk management approaches can be an integrated with enterprise-level architectures for better protection and flexibility.

If you are an enterprise architect with responsibility for ensuring architectures are secure or a security professional tasked with developing secure architectures you’ll be interested in the work the Architecture Forum and SABSA® have done over the last 15 months, culminating in a whitepaper released today that provides a valuable contribution to the security and enterprise architecture communities.

 A Project Designed to Protect

All too often vulnerabilities can occur due to lack of alignment across organizations, with security and IT experts failing to consider the entire infrastructure together rather than different parts separately.

The impetus for this project came from large enterprises and consulting organizations that frequently saw TOGAF® being used as a tool for developing enterprise architecture, and SABSA® as a tool for creating security architectures. Practitioners of either TOGAF® or SABSA® asked for guidance on how best to align these frameworks in practical usage, and on how to re-use artifacts from each.

This quote from the whitepaper sums up the rationale for the effort best:

 “For too long, information security has been considered a separate discipline, isolated from the enterprise architecture. This Whitepaper documents an approach to enhance the TOGAF® enterprise architecture methodology with the SABSA® security architecture approach and thus create one holistic architecture methodology.”

The vision for the project has been to support enterprise architects who need to take operational risk management into account, by providing guidance describing how TOGAF® and SABSA® can be combined such that the SABSA® business risk and opportunity-driven security architecture approach can be seamlessly integrated into the TOGAF® business strategy-driven approach to develop a richer, more complete enterprise architecture.

There are two important focal points for this effort, first to provide a practical approach for seamlessly integrating SABSA® security requirements and services in common TOGAF®-based architecture engagements – instead of treating security as a separate entity within the architecture.

The second focal point is to illustrate how the requirements management processes in TOGAF® can be fulfilled in their widest generic sense (i.e., not only with regard to security architecture) by application of the SABSA® concept of Business Attribute Profiling to the entire ADM process.

Download a free copy of the TOGAF® and SABSA® whitepaper here.

If you are interested in exploring TOGAF® 9, online access to the framework is available here.

Information on SABSA® may be obtained here.

A large number of individuals participated in the development of this valuable resource. Thank you to all project team members who made this effort a reality, including from the SABSA® Institute, the Open Group Architecture Forum, and the Open Group Security Forum!

3 Comments

Filed under Enterprise Architecture, Security Architecture, TOGAF®