Getting value from compliance

January 28, 2009

Value from compliance at first appears to be an oxymoron.  To a large extent, there is a sound basis for this view.  After all, delivering compliant technology is non-trivial.  There is the need for documentation, stringent processes, and audits to ensure compliance to these established processes.  These all add up resulting in 20-40% of the overall costs. 

Unfortunately, there are no short-cuts.  Toolsets, templates and reuse help reduce the overhead burden, but the cost and schedule impact of compliance is felt.  Small to Mid-Sized Businesses (SMBs) feel this pinch even more due to lack of established governance practices.  In some cases, SMBs may actually forgo compliance entailing significant risks or give lip-service to compliance.  These strategies seldom work.  A better approach is to accept compliance (like taxes) as a given and get the most out of these expenditures.  Adopting these practices and customizing them to match the specific organizations technology environment will significantly  reduce risk and improve quality.   An example of getting more out of compliance investments is developing process and project metrics.  These metrics provide a sound base for planning future IT investments.

Even if an organization adopts compliant practices,  older systems may not be compliant.  One solution is to train the maintenance team in reverse engineering the system to document the core business rules and risks.  This will help develop designs that mitigate the risks and construct validation protocols to verify proper functionality of the system.  Reverse engineering is a sound technique to help improve product quality.  With the maintenance requirements fluctuating, it also helps optimal use of IT resources.


Guidelines for Implementing IT Governance for SMBs

January 23, 2009

The quality of information and its related systems revolves around the use of technology.  It is an integral part of the SMB’s business and is fundamental to support, sustain and grow the business.  The process of governing Information Technology (IT) in Small to Mid-Sized Business (SMBs) has a significant impact on the ultimate value that can be derived from technology.   The challenge is to deliver high quality which requires sound processes without sacrificing nimbleness and flexibility. 

 The scope of IT governance includes all technology components (IT infrastructure, telecommunications, software applications) and resources (IT personnel, user-IT  teams) necessary to effectively develop and manage technology initiatives and resources.  The principal objective of the governance process is to enable the SMB to achieve its business objectives.

 Six principles should shape the governance process:

  • facilitate the alignment of information technology with the business,
  • deliver value to the business units,
  • manage risks effectively,
  • develop a governance process that is flexible and can be easily updated to meet emerging business needs,
  • implement integrated governance that involves the orchestration of policies (including delineation of roles, responsibilities, and authorities), processes, and tools for successfully meeting SMB’s requirements, and,
  • create governance structure, controls and transparency at a level that appropriately fits the personality and readiness without injecting onerous processes that can stifle productivity.

IT governance includes IT policies that establish the rules and guidelines formulated and adopted by the SMB to manage IT demand and resources.  These policies are implemented by a set of operating procedures which express the IT policies in action in day-to-day operations.  These procedures are also termed as Standard Operating Procedures (SOPs).  These SOPs are supplemented by Standards which specify the technical specifications for implementing the SOPs.

IT governance must cover User/Support Management, IT Infrastructure Management, IT Applications Management, IT Audits and IT Procurement.  Measuring the effectiveness of IT governance is very subjective.  IT Steering Committees and Governance Teams usually help ensure that the governance process is effective and meet the SMB’s needs.

SaaS and C.K. Prahalad

January 12, 2009

C.K. Prahalad articulated N=1 and R=G strategy. CK, as he is known, is a great thinker, strategist and evangelist for technology that drives value.  R=G is intuitive, resources (R) are global (G) and hence SaaS vendors seek resourcing globally to build SaaS technologies.  Evidence of R=G is clear.  Outsourcing is the norm with most Fortune 1000 firms.  If you take the IT perspective, even Small to Mid-Sized Businesses (SMBs) are gaining momentum by taking advantage of IT project outsourcing to emerging markets. 

N=1 is more intriguing. It implies that each instance is customized to each and every individual user. This requires more thought. One of the larger SaaS installations  ( achieves N=1 is achieved by a product rich with user-customization capabilities.  USourceIT built Assess OnDemand and Source OnDemand platforms with exactly N=1 in mind using on-site resources to identify the customer requirements and an off-shore team to develop and maintain the applications, and a Remote Infrastructure Management (RIM) team to maintain the delivery platforms based in  the U.S.  Both the applications team and the RIM team were based in India.   

Outsourcing SaaS development actually makes sense.  The primary reason is that SaaS installations require constant improvements to ensure that customers can adapt the use of the SaaS product to changing business conditions.  This requires on-going infrastructure upgrades, application upgrades, data migration, performance testing and regression tests.  These can be extremely expensive.  By carefully developing an on-site/off-shore blended resource model, SaaS product vendors can reap huge savings, while continuously improving the product to the end-users.  Savings of 40-60% are not uncommon.

The Value of Credentialing

January 10, 2009

Organizations intending to source out a project or a task need to understand the value of credentialing a service provider.  Credentialing is analogous to background and reference check, but goes a bit further than just fact-checking.  Credentialing, in fact, serves as an instrument to use to screen and identify the right service provider for the project.  Small to Mid-Sized Businesses (SMBs) seeking to outsource an IT project rarely follow the process used by Tier-1 players.  Tier-1 players either have a preferred list of vendors or use sourcing consultants to identify the best fit service provider.  While this process usually adds value, it is expensive and time-consuming.  SMBs rarely have the luxury of either time or the money to spend in searching the right service provider.  Fortunately, a new breed of outsource consultants are emerging.  These consultants have built a pre-screened network of service providers.  Most of these networks are informal and lack the rigor of Tier-1 outsource consultants.

A hybrid model is to use the principles of credentialing.  Credentialing helps reduce the risk in sourcing out IT projects.  Credentialing a IT service provider involves verifying the IT infrastructure, project governance and corporate governance.  While Tier-1 players have usually a sound IT infrastructure and a certified IT project governance that is standards based, it cannot be taken as a give for smaller service providers.  The paradox is that it is these smaller niche service providers who are best suited to meet SMB’s IT outsourcing needs. 

Formally credentaling these niche service providers facilitates rapid selection and contracting.  Formal credentialing involves a site visit, validating the IT infrastructure with reference to standards such as ITIL (IT Infrastructure Library), interviews with project managers to understand the project governance, and interviews executives to gain a perspective on corporate governance.  These interviews are backed by a structured audit process that gathers data to help score these objective criteria.  For example, the ratio of project managers to employees coupled with adherence to well-documented processes gives an indication of the commitment to project governance.  While tools that implement these metrics are useful,  the qualitative opinion of the auditor is equally important.  This implies the need for knowledgeable auditors who have experience and training in doing the audits. Vendor assessment tools help speed up the process and reduce the cost. 

A good rule of thumb is to spend less than 3% of the project costs for selecting the right service provider.  The value of credentialing far outweigh these costs.    SMBs can also take advantage of vendors who offer pre-credentialed service provider networks at no cost.    They usually collect a fee from the service providers.

The Satyam Tragedy

January 8, 2009

Many of us who run clean IT businesses are no doubt reeling from the Enron-type disaster created by the fourth largest IT firm in India.  It is ironic that the name of this firm is Satyam. It is equally hard to imagine that only one individual is responsible for this mighty collapse. Raju has been brave to shield them, but it is certain that others, perhaps, even a few well placed politicians are involved. What we need is a systemic change in governance, but that is a distant dream in a society bereft with corruption.

Small to Mid-Sized businesses  who were contemplating outsourcing a function or a project, or even those seeking resource augmentation, will rightfully ask searching questions before selecting the vendor.  Credentialing is an approach that will alleviate this risk.  Simply selecting a vendor based on price will not work.  Proper credentialing verifies the IT infrastructure, staff capabilities, relevant experience, customer references, financial strength, and of course the underlying corporate governance.  Not that credentialing guarantees success – success is only achieved with diligence, technical superiority and excellence in project management.  However, credentialing is a necessary first step to eliminate companies that have gaps in Governance.