No Overall Control – a Future State of ICT

With all the continual talk about how ICT connects more with the Business and how the Business needs to understand ICT more, I have started to think about where all of this will inevitably lead us, plus you hear people say “if we could only solve this problem we would start to get more from our investments in IT”

I’ve had some great conversations with my colleague Martin Howitt about this topic and i want to share some of our thinking here.

Lets start with some of the key drivers impacting and changing Corporate ICT in organisations and in particular the Public Sector:

  • The increasing pressure on budgets and the predicted heavy cost savings and budget reductions
  • The growing influence of knowledge workers and generation XY, the increasing influence of consumerisation, social media and web 2.0 tools
  • The impact of the Cloud and the “stuff” as a service approach
  • Higher levels of IT competence and awareness of technology in general
  • Lower barriers to development tools, eg WordPress, Yahoo Pipes, Drupal, Joomla etc
  • Mobile devices and smartphones have increased information and data exchange and is driving location based, real time requirements for knowledge.

From an organisational perspective however the above creates new risks to be managed and mitigated, new security approaches that meet security standards and frameworks that enable lower cost delivery and information assurance.

This however does not reflect the current state of most corporate ICT functions across the public sector – understandably so – there are huge pressures to simply maintain services and “keep the lights on” around ICT costs.

But this just continues and encourages the separation of skills, so that ICT manages and decides ICT investment and the Business states the requirements and writes the strategies to provide direction.

To really address the gap between people in ICT and people who work in the Business (people outside of ICT) you actually need to start moving the competencies that IT Professionals have into the Business. There has already been a lot of work on mapping and identifying skills and competencies in this area. SFIA (Skills for the Information Age) on its website states:

The Skills Framework for the Information Age (SFIA) provides a common reference model for the identification of the skills needed to develop effective Information Systems (IS) making use of Information Communications Technologies (ICT). It is a simple and logical two-dimensional framework consisting of areas of work on one axis and levels of responsibility on the other.

Via Skills for the Information Age SFIA

The SFIA framework defines 7 levels of skills: follow, assist, apply, enable, ensure/advise, initiate/influence, set strategy/inspire.

So if a whole load of ICT competencies actually sit outside the ICT department, what effect does that have on both the external departments and the internal ICT department?

The aim is to enable better exploitation of the technology now available to us in order to cut the costs of doing business, do business better, and all that good stuff.

The new Business User

  • understands their business (as now)
  • understands the IT they are currently using
  • is on the lookout for better ways of working
  • understands the value of what they are doing
  • understands how ICT helps increase that value

In terms of the SFIA framework this means skills up to and including level 3 (or maybe 4) of the SFIA framework with large elements of infrastructure and delivery either provided by business users themselves, outsourced to the cloud or provided by an in-house delivery section (this is what the old IT department looks like).

JP Rangaswami has posted on the Facebookisation of the Enterprise which sets out the core functions that a ICT Department would need to provide  an element of management /governance around.

  • Simple self-service signup – Access
  • Set of directories, and ways of adding to them, searching them, extracting from them.
  • Tools to classify the elements of the directory.
  • Communications tools.
  • Tools for scheduling events.
  • Provide a News Feed. And ways of managing the firehose
  • A developer platform with the appropriate controls and service wrap around it.
  • Via Confused of Calcutta – 3 Posts on Facebookisation of the Enterprise

So the new Business User needs a re-factored IT department to allow the business to generate value from this core solutions architecture. This Department:

  • Researches new trends and provides analysis of strengths, weaknesess, opportunities and threats to the whole business including IT
  • Provides analysis of performance across the business and where ICT Investments add value and deliver business outcomes
  • Provides consultancy ensuring that the exploitation of IT Investments are realised across the whole business
  • provides Portfolio Management of IT and all internal investments
  • Models the organisation – Ensuring the architecture of the enterprise is fit for purpose – Business Architecture, Information Architecture, Technology Architecture, Security Architecture, Solutions Architecture etc
  • Ensures standards for procurement and support – e.g security architecture for / cost benefit analysis
  • Provides or signposts relevant resources for learning and development around new technologies and solutions
  • Provides assurance that projects meet and contribute to corporate strategy and business plans

In local government, this can be a tall order. To some extent we rely on external bodies (such as SOCITM) to provide a level of analysis to underpin the work and we have to re-use existing models like the ESD toolkit to aid in the modelling. We get some security standards from bodies like CESG (via brokers such as Government Connect) but there is no overarching CIO body for local government in the same way that, for example, John Suffolk acts for central government departments. The Government ICT strategy should, in our view, be setting all this out to enable adoption of new cost-saving delivery models like the G-cloud – which should in term be providing the sort of infrastructure that forms our common solutions architecture.

However without any real central leadership for local government, we will only ever approach this challenge in isolation and miss the opportunity for fundamental and radical cost savings.


Emergent Governance and Enterprise “Business” Architecture

As an Enterprise Architect, you would think that the current financial situation would probably provide the most appropriate climate for Enterprise Architecture – and you would be right. However in the current UK Public Sector context we need to ensure even more than ever that we can consistently demonstrate not just to our managers, but our managers, managers, that we are offering and delivering value across the whole Organisation and across the Enterprise (in local government terms this can include our partners).

The challenge that we face is two fold:

1) Our constant communication and stakeholder engagement challenge – we have plans to communicate and methods for engagement, but we also need to build trust around our deliverables and that is not always in our control, as we don’t provide project/programme management. We do however provide assurance, but we are still developing this alongside the wider governance framework.  It is also not always that easy to simply say that just because we want to encourage and develop re-usable IT components and provide a more agile IT infrastructure and development model that business stakeholders will see you delivering value. These aspects take time and require an Enterprise Architecture programme to be delivered from start to finish. It doesn’t happen overnight, well not in the Public Sector. What the business generally wants is results and not just results but results NOW. They often see more value in project management, although some still think that is a luxury within projects.

The following is an extract from Rik Laurens from CapGemini who outlines this in a much better way that i do.

Projects are managed by projects managers. And good project managers do what they are paid for: reach a predefined target, within time and within budget. It’s good that we have them. And they should stay. But today we are not only interested in a bunch of stove-piped project deliverables anymore. We want re-use of IT assets across projects and we are more than ever interested in project deliverables that are interoperable across the enterprise and beyond and play a role in a broader context. Yes, we still love our project managers that focus on a particular scope and protect that particular scope. But in this era of cloud computing, interoperability, re-use and agility we also need a strong, corporate body that safeguards that the projects are not only doing what is good for the projects themselves but also (or more importantly) do what is good for the enterprise as a whole.

via nterprise Architecture: The Only Way Forward | Capping IT Off | Capgemini

2) We are not always seen as “Enterprise” Architects, mostly we are seen as IT Architects of one kind or the other (we are based within Corporate IT) and that is a boundary that most of the organisation is comfortable with.  This is a big challenge as my role within the team along with a colleague is to develop for the first time an “Enterprise Business Architecture” (EBA).

The EBA challenge is in my opinion a similar one but one which in order to build trust and build some momentum requires a different approach. It is important to acknowledge that we have an agreed Enterprise Architecture programme and have Governance around this but it needs developing and adapting to ensure that it meets the needs of the other architectural effort we are doing. (Information, Technology, Solutions and Business) This is where i believe to help gain some traction and some buy in around “IT people” getting involved in Business issues, we need to find a back door in.

I have thought about this for some time and i’m not sure whether or not it is the right thing to do, but i guess the right thing can only be measured by the type of organisation you work within.

I believe that Governance is the key to unlocking the potential of Enterprise Business Architecture in my organisation and that if we as a team can define, model and deliver a framework of governance that actually supports the over programme. It is worth noting that our Enterprise Architecture team is only 2 years old, so i consider all of what we have done a remarkable success all things considered, but we always want to do more.

The key to governance in my opinion is ensuring that we understand what form of governance we wish to support alongside the type of participation model the culture currently allows. I have posted my thoughts on a Governance Ladder on my personal blog. However in this context we need to ensure that our governance framework is Agile and allows for “Emergent Governance”:

The notion of  emergence, where intelligence is manifested from a collection of minds, is a core concept in chaos theory and the underlying principle in James Surowiecki’s  The Wisdom of Crowds. Scientists have long noted that, on average, the assessments of a crowd are more likely to be correct than the proclamations of an individual expert. From Elisabeth Noelle Neuman’s work on predicting election outcomes ( The Spiral of Silence), to the  central limit theorem that underlies statistical sampling methodology, the emergence of intelligence from large groups has been well established.

The exciting opportunities for governance presented by social networking and collaboration technologies are palpable. The election of a president who understands this potential portents a new golden age for democracy. Perhaps

via Emergent Governance: Who Needs Bees When the Grassroots Swarm the White House

The interesting aspect and similarity i see here is that we have recently undergone some dramatic changes at the top of the organisation. A new Political Administration and a number of our Corporate Management Board retired, this presents opportunities that must be explored and pursued. So with the challenge set out, we now embark on the journey.

Doing the right thing – Todd Biske» IT Needs To Be More Advisory

An excellent blog post by Todd Biske.

IT needs to change its fundamental thinking from provider to advisor or be at risk of becoming irrelevant.

via Todd Biske: Outside the Box » Blog Archive » IT Needs To Be More Advisory.

What i find interesting about this post is that it supports what we are trying to do here in Devon with our Enterprise Architecture Team.

The key point about moving from provider to advisor is as Todd says “stating the obvious” but it clearly does require a fundamental shift in thinking not just within ICT departments but within the wider business as well.

Todd writes:

To illustrate this, take an example from the world of financial services. A broker may simply be someone you call up and say, “Buy 100 shares of APPL at no more than $200.” They are a provider of stock transaction services. A financial advisor on the other hand, should be asking about what your needs are, and matching those against the various financial offerings they have at their disposal. If they don’t understand client needs or if they don’t understand the financial offerings, you’re at risk of getting something sub-optimal.

This is correct, however in a work context, someone has to know that they want an advisor and not a broker, so part of the challenge is shifting the perception of the entire ICT function in the organisation from “provider” to “advisor”. This requires educating and working with your internal customers and delivering value in an advisory role. We believe that our Enterprise Architecture function is part of this transformation here in Devon.

Time will tell but it is reassuring to hear people such as Todd state the obvious and support your efforts.

Are you risk averse?

Back in the mists of time when I started working in local government, I was assured by experienced staff members that the council was a very risk-averse organisation that wouldn’t take kindly to any fancy new ideas.

Well, I’ve come to realise that nothing could be further from the truth: local government takes enormous risks all the time – they just don’t see them as risks.

So what do we mean by risk? In information security it’s often expressed numerically:

Risk = impact x likelihood

This simple equation tries to capture the essence of the risk decision: if a system has a vulnerability then it may or may not be easy to exploit. If it’s easy to exploit then the “likelihood” number goes up. If the consequences of that are major, the “impact” number goes up. Even if you use a totally arbitrary way to determine these numbers, you still end up with what you want: a prioritised list of risks so you know which ones are the most serious so you can tackle them.

Great. So why do I have a bee in my bonnett about it?

It’s just that we choose to ignore some risks and blow others out of proportion. Software vulnerabilities are well-understood and get a high profile – I’m not complaining about that – but risks in other areas, like the software portfolio or HR policies, are not. So what are these risks?

In the software portfolio, a number of things could happen: the supplier of the software may go out of business, hike licensing or support costs, lose a key member of staff, or decide to retire the software you are using. In HR any new policy carries the risk that a key member of staff might get the hump and leave. There is demographic risk that younger people won’t want to work for you leaving you with a skills shortage in key areas: the economy might take a nosedive (the very thought!) leaving you with drastically reduced budgets.

The possible sources of risk are actually as infinite as the universe. In many organisations it is the IT department that deals with IT-related risks, but what if a reduction in the risk in some IT area (for example a tightening up of policy on, say, removable media) leads to an increase in the risk carried by another area (as workers decide to use Google Wave or a social media platform to share documents instead)? This is known as risk asymettry.

There’s also the risk of doing nothing. Sometimes this is greater than the risk in doing something, even something radical, but our brains are programmed to favour stuff that is familiar so we mentally downgrade the risk of doing nothing: this can lead to some pretty nasty situations. I’ve seen projects and applications carry on many years beyond the point at which they were starting to cause instablity in other parts of organisations, simply because the risk of carrying on as before hadn’t been properly calculated and compared with the risks involved with change.

These issues can only be sensibly resolved if the risks are owned in the right place and practical frameworks are adopted to ensure that as many risks as possible are factored into decision-making. This might sound like a lot of red tape, the nanny state, health and safety gone mad etc etc but actually it’s just common sense. If you put your hand in the fire, it will get burned. If you don’t take it out again, it’ll get burned some more. Oh and by the way, we don’t solve the problem by putting the fire out: you must take your blinking hand out!

Risk-based decision-making doesn’t have to be always favouring the conservative approach. It can liberate you as well by enabling you to take decisions you wouldn’t otherwise have taken because you were afraid of the unknown risk. We recently had a supplier down to talk to us about moving to an open-source model for our software: at first sight this is a major change and fraught with danger and difficulty. But if we understood the risks we were currently running with proprietary software properly, then maybe it would look less risky by comparison (please note: I’m not saying this will happen, it’s just an example).

Thankfully my organisation is moving towards a much more comprehensive view in many of these areas as we implement ISO27000. But many organisations are still stuck in an emotional mindset: you only have to look at the banking system to see what happens when all risks aren’t factored in to decision-making!

I feel that risk is a very powerful concept when it comes to aligning IT decisions with the business because it shares a common language and a common goal. IT must realise the risks that it loads onto the rest of the business by making changes (sometimes very minor ones) – but the business must also step up and own all the risks (including the IT ones) in their respective service areas. This forces realistic IT decisions to be made as it becomes clear that risk cannot be outsourced, and procurement, training and whole lifecycle costs naturally get a higher profile in decision-making than before.

Lost In Translation – The trouble with Business/IT Alignment

One of the biggest challenges with business transformation and technology enabled change, is the ability of both people in the business and in IT to sit down and have a conversation with each other and for that conversation to be fully understood by all concerned. Ok, there are many other challenges such as benefits realisation, programme management, culture change, but aren’t they all people based and therefore conversation based?

Now i am simplifying this somewhat but it is a challenge that people in IT and that includes me now (my previous role of corporate web manager was based within corporate communications)

To give an indication as to the issue i thought i’d use a video from you tube. It is 40 seconds long and is about the German Coastguard.

What i find interesting about this video is that for me it kind of sums up the challenge faced by IT. In the video the guy has all the technology he needs in front of him to do his job and support a wider network of other professionals, who all have the same goal (save people). However with all that technology what lets the person down is the ability to understand the “customer”.

The ability to have “conversations” is becoming the new skill that people require in order to support change. Now i also want to make the point that people in the Business also need to learn how to have better and more productive conversations with people in IT.

Now having worked in the Business for some time, i can already hear people saying “Why should i learn how to interact with IT?” Well the answer is simple, as the pressure of budget reductions increases, technology will become even more critical for progressive business transformation across organisations. It is therefore a priority for Business people to get a real understanding of the applications that support their business and the opportunities they present. If Business people can’t do that then we end up losing the opportunities as they get “lost in translation” between IT people (who don’t understand business) and Business people (who don’t understand IT).

This is however a journey we all have to make together, as a partnership, a fellowship, a collaborative effort, whatever the terminology we decide to choose. Like most journey’s the value is not the destination but what you learn along the way.

Culture Clash

What wins: the unstoppable force, or the immovable object?

Recently we’ve been engaged in a process, like many local authorities, of connecting ourselves up to the Government Secure extranet. In order to do this (and access a range of applications hosted by central government and other agencies) then public sector bodies have to clear a number of hurdles in the form of the Code of Connection (CoCo) – a list of security standards that we have to meet in order to provide assurance that the sensitive data that will be carried will be secure.

So far, so sensible. But there’s a problem: the rules (devised by the Government’s security wing, CESG) state that a local authority must own the equipment that is being used to access the service. That is the immovable object in the opening statement of this posting. So what is the unstoppable force?

The consumerisation of ICT has been on our minds for a long time, and even more so with the advent of cheap (or free) cloud computing services like Google Apps. If the ICT department can’t come up with solutions that satisfy the requirements of ease, speed and convenience demanded by today’s digital natives, they will simply move their data somewhere that does. To this end IT strategy has largely been about providing fast access on any device, from any location, to data.

So we have a problem: how can we enable these consumer devices to access our data whilst protecting the security of our connection to the rest of government?

Possible answers include segmenting our network to provide services to unmanaged devices on one side and fully managed services (including public sector network) on the other. But this is expensive. Alternatively, some argue that a bootable device (like the BeCrypt trusted Client) could be used to provide a trusted platform on any machine to access secure GC services. We don’t yet know if these solutions pass muster with CESG though: so stay tuned.

We’re really interested to know if other local authorities have dealt with this problem and if so, how they’ve gone about mitigating the downsides.

ERP and EA

Some councils have chosen to implement ERP systems such as SAP or Oracle e-Business suite to consolidate a number of their core systems.  It is argued that, by installing a “vanilla” out of the box ERP system and by forcing changes to business processes to align with the ERP system, big savings can be made in the business processes themselves as they become more streamlined: and that consolidating systems such as finance, HR, payroll, procurement, project management, CRM and supply chain management can yield efficiencies through more integrated working and improve management information.

As an EA, however, I think I have to look at this the other way around: assuming the business wants process standardisation, better integration, and better management information, what’s the architecture that will deliver that?

I don’t know for sure, but wouldn’t integration be better delivered by an SOA implementation? Shouldn’t we implement BPM to improve and standardise our processes? Don’t we want data warehousing and BI tools to give management information?

And culturally, if we are going to implement an IT system to force through structural and process changes that we want to see, isn’t that the kind of thinking that got us into a mess in the first place?

I don’t know for sure and it is almost certain that the best practices inherent in some out of the box ERP systems will improve and streamline operations and save money. But when a business makes an investment decision on an ERP type of scale, what’s the opportunity cost?

Interested to know what others think about this, especially those working in a council that has implemented such a system.

Find the IT Innovator Within – HBR

This is a excellent post and describes in my opinion the very reason why Enterprise Architecture is essentially increasing across organisations.

To enable the business to make more decisions and to take the control away from IT themselves to enable a more responsive and flexible IT organisation.

I really like the concept of the “IT Gate” programme. I can see real value in that within a local government situation.

companies need to charter an IT “gifted-and-talented” program (“Gate”) that gives lead users special IT privileges — the best tools, equipment, education, and support — as long as they agree to “first do no harm,” clean up their own messes, and support the less-talented around them.

via Find the IT Innovator Within – Susan Cramm – Harvard Business Review.

Why I love my job

Some of my friends (and even family, bless them) are quite sniffy about Local Government at times. There seems to be a perception that we’re not in the same league as the private sector or even central government departments when it comes to EA or ICT in general.

DCC’s annual budget is in the region of £800M, with another £300-odd Million going to District Councils. Although this is not large by the standards of FTSE-listed companies (by way of comparison, Admiral Group PLC turned over £473M last year and British Airways turned over £8.7Bn in 2007/8) it is comparable with a moderately large privately owned company.

I’m now going to argue that, pound for pound, DCC is the most interesting place to work as an EA in the entire world. Why? Well, let’s consider a private company turning over £800m a year. How many products or services would it provide? I’d say that such a company would run only a handful of products. Examples:

1) Lurgi, the German engineering company: has 3 environmental process divisions and turned over around £800M

2) Ford retail (the fleet arm of Ford in the UK) turned over £800M – has one product.

One product? We EAs thrive on complexity and quite frankly I wouldn’t get out of bed to architect a company with just one product.

Maybe central government does better. I was at a conference a couple of weeks ago where there was a speaker from HMRC, and apparently they have 90,000 staff. How many services are they providing?

A quick look at their website (and I’d be happy to be corrected on this!) reveals around 50 unique services. Not bad:  but HMRC has an annual budget of around £4Bn (source:wikipedia) so they can afford a reasonably-sized EA team and resources to conduct large-scale enterprise change.

DCC runs 800 services. No contest. And we have no money to invest in big BPM or ERP initiatives that might simplify the job.

Now of course this isn’t a fair comparison. If your company has a single product then the demand on an EA is going to involve a lot more domain architecture co-ordination, whereas with 800 services then you are forced to take a more global view of things and not get involved in the nitty-gritty too much.

Even so, if budget/services = complexity, then local government is the place to be an EA.