Business Process Improvement
17 Sep 2013. Posted by Tony Law in Impact of IT, IT is business, ITasITis, Managing IT, Technorati, Uncategorized.
Working for GlaxoSmithKline IT, after the 2000 merger, developed my familiarity with business process improvement (small letters) and with Six Sigma methods and metrics. I would never call myself an expert. Routine training was to Green Belt level, without taking the qualifying exam, and I don’t have the instincts which make a leading practitioner able to pick the right tools to adopt for any specific need.
But it taught me a lot, which can be applied well beyond IT. First: as a previous CEO used to say, “If you don’t keep score, you’re only practising”. So, to drive and verify an improvement, you need metrics. But pick the right ones, which will show you where you are. Establish your baseline before you start doing anything. Use the metrics to demonstrate the change (you hope!). And when the improved process has reached the status of business-as-usual, you can probably drop the measure. It’s no longer needed.
Second: a saying that was drummed into us. “Don’t tinker!”. Don’t make changes on the basis of “I think …” without the analysis. Don’t over-react to one-off incidents: processes have variability, and some outliers will happen naturally.
And third: develop and demonstrate your own (internal IT) understanding and improvements before you try to work with the rest of the business. IT has, perhaps, a unique overview of what goes on across the company, and is almost always a participant in any business improvement project. So there’s good leverage there: but you have to gain credibility first. It takes a lot to get to the point where, when a business leader asks for an IT development, you can say “Why? What improvement are you driving? Who will own it? How will you measure it?”
Well: tomorrow I’m facilitating a Corporate IT Forum event on Business Process Improvement (BPI). I’m expecting the twin threads of, first, identifying and improving IT’s own processes; and, second, putting that experience and expertise at the service of the business as a whole. Where are the sources of information and analysis?
Gartner have a Leaders Key Initiative on BPI. The overview, as recent as July this year, has a natty graphic showing the BPI practitioner as a juggler (operations, transformation, skills, technology and innovation) under pressure from both business and technology forces. They offer a number of tools for maturity assessment “across IT disciplines” (what about the rest-of-business?); key metrics (that’s IT spending and staffing, not how to measure a process); and best practices across several competencies. It seems, though, towards the end to lapse back into business process management (BPM) not BPI.
There isn’t a lot in the Gartner blogs, but a useful post from Samantha Searle earlier this year challenges us to avoid the word “Process” (unless your business-side colleagues are process engineers or in manufacturing). That kind of gels with the observation that Gartner probably, under the covers, maintain an IT-oriented focus because Process is very present in the key initiative!
Similarly I don’t find a great deal in Forrester specifically around BPI. But there’s a stronger focus on the interplay of IT expertise and whole-business improvement. A recent report, for example, discusses the shift from “a tactical process improvement charter” to a more strategic role across the enterprise. This requires a plan “for optimizing the BPM practice to deliver on new strategic drivers and business objectives”. That sounds more like it.
Interestingly, a search collected a link to Cambridge University which I expected to be to the business school or computer science. But it’s to their internal management services division with a one-page (one-slide, really) graphic and definition of BPI. Take a look. But the Judge Institute of Management Studies does indeed have a Centre for Process Excellence and Innovation, also worth reviewing.
There’s a lot of material you can find by searching. Too much to survey. Assess with care!
• Business Process Improvement Leaders Key Initiative Overview, Gartner, 25 Jul 2013 (search Gartner for ID:G00251230)
• 10 New Year Resolutions for BPM Practitioners #2: Don’t Mention the “P-word …, Samantha Searle, Gartner blogs, 8 Feb 2013
• Optimize Your Business Process Excellence Program To Meet Shifting Priorities, Clay Richardson, Forrester report, 6 Jun 2013
• Business Process Improvement, University of Cambridge, Management and Information Services Division (undated)
• Centre for Process Excellence and Innovation, Judge Institute, University of Cambridge
Links for PCI DSS
8 Nov 2011. Posted by Tony Law in Impact of IT, IT is business, ITasITis, Managing IT, Tech Watch, Technorati.
Tags: PCI DSS
I’m facilitating a workshop next week on PCI DSS and as usual here are some of the links I’ve identified, including some recent enforcement casework.
For the uninitiated: PCI is the Payment Card Industry and DSS is its Data Security Standard. PCI is an international body, and the standards are effectively set by the “acquirers” – that’s PCI-speak for those bodies such as card issuers and banks who “acquire” the transactions and transfer money.
National information security requirements are very much to the fore too. In the UK the Information Commissioner’s Office (ICO) recently took enforcement action against Lush, the cosmetics firm, and their press release uses that case to emphasise that organisations must implement PCI DSS, or some equivalent standard, in order to meet the basic requirements for compliance. This issue was resolved by an undertaking from Lush, but ICO information outlines all the enforcement options and potential penalties.
Compliance with standards doesn’t replace the need to understand potential vulnerabilities, not least when using embedded page elements that can be hijacked!
PCI: Payment Card Industry
PCI DSS: PCI Data Security Standards
CSRF: Cross-Site Request Forgery
IDS: Intrusion Detection System
IPS: Intrusion Prevention System
ISA: Internal Security Assessor
QSA: Qualified Security Assessor
ISO: Independent Sales Organisation (in this context!)
• PCI SSC Data Security Standards Overview, from PCI Security Standards Council
• ICO warns retailers to implement PCI-DSS or face “enforcement action”, Security Vibes, 12 Aug 2011
• Online security must be a priority for retailers, says ICO, ICO Press Release, 9 Aug 2011
• Taking action: data protection and privacy and electronic communications, ICO information (including a list of recent prosecutions)
• PCI DSS: An Acquirers guide for PCI Compliance Best Practices, from the PCI Compliance Guide (an independent PCI source)
• Cross-Site Request Forgery (CSRF), information from the Open Web Application Security Project (OWASP)
Tags: investment, McKinsey, strategy
McKinsey Quarterly poses this question in the latest issue with some case study information. The fundamental issue is an old one: the IT budget being spent on maintenance, with smart investment being what gets squeezed out. But the illustrations suggest ways to move forward. It’s not the old “Align IT with the business” mantra, which still starts from the assumption that IT somehow is outside and separate from “the business” and that the disconnect is IT’s problem.
This article admittedly starts by profiling a dysfunctional CIO who doesn’t understand the issue. But it looks at the issue from the whole business perspective – that is, the CEO’s. It shows how investment can be viewed, even when it’s core infrastructure that’s at issue; it talks about benchmarking capabilities against non-competitive industries, not just competitors; and highlights some of the perceived wisdom which can, sometimes, be plain wrong and a distraction from the real challenges.
How strategic is our technology agenda? McKinsey Quarterly, Oct 2011