Business Process Improvement
17 Sep 2013. Posted by Tony Law in Impact of IT, IT is business, ITasITis, Managing IT, Technorati, Uncategorized.
Working for GlaxoSmithKline IT, after the 2000 merger, developed my familiarity with business process improvement (small letters) and with Six Sigma methods and metrics. I would never call myself an expert. Routine training was to Green Belt level, without taking the qualifying exam, and I don’t have the instincts which make a leading practitioner able to pick the right tools to adopt for any specific need.
But it taught me a lot, which can be applied well beyond IT. First: as a previous CEO used to say, “If you don’t keep score, you’re only practising”. So, to drive and verify an improvement, you need metrics. But pick the right ones, which will show you where you are. Establish your baseline before you start doing anything. Use the metrics to demonstrate the change (you hope!). And when the improved process has reached the status of business-as-usual, you can probably drop the measure. It’s no longer needed.
Second: a saying that was drummed into us. “Don’t tinker!”. Don’t make changes on the basis of “I think …” without the analysis. Don’t over-react to one-off incidents: processes have variability, and some outliers will happen naturally.
And third: develop and demonstrate your own (internal IT) understanding and improvements before you try to work with the rest of the business. IT has, perhaps, a unique overview of what goes on across the company, and is almost always a participant in any business improvement project. So there’s good leverage there: but you have to gain credibility first. It takes a lot to get to the point where, when a business leader asks for an IT development, you can say “Why? What improvement are you driving? Who will own it? How will you measure it?”
Well: tomorrow I’m facilitating a Corporate IT Forum event on Business Process Improvement (BPI). I’m expecting the twin threads of, first, identifying and improving IT’s own processes; and, second, putting that experience and expertise at the service of the business as a whole. Where are the sources of information and analysis?
Gartner have a Leaders Key Initiative on BPI. The overview, as recent as July this year, has a natty graphic showing the BPI practitioner as a juggler (operations, transformation, skills, technology and innovation) under pressure from both business and technology forces. They offer a number of tools for maturity assessment “across IT disciplines” (what about the rest-of-business?); key metrics (that’s IT spending and staffing, not how to measure a process); and best practices across several competencies. It seems, though, towards the end to lapse back into business process management (BPM) not BPI.
There isn’t a lot in the Gartner blogs, but a useful post from Samantha Searle earlier this year challenges us to avoid the word “Process” (unless your business-side colleagues are process engineers or in manufacturing). That kind of gels with the observation that Gartner probably, under the covers, maintain an IT-oriented focus because Process is very present in the key initiative!
Similarly I don’t find a great deal in Forrester specifically around BPI. But there’s a stronger focus on the interplay of IT expertise and whole-business improvement. A recent report, for example, discusses the shift from “a tactical process improvement charter” to a more strategic role across the enterprise. This requires a plan “for optimizing the BPM practice to deliver on new strategic drivers and business objectives”. That sounds more like it.
Interestingly, a search collected a link to Cambridge University which I expected to be to the business school or computer science. But it’s to their internal management services division with a one-page (one-slide, really) graphic and definition of BPI. Take a look. But the Judge Institute of Management Studies does indeed have a Centre for Process Excellence and Innovation, also worth reviewing.
There’s a lot of material you can find by searching. Too much to survey. Assess with care!
• Business Process Improvement Leaders Key Initiative Overview, Gartner, 25 Jul 2013 (search Gartner for ID:G00251230)
• 10 New Year Resolutions for BPM Practitioners #2: Don’t Mention the “P-word …, Samantha Searle, Gartner blogs, 8 Feb 2013
• Optimize Your Business Process Excellence Program To Meet Shifting Priorities, Clay Richardson, Forrester report, 6 Jun 2013
• Business Process Improvement, University of Cambridge, Management and Information Services Division (undated)
• Centre for Process Excellence and Innovation, Judge Institute, University of Cambridge
Links for PCI DSS
8 Nov 2011. Posted by Tony Law in Impact of IT, IT is business, ITasITis, Managing IT, Tech Watch, Technorati.
Tags: PCI DSS
I’m facilitating a workshop next week on PCI DSS and as usual here are some of the links I’ve identified, including some recent enforcement casework.
For the uninitiated: PCI is the Payment Card Industry and DSS is its Data Security Standard. PCI is an international body, and the standards are effectively set by the “acquirers” – that’s PCI-speak for those bodies such as card issuers and banks who “acquire” the transactions and transfer money.
National information security requirements are very much to the fore too. In the UK the Information Commissioner’s Office (ICO) recently took enforcement action against Lush, the cosmetics firm, and their press release uses that case to emphasise that organisations must implement PCI DSS, or some equivalent standard, in order to meet the basic requirements for compliance. This issue was resolved by an undertaking from Lush, but ICO information outlines all the enforcement options and potential penalties.
Compliance to standards doesn’t replace the need to understand potential vulnerabilities, not least when using embedded page elements that can be hijacked!
PCI: Payment Card Industry
PCI DSS: PCI Data Security Standards
CSRF: Cross-Site Request Forgery
IDS: Intrusion Detection System
IPS: Intrusion Prevention System
ISA: Internal Security Assessor
QSA: Qualified Security Assessor
ISO: Independent Sales Organisation (in this context!)
• PCI SSC Data Security Standards Overview, from PCI Security Standards Council
• ICO warns retailers to implement PCI-DSS or face “enforcement action”, Security Vibes, 12 Aug 2011
• Online security must be a priority for retailers, says ICO, ICO Press Release, 9 Aug 2011
• Taking action: data protection and privacy and electronic communications, ICO information (including a list of recent prosecutions)
• PCI DSS: An Acquirers guide for PCI Compliance Best Practices, from the PCI Compliance Guide (an independent PCI source)
• Cross-Site Request Forgery (CSRF), information from the Open Web Application Security Project (OWASP)
Tags: investment, McKinsey, strategy
McKinsey Quarterly poses this question in the latest issue with some case study information. The fundamental issue is an old one: the IT budget being spent on maintenance, with smart investment being what gets squeezed out. But the illustrations suggest ways to move forward. It’s not the old “Align IT with the business” mantra, which still starts from the assumption that IT somehow is outside and separate from “the business” and that the disconnect is IT’s problem.
This article admittedly starts by profiling a dysfunctional CIO who doesn’t understand the issue. But it looks at the issue from the whole business perspective – that is, the CEO’s. It shows how investment can be viewed, even when it’s core infrastructure that’s at issue; it talks about benchmarking capabilities against non-competitive industries, not just competitors; and highlights some of the perceived wisdom which can, sometimes, be plain wrong and a distraction from the real challenges.
How strategic is our technology agenda? McKinsey Quarterly, Oct 2011
Beyond gmail: Google apps event with BCS
11 Oct 2011. Posted by Tony Law in Cloud, Consumerization, IT is business, IT marketplace, ITasITis, Managing IT, Tech Watch, Technorati.
I’m at a BCS North London event at Google’s London office, listening to presenters from the AppsBroker consultancy extend my understanding of how Google Apps work. We’ve passed through the background stuff about using cloud apps in general and now getting to the meat. If you’ve wondered, like me, what Google APIs can really do, then this is an as-it-goes posting; watch the space! Any errors in understanding or interpretation are mine, of course.
How to write a Google-extended app …
1 – Appscript; 2 – Gadget APIs; 3 – Data APIs
Just seeing the down side of everything being online rather than on the device; the demo’s gone down through being unconnected. Notwithstanding that I’m doing this on Google’s guest network, the demo doc is, it appears, “offline”. Embarrassing, even when the demo’s working on a ChromeBook, which admittedly does reboot nice and quickly!
When it’s come back, we get a quick view of the script code inserted into a Spreadsheet to quickly create a form with follow-on technology such as mail-outs based on the respondent’s input, or sending update notifications when an online document is changed.
2: Data APIs, based on REST rather than SOAP (HTML based, IIRC, but can use other languages e.g. Java/script, .NET, …). Can for example use Data APIs to push data into a shared spreadsheet in real time from multiple users/locations/sources, but maintaining one version of truth.
Google App Engine and Cloud Storage will have a >99.9% SLA from November. Cloud SQL (see Google Blog last week) is under beta.
— adding to the interest level, we just had a fire evacuation and a quick tour of Eccleston Square with the fire marshals. Now trickling back – at least, most of us. I think some people have decided to duck out.
In the pipeline: Google Big Query: online dataset analysis – data mining/BI application. And something called the Google Periodic Table (there’s an extra column in the Transition Metal section …) which visualises the family of applications and extensions. Prediction, for example, can look at web traffic and draw interesting conclusions. Lots of searches on “sore throat” might signal the start of a flu epidemic.
Abbreviated in response to the disruption: Dalim, chair of the Branch, talking about governance. What changes with the cloud? Some of the controls e.g. for change management; assurance from third parties, and provider management; identity and access management (do you still have super users?) and monitoring; evolving technology, complexity and challenges. Dalim offers an app assurance checklist [see BCS NLB website in due course].
Q&A … references to Google’s global infrastructure capability; e.g. guaranteeing at least four copies of data on different continents (that is, replication like Lotus Notes used to do). Regarding data protection issues – Google can’t at present commit to (for example) segregating data into the EU though this is being worked on. The offering currently may not be appropriate for heavily regulated in-country enterprises e.g. some areas of government, finance. Google, though, takes the approach that they are not data owners; they are data holders, and would pass access requests to the data owners. And there are data online about which countries request legal discovery, how often, and when. From the security point of view, just a glimpse of the multiple levels of protection applied to data.
Thinking about a portfolio of services: Google Apps will integrate both on-premise (e.g. with AD) and other cloud services (e.g. a strategic partnership with salesforce.com). And there’s a commitment to back data out if a service relationship is terminated. Cloud, to Google, is short term contractable (e.g. 12 month; or as little as 1 month) – no lock-in.
• Google Apps (follow the links)
• Google App Engine, Cloud Storage and Prediction API are open for business, Official Google Blog, 11 Oct 2011
• BCS North London Branch: Past Events 2011 (you may have to scroll for this event; presentations are not yet posted but are expected)
• AppsBroker consultancy