Before the U.S. Health Insurance Portability and Accounting Act (HIPAA) was signed into law in 1996, Capital District Physicians' Health Plan (CDPHP) was determined to be fully compliant even before the mandatory deadline. Much of the compliance burden fell to Kevin Colwell, a change-management specialist at the Albany, N.Y., health insurer.

Colwell soon found that HIPAA's stringent rules surrounding patient information complicated simple actions that had always seemed straightforward. For example, when computer users call the help desk, it seems obvious that their phone numbers must be captured for call-back purposes. But HIPAA restricts access to such numbers, as well as how the information is subsequently safeguarded.

The plot thickens when you consider that CDPHP's 750 employees are also clients of the insurer. So, when the computer users buzzed the help desk, how was the company to know whether they were calling as employees or as customers? Factor in remote workers and physicians (who might also be customers themselves), and the regulatory situation gets more complex. "We needed to protect all this communication," Colwell says. "But we also need to communicate."

Global Trend

The challenges faced by CDPHP are familiar to businesses everywhere and multiplied many times over by the latest regulations. All over the world, regulatory agencies are tightening business rules with new regulations. As a result, global enterprises now must comply with everything from regional laws that have an enormous impact (such as California's Senate Bill 1386, which compels organizations doing business in that state to contact anybody whose personal information may have been compromised -- one university recently notified 380,000 people in its database) to the growing likelihood of class-action lawsuits in Far East countries that have never before allowed such actions.

The details of the regulations vary, but what they all have in common is scrutiny over corporate governance, with an eye toward protecting consumers and investors. Thus, enterprises must track and save digital information more closely than ever before. This establishes compliance as both an IT and a business issue. And addressed properly, strategies for compliance help IT mature and move toward best practices that are good for both IT and business. Leading enterprises are responding with systems and governance processes that ensure quick response to any new rule, whether it originates in Sacramento or Singapore.

The increased government and regulatory oversight of corporate activity is a new cost of doing business, and it can be a high one at that. When you examine that expense, look at a sampling of the regulations facing business today and explore the components common to many of those regulations, the need to form a proactive compliance strategy then takes on new urgency. To meet these objectives, there are changes enterprises can make to their governance processes and technology systems to not only respond rapidly when new regulations arise, but also achieve competitive advantage and IT efficiencies while doing so.

The Cost of Compliance

To this point, regulatory compliance has been an expensive task -- but that's partly due to the newness of the concept (where information is concerned, that is). Businesses tackling HIPAA or UK Data Protection Act 1998 deadlines have generally done so by throwing together all-hands-on-deck teams, pulling key IT and business staffers away from their daily jobs, and thus leaving vital gaps elsewhere. In general, enterprises are at the steep portion of the compliance learning curve.

This underscores the need to devise a comprehensive, repeatable compliance-management process. Few companies can afford to scramble a team of specialists each time a new regulation looms. It makes sense to instead create a proactive policy that can be adjusted for the specifics of any regulation.

How much money will a proactive approach save in the long run? It's difficult to pin down, but the costs of Section 404 of the Sarbanes- Oxley Act serve as an example. Section 404 is the mandate that U.S. public companies' annual reports include a statement of management's responsibility to establish and maintain adequate internal controls, assess financial reporting, and disclose any material weaknesses in the company's internal-controls structure.

In a survey of 321 U.S. public companies, industry group Financial Executives International found that for businesses whose revenue tops $5 billion, the average cost of Section 404 compliance will be $4.6 million, which includes 35,000 hours of internal manpower; $1.3 million for consulting and software; and $1.5 million in new audit fees.

Another survey, conducted by the Business Roundtable, polled 150 CEOs at large U.S. companies. Half said their compliance costs would range from $1 million to $5 million; some estimates topped $10 million.

Where Sarbanes-Oxley is concerned, "Governance and compliance are no different than most other business issues," said Brian Wood, a Gartner analyst, at the Gartner Symposium/ITxpo 2004. "A compliance architecture doesn't necessarily require new software investments and does not need to be implemented across the enterprise in a single step. Most organizations will find that they already have many of the software tools they need." The research firm says the same is true of Basel II and other regulations.

Gartner analysts offered other reassuring words at this event, pointing out that any enterprise that has in place items including solid security and business continuity planning and a document management system possesses the foundations for a compliance architecture.

By establishing such an architecture, enterprises will reduce the cost of regulatory compliance because it "eliminates requirements to hire external auditors or consultants every time a new law appears," says Gartner's Rich Mogull.

John Hagerty, a compliance expert at Boston-based AMR Research, agrees. "If you address each new regulation in isolation, you'll overpay," Hagerty says. In February, he authored a report, "Planning for a Sustainable Active Compliance Architecture," that called regulatory compliance "a strategic objective, not just a collection of tactical projects."

Common Threads

"All legal, regulatory and industry-driven directives are vast in scope and effect," writes AMR's Hagerty. "Nonetheless, many share business requirements, allowing for a common approach and management." He adds that "virtually all compliance mandates are driven from rules, policy, and procedure." Common requirements include the following:

These common threads add up to a compelling argument for methodologies that  tie technology resources to business priorities.

Taking the Lead

Today, where regulations are concerned, it's vital to become proactive. With the right processes and tools in place, an enterprise can react quickly whenever and wherever a new set of rules springs up. In and of itself, this approach can provide competitive advantage, because you can focus on business while your competitor is still scrambling to comply with the latest regulations. Moreover, monitoring information for regulatory purposes also improves a company's knowledge about its customers, trading partners and competitive environment.

AIIM International (the Association for Information and Image Management), a leading computer industry group, has recently published a book on regulatory compliance that attempts to lay out a step-by-step program for businesses. Information Nation: Seven Keys to Information Management Compliance, by  Randolph Kahn and Barclay Blair (March 2004), details the following critical  compliance factors:

John Mancini, president of AIIM, says, "We represent enterprises all over the world. As we discuss today's regulatory environment with them, we urge them to not just think of compliance as a thing they have to do in response to new laws; if you think in those terms, you're too late. You're just knee-jerking."

Rather, Mancini says, businesses must think in broad-based terms. "Government regulations, legal requirements, process management, business requirements -- this is all part of the big picture, and it's all about treating information with the same demanding tolerances you treat anything else in your organization."

Wide World of Regulations

Some of the New Laws Facing Global Businesses

Increased regulation surrounding business data is sweeping the globe, even in nations previously regarded as laissez-faire. Here's a rundown of just some of today's international regulatory efforts.

IAS/IFRS. All European Union-listed companies must prepare consolidated accounts in accordance with International Financial Reporting Standards (IFRS) or International Accounting Standards (IAS) beginning with their first reporting period after Jan. 1, 2005. The sweeping package of regulations will affect about 7,000 European enterprises more or less simultaneously, so there's already a shortage of expertise. The goal is a standardized corporate financial statement that can be readily understood by potential investors anywhere in Europe.

BASEL II. Due to be in place by 2006, Basel II (formally known as the New Basel Capital Accord) is an international set of regulations being spearheaded by the Bank for International Settlements. Central banks and regulatory authorities in the United States, Japan, Germany and other countries are also major players. In a nutshell, Basel II is intended to paint a more accurate picture of financial institutions' risk management.

DATA PROTECTION ACT 1998. Though this UK law took effect in 2000, its ramifications are only now becoming clear to global businesses. The act established rules for processing UK citizens' personal data. It also tightly controls the transfer of UK employee, customer and subscriber data to U.S. companies.

LAUNCH OF SINGAPORE'S ACRA. This is not a regulation per se, but rather a new regulatory agency -- the Accounting and Corporate Regulatory Authority -- in Singapore, which has a history of being extremely business-friendly. "ACRA will combine the function of monitoring and ensuring that companies comply with the prescribed accounting standards," said Lim Hng Kiang, Singapore's second minister for finance, at the May announcement of ACRA's formation. Singapore, along with other Asian nations, is tightening accounting and data-gathering rules in response to reduced investor confidence.

How can a company capture attention in this, the age of the distracted customer? What happened to knowledge management? What's next for ERP? Thomas Davenport shares his insights.

Tom Davenport has been around the IT block. One of the pioneers of process reengineering, he has been instrumental in the development of our understanding of how businesses use information to compete. A seminal thinker in the field of knowledge management as well, he has recently focused on the critical field of attention-management. His latest book is The Attention  Economy: Understanding the New Currency of Business.

EL: One of the things you say in your book, The Attention  Economy, is that, "understanding and managing attention is now the single most important determinant of business success." What is the attention economy and what are its implications for companies and then individuals?

TD:The attention economy overall is an economy in which there's way too much information and knowledge floating around for the brain cells that humans have available. So it becomes an economy where attention is really scarce and hence really valuable. And getting attention for your ideas, your products, and your information is a critical prerequisite for any kind of business success. If people don't know that your products exist and spend any time  cogitating about it, you don't stand a chance. A great example is "The Blair  Witch Project" -- $750,000 making the movie, $30 million marketing it.

At an individual level, you say something about "there can't be too many  initiatives at one time."

I see that as more of an organizational thing, but it certainly impinges on  individuals. And ultimately, any organizational initiative that's successful  comes down to individuals changing their behavior. But if they're not paying any attention to what the initiative is about, its objectives and so on, they're not going to change their behavior. Getting real change to happen in  organizations becomes a matter of individual attention. Every individual has to look at him- or herself as a consumer, and you want to be a very intelligent consumer and consume only information that's going to benefit you, your family and your organization. And you've only got so much to give out, so you've always got to be making this calculation: Is this the best use of my attention right now?

That's why so many employee newsletters fail, because there is so much  useless information.

EL: You note that there are different types of attention and certain  teams are dominated by certain types ...

TD: We identified, based mostly on psychological research, three overall dimensions and six types. There's front-of-mind and back-of-mind -- what you try to do there is push as much as possible to back-of-mind through repetition and practice so you can free up your front-of-mind for other things. That's one of the dimensions with the Attentionscape tool that we've developed. There's front-of-mind versus back-of-mind, voluntary versus captive, attractive versus aversive. What we argue is that you really want to try to maximize all of those six types because you're getting a maximum amount of attention if you're hitting on all of them at the same time.

EL: You also discuss the critical success factors there are for  getting the attention of CEOs. Can you talk about that?

TD: I wouldn't say CEOs -- I'd say executives. We looked at what managers, white-collar workers, and professionals pay attention to. We first asked what sort of media they pay attention to -- it turns out email is the  most attention-getting medium in our research.

Then we asked what attributes of the message would make it most likely to receive a lot of attention. We found out that personalization was the single most important factor. Second was keeping it short and concise. Third was emotion, having either positive or negative emotion being evoked by the message. And the fourth one was making it come from a trustworthy source. The first three are relatively easy to manipulate. I say easy, but it's actually a lot of hard work, because personalization takes a lot more effort than sending out a big group distribution email.

EL: What are the lessons we should learn from the online world? How do you capture and sustain attention online -- or even offline?

TD: Actually, the biggest attention industry, if you look at how much attention goes to it, is television. People watch it for three hours and 26 minutes a day on average in the United States. They're not online quite that much. We had a whole chapter on e-commerce and the Web. But for those industries like television, the movies, publishing and advertising -- out of each industry or sub-industry, we tried to abstract some of the lessons. So for television, it's the power of narrative. They always tell stories, make it easy to get in and get out, have a predictable time schedule, and they don't let technology get in the way.

For movies, we talked about age segmentation and the captive setting. We tried to point out some circumstances where people had taken some of these lessons and moved them across industries. For example, we looked at Gamesville, a Lycos entertainment Web site, and how they start new games at the top of the hour, much like a television schedule.

EL: Let's shift to ERP. In terms of strategic use of ERP, you are the expert. Recently, I've heard from some database gurus that ERP systems are what has really allowed companies to take all their various sources of data and normalize them, allowing for one common method of talking to each other.

TD: I'm pleased that you say that, but the world didn't seem to be that interested in a strategic perspective on ERP, at least at the time. I had hoped that after the Y2K thing, people would go back and say, "Gee I spent all this money and I should optimize it and get a lot of business value." But the fact is that they did not do that. They basically moved from Y2K to e-commerce. And now people are just trying to figure out how to cut costs. I'm glad I did that work on ERP -- I think it's very important. But it (Mission  Critical) certainly wasn't the most popular book I ever wrote.

EL: But you still have to fulfill everything, you still have to do  the back-office stuff -- ERP isn't going away.

TD: Exactly. SAP in its advertising now, they call it, "Solutions for the New New Economy, the one where profitability matters." Certainly, you found some pretty small e-commerce companies were putting in ERP because they knew they had to do fulfillment and be able to promise inventory, and so on. People are still doing it -- Oracle, SAP, and PeopleSoft are doing pretty well as companies. For a while they were doing extremely well. I think there's still a valid question: For any given piece of functionality, do you want to do it in an ERP system, which optimizes the integration of it all, or do you want to do it for the "best of breed" thing, which may optimize specific functions? I think it's certainly still a valid question.

EL: What about taking the data captured in your ERP system and extracting it and turning it into knowledge that can be acted on? Are companies finally getting better at this?

TD: I think they're getting a little bit better as the tools from the ERP vendors get better. But it's still not great. Too many people still only do the transaction side and don't manage the business any differently.

EL: Would you say that the road for ERP in the future is going to be  optimizing B2B buying and really looking at that?

TD: Certainly, that's part of it -- hooking up front-office and back-office stuff so you can do e-commerce and actually fulfill your orders, make your customers happy, and so on.

EL: What about the ASP model, in which everybody hooks into a system that's hosted somewhere else so all your suppliers can be on the same ERP system? Or a marketplace, where everybody is trying to collaborate? How do you manage the challenge of ERP talking to ERP?

TD: There's a huge integration challenge. I think it's fair to say that few companies or industries have solved it yet. What you're getting into is inter-organizational reengineering, and it's very time-consuming and very expensive. And I think that's one reason why a lot of these B2B exchanges, and so on, are going out of business.

They don't have enough capital to afford to do that kind of integration across multiple companies. Frankly, I think there will be a fair number of these consortiums, e-marketplaces and the like, that won't be able to avoid it either. It's already clear that it's taking a great deal longer than anybody thought it would to be able to do transactions without a huge amount of human intervention.

EL: What about companies like enterprise application  integrators?

TD: I think there's an appeal to being able to keep a lot of your existing applications and integrate them through some means other than one big system. It's a complex world, and even if you end up only integrating pieces of the business that you've acquired, there would be a perfectly good role for software like that. I think we'll end up using a lot of that stuff for integrating across companies. You're not going to find very many industries where every company has SAP or Oracle.

EL: Knowledge management turned into business intelligence and then it turned into CRM and then supplier relationship management, some even say competitive intelligence. What's going on in knowledge management these days?

TD: Well, the bloom is off the rose on pure best-practices sharing. But I think there is more energy now than there has been in business intelligence and I think it was a good thing to think about business  intelligence from a knowledge-management standpoint as some companies are  starting to do, because that means that you don't just assume that some  technology does it all. You don't assume that because you have some sort of data mining software, that these great insights are just going to jump out of your data.

The smart companies realize it takes a lot of very bright human beings around in addition to the software, and that's sort of a knowledge-management-oriented insight.

CRM is probably going to focus now more on customer knowledge. For some reason, companies were very slow to put customer knowledge into their knowledge-management initiatives. And what could be more important than that?

EL: I think your book, Process Innovation: Reengineering Work  through Information Technology, is once again required reading . Do you see a second wave of re-engineering, brought on as companies try to transform themselves using Web technologies?

TD: The word re-engineering does seem to be coming back into favor a little bit. We're actually doing some work with high-end knowledge workers and how you make their work more effective. High-level scientists and product developers, software architects, investment bankers, and consultants -- their work has not been touched much by reengineering.

EL: What are you seeing there?

TD: We're looking at many factors. One is technology, which is probably the least exploited thus far. Workplace design is a pretty hot issue, and more people are probably doing things with it than with technology. And then organizational design, probably the single most important factor if what you're interested in are things like innovation and creativity, and so on. We were just out at Ideo, probably the most successful product design firm. They hardly use any interesting technology, their workspaces are kind of fun but not particularly unusual, but they have a  really great culture that emphasizes innovation. And I think that's why they  succeed.

EL: So it's really a people thing; almost how you manage people's  spirits.

TD: Exactly. If you want employees to think creatively and share their  ideas and so on, you have to work on that kind of stuff.

EL: What do you think about what's happening with convergence? What are some of the trends you see developing in that marketplace?

TD: The Internet is still there, and companies are still quite interested in how to take advantage of it more effectively. We're just at the beginning of thinking about how we change our processes and our cultures and our governance structures to do anything differently with it. It takes a huge amount of time. We've had ERP for 20 years, and only a small fraction of companies have started to change the way they manage using the systems. I think that will be true of the Internet.

Right now, we're sort of in a period where there's no really big new ideas, and a lot of managers, employees, and organizations just want to take all the ideas that have come along for the past several years and put them together, integrate them, simplify them, and get some value out of them. They're all looking to extract some value from their existing infrastructures and, at  this moment, cut costs from their existing infrastructures.

EL: What about online communities? It's almost as if an online community does three things: it gets attention, it sustains attention with user participation, and it encourages knowledge sharing of the kind where a novice can learn from an expert. Do you see companies embracing the concept of communities -- internally with their own employees, and externally, with customers, suppliers, and other partners?

TD: I think online communities are great and they have a number of positive attributes. But I think a lot of companies try to do them on the cheap, and they don't really take experts and put them in roles to facilitate communities. It's a huge amount of work to facilitate an online community. Ultimately, within companies, we'll see online communities as kind of another  unit of organizational structure. You'll say, "Well, I'm in the accounting department, but here are the online communities that I'm really active in." And that will give you some sense of a person's view of the organizational structure.

--

Christian Sarkar is Editor-in-Chief of christiansarkar.com. You can  see more of Christian's work at onewwworld.com.

Executive Summary

We are in the midst of a rapid growth of IT management systems  capability, responding to changing business needs. IT management systems are  beginning to address the needs of additional layers of management  accountability.

At the same time, they are expanding the range of functionality offered at  each layer. Harnessing the full potential of these IT management systems  will require significant organizational change.

More fundamentally, the real economic value of these IT management systems  will not be realized until we can more effectively create explicit linkages between the performance of elements of the IT infrastructure and the operational and financial performance of the business.

Rather than full transparency of performance data, we need much more  selective and highly targeted visibility into the performance of our  IT systems, shaped by a deep understanding of the economic leverage  points of our business.

Business needs to force  major architectural shifts

Around the world, competitive pressures are intensifying. The current recessionary environment in key regions of the world certainly doesn't help matters. But this is isn't about recessions. As painful as they may be,  they are only temporary.

Something much more fundamental is going on. Forces that have been at work for decades are reshaping the business landscape. In particular, continued technology innovation and broad-based public policy shifts favoring freer markets are making it easier for companies to challenge each other around the world. The bottom line? A lot more uncertainty, the need for continued cost reduction and the imperative to find new sources of growth to continue to create economic value.

To respond to these needs, senior executives are finding that they must  design and manage very different businesses. They seek much more flexibility within their own operations to cope with uncertainty. They also find that they must increasingly rely on other companies to supplement their own capabilities and add more value to their customers. The scope of coordination no longer stops at the edge of the enterprise. In fact, it often extends through several levels of business partners.

Flexibility and collaboration -- that's challenging enough. Layer on top of that the need for real-time management capabilities. This in part is a requirement for flexibility -- companies need to reduce the lead-time required to respond to unanticipated changes in the environment. But, more fundamentally, it is about reducing cycle times across all operations to deliver  operating savings and greater customer satisfaction.

These needs are forcing a fundamental shift in IT architectures. No sooner have we started to become comfortable with an "n-tier" architecture than we find that a new architecture is emerging to respond to these new business needs. This new architecture -- a distributed service-oriented architecture -- is  only in its earliest stages of development.

Companies are finding that flexibility and efficiency both require that IT resources be made available as services -- accessible anywhere whether these resources are local, in distant reaches of the enterprise, in business partners or located in specialized third party service providers.

We are no longer dealing with IT architectures that are defined by the boundaries of the firm -- to be effective, they need to extend across a broad range of enterprises. This new architecture enables virtualization of resources -- making resources available as needed. In the process, it promotes more efficient utilization of resources since these resources can be allocated dynamically to the areas of highest demand.

IT management systems will need to adapt

This shift in IT architectures poses significant challenges for IT management systems. These management systems will need to evolve rapidly to keep pace with the demands of the new architecture.

Services built upon virtualized and distributed IT resources significantly increase the complexity of problem identification and resolution. At the same time complexity is going up, the time available to address and resolve problems is shrinking. Real-time enterprise operations are highly sensitive to any downtime.

IT management systems will need to adapt to the demands along two very  different vectors:

Expanding management focus

We are all familiar with the paradox: we have too much data to effectively use and, when we need it, the right data rarely seems to be available. One way to resolve this paradox is to focus on understanding the specific needs of various types of decision-makers. Rather than trying to provide overall transparency, a much more effective approach is to provide focused visibility into the data that matters the most at the appropriate time. Of course, focused visibility assumes that one clearly understands the needs of various categories of data users. This will be a central challenge for IT management system providers over the next several years.

NSM platforms: IT management systems have evolved significantly already. Emerging from discrete tools to manage performance of specific elements of the IT infrastructure, these systems now provide integrated views of performance across broad segments of the IT infrastructure. These Network and  Systems Management (NSM) platforms still focus on the performance of individual elements in the IT infrastructure, but help to aggregate the performance view for managers of IT operations. They are very effective in providing quick alerts regarding performance issues and helping managers of specific IT elements to trouble-shoot the problems.

TSM platforms: Technology Service Management (TSM) platforms expand the scope of management focus. Rather than focusing on the performance of individual elements of the IT infrastructure, these TSM platforms provide  views of performance of specific IT services from an end-user  perspective.

Take the example of an "available to promise" service provided to the sales force. Many companies run into two issues as the focus shifts to service-level performance. First, what is the expected level of performance for specific  services? Service-level agreements (SLAs) help to make these end-user expectations explicit and provide benchmarks against which to measure performance. Second, this service might cross multiple networks, draw on several databases, rely upon many servers, and invoke more than one application along the way. If the service does not offer performance consistent with SLAs, few companies today have the capability to tie the service to all the elements of the IT infrastructure involved in delivering the service. The result is long delays in diagnosing the problem, much less making the service functional again.

The primary user of these platforms is the service "owner" in the IT  group who is accountable for delivering performance as specified by an SLA. Many IT management system providers are seeking to address this need today. Two of the most significant opportunities here are IT service view tools and SLA compliance tools. IT service view tools help IT managers to automate the process of identifying the various elements in the IT infrastructure that support delivery of a specific IT service. SLA compliance tools help to automatically monitor SLA-defined performance metrics and send alerts when performance begins to vary outside the prescribed range.

BPPM platforms: But the scope of management focus needs to expand even  further. Companies need Business Process Performance Management (BPPM) platforms.These are not platforms to manage the business process itself -- there's a host of Business Process Management platforms available to do that.

Instead, these BPPM platforms are designed to rapidly identify performance issues among the various IT services coming together to support specific business processes.

The "available to promise" service is only one of many services that support a Lead to Order business process. As indicated earlier, real-time enterprise performance demands faster problem diagnosis and resolution -- operational cycle times are compressed, information access demands rise, and operations need to respond more quickly to unanticipated changes. If any of the technology services supporting a business process go down, the economic impact on the business is far greater than in the past.

The user of these platforms would be the operations managers "owning" key business processes and accountable for their smooth functioning. Unlike the two lower layers of management platforms, non-IT managers will use this management platform, and it must be designed to address their needs.

BOPM platforms. There's even a broader scope of management focus.  Business Operations Performance Management (BOPM) platforms provide an integrated view of all the resources required to support the operations of a business. Once again, these platforms are not designed to manage the operations -- they provide the capability to monitor financial and  operational key performance indicators of the business.

For example, they might help senior management to determine that a growing turnover rate in certain customer segments is due to manufacturing production slippages in specific assembly plants and that these are, in turn, due to the introduction of a new product that has not been appropriately calibrated in the automated assembly equipment. The platform would provide a rapid assessment of the financial impact of these operating issues and help to troubleshoot the source of the problem.

We are no longer talking about narrowly defined IT management systems -- these BOPM platforms would cover a much broader scope than simply the IT services required to run the business. These BOPM platforms will draw heavily upon the functionality offered by business intelligence systems, but they will provide additional value by tying key operating and financial performance indicators to underlying IT services and other operating resources.

This will help the users of these BOPM platforms to not only identify performance issues, but to pinpoint the actions required to address these performance issues. The users of this platform will be chief operating officers and chief financial officers seeking to spot broad performance issues that cut across the core processes of the business.

These layers of IT management systems act like geological sediments, with the lower layers supporting the upper layers. For example, as Technology Service Management platforms emerge, they will not replace NSM platforms. Instead, they will provide an additional layer of management that actively draws upon the resources and information of the NSM platforms. In fact, the upper layers of IT management systems could not operate without the lower layers already in place. Put another way, these are nested platforms that build upon the resources and capabilities of the lower layers.

Expanding  functionality in each layer

We have just discussed IT management systems in terms of the need to provide a steadily expanding scope of management focus addressing the needs of more senior executives within the company. At the same time, each layer of IT management systems will need to steadily expand the range of functionality offered to help identify and address performance problems.

Automating problem resolution: Today, NSM platforms provide a robust set of tools to identify performance issues among individual elements of the IT infrastructure and to discover the root causes of the performance issues. These systems are much more limited in terms of their capability to either offer transitional workarounds or to fix the problems causing the performance issues. Often, these steps require expensive and time-consuming manual labor. While we will never take human intervention completely out of the equation, there are significant opportunities to automate the problem-resolution phase. At the first level, NSM platforms can provide enhanced tools to recommend specific problem-resolution actions based on problem-resolution histories and knowledge bases. Automating the resolution itself will likely take longer, especially in cases when additional elements of IT infrastructure need to be provisioned and configured. By automating this phase, however, NSM platforms could substantially reduce the cost of problem resolution and to shorten the time necessary to restore performance to acceptable levels.

Moving from reactive to proactive problem identification: NSM platforms were largely designed to help IT managers address problems as they surfaced. As these systems accumulate more performance histories of elements in the IT infrastructure in specific kinds of operating environments, management platforms can offer more proactive approaches to problem identification. By providing appropriate analytical tools, these performance histories can be assessed to identify conditions that are likely to create certain kinds of performance issues. Management can then take the appropriate steps to either modify the conditions or to adapt the IT infrastructure to the conditions so that performance issues can be averted.

Expanding beyond enterprise boundaries: NSM platforms do a great job of monitoring performance of IT elements within the enterprise. As business processes extend across enterprises, managers have a growing need to assess performance of IT elements in infrastructures of other enterprises. Currently, NSM platforms have a difficult time providing this level of visibility.

Prioritizing problem resolution: We all have scarce resources, especially these days. One of the key business challenges in this environment is to prioritize our efforts so that we maximize financial impact given the resources available. This is certainly true in the domain of IT system and service management. But, there is a problem. How do we know which are the most critical elements in the IT infrastructure to focus on when multiple elements malfunction at the same time? IT managers may have a rough intuitive sense of priority in more static IT architectures, but what tools do they have to prioritize in more dynamic architectures? Today, this server may be used to support a mission-critical, supply-chain operation, while tomorrow the same server may be deployed to support an employee survey regarding cafeteria offerings.

In many respects, this functionality is the most challenging to provide. Here is where the two dimensions of functionality improvement for IT management systems come together. The NSM layer of management systems cannot provide robust prioritization tools until the other layers in the management systems stack have been deployed. To prioritize problem resolution at the level of individual elements of the IT infrastructure, managers must first understand how the various elements knit together to support specific IT services; they must then understand the role that these services play in supporting specific business processes, and, finally, they must understand the impact of these business processes on the financial performance of the corporation.

To deliver this prioritization capability, IT management systems will need to simultaneously pursue a bottom-up, and top-down management approach. The top-down approach is essential to define the broad business context and performance impact of IT systems. The bottom-up approach is necessary to provide the granularity required at the level of individual IT elements to address and resolve performance issues. Neither approach in isolation can deliver the functionality required by management. This is especially true as IT architectures become much more dynamic and the relationships across elements change rapidly to deliver specific IT services.

Most of the preceding discussion focused on the expansion of functionality at the NSM layer of IT management systems. Of course, this same expansion of functionality will be required at each additional layer of IT management systems.

New organizational  approaches will be required to facilitate enhanced IT management

The expanded functionality of IT management systems discussed above will not  deliver real business impact unless it is accompanied by significant  organizational change. New management roles, governance structures, and skills will be required to harness the economic value offered by these more robust management systems.

Management roles: Most IT organizations today focus on defining clear management accountability for individual elements of the IT infrastructure. Far fewer organizations have systematically assigned management accountability for IT services defined from an end-user perspective -- for example, the "available to promise" IT service mentioned earlier. These IT service managers would have responsibility for negotiating SLAs with appropriate business users of IT services and then managing the performance of the IT services to ensure they remain within the prescribed ranges.

Increasingly, these IT service managers will need to be adept at negotiating SLAs, not only within their enterprise, but also with managers in other enterprises. Users in business partners will often access IT services offered by a company. For example, the "available to promise" service discussed earlier might be used not only by the sales force within the enterprise, but also by sales people within various third party distribution channels. Many of the elements required to deliver the IT service may be outsourced to third parties so the IT service manager will also need to negotiate SLAs with these service providers as well.

At an even higher level, organizations will need to assign explicit IT  management accountability and business management accountability for core operating processes within the business. The IT manager and the business manager of a core operating process like customer relationship management need to work closely together to ensure that business performance objectives are met. As these core processes span a growing number of business partners, these core process managers will also need to become adept at coordinating activities and IT services in a much more loosely coupled manner.

Without these management roles firmly in place, it will be hard to find the right decision-makers for each of the layers of IT management systems described earlier. Without the right decision-makers operating the platforms, the data provided will not result in the management actions required to deliver maximum business impact.

Governance structures: Centralized, top-down management structures have prevailed within IT organizations. Effective use of the enhanced functionality of IT management systems will require a very different governance structure that builds much more on federation principles. In any federation, decision-making authority is lodged in the lowest layers possible. Clear distinctions are made between what is local and what must be escalated to higher levels for resolution. Adhering to the principle of the least escalation possible, appropriate escalation and conflict resolution procedures are explicitly defined in advance.

Centralized, top-down IT management systems will find it impossible to cope with the growing complexity as IT architectures become more distributed and dynamic. Single, centralized correlation engines cannot perform all the analytics required. Even if this were technically possible, this single centralized correlation function would not be feasible in distributed IT architectures spanning multiple enterprises.

Federation arrangements -- both in the IT management systems and in the broader organization -- are the only way to accommodate the reality of multiple decision-making nodes. The distinct layers of IT management systems accountability outlined earlier can help to support a federated management model, provided that these layers are designed so that decision-making and action are kept as decentralized as possible. The role of the upper layers of IT management systems is to provide guidance regarding prioritization and insight regarding interdependencies. It is not primarily to perform problem identification and problem resolution.

Federated IT management systems will, of course, have a hard time functioning if they are inserted into highly centralized organizations. Organizations will need to define and implement corresponding federation arrangements, both within individual companies and across companies that are becoming more linked in terms of IT infrastructure.

Skill building: Harnessing the economic value of these new IT management system capabilities will require new organizational skills as well. As new layers of IT management systems accountability are defined, it will be harder and harder to draw the line between IT management skills and business management skills. Even at the layer of technical services management, the ability to define services and SLAs in end-user terms will require both deep IT skills and a deep understanding of the business context.

IT skills will also need to evolve. The ability to map elements of the IT infrastructure to specific services is difficult enough in a static, n-tier IT architecture. It becomes far more challenging in a dynamic, service-oriented architecture when the various elements required to support a service may change with each instance of service delivery.

Web services technology will play a significant role in accelerating the move to a dynamic, service-oriented architecture. This same technology can help to define standardized interfaces between applications and IT management systems, and thereby simplify the task of connecting into various elements of the IT infrastructure. Unfortunately, few organizations today have deep Web services technology skills. Even fewer have deep service-oriented-architecture skills. Both of these skill sets will need to be developed to realize the potential of new IT management system capabilities.

Need to move in rapid incremental  stages

Few organizations today have the systems or capabilities outlined above. There is, in fact, a significant gap between the systems in place now and the capabilities and potential that will be achieved in the years ahead. To effectively exploit this potential, companies need to have a clear vision of the systems and capabilities required. Very few companies today even have an explicit vision of the potential, so this is a necessary ingredient of any program to develop these capabilities.

But vision alone is useless -- in fact, it can become a distraction and excuse for lack of action. Many IT managers fall victim to the "architecture trap": they insist that, if detailed architectural blueprints are not fully defined, then any near-term initiatives should be put on hold until this is done. They also begin to believe that the entire architecture must be in place before any business value can be delivered. If they're not careful, these architectural initiatives can morph into ten-year mega-projects that rarely deliver the expected returns. What companies need is a broad architectural vision regarding IT management systems capability that can help to focus their near-term initiatives. If the blueprints get too detailed, they run the risk of becoming obsolete before they are complete.

Real impact is achieved when a high-level architectural vision regarding IT management systems capability is coupled with a strategy of rapid incrementalism. This approach focuses on defining short-term initiatives (at most, with a six- to twelve-month horizon) with clear business impact that can accelerate movement towards the longer-term architectural vision. These short-term initiatives speed up learning and, in turn, help to refine the longer-term architectural vision based on the new learning. The key is to stage the architectural migration in a way that delivers tangible business value at each step. This helps to build conviction and support for later stage initiatives. In an ideal world, the architectural migration becomes self-funding, although in practice this is difficult to achieve fully.

Of course, doing this effectively requires a deep understanding of the business context and the various ways in which IT systems management capability can deliver tangible business value. For example, as companies move to develop more technical service management capability, the real challenge is to understand which services have the most significant impact on the operational and financial performance of the firm.

Don't try to move to technical service management across the board -- start narrowly with a core business process and figure out where technical services become key leverage points in the performance of the process.

At the early stages, it may even be necessary to use back of the envelope calculations since detailed operational and financial data may not be available in a form that is helpful. Remember the old Pareto rule? Find the 20% of the services that deliver the 80% of the economic value to the process. At this point, figure out which of these 20% of the services are easiest to manage -- both in terms of the ability to map to the underlying elements of the IT infrastructure and the ability to affect SLA performance through enhanced problem identification and resolution tools. Start here. Depending on how evolved the IT management capabilities are today, it may even be necessary to define appropriate SLAs as a first step.

The key is to figure out what can be realistically done in a six to twelve  month time frame and what specific business benefits can be delivered at the end of this period. In this economic environment, the more the business benefits can be framed in terms of operating savings -- operating cost reduction or operating asset savings -- the more likely the short-term initiatives will be funded. Quantify the business benefits and then measure them. If these benefits materialized, document it and publicize it. Build support for the next wave of initiatives. If these benefits did not materialize, then figure out why not and incorporate this learning into the next wave of initiatives. Be clear about what has been learned and why the next wave of initiatives is more likely to produce the expected results.

The high level architectural vision will be very helpful in focusing the near-term efforts so that they produce both near-term business benefits and accelerate the movement towards a much more powerful IT systems management architecture. It helps to prevent scatter-shot initiatives, none of which receive sufficient resources or attention to have real impact. On the other hand, the discipline of seeking six to twelve month tangible business benefits helps to reduce the risk of feature creep or mega-project black holes. The key is to get started, but to have some idea of where you are headed.

IT management  performance diagnostic

Action Plan

First month

Assemble a team focused on upgrading your company's IT management system  capabilities

Conduct a diagnostic of current IT management system capabilities, focusing  on

Develop a high level IT management system architectural vision along the two dimensions outlined above -- layers of management accountability and categories of functionality available at each layer

Second month

Meet with senior IT and business management to build alignment around the high level IT management system architectural vision -- refine the architectural vision as required

Identify a series of initiatives designed to accelerate movement toward this architectural vision while at the same time delivering tangible business benefits within a six to twelve month time frame -- be sure to include organizational initiatives designed to address major capability gaps.

Third month

Create a portfolio of near-term initiatives prioritized based on magnitude of business impact and amount of effort and resources required to support the initiatives

Develop a business case for each of the near-term initiatives, quantifying  anticipated business impact

Define business impact milestones for each of the near-term initiatives and quantify the base line performance for later measurement of impact

Launch first wave of initiatives

More information is available at www.johnhagel.com; contact John Hagel at john@johnhagel.com.

Part  1  |  Part 2

III. Thou shalt build and cultivate relationships inside and outside the  enterprise.

Good relationships are critical for good partnerships. Relationships need to be continually nurtured, and to become institutionalized. Relationships need to grow, beyond individual relationships, to departmental relationships, and it must be viewed as value-added. Within the relationship, each partner's perspective and needs must be anticipated; a good partner answers a question before it is asked.

Relationships, while strongly encouraged on an individual level, need to be understood on a group level. For example, if a particularly difficult partner has been unable to form a relationship with technology staff, the technology department must recognize this and take steps to forge the right relationships. Senior technology managers may have to identify the sources of the relationship problem and proactively correct them. This may involve issues of competence, mutual respect, credibility, business knowledge and perspective, or communications, and so on. Relationships are not built overnight, and require patience and consistency.

IV. Thou shalt design the appropriate infrastructure.

IT will need to design a methodology similar to the time-tested SDLC methodology, which focuses primarily on software development activities. However, this new methodology focuses on addressing infrastructure-related issues. I refer to it as Infrastructure Development Life Cycle (IDLC^TM). The phases are similar to SDLC, but its focus is on the  infrastructure:

• Planning
• Analysis
• Design
• Construction (Test & QA)
• Deployment
• Ongoing operations

But there's more; IDLC^TM resolves the lack of effective communication practices between Applications Development and Operations. It integrates both groups to meet a common objective for every mission-critical application. Before IT can be a viable business partner, there must be alignment within IT first via the IDLC^TM.

Focus on mission critical

Structuring the infrastructure organization is to focus on mission-critical systems, not the technology. The first step is to define the scope of production. Split your infrastructure support organization into two parts: mission critical and non-mission critical. It's up to you and your customers to determine what's mission critical and what's not. How much revenue will be lost if that system is down for N number of minutes? But don't proclaim everything as mission critical; be frugal. If you try to take on the world, you will surely fail.

So many companies structure their organization to support a particular technology. Whether you run your business on NT, UNIX, or other, never structure to focus on a particular technology. This is one of the most common mistakes in IT. IT should always structure to support RAS (Reliable, Available, Serviceable) while focusing on customer service. RAS was, and still should be, synonymous with mission critical. With RAS and customer service as the focus of your organization, the entire computing environment will flourish.

V. Thou shalt honor time-tested disciplines (standards, processes).

Whether your company has a mainframe environment or not, it is crucial to understand the importance of mainframe disciplines, processes, procedures, standards, and guidelines. In the age of network computing, disciplines are more important than ever. But you cannot simply impose mainframe disciplines on network computing technology. You need to:

• Customize and streamline these disciplines
• Implement the minimum, yet sufficient, set of disciplines
• Maintain centralized control of enterprise-wide system management processes  (disciplines)

By necessity, the mainframe environment was large, complex, and enjoyed the luxury of timely planning. Today's computing environments need the same type of structure and discipline, with more streamlining.

There are many system management processes to implement, but please don't attempt to take on all of them unless you have an unlimited resource pool. Implement the handful that is most critical to your environment. From the companies I've assessed, very few have the most critical set of processes, and if they do, they're not very effective. Three of the most critical set of processes in my opinion are:

• Release Management
• Change Management
• Problem Management

Develop minimum, yet sufficient, enterprise-wide standards, architectures, documentation, and so on, for each area of IT (e.g., the network, data center, desktops, development tools, nomadic computers, servers). You need standards for today, and clear statements of direction for your standards, environments, platforms, paradigms, or architectures (you pick the buzzword) for the future.

Centralized control means controlling costs by developing architectures, and deploying standards from a central location; for example:

• Global Standard Network
• Global Standard Desktop Hardware
• Global Standard Desktop Operating System
• Global Standard Desktop Application Suite
• Global Standard Virus Scanning
• Global Standard Server Hardware
• Global Standard Server Operating System
• Global Standard Data Backup
• Global Standard Messaging and Collaboration Platform
• Global Standard Monitoring
• Global Standard Remote Access
• Global Standard Development Database
• Global Standard Application Distribution Platform
• Global Standard Development Methods and Tools

Without standards and centralized control of key enterprise-wide processes, it will be futile to attempt to build a cost-effective world-class organization.

VI. Thou shalt identify, measure, and benchmark your services  portfolio.

The first step is the easiest: Identify your services. To market those services and demonstrate the value of IT to the enterprise will be more challenging. And the key success factor is measurement; IT performance needs to be measured, so there is a benchmark to improve against. Metrics by themselves provide little value -- it's how the metrics are implemented, reported, and acted on that differentiates successful measurement programs from failures. In the latter case, measures are used that imply value, whether that value is expressed in reducing the cost of doing business or in new revenue streams that are the direct result of an investment in information technology. All services should be measurable and have a positive impact on revenues, customer satisfaction, productivity, and so on. Services should also be responsive, available, relevant, and closely aligned with business outcomes.

VII. Thou shalt demonstrate and convey the value of IT throughout the  enterprise.

Today, IT professionals need to walk with the great unwashed and communicate with customers. We need to schmooze, sell, and otherwise promote its services. IT organizations need to sell to their business colleagues the fact that IT can, and should, be leveraged for business value and growth. True commitment requires educated understanding, and it is the job of the CIO to demonstrate the relationship between the understanding of strategic technology initiatives and the long-term success of the firm. If executive management fails to see the value of their involvement, it is the CIO's role to change that perception or to think about his next career move.

Value should be quantifiable and measurable. It is best to communicate value  in its simplest recognizable form. For example:

Value is best communicated to the enterprise by IT's business partners. The right relationship and recognition of value leads to the ideal situation of business partners becoming evangelists. At a fundamental level, IT needs to be understood (without having to say so) that underpinning the entire process of value creation is the partnering relationship. All members of IT need to be educated to recognize their business contributions. All need to understand their business partner's concerns and address them both formally and informally.

VIII. Thou shalt establish and uphold a common set of shared values.

Values are guiding principles, basic beliefs that are the fundamental assumptions upon which all subsequent actions are based. Quality of life leads to success. As a whole, values define the personality and character of an individual or a group. Values are the essence of an individual or group and provide guidelines by which to make consistent decisions. In reality, values are ideals that are indicative of one's vision of how the world should work. These values form a contract between the individuals and the group.

• If all staff members are making decisions based upon the same values, it is more likely that delegation of responsibility and authority will function effectively.
• If all staff members are making decisions based upon the same values, it is more likely that thousands of individual decisions will converge in a consistent strategy.
• If all staff members are making decisions based upon the same values, it is  more likely that synergies will be realized.
• If all staff members are making decisions based upon the same values, it is  more likely that partnerships will prosper.
• If all staff members are making decisions based upon the same values, it is  more likely that productivity will accelerate.
• If all staff members are making decisions based upon the same values, it is  more likely that retention will never be a problem.
• If all staff members are making decisions based upon the same values, it is  more likely that the firm will reap large profits.

Appropriate values inexorably lead to principled actions and a high quality of life. Such values guide hiring decisions, establish a common culture, foster strategic decision-making (even short-term tactical decisions made by guiding principles are strategic), and they lay the groundwork for internal consistency.

IX. Thou shalt know and manage your vendors.

Vendors should be aligned with your services, processes, assets, and staff. Many IT organizations that have to deal with numerous assets and dozens, if not hundreds, of vendors are establishing a Vendor Management Office (VMO). The VMO has better control of your technology buying process, seeks higher levels of services, and achieves cost savings. The VMO assists executives in making educated decisions about which vendor can offer the best service at the lowest cost for any given project. The VMO also helps executives manage relationships with various vendors, track metrics and performance on these vendors, and negotiate the appropriate discounts for projects, products, and services.

X. Thou shalt continuously gauge effectiveness of the organization.

As stated throughout this article, IT is a different beast. IT executives need to be proactive and gauge the temperature of the total environment, not just the technology aspect. I recommend that IT hold quarterly organization checkups, or what I formally refer to as an organization planning and development workshop, to address the evolving and growing list of issues.

The workshop should not be one of those typical offsite management-planning sessions. This program should be designed to bring key contributors, both technical and management, from all areas of the organization,  into one room to brainstorm the issues, prioritize the issues, and develop a  playbook to resolve the issues. This is an action plan with associated milestones; responsibilities clearly noted with due dates that everyone, including the CIO, has bought into -- one plan that the entire  organization has bought into! And when I say buy-in, I mean  commitment to execute on the plan on behalf of the entire organization. One-hundred-percent support and approval must come from the CIO to the technical staff if massive improvements are to take place. The primary objectives of the workshop are to:

• Highlight, categorize, and prioritize the top three to five IT-related  issues.
• Develop an action plan to address the top issues.
• Get buy-in and commitment from all IT (staff, management,  executive management).
• Improve communication between the groups (team  building).

This ensures that IT focuses with the same intensity on people, the organization structure, and process components as they do on technology and development!

--

Harris Kern is a renowned American author, publisher, lecturer, and IT consultant, who focuses his considerable talents on simplifying IT -- and making it work. Through the Harris Kern Enterprise Computing Institute (www.harriskern.com), he has developed a powerful resource for building competitive IT organizations. Under the umbrella of the Institute, IT professionals from many of the world's leading companies come together to take advantage of leading edge disciplines and strategies for improving the IT industry.