
International lessons in applying continuous improvement

Leah March
Process Improvement Facilitator
University of Sheffield

Lean HE 2018 Conference

I recently returned from the beautiful Tromsø where I attended the Lean HE 2018 Conference, thanks to being one of the very lucky beneficiaries of the UCISA bursary scheme. It was a brilliant week with many informative, interesting and applicable sessions.
The sessions included keynotes from Niklas Modig, researcher, Center for Innovation and Operations Management, Stockholm School of Economics (author of ‘This is Lean’ about ‘How to generate change and engagement’) and Tove Dahl, Professor at UiT the Arctic University of Norway, on courage and the importance of inspiring and rewarding courage throughout change activities. The following sessions covered many topics including: incorporating visual management into everyday working, games to encourage idea generation, using institutional risk to drive change and inspiring Lean at the leadership level and within teams, to list but a few. Mark Boswell from Middlesex University and I will be drawing together a guide over the next couple of weeks with links and descriptions about the key tools shared, useful software used and signposting to details about next year’s conference.
There was lots of learning to take away, particularly the similarities around the current situation/climate/issues many of the delegates’ institutions from across the world were facing. These related to difficulties finding operational staff the time to engage in change activities, uncertainty about what the future might hold in relation to funding, student numbers and student expectations, and the high level of change occurring within their organisations. I found meeting delegates from other institutions and discussing how they are applying continuous improvement and overcoming obstacles in their institution a really valuable part of the conference.
Key learning points from the conference:
  • There is a huge support network within HE, both UK based and across Europe, Australia and the Americas; reaching out to this network can provide you with great insights, reassurance and ideas about how to optimise your work.
  • Senior management support is crucial in driving continuous improvement within organisations and getting buy-in from senior leaders should be a key priority.
  • We need to put customers at the heart of the changes and improvements we drive, on both an institutional and team level.
  • Many organisations are embracing a multi-methodology approach (combining lean, service design, continuous improvement etc.) but all maintain, at their heart, the importance of respect for people.
  • It takes courage to drive and embrace change and this courage needs to be recognised and rewarded.
  • As well as reaching out to colleagues within the sector, we can also learn a lot by adopting open process innovation, looking towards other industries for ideas and best practice.
  • Stories can be used as powerful tools to encourage analytical thinking in a ‘safe’ way.
I would like to say a huge thank you to the Lean HE Europe committee and of course, to the team at The Arctic University of Norway for organising such a brilliant conference. Everyone I spoke to remarked on the wonderful and open atmosphere and interesting and engaging topics.
I would also like to say a huge thank you to the UCISA bursary scheme for enabling me to attend and learn so much and to the UCISA PCMG community for their support and interest.
As next steps, Mark and I will share our summary guide to the conference and key tools shared, and Mark will be blogging about his conference experience and key take-home points.

Interested in applying for a UCISA bursary? Then visit UCISA Bursary Scheme.

PPM and innovation

Hina Taank
Programme and Projects Officer
Brunel University

Gartner Program and Portfolio Summit 2017 – Guest Keynote

Hina Taank was funded to attend this event as a 2017 UCISA bursary winner

This blog post refers to my personal views and the learning that I experienced from attending the Program and Portfolio Summit 2017.

Track: Agile Business Impacts: Emerging Roles, Rules and Risks
PPM Innovation for Product Management by Michelle Duerst, Gartner

I saw Michelle as being very passionate about the help that the Gartner analysts offer. Her talk touched, in depth, on several interesting areas:

  • Product Portfolio Management
  • Project Portfolio Management
  • Digital Product Life-cycle Management.

I have learnt that Product Portfolio Management (PPM) is essential in the manufacturing sector. The PPM indicates where the growth is in the business, which in turn, provides the decision makers with data and information to set the portfolio priorities.  In manufacturing, the organisation has a lot to lose if the product fails, for example, ‘New customer cost’, ‘Consumer trust’, ‘Signed contracts’ and ‘Promotions and recall’.

The Project Portfolio Management is goal/scope and time driven with dedicated resources, the outcome of which supports a service or a product.

Michelle noted that ‘Product PM Builds Upon Project PM Foundation’ [1]. My understanding is that the Project Portfolio Management is the basis of Product Portfolio Management, each with the same goals. Michelle highlighted these goals as: ‘Objective’, ‘Focus’ and ‘Users’ [2].

In my opinion these goals have similar paradigms but hold different context and Michelle explained the differences. The Digital Product life-cycle management incorporates both areas, the Product and Project Portfolio Management and importantly provides the granular reporting and regulatory governance.

I will be blogging on specific Summit sessions such as this one, but information on some of the other keynotes and events can be found here.

References 1 and 2:

Duerst, M, (2017, p.23), Gartner Program and Portfolio Management Summit 2017, Presentation: PPM Innovation for Product Management, Gartner, 12-13 June 2017

Full details on the presentation contents or how to contact the analysts can be obtained from Gartner, Inc directly.

Disclaimer:

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Social engineering and hacking humans

Sebastian Barnes
IT Support Specialist
Leeds Beckett University

Sebastian Barnes was funded to attend this event as a 2017 UCISA bursary winner

SCHOMS Day 3 – IT Security Challenges

The end of SCHOMS 2017 conference was a half day, containing presentations and speeches as well as my favourite presentation of the week from psychologist, Jenny Radcliffe; what a speaker! Jenny delivered a presentation on Social Engineering, telling us about her life experiences in her field of work. It was amazing to listen to and very engaging, which resulted in me making very few notes.

Jenny explained how technology can have amazing security which makes it impossible to hack; however, why hack the technology when you can hack the human? If you know the password, you can bypass! Jenny explained scenarios she has been in where she has had to read body language and pretend to be someone she wasn’t to get the information she wanted. From what I remember, she was able to gain access to an account by just using Facebook; security questions are personal and unique to the person, but most of the time they are listed on Facebook! Mother’s maiden name? Within seconds she was able to find this out using the family feature within Facebook. With this information she was able to reset the password and enter the account.

After watching this presentation, I was seriously considering entering this field of work. That’s how good it was!

A practical approach to risk management – two perspectives

Tim Banks
Faculty IT Manager
University of Leeds

 

This is a write-up of a session I attended on Wednesday at Educause 2015 which was delivered by Bill Arnold, Information Security Analyst at the University of Tampa, and Dr Lawrence Dobranski, ICT Security Access & Compliance, University of Saskatchewan (Canada).

Introduction

The University of Tampa, Florida, is a liberal arts institution and has a student population of around 8,000 students, 65% of whom live on campus. There are 1,200 staff and the annual turnover is c. $235m with an estimated annual economic impact of around $850 million. They formally launched their Information Security Program 3 years ago with the appointment of a Chief Information Security Officer, who reports directly to the President (Vice-Chancellor). Their stated aim is to build a culture of risk management, security awareness and data protection, and as part of this, they have created a cyber-security lab. They achieved ISO/IEC 27001:2013 accreditation in July 2015.

The (often misspelt) University of Saskatchewan is one of the top 15 research universities in Canada with 22,500 students from over 100 countries. They have a 16:1 student:staff ratio and an annual budget in excess of $1bn which includes $9.2m of scholarships and bursaries. They have 120 Graduate Degree Programs (taught postgraduate) and over 200 undergraduate degree programs. It snows regularly and can get very cold! They formally launched their information security program in June 2012, which is centred around the following three areas:

  • IT Security
  • IT Compliance
  • IT Access

It is a risk based program, meaning that priorities for investment and action are based around a risk score. Bill observed that in 2014, cybersecurity criminals were making more money than drug cartels.

A number of barriers to progress were noted which included:

  • Lack of executive support
  • Inadequate investment
  • Ineffective information security leadership
  • Information security ‘unaware’ community
  • Information security gaps especially with respect to 3rd party service providers

Practical steps

  • Ask the right questions to the right people
  • Don’t adopt every aspect of a rigorous standard (like ISO27001); use common sense
  • Focus on information lifecycle
  • Insights will come quickly once you start working with your stakeholders. These will inform your future strategy.
  • Advance planning and effective communication are absolutely essential
  • Don’t use mass surveys (if you actually want people to provide useful information)
  • Decide how you will engage – either in person or through focused surveys
  • Keep the process simple
  • Focus on business processes and impacts on information (e.g. loss / unauthorised access) rather than using technical jargon

The University of Tampa developed a very simple spreadsheet that included each major business unit on campus, each major process within the units and the process owner. The process owner was asked to rank each of their processes on a scale of 1-5 in three areas:

  • Degree of sensitivity of the data
  • Impact of loss of integrity
  • Impact of loss of availability

The average was taken of each of the three scores for each process to arrive at a risk score for the process. A discussion was held with the process owner about the information handling lifecycle involved with each process which covered:

  • Accessing the data
  • Processing the data
  • Transmitting the data
  • Sharing the data
  • Storing the data (in both paper and electronic forms)

They also looked into whether there were any compliance requirements associated with the type of information that was being stored, and determined whether the University IT department or a third party provided the service.

Summary (University of Tampa)
Bill provided the following summary of the University of Tampa’s risk based approach to managing information security.

  • Data Discovery – find out where your confidential data resides
  • Opening the Doors to positive change in University departments. You should be seen not as people who stop departments from doing things, but the people who help them to do it securely.
  • Re-engineering information handling, which will require a change in mindset from both IT and the business
  • Getting everyone to participate
  • Security Awareness (education is key)
  • Once they trust you, they will come (bringing information about risks right to your door)
  • Rinse, wash, repeat (continual process)
  • Collaborate to reduce risks

Always remember there are a lot of things we don’t know that we don’t know, as demonstrated by this slide.

Summary (University of Saskatchewan)
Lawrence focussed mainly on the best way to present information security risks to University senior management. This is done most effectively when the senior officers of the University understand and accept the cyber-risk. In addition:

  • The information presented must be in a familiar format, as we cannot afford for the busy people we are trying to communicate with to waste time trying to understand the presentation format.
  • We need to focus on risk information and focus on the high risk areas when talking to the University executive group.
  • Don’t make the visuals too complicated or people will stop listening to you and start focussing all their attention on trying to understand the graphics.
  • Read the IEEE publication (Slide Rules)

During their audit, they discovered an internet-accessible incubator control unit with a built-in web server. On further investigation, if this had been hacked and the incubators shut down, then thousands of cute little chicks would have died (and research would be put back two to three years). They also found a robot roaming the hall talking to patients which the department was trying to control remotely by adding it to the wireless network. This robot was big enough to cause serious injury to somebody if an unauthorised person managed to take control of it.

The key stakeholders that Lawrence identified were cyber security professionals (never be afraid to ask for help) and the staff and students at the University. It is vital that those closest to the business processes are closely involved in the threat and risk/privacy impact assessment process. The world of cyber security is a fast changing one, so dedicated cyber security professionals, either internal or external, are vital in order to keep abreast of emerging threats and techniques to combat them. As an institution, we need to own risk and manage it.

Some particular suggestions for ways in which to present the information security risks included using a Gartner-style quadrant with likelihood on one axis and impact on the other. Then encourage your senior team to only focus on the top-right quadrant, whilst being able to see at a glance the entire risk landscape.

An alternative is to use a radar plot to display how well the University is doing with multiple aspects of a particular IT security concern.

Overall this was a very informative session with some practical takeaways on how to both manage information security risks and communicate this to senior managers.

Insights from US and Canadian institutions on risk management and information security

Michelle Griffiths
ITS Project Manager
IT Services
University of Oxford
Member of UCISA-PCMG

Here are some highlights from a session I attended today about the application of practical risk management strategies, presented by the University of Tampa and the University of Saskatchewan.

Overview – University of Tampa

  • Tampa – 8000 students from 50 states and 140 countries
  • 65% of full time students live in campus housing
  • Information security programme was started three years ago
  • CISO (Chief Information Security Officer) reports to the UT President
  • Co-manages a cyber security lab
  • Only school in the States that has reached full ISO/IEC 27001:2013 accreditation

Overview – University of Saskatchewan

  • Member of Canada’s U15, top 15 research universities
  • 22,500 students from 100 countries
  • 16:1 faculty to student ratio
  • Info security programme formed in June 2012
  • Three representatives – ICT Security, ICT Compliance and ICT Access
  • Risk based programme not enforced
  • SSO (Single Sign-On) – for all systems that is managed by five staff
  • Cyber security challenges – Profit, risk and loss

Risk management should focus on:

  • Lack of executive support
  • Inadequate investment
  • Inefficient investment
  • Inefficient info security leadership
  • Info security gaps

Risk management challenges:

  • Things you don’t know/realize
  • Things you realize you don’t know
  • Things you realize you know

Practical approach to risk management:

  • Answers are at your fingertips
  • Don’t worry about adopting every aspect of a rigorous standard approach
  • Focus on Info security lifecycle
  • Get Exec level buy-in
  • Get the stakeholders’ perspective on risk – admin staff and faculty

Resource:
Educause security awareness resources

Snake oil or common sense? Demystifying risk management

Tim Banks
Faculty IT Manager
University of Leeds

Let’s face it; risk management doesn’t have the best reputation. Many institutions see it as a necessary evil; something to keep the auditors happy, a document to pull out of the filing cabinet once a year. Something that has to be done, rather than something that people want to engage with. Proper, active IT risk management can be of enormous benefit to an institution and is the foundation upon which professional quality IT services should be built. However, this requires IT staff at every level to see risk management as a live, ongoing process, rather than just an annual activity. We all undertake risk assessments on a daily basis, not because we feel we ought to but because we see the value in doing so. Every time we cross a road, pick a child’s toy up from the floor, prepare a meal or get in a car we are (often unknowingly) assessing likelihood, impact and making judgements on how to proceed based on the overall risk level.

Let’s focus on that last example of driving a car.  The bad thing that could happen (impact) is serious injury or death resulting from a crash. The chance that it will happen (likelihood) depends on a series of triggers such as excessive speed, mechanical failure, poor weather etc.

In order to manage the risk of something bad happening, we implement a series of control measures, each of which requires checking (auditing) at different intervals.

Examples of control measures that reduce the likelihood of a crash are as follows:

  • For example, we make sure that our driving speed is appropriate to the road conditions and monitor this every few seconds whilst driving.
  • We make sure that our car is mechanically sound by putting it through an MOT test every year. However, if we hear strange noises before the next MOT is due, we don’t just ignore them – we make sure that the car is checked out by a mechanic.
  • Tyre condition is something that we would (or at least should) check weekly and when it’s wet, we use windscreen wipers to reduce the problem of poor visibility in wet weather.

Control measures to reduce the impact of a crash might include:

  • Wearing a seatbelt (which we check is securely fastened each trip; the actual belt is tested every year with the MOT).
  • Airbags (again checked every year).
  • Motorway crash barriers (installed and checked by the Highways agency).

When driving, we don’t think it’s acceptable to just check your speed once a year, but equally don’t try and test the airbags every trip. We have an audit schedule that is appropriate for each control measure. Each control measure is audited by somebody appropriate (e.g. qualified, experienced MOT tester, driver, highways agency engineers). Some are within the direct control of the driver, some need to be actioned and checked by the driver and others have to be entrusted to 3rd parties. We should take the same approach to managing risk in IT services.

I have signed up to attend several risk management sessions at EDUCAUSE 2015 and will report back on them in other blog posts.

Risk management and learning from failure

Simon Geller
Senior Project Manager
University of Sheffield
Member of UCISA-PCMG

I made it to Indianapolis in time for Peter Tinson’s induction session. That was helpful, and it was good to meet up with UK colleagues for dinner.

The morning plenary started at 8am – not a problem for me as my body clock is still fixed halfway across the Atlantic – with the usual welcome from the CEO of Educause and thanks to the organisers.

Then we got into the star performer of the morning – Daniel Pink on motivation. He’s a good speaker and kept the audience engaged, as indeed a good motivator should!

Risk management and learning from failure
I then attended “A practical approach to risk management” (up my street, as I was lead author on the UCISA-PCMG Toolkit on risk).  However, this session really just focussed on well-known tools and techniques and how they had been implemented at particular institutions.

Of more interest was the following session on how organisations can learn from failure – this was run in a highly collaborative and participatory way, with an open Google doc used to capture thoughts from the participants. As well as comments in the room, the session had its own Twitter tag, #edu15fail.

Enterprise Architecture Trends and Strategies

Allister Homes
Senior Systems Architect
University of Lincoln

Gartner EA Summit Day 2

I’ll take the same approach as the blog post for day 1, summarising the sessions I attended.

Top 10 strategic technology trends for 2015

I thought this session brought together some of yesterday’s themes quite nicely – I’m not sure if that’s how it was intended or whether it was a coincidence (or even just my interpretation), but that’s how it came across to me.

First of all the presenter explained the traits that the Vanguard Enterprise Architect – Gartner’s term for the architect of tomorrow – will need to have:

  • Futurist, trend spotter
  • Business visionary
  • Technology analyst
  • Strategist (social connector)
  • Educator, communicator
  • Vendor watcher
  • Leader, collaborator
  • Evangelist, catalyst
  • Salesman

We were told that if you see trends in a spectrum, the enterprise architect should consider adopting trends, and how they can help the organisation, during their growth phase – after the emerging phase (when disruption is uncertain) and before they become mainstream (when the disruption is happening or has happened).

The top strategic trends Gartner identified as being of greatest importance to EA over the coming years are:

  • Merging Real World and Virtual World
    • 1 – Computing everywhere (think mobile people instead of mobile devices)
    • 2 – Internet of Things
    • 3 – 3D printing
  • Intelligence everywhere
    • 4 – Advanced, pervasive and invisible analytics
    • 5 – Context-rich systems
    • 6 – Smart machines
  • New IT reality emerges
    • 7 – Cloud/client computing
    • 8 – Software-defined application and infrastructure
    • 9 – Web-scale IT (our IT world will look more like Google)
    • 10 – Risk-based security and self-protection

Business outcome driven application strategy
The focus of this session was bimodal application strategies, particularly the use of mode 2. Most IT departments are generally seen as good at identifying savings and efficiencies that an organisation can make, but not necessarily as good at supporting new revenue opportunities and taking advantage of new opportunities. Organisations need to take advantage of business moments – that is, opportunities that arise suddenly and are transient – and if the IT department is not good at responding to those opportunities with the business then they will become marginalised and bypassed. We heard how business moments are human-centric, transient, ad-hoc and blur the physical and digital boundaries. The difficulty for enterprise architects is that it is hard to plan the target state for these business moments when we have no idea what the state will look like until the transient opportunity arises. Instead, we have to design the architecture to be able to respond to opportunities rapidly as they arise.

In bimodal IT, mode 1 is the more traditional way of doing things, is consistent, has steady governance controls and does things ‘the right way’; mode 2, on the other hand, has no simple path and is flexible and adaptive. Mode 2 looks more chaotic but it doesn’t have to be. Mode 1 might use a waterfall methodology (but might use Agile) whereas mode 2 can only succeed with Agile methodologies.

It was suggested that when starting out with a bimodal approach, we should first pick a specific project or projects to experiment with. Use agile approaches, devops, create an innovation lab and use small vendors. Then, as competence with mode 2 and a more unstructured world grows, mode 2 can start to be applied in more situations. There are significant differences in characteristics between mode 1 and mode 2 approaches, including funding arrangements, which are less predictable but can be less risky with mode 2. In an Agile project it will be known much earlier whether a project is likely to fail than would be the case in a waterfall project (called failing fast), and much less of the budget would have been spent, meaning the financial risk can be lower. Organisations will probably always have some mode 1, but a bimodal approach will start to displace it to some extent.

This session was presented by the same person who presented Application Architecture for Digital Business yesterday, and the information about app and service style application architecture from that session was repeated in this one. It was suggested that the likes of Nginx and in-memory computing are used for scale and performance. There was also a comment that, for integration, we shouldn’t assume the ESB is the centre of the universe. It is still good for core systems, but gateways (e.g. with APIs) can be faster and easier for mode 2 applications.

Orchestrating Ideation: Creating Breakthrough Innovation Opportunities
The ‘nuts and bolts to drive innovation’ were presented in this session, which concentrated on thoughts for an innovation pipeline. Innovation in many large businesses used to be driven by a small group, perhaps a dedicated Research and Development team. Businesses need to, and are, changing this approach now, partly because it is increasingly possible for someone with a good idea to simply go out and build it with tools at their disposal (cloud-based services in the case of IT tools) without the involvement of specialist teams in the organisation and without any kind of governance or approval. The change of approach needs to move from the likes of R&D teams to the wisdom and diversity of the crowd, and from managing innovation to orchestrating, engaging and motivating the right set of people and guiding them through an innovation pipeline.

Gartner has come up with a way of categorising problems according to their nature and applying different methods to crowd-source solutions depending on that categorisation.

Problems can be categorised as complicated (e.g. putting a man on the moon in 10 years), complex (e.g. climate change) or chaotic (e.g. traffic movement). For each categorisation there are different knowledge scopes, and also different approaches:

  • Analysis for complicated, breaking down the problem into smaller pieces
  • Synthesis for complex, aiming for the best outcome to a problem without a way of necessarily knowing if it is ‘solved’ (see yesterday’s blog post for a session that covered analysis vs synthesis)
  • Selection for chaotic, where the whole problem can’t necessarily be solved but solutions can be selected to solve incremental parts of it.

Stakeholders will also vary according to the problem type. This is all much easier to explain using a series of Gartner’s slides, but I don’t think I can reproduce that much copyright material without falling the wrong side of the rules.

When it comes to the type of crowd used to solve the different categories of problems, complicated problems are best solved with specialist teams, e.g. the DARPA robotics challenge; complex problems are solved best with community co-creation, starting with a goal rather than a problem and then selecting the best option, e.g. the way the city of Porto Alegre involves citizens in setting the use of the discretionary budget; and chaotic problems are best solved using the largest possible target audience and giving the community a broad space to get many different ideas rather than setting a specific goal, and then working through filters of selection, development and final launch, e.g. the Department of Work and Pensions’ staff ideas scheme.

All of this needs to be done by putting rules and recognition/reward around a process. Participants are motivated from having autonomy (being part of the change), mastery (developing skills) and purpose (having meaningful contribution). A pipeline provides creative constraints to encourage creativity, because if there are no boundaries or guidance at all it is harder to think of something to be creative with, and organisations should put in place a way of managing innovation portfolios to make the best of crowd sourced ideas.

Digital Business Architecture Fuels Digital Business
At the very beginning of this session, it was emphasised that if you are not doing business architecture you are not doing EA – you’re doing EITA (Enterprise IT Architecture) instead. It was also emphasised that business architects must be part of the EA team, and even if there are reasons why the reporting lines for personnel are different it is still important for business architects to sit with and work with the rest of the EA team in a virtual team. Gartner estimates that by 2017 60% of Global 1000 organisations will execute at least one revolutionary and unimaginable business transformation effort, and if business architects are not an intrinsic part of the EA team then the rest of the architecture will not be able to respond properly to these transformations.

My interpretation of this session was that much of it was about what should already be taking place in the business domain of EA, with elements of how to take it a little further. One interesting point is that organisations, people and things (think Internet of Things) will all be equal peers when it comes to digital business designs in future. I thought other aspects, such as how business architects should work on business strategy and goals, fill the gap between strategy and execution, and so on, were what has been suggested for a long time. Business moments were talked about again (see earlier in the day) and likened to lightning strikes of opportunity. The suggestion was made that to gain an advantage and be able to respond more quickly than competitors, business modelling should not stop at the boundary of the organisation; instead, also model the business domain of partners, competitors and customers.

Finally, the presenter urged IT and EA departments NOT to think of, or refer to, the rest of the organisation as customers, because doing so makes IT and EA subservient to the rest of the organisation. IT is intrinsic to most modern organisations and crucial to their futures, and department staff should be thought of as peers.

Three Roadmaps to Guide and Drive Change in Your Organisation
As the title suggests, this session was about roadmaps. The first point was that not every roadmap suits every stakeholder – it’s no good giving a tube map to someone getting the bus. In some cases a particular roadmap might only be relevant to a few technical staff, and there is nothing wrong with that because those people need that roadmap, but it would be a mistake to give the same one to board members. The definition of a roadmap provided by the presenter is that it is graphical, illustrates milestones and deliverables, and shows transition from current to future over specified time. Time is the primary dimension, but additional influencing factors may be shown, and the level of abstraction must be appropriate to the audience and purpose. That leads to the first piece of critical information when creating a roadmap – who and what is it for? By understanding that, an appropriate roadmap can be developed that is fit for the people and for the purpose for which it is being created.

At this point similar emphasis to that of the previous session was made about the importance of not thinking of the IT department as separate to the rest of the organisation. You wouldn’t typically talk of the finance department and its relationship to the business, for example, so don’t do it with the IT department.

It was also suggested that staff from within the organisation are sought out for how they can help with roadmaps – many organisations have a marketing department with staff who spend much of their time making things look as appealing as possible, so ask if they can help do the same with your roadmaps for example.

A topology of roadmaps was presented covering quadrants of operational planning, operational execution, strategic planning and strategic execution. Roadmaps tend to fit towards the strategic rather than tactical axis, but lifecycle roadmaps cover some of each because they cover the full life cycle of a capability or system over time. Evolution roadmaps show a specific target state and what components are introduced or removed to support the required business outcomes. An enterprise roadmap shows current and planned strategic change at a contextual level, again including the time dimension. It tracks high level business outcomes linked to KPIs, and indicates change across the whole enterprise rather than just one programme or area of it.