>We’ve all been there asking why we missed the signs while others saw them head-on and benefited in some way. This happens with financial investments (e.g. I should’ve sold before this recent meltdown like my good buddy did), business opportunities (e.g. I should’ve opened up a chain of coffee stores like Starbucks before Howard Shultz got to it), military strategy (e.g. we should’ve seen the attacks on Pearl Harbor and 9-11 coming and been better prepared to try and stop them) and other numerous “should’ve” moments—and no I’m not talking about that” I should’ve had a V8!”
Why do we miss the signs and misread information?
Obviously, these are important questions for IT leaders, enterprise architects and IT governance pros who are often managing or developing plans for large and complex IT budgets. And where the soundness of decisions on IT investments can mean technological superiority, market leadership and profitability or failed IT projects and sinking organizational prospects.
An article in MIT Sloan Management Review, Winter 2009, provides some interesting perspective on this.
“Organizations get blindsided not so much because decision makers aren’t seeing signals, but because they jump to the most convenient or plausible conclusion, rather than fully considering other interpretations.”
Poor decision makers hone in on simple or what seems like obvious answers, because it’s easier in the short-term than perhaps working through all the facts, options, and alternative points of view to reach more precise conclusions.
Additionally, “both individual and organizational biases prevent…signals from getting through” that would aid decision making.
How do these biases happen?
SUBJECTIVITY: We subjectively listen almost exclusively to our own prejudiced selves and distort any conflicting information. The net effect is that we do not fully appreciate other possible perspectives or ways of looking at problems. We do this through:
Filtering—We selectively perceive what we want to and block out anything that doesn’t fit what we want to or expect to see. For example, we may ignore negative information about an IT investment that we are looking to acquire.
Distortions—Information that manages to get through our mental and emotional filters, may get rationalized away or otherwise misinterpreted. For example, we might “shift blame for a mistake we made to someone else.”
Bolstering—Not only do we filter and distort information, but we may actually look for information to support our subjective view. For example, “we might disproportionately talk to people who already agree with us.”
GROUPTHINK: “a type of thought exhibited by group members who try to minimize conflict and reach consensus without critically testing, analyzing, and evaluating ideas.” (Wikipedia)
“In principle, groups should be better than individuals at detecting changes and responding to them. But often they are not, especially if the team in not managed well, under pressure, and careful not to rock the boat.”
Interestingly enough, many IT investment review boards, which theoretically should be helping to ensure sound IT investments, end up instead as prime examples of groupthink on steroids.
If we are going to make better IT decisions in the organization then we need to be honest with ourselves and with others. With ourselves, we need to acknowledge the temptation to take the simple, easy answer that is overwhelmingly directed by personal biases and instead opt for more information from all sources to get a clearer picture of reality.
Secondly, we need to be aware that domineering and politically powerful people in our organizations and on our governance boards may knowingly or inadvertently drown out debate and squash important alternate points of view.
If we do not fairly and adequately vet important decisions, then we will end up costing the enterprise dearly in terms of bad investments, failed IT projects, and talented but underutilized employees leaving for organizations where different perspectives are valued and decisions are honestly and more comprehensively vetted for the betterment of the organization.
If we shut our ears and close our eyes to other people’s important input, then we will miss the planning mark.
IT governance is often implemented with the establishment of an IT Investment Review Board (IRB) and Enterprise Architecture Board (EAB); but to get these to really be effective you have to win the hearts and minds of the stakeholders.
Here are some critical success factors to making IT governance work:
- Management buy-in and commitment—this is sort of a no-brainer, but it’s got to be said; without senior management standing firmly behind IT governance, it won’t take root and IT projects will continue to fly under the radar.
- Prioritizatuion and resourcing—EA, IT Strategic Planning, and IT governance compete with IT operations for resources, management attention, and prioritization. More often than not, many not so savvy CIOs value putting some new technology in the hands of the end-user over creating strategic IT plans, developing transition architectures, and implementing sound IT governance (they do this at risk to their careers and good names!)
- Policy and procedures—IT governance needs a firm policy to mandate compliance to the user community; further the procedures for users to follow need to be clear and simple. IT governance procedures should integrate and streamline the governance processes for authorizing the project, allocating funding, conducting architectural reviews, following the systems development life cycle, managing the acquisition, and controlling the project. End-users should have a clear path to follow to get from initiating the project all the way through to close-out. If the governance mechanism are developed and implemented in silos, the end users have every reason in the world to find ways to work around the governance processes—they are a burden and impede timely project delivery.
- Accessibility—Information on IT governance services including the process, user guides, templates, and job aids needs to be readily available to project managers and other end users. If they have to search for it or stick the pieces together, then they have another reason to bypass it all together.
- Enforcement—there are two major ways to enforce the governance. On the front end is the CIO or IRB controlling the IT funding for the enterprise and having the authority to review, approve, prioritize, fund, monitor, and close down IT projects. At the back-end, is procurement; no acquisitions should pass without having demonstrated compliance with the IT governance processes. Moreover, language should be included in contracting to enforce EA alignment and compliance.
- Cultural change-Organizations need to value planning and governance functions. If operations always supersede IT planning and governance, then both business and technical stakeholders will feel that they have a green light to ignore those functions and do what they want to do without regard to overall strategy. Further, if the culture is decentralized and governance is managed in silos (one manager for SDLC, another for EA, yet another for requirements management), then the processes will remain stove-piped, redundant, and not useable by the user community.
- Communication plan—the governance process and procedures need to be clearly communicated to the end users, and it must address the what’s in it for me (WIIFM) question. Users need to understand that their projects will be more successful if they follow the IT plan and governance processes. Those are in place to guide the user through important and necessary project requirements. Further, users are competing for resources with other important IT projects, and user will benefit their projects by making the best business and technical case for them and following the guidelines for implementing them.
The Privacy Act of 1974 states: “no agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains.”However, there are certain exception for statistical, archival, and law enforcement purposes.
What is privacy?
In MIT Technology Review, “The Talk of The Town: You—Rethinking Privacy In an Immodest Age” (November/December 2007), by Mark Williams, the author states Columbia University professor emeritus of public law Alan F. Westin defines privacy as, ‘the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others.’”
Do we have privacy?
Already in 1999, Sun Microsystems chairman Scott McNealy stated, “You have zero privacy anyway. Get over it.”
These days, there is no illusion of privacy, as young people routinely put their biographical details and images online at a myriad of social-networking websites. Moreover, “kids casually accept that the record of their lives could be Googled by anyone at any time…some even considered their elders’ expectations about privacy to be a weird, old-fogey thing–a narcissistic hang-up.”
Privacy is certainly not an absolute, especially since we need to balance the right to privacy against the first amendment guarantee of free speech. However, when people think their rights to privacy has been abused they have recourse to tort, defamation, and privacy law.
EA’s role in privacy:
User-centric EA supports the Investment Review Board selection, prioritization, and funding of new IT investments with architecture reviews and assessments; these EA reviews include a detailed appraisal of everything in the “information” perspective, including information management, sharing, accessibility, assurance, records, and of course privacy issues.
Furthermore, more detailed privacy impact assessments (PIAs) must be conducted, according to the the E-Government Act of 2002, “when developing or procuring IT systems or projects that collect, maintain or disseminate information in identifiable form from or about members of the public.”
Although Generation Y does not particularly seem to value their privacy as you’d expect, EA, along with the privacy officer and the chief information security officer, plays a critical role in monitoring and ensuring the privacy of information managed by the enterprise.
In the Harvard Business Review (HBR) whitepaper entitled, “Harnessing Our Inner Angels and Demons” by Milkman, Rogers, and Bazerman, the authors describe the “conflict when deciding whether to behave responsibly or indulge in impulsivity”, what the authors call the want/should conflict.
How do we define want and should?
“Some options are preferred by the should self (e.g. salads, documentary films, trips to the gym, etc.), while others are preferred by the want self (e.g. ice cream cones, action films, skipping the gym, etc.).”
How do we decide between the want and should options?
“The optimal choice between want and should options requires summing the short-run and long-run utility that would be gained from each option and selecting whichever provides more discounted net utility. Although should options have more long-run benefits than want options, in many cases the short-run benefits of a want option may be significant enough to outweigh the long-run benefits of a should option.”
While salad is a should option, and pizza a want option, we frequently chose the pizza, because the short-term instant gratification of the pizza outweighs the perceived long-terms health benefits of the salad.
How does this should/want conflict impact EA?
User-centric EA is all about making choices and trade-off decisions. The enterprise has limited resources and so must chose between IT investment options. Some of these investment may be want options and others may be should options. For example, user may want to upgrade their desktops with the “latest and greatest” computer model and options every year or two. However, the enterprise should invest in business intelligence or customer relationship management software, for example, that will yield significant long-term utility to the organization. Which option does the Investment Review Board choose? Which option is called for in the EA target architecture and transition plan? The HBR whitepaper shows us to measure the utility and make decisions based on the net utility to the enterprise. In this way, the organization gets the greatest good for its IT investment dollars.
Enterprise Architecture is a combination of developing and using organizational insight and managing sound oversight.
Boeing Company’s recently announced six-month delay of its new 787 Dreamliner jet shows defects in both their EA insight and oversight.
The Wall Street Journal, 7 December 2007 reports that “layers of outsourcing slow 787 production…a look inside the project reveals that the mess stems from one its main selling points to investors—global outsourcing.”
How did global outsourcing reveal the breaks in both effective insight and oversight at Boeing?
- INSIGHT—EA is the synthesis of business and technology to improve organizational decision-making. EA develops information products, so that the organization has the information it needs to improve mission execution, and so that business is driving technology. In the case of Boeing, they were so focused on getting the technology of the new jet right, that they overlooked the underlying business problems. “It figured the chief risk lay in perfecting a process to build much of the plane from carbon-fiber plastic instead of aluminum. Boeing focused so hard on getting the science right that it didn’t grasp the significance of another big change; the 787 is the first jet in Boeing’s history designed largely by other companies,” and this has been plagued with problems ranging from language barriers to their contractors subcontracting out key tasks, such as engineering. Boeing’s focus on the technology led them to ignore important aspects of the business of designing and producing the new planes. Boeing did not have sufficient insight into the business side (versus the technology) of managing this tremendous endeavor.
- OVERSIGHT—EA involves IT governance, so that IT investments are made based on sound principles of business alignment, return on investment, risk management, and technical compliance. Generally, the Investment Review Board, the EA Board, and the Program Management Office sees to it that IT projects are reviewed and managed in terms of cost, schedule, and performance parameters. In the case of Boeing, they did not ensure adequate EA oversight for the 787 jet. “Boeing overestimated the ability of suppliers to handle tasks that its own designers and engineers know how to do almost intuitively after decades of building jets. Program managers thought they had adequate oversight of suppliers but learned later that the company was in the dark when it came to many under-the-radar details.” Boeing’s general expertise in project oversight was outsourced along with the engineering and production tasks, and this led to, what an executive of one major supplier has called, chaos.
The Boeing 787 Dreamliner may well end up being a true “dreamy” jet plane, but from a User-centric EA perspective, the 787 has been a real nightmare and a example of ineffective EA insight and oversight!
To manage IT, you’ve got to have investment reviews, but when is it too much or not effective?
There are a number of executives (CXO’s) with a stake in the success of IT projects and a responsibility to review and manage them:
- Chief Financial Officer (CFO)— is interested in the investment’s alignment to the mission and its return on investment
- Chief Information Officer (CIO)—looks at IT projects in terms of technical alignment and compliance with the enterprise architecture, systems development life cycle, IT security, and other areas like privacy, accessibility, records management, and so on
- Chief Procurement Officer (CPO)—reviews projects for contractual issues to protect the organization and ensure that “it gets what it’s paying for”
- Line of Business (LOB) Program Officials—must review projects in terms of their project management and to control cost, schedule, and performance and ensure that the organization “controls” its investments
Usually, each of these executives has boards to carry out these review functions, and they are redundant, inefficient and drive the end-user crazy answering questions and checklists.
Part of the problem is that the executives and their review boards do not limit themselves to reviewing just their particular domains, but look across the management areas. So for example, EA often not only looks at technical alignment, but also will review business alignment and performance measures.
Moreover, not only are the review boards’ functionality often redundant between CXO’s, but even within the domain of a CXO, there will be duplicative review efforts such as between EA, SDLC, and IT security reviews.
Additionally, when an organizational component of an organization needs to conduct these reviews at their level and then again all the same reviews at a higher overall organization level, then the already inefficient review process is now doubly so.
In the end, with all the requisite reviews, innovation gets stifled, projects hamstrung, and the end-user frustrated and looking to circumvent the whole darn thing.
Obviously, you must review and establish checks and balances on IT investments, especially with the historical trends of people spending extravagantly and wastefully on IT solutions that were non-standard, not secure, not interoperable, did not meet user requirements, were over-budget, and behind schedule.
The key from a User-centric EA perspective is to balance the needs for governance, oversight, and compliance with helping and servicing the end-user, so they can meet mission needs, develop innovative solutions, and manage with limited resources. Asking users the same or similar checklist questions is not only annoying, but a waste of valuable resources, and a great way to spark an end-user revolt!
Remember it’s a fine line between EA and governance showing value to the organization and becoming a nuisance and a hindrance to progress.
The Wall Street Journal, 31 October 2007 states that “the error-reporting service built into the Windows operating system is a massive global network for speaking truth to power.” When a Windows program crashes, you get the pop-up offering to “tell Microsoft about this problem.”
On busy days, “50 gigabytes of data from these error reports stream into Microsoft… [where] two dozen programmers are charged with monitoring them.”
Microsoft won’t tell you which of their programs crash the most, although Internet Explorer and Windows Explorer seem likely bets, while at the other extreme, Word and Excel “seem like Gibraltar.”
A Microsoft article, “Crash Protect Your PC Now!” (article id 835565) states:
“You’ve probably been there. You’re happily working away in Windows when suddenly everything freezes for no apparent reason. Maybe you’ve pressed [Ctrl] + [Alt] + [Delete] and managed to end the troublesome task and get on with things, but even if your machine hasn’t locked solid you’ve still lost at best a few minutes’ work, and at worst an entire document. We hate to tell you this, but the problem isn’t necessarily one with your PC either – many crashes are caused by poor use of your computer’s resources, or too many program installations that took place while you left half-a-dozen other programs running in the background.”
Some reasons Microsoft gives for the system crashes:
- Faulty hardware (sort of figures Microsoft would say that and say it first)
- BIOS updates— “hardware problems can be solved by BIOS updates. This is because of the specification that all hardware is built to is open to some interpretation.”
- Driver updates— “if you’re being plagued by crashes and you haven’t updated your drivers for a while, this could well be the solution – 40 per cent of crashes are caused by poor drivers. Of course, if your machine is fine at the moment, updating the drivers may actually introduce problems, or fix one problem and introduce another.”
- Software problems— “the other reason your machine will crash, and this is definitely the most likely cause, is due to software…. There are two main reasons that software can crash – either it can’t gain access to a resource that it needs (such as memory), or it contains a bug… One of the main reasons a program crashes is because it can’t obtain enough memory from the OS to complete an operation….Another reason programs are prone to tripping up on the memory front is that the memory becomes fragmented the longer you leave your machine on.
What does Microsoft tell you to do?
Prepare! “Prepare yourself for crashes by saving regularly and often, and to keep the amount of programs running to a minimum.”
What does User-centric EA tell us to do?
I love Microsoft, but maybe it’s time to consider having the IT Investment Review Board let Microsoft know what they think about all the system crashes by voting with the organization’s wallet and spending project dollars on alternatives that offer application stability and reliability. 50 gigabytes of streaming data reports on a busy day is just about 50 gigabytes too much!
>The Wall Street Journal, 22 October 2007 reports on a debate between the CIO of Highmark Inc. (a business education corporation) and the CIO of Google on whether employees’ use of unauthorized technologies at work compromises security or enhances productivity.
Why does locking down the desktop enhance corporate security?
The essential question is “how much leeway should office workers have to try out new technologies on company computers? For many employers, the answer is clear: none at all. Corporate IT departments already have their hands full with viruses, hackers, spyware, and data breaches, without having to worry about employees making those problems worse by adding unauthorized software or devices. Security experts warn that a company’s insiders are responsible for most security headaches, intentionally or inadvertently.”
- Tom Tabor, the CIO of Highmark states: “we recognize that employees just want to be productive…while this may be advantageous, it is also a management issue as far as maintainability, support, and potentially cost.”
Why does unlocking the desktop enhance worker productivity?
“Most employees who work regularly with computers can think of dozens of ways that unauthorized technologies makes it easier to do their jobs, whether it’s Web-based email programs, for sending large files or flash memory drives for taking work files home. And it isn’t just individuals; whole departments are turning to online software providers to handle business needs without the approval, or often the knowledge, of the IT department.”
- Douglas Merrill, the CIO of Google states: “We must give up trying to control everything, and instead focus on the few places that are the most critical.”
How do these CIOs deal with demands for new IT?
- Tabor: “We have a formalized technology-acquisition process that allows employees to submit technologies for review by the IT organization. Through this process, employees have a say in what technologies are considered.”
- Merrill: “At Google, most employees who run Windows are set as power users, not administrators. This allows employees to install some things and change some machine settings, but not everything—basically, we try to protect our employees from themselves. [However,] If they want administrator access, they just have to ask for it…”
In user-centric EA, we follow a similar method to Mr. Tabor’s technology-acquisition process by having an Investment Review Board supported by an Enterprise Architecture Board, where business sponsors can submit decision requests for new IT projects, products, or standards and get these evaluated, authorized, prioritized, and funded. The key is to have a structured process that adds value to the IT investment decision-making without stifling innovation and productivity.
As for locking down the desktop, as a user, I can’t say that I love the restrictions, but as an enterprise architect and IT and business professional, I definitely see the security value to the organization, as well as the benefits to standardizing technologies, developing enterprise solutions, and building a maintainable, cost effective infrastructure.
One of the most difficult challenges we face as enterprise architects is when end-users don’t ask permission, but instead ask forgiveness.
The typical scenario is that a division or unit or group of end-users decides to go out and purchase some new IT widget, gadget, or system without going through the CIO shop. (I know this shouldn’t happen if the CIO controls the IT funding, but even then someone always finds some money squirreled away and decides to use it for something they weren’t supposed to or in some cases even bypasses the money channels altogether, getting a freebie from a eager vendor looking to build or test some new capabilities to sell later to other customers).
Well, where’s the harm?
Oh my G-d, where should I start…
Innovation from the field and operators is great, but bypassing the CIO shop circumvents the structured processes and good governance that is in place to ensure projects succeed. Without these mechanisms, IT project can be at tremendous risk:
- Business Case—Without a business case, the justification for the IT project was never made, return on investment not calculated, alternatives not considered, and the best course ahead not properly laid.
- Investment Review Board—Without IRB vetting, the senior-level sponsorship has not been solidified, the project has not been authorized, and its priority has not been set with respect to other, maybe more critical, projects that the enterprise needs; further, the project may not have adequate life cycle funding; additionally, the project is likely not being ongoingly monitored and managed by leadership and enterprise subject matter experts for cost, schedule, and performance.
- Enterprise Architecture Review—Without an EA technical review, the IT project may align with the target architecture and transition plan, may not be interoperable with other systems, may not meet enterprise technical standards, may overload or be incompatible with existing infrastructure, may be duplicative of other investments, may not be the best or most cost-effective technical solution, may not meet various legal, regulatory, and other compliance requirements.
- System Development Life Cycle—Without following a defined, repeatable, and measureable SDLC process, the project risks failure by not having adequate and documented planning and requirements, design, development, testing, implementation, training, operation and maintenance, and disposition.
- Project Management Plan—Without a project management plan, projects are at risks for being mismanaged, having cost-overruns, schedule delays, and quality problems.
- IT Security Plan—Without an IT security plan, the project is at risk in terms of the confidentiality, integrity, availability, and privacy of the information.
No question, from an end-users perspective, there are quite a few hurdles to go through in implementing a new IT project. An if we’re honest with ourselves, the process can be onerous. Therefore, the CIO and his staff needs to work to streamline the processes, integrate them, provide the users with job aids and excellent customer support. Additionally, there should be a quick pass process for getting those “emergency” (must have now) projects through quickly (although not any less comprehensively).
The key is to balance the needs of the enterprise (ensuring mission execution and sound stewardship of enterprise resources), end-users (supporting innovation and operators ability to do their jobs successfully and safely), and customers or citizens (bringing new products or services to market quickly, reliably, and at high quality levels). To do this we have to balance the necessary processes and governance to ensure IT projects’ success with the imperative to foster innovation and deliver quality and speedily to market.
So as an enterprise architect, what do you do when a end-user asks forgiveness, instead of permission?