The Business Technology Optimization Audit: Finding the Make Money/Save Money Zone
by Steve Andriole, Fellow, Cutter Consortium
Abstract
As a percentage of gross revenue, technology budgets are growing. At the same time, the contribution that technology can make to the business is expanding. The key is to identify the technology acquisition, deployment, and support strategies most likely to help you save/make money. This Executive Report outlines a framework of assessments pertaining to strategy, leadership, culture, organization, awareness, technology, metrics, and sourcing. This framework yields the following audit areas: strategy; applications; networks; data; organizational structure, people, and corporate culture; metrics; benchmarks; security; and delivery. The report also highlights an approach for conducting optimization audits designed to determine where companies might save/make money through technology investments, the organization of technology, and how technology is delivered.
Do you know where your technology is?
My guess is that many of us believe that we're state of the art, cost-effective, and well positioned to deal with whatever adversity comes our way. Yes indeed, we're a finely tuned technology machine. We have reliable vendors that give us good prices. Our hardware is solid and reliable. Our applications are fully rationalized and our networks, well, our networks are fast, reliable, and secure. People? We have the best! They are smart, motivated, and best of all, current in the technology they acquire, deploy, and support. There's not much they don't know -- and because of this deep bench, our succession plans are as solid as a rock.
We practice only the best best practices. We read all of the trade magazines and subscribe to several research companies whose reports we religiously analyze. We convert all this knowledge into playbooks for technology acquisition, deployment, and support. We're good -- and we know it. We go to the right conferences every year -- hell, several times a year, to validate what we already know. These so-called conference professionals could learn a thing or two from us. Everyone loves us at the company. Alignment? We're flat out simpatico with the business. They throw us parties. Business executives are always asking if there's anything they can do for us. We're the toast of the company. Life is good.
We're also delusional, and we have been for years! We're so busy putting out brush fires that we don't have time to think about anything else. Optimization? How about frustration? Alternative delivery models? We're still trying to get Crystal Reports to report service-oriented architecture (SOA)! Look, we're doing more with less, year after year. We face budget cuts while the businesses we support want us to cost less but deliver more, especially on the revenue-generation side. The business thinks we're too slow and too expensive. We've redefined the term "fair-weather friends." The fact is, we're drowning. Sound familiar?
Optimization is a haughty word. It suggests progress and success, not waterboarding. But it's a constant and can provide insight and recommendations on how to save money and make money with IT. But where do you start? Figure 1 identifies the roadmap. There are several things to note about the business technology optimization framework. First, technology -- that is, hardware, software, and communications -- plays a relatively minor role in the overall effectiveness equation. Technology is obviously critically important, but optimization is as much about people, processes, organization, and strategy as anything else. Optimization is also about synergy. If one piece is out of sync, then it's likely that many of them are.
Figure 1 -- Business technology optimization framework.
Optimization is inextricably about corporate culture -- the ultimate taboo subject. Companies that are already dysfunctional are likely to have dysfunctional technology organizations. Stated somewhat differently, the degree of optimization possible correlates directly with the wackiness of the corporate culture.
We also look at alternative delivery models as part of the sourcing audit. Are you buying the right stuff from the right people in the right way for the right price? Or is Harry, the proverbial brother-in-law, still handling procurement? Yeah, and we buy from the vendors that give us the best perks, the best tickets to the best concerts. Did I mention the Masters?
The premise of the optimization audit is the acknowledgement of the width and depth of change occurring in the field. Business technologists -- not mired in brush fires -- understand just how profound the changes are. Renting? Leasing? From strangers? Clouds? Hardware-as-a-service (HaaS)? Servers for 50 cents a day? What's going on?
It's extremely likely that three things have occurred in your technology acquisition, deployment, and support strategy:
1. You're paying too much money for the wrong things, failing to save enough money with technology.
2. You're missing opportunities to really help the business achieve its objectives, failing to make enough money with technology.
3. You're leveraging the wrong best practices with the wrong people.
Now let's walk through the audit.
THE OPTIMIZATION AUDIT
We've developed the optimization audit in response to new opportunities and old pitfalls. We also developed an audit that we believe touches all of the high-leverage areas. We believe that the pieces are interdependent and synergistic. We also believe that the results can be implemented incrementally (if you must) or (ideally) holistically since so much of this is interdependent.
The optimization audit, like all audits, should be actionable. We're not dealing with "theoretical" or "perfect" circumstances here. There are limits to what can be accomplished. Realistic business cases for each recommendation to save money and make money are developed as part of the audit's final report, as suggested in Figure 2.
Figure 2 -- The optimization audit matrix.
The optimization areas appear vertically; the analyses horizontally. Current-state reporting develops SWOT (strengths, weaknesses, opportunities, and threats) analyses for all of the areas. Recommendations for how to make money and save money extend from the SWOT analyses; they are informed by our applied research, industry best practices, industry benchmarks, technology trends analyses, and our experience that cuts across multiple vertical industries. The business case is the result of the current-state assessment and the save money/make money recommendations. Our business cases are always organized around value, cost, and risk.
Next, let's dig deeper into each of the optimization areas (strategy, applications, networks, data, organization, metrics, benchmarks, security, and delivery) and the kinds of recommendations focused on saving and making money as well as the business cases we deliver.
Strategy
It's impossible to overstate the importance of strategy or the extent to which it's frequently ignored. Technology investments are inextricably linked to business strategy. The overall business technology strategy -- in a sane (note that I did not say "perfect") world -- is the offspring of business strategy and technology optimization.
Strategy audits look at the existing strategy, the strategy of competitors, and the strategic assumptions that should guide the company. Detailed strategies are few and far between. 1 This tells us a lot about the effectiveness of the business technology organization and the value the company places on strategic planning; without a coherent strategy it's difficult if not impossible for technology investments to be optimized.
So what do we look for in a strategy audit? A useful strategy contains the following:
- The current business models and processes of the company. If the company is decentralized by business unit, we look at the current business models of each line of business along with the business processes that support the enterprise and business unit models.
- The to-be business models of the company and the lines of business with a focus on the next two to three years. Note that the focus is not on the next four or five years, which is just too hard to forecast; instead, the recommendation is to conduct rolling two-to-three-year forecasts of the business models and processes likely to yield profitable growth.
- The as-is and to-be business models of primary and unconventional competitors.
The current-state assessment usually yields insight and recommendations about the specificity of the strategy, its relationship to the competition, and the extent to which it references out-of-the-box "unconventional" business models and processes. Of special interest are the objectives of the company: is the company trying to expand, increase its valuation, grow through acquisitions, grow organically, sell itself, or continue pretty much as is? These objectives determine the range of options open to management or, stated more directly, the options that management will actually consider. They also determine -- along with other elements of the optimization audit (e.g., corporate culture, leadership, and organizational structure) -- the range of business cases possible to modify the strategy.
At the heart of the matter is the specificity and persistence of the strategy. For example, is the strategy defined down to the business process level? Is it taken seriously by the senior management team? Is it funded? Is there a correlation between what's published and what's practiced? Strategy metrics are complicated and often ignored because strategies, like stock buy-back plans, are frequently political documents written for internal consumption, investors, and advertisers -- not execution. Assessing corporate strategies is complicated and political but necessary to determine if a company is rudderless or focused.
How do you save money or make money regarding strategy? If there's no specific, persistent strategy then money will be wasted, by definition, on unfocused corporate initiatives. If there's a specific strategy, but it's the wrong strategy, then money will be wasted in the wrong direction. On the other hand, if the strategy is specific and correct, then there's significant money to be made if the company executes the strategy efficiently. Companies that are competent in strategic planning and execution are often good at defining high-level strategic requirements and lower-level tactical requirements. They're also good at the conversion of requirements into projects. The very best are excellent project and program managers who continuously align project performance to strategic and tactical business requirements. This is a corporate skill essential to success, though relatively few companies have mastered the art and science of project/program/portfolio management. The optimization audit assesses these skills and recommends ways to improve them.
Technology's role in the strategy execution phase is critical because companies cannot exist without digital technology. Specific strategies yield effective technology investments; unfocused strategies yield ineffective expensive technology investments. The optimization audit profiles a strategy's specificity, quality, and execution potential. A cost/impact/risk business case is the outcome of the strategy audit that focuses on what's right about the strategy, where the strategy needs work, how to improve the strategy/requirements relationship, and how the strategy might be implemented.
Applications
There are many pieces to the applications optimization audit. The first piece is the relationship between corporate transactions and infrastructure requirements (linked to the company's primary business models and processes) and the deployed applications. Are they satisfying the requirements in a cost-effective manner?
The applications end game consists of a set of integrated and interoperable back-office, front-office, virtual-office, desktop, laptop, PDAs, and other thin-client applications that support the current and to-be business strategy. Increasingly, access to data, transactions, and inventories is from multifunctional mobile devices. Applications should be standardized to support activities, processes, employees, customers, suppliers, and partners regardless of where they physically sit or how mobile they are. All applications should be audited to determine their contribution to this objective and the applications end game described above. It's essential that companies assess their applications with reference to their business strategy and the relative contribution they're making to the company's business processes and profitability. If the outcome of that assessment is clear, then decisions should be made to decommission applications (in the case of expensive applications that contribute little to the business) or transfer functionality to other, less-expensive-to-maintain applications (in the case of older systems with limited, but still valuable, contributions to the business).
Companies need to assess the variation in their applications portfolio. How many architectures are supported? Are the most important applications on the oldest, most-expensive-to-maintain platforms? The audit determines the existence -- or lack thereof -- of a consistent, standards-based architecture that will save money, keep support requirements manageable, and provide the flexibility necessary to become more collaborative with more employees, customers, suppliers, and partners. The audit also focuses on the range of applications in production, how they're procured, supported, replaced, and modernized.
Some applications are bread-and-butter operational applications, like Microsoft Word and PowerPoint and Internet browsers like Microsoft Explorer, Mozilla Firefox, and Apple Safari. Microsoft Office is the de facto standard for desktop/laptop personal productivity applications, while browsers are essentially "open." Companies also have big "enterprise" applications like enterprise resource planning (ERP) applications and customer relationship management (CRM) applications. There are also homegrown applications built over time, and there are Internet applications that face outward to customers, suppliers, and partners. Finally, there are applications that help companies manage their applications and the computing and communications infrastructure (e.g., network and systems management applications). In order for all of these applications to be cost-effective, they need to integrate and interoperate. The analysis of strategic value versus operational support assumes integration and interoperability. The optimization audit drills down on these and related capabilities.
It's relatively easy to save money through a sound applications deployment strategy. Principles like standardization and integration (through SOAs and EDAs) and the application of impact/cost metrics can keep application costs to a minimum. It's also more than possible to make money with applications since the right applications can contribute directly to revenue growth through up-selling, cross-selling, and improved customer service capabilities. There are also opportunities to deploy open source software, which almost always reduces costs. While the decision to deploy open source applications should not be driven exclusively by anticipated cost savings, it is definitely worth a hard look. There are also "green" considerations that can save money, especially steps that can better manage power consumption, data centers, server consolidation, and other actions designed to improve operational efficiency.
Networks
As we proceed through the early 21st century, we need to recognize changing work models and processes, including:
- Telecommuting and mobile commuting
- B2C and B2B transaction processing
- Business-to-enterprise (B2E) transactions
- Business-to-government (B2G) transactions
- Tethered and untethered voice/data devices
- Supply chain planning and management
- Continuous (versus discrete) transaction processing
- E-learning
- Collaborative customer service
- Real-time supplier integration and partner management
- LANs, WANs, and VPNs
- The Internet and the Web
- Real-time rich media-based teleconferencing
These are just a few of the major challenges and opportunities. Increasing numbers of us are working from home, from the road, and in virtual spaces where we're constantly connected. Companies are sending workers home, away from airplanes, and into "office hotels" all in an effort to reduce real estate, travel, and support costs. Pressures on the businesses to provide reliable, secure, cost-effective communications are unprecedented and will continue to grow. Can the company deliver these capabilities in a cost-effective manner? Unified communications, which integrate and deliver all forms of communications, is one of the major end games here.
The Internet represents an alternative network for much corporate computing. We are feeling better about control, security, and privacy and are relying more on the Web for communication among employees, customers, suppliers, and partners. In fact, the Web is emerging as a virtual operating system and the preferred platform for more companies, especially smaller ones. The audit focuses on where LANs, WANs, and VPNs end and where the Web begins. Web 2.0 technologies, especially wikis, blogs, crowdsourcing, and virtual worlds, live primarily on the Web -- well outside of corporate firewalls. As the use of these and other tools increases, the role of the Web "as a platform" will continue to grow.
All of this is useless unless there are processes in place to exploit communications investments. But processes are often political. Prior to a new application, a new network and systems management tool, a new business model or a new communications network, new, vested interests must replace old ones. Companies must make sure that the processes necessary to support the new communications technology-driven business models are in place and make certain that the administrative and management processes to support them are well defined and understood. The optimization audit checks to make sure the right communications technologies and processes are in place.
The movement toward virtual enterprises means that companies are always changing their business models -- how they sell, how they service and retain customers, and how they measure success. This trend involves expanding e-business but also sees the full supply chain firing within an adaptive communications network that supports local and remote customers, employees, and suppliers. As companies move more toward virtual/e-business, their communications requirements will grow dramatically.
Saving money is not that challenging here because communications costs are falling, and communications providers are providing more functionality for less money. There are also emerging technologies including some of the Ethernet variations, VoIP, and wireless broadband that can help with cost management. Making money is part of the story as well, but communications cost management is usually where the emphasis is placed. The network/communications audit identifies where the opportunities and constraints lie. Some Web 2.0 technologies -- implemented via the Web (e.g., crowdsourcing) -- can both save and make money. This is also true for tools like blogs that connect companies to their customers.
Data
Data lies at the heart of all business models: without data, it's impossible to customize, personalize, up-sell, cross-sell, automate, or gather business intelligence (BI). Everyone's got data in one place or another. "Operational data," especially if it's in different forms, often needs to get translated into a form where it can be used by lots of people in the company to perform all sorts of analyses. "Translation" results in the development of data warehouses and smaller data marts that support all varieties of online analyses and ultimately "data mining" -- the ability to ask all kinds of questions about employees, customers, suppliers, and partners. Everyone's working on universal data access from tethered and untethered devices. Eventually, structured, unstructured, hierarchical, relational, and object-oriented data, information, and knowledge will be ubiquitously accessible.
The data audit looks at variation: if companies have lots of different kinds of data in different places, then they need to develop a data integration strategy that will probably involve building some kind of data warehouse or relying heavily on current and emerging integration architectures. Over time, companies need to reduce the need for integration by moving to fewer data platforms and standardizing the analysis tools used to mine the data for BI. Standardization, integration, and master data management are but a few of the ways to save money.
The optimization audit also focuses on storage platform variation and standardization, data integration, and, especially, the ability of the company to engage in multiple aspects of BI. Making money here is the objective: sophisticated BI enables all sorts of analyses designed to focus strategies, target customers, improve supply chain planning and management, and improve customer service. BI is the means to this end. Disorganized, multiple-platform data management costs money. The audit exposes money-making and money-saving opportunities.
Organization, People, and Culture
The audit focuses on organizational structure and its effectiveness. It also focuses on the people and the corporate culture in which the organization and people operate. Needless to say, this is an extremely challenging (and political) assignment.
The audit asks at least the following questions. Is the company organized effectively? Does it have the right people reporting to the right people doing the right things? Is governance explicit? Is the right centralization/decentralization ratio in place? Is there accountability? Is the organization flexible? Most important, is the organization perceived by its customers as effective? Perhaps the most vital metric is what the user community thinks of the technology organization. A serious, objective assessment of how the technology organization is perceived is job one. Companies need to know where the technology organization sits in the corporate hierarchy. Is it respected? Disrespected? Ridiculed? Technology organizations often think they're performing better than any of their customers who often think they're slow, expensive, sometimes arrogant, and incapable of managing complex projects. It's essential to objectively profile the technology organization. The methods include data collection (if data collection and performance metrics are in place), interviews, and, as always, leveraging industry benchmarks and best practices onto the assessment of the current state. The audit focuses squarely on these and related areas.
There's no polite way to ask the question, "Are the people at the company any good?" When was the last time a skills-gap analysis was conducted? The way to assess staff is to juxtapose the current and future computing and communications requirements (ideally derived from the corporate business strategy) with current and future skill sets. But the real work lies in the objective assessment of the gaps between what a company needs and what it actually has. The sad fact is that most companies underinvest in the development of their professionals, which inevitably results in large skills gaps. The audit focuses on what the company is doing about closing the gaps. Are there internal and external training programs? Are they making a difference? Are there before-and-after metrics to determine if training and education is effective? Are incentives in place to reward and punish employees who achieve and underachieve?
What about the corporate culture? "Auditing" culture is a strange pastime, but it's essential to profile culture in terms of its approach to risk, rewards, accountability, and decision making, among other unique aspects of how a company actually operates. Objective assessments are important here, since cultures determine what can actually be achieved.
Organizational reform is probably the easiest fix on the list; it's much harder to deal with people problems and almost impossible to alter the corporate culture in the near term. Organizational reform can help deal with people problems to the extent that the reform involves adding, eliminating, or investing in people. Culture tends to bend only when major opportunities or crises are at the doorstep. Note that eliminating jobs comes immediately to mind when we discuss saving money on people. While payroll costs can obviously be reduced by firing unproductive or problematic employees, there are total elimination costs that should be considered. A good skills-gap analysis and response will invest in the "keepers" -- those with the potential to improve and contribute. It's always cheaper to improve the productivity of existing employees than to hire new ones.
Metrics
The metrics audit asks simple questions. What's measured at the company? How is it measured? How do performance metrics impact the company? The first question is crucial. Is the company a "measurement company," or does it fly by the seat of its pants? Public companies measure the most models, processes, assets, and the like, primarily because they're required to do so. Private companies often measure things as well, though the motivation is different. Our audits seek to first measure the objectivity of the measurement process. Are those companies that measure models, processes, and assets prepared for raw results that may challenge the existing power structure at the company? Or is the measurement process pro forma, existing primarily as either window dressing or as a necessary compliance evil? So what should be measured? Hard assets, software assets, hard processes, and soft processes, as discussed in the following sections.
Hard Assets
These include:
- Number/location/assignment/age of desktop PCs
- Number/location/assignment/age of laptop/notebook computers
- Number/location/assignment/age of PDAs and other access devices
- Number/location/assignment/age of servers
- Number/assignment of LANs under control
- Number/assignment of WANs under control
- Number/assignment of VPNs under control
- Description of network topologies in your organization and under control
- Number/location/assignment/age of midrange computers
- Number/location/assignment/age of mainframe computers
- Number/location/assignment/age of storage devices
- Number/location/assignment of desktop/laptop/PDA applications and licenses
- Number/location/assignment of utility applications (e.g., change management, configuration management, requirements management, maintenance, testing, and related applications across all of the computing environments)
- The original equipment manufacturer (OEM) brands of hardware suppliers and the percentages across vendors
- The distribution of software vendors in the software asset/license pool
- Number/location/ownership/age of applications by platform (e.g., mainframe, minicomputer, client-server, and desktop)
- Number/location/ownership/age of applications by architecture (e.g., single-tier, two-tier, three-tier, multi-tier, and n-tier)
Soft Assets
These include:
- Number of people in your organization
- Their educational backgrounds and professional experiences
- Their current applicable skill sets
- The mapping of those skill sets onto requirements; skill set gap analyses
- The salaries and bonuses (and other parts of compensation packages) of professionals and support staff
- The intracorporate relationships and partnerships
- External alliances and partnerships
- Brand(s)
- Goodwill
- Professional reputation
Hard Processes
These include:
- Systems analysis and design processes (lifecycle methodology)
- Requirements management processes
- Risk management processes
- Project/program/portfolio management processes
- Process adoption/sustainment rates
- Service-level agreements (SLAs) and success rates
- Hardware and software acquisition processes
- Hardware disposition processes
- Asset management processes
- Network and systems management processes
- Vendor management processes
- Vendor selection and management processes
- Help desk processes
- Security authentication processes
- Security authorization processes
- Security administration processes
- Disaster recovery and business resumption processes
- Database administration processes
- Knowledge management processes
- Standards setting processes
- Standards governance processes
- Business technology audit processes
Soft Processes
These include:
- Human recruitment processes
- How effective have recruitment processes been (measured by number of recruits and the percentage that have stayed over time)?
- Employee performance review processes
- Jobs/opportunities description/classification/posting processes
- Benefits administration processes
- The processes that "touch" customers
- How effective have these processes been (measured by customer service data)?
- The processes implemented to stay technologically current. Is there an internal R&D/innovation process? The number of internal proposals received? How many have been funded? How many have been successful?
The optimization audit looks at measurement philosophy, methods, and specific metrics. How disciplined is the company? What kinds of data does it collect? How accurate is the data? How timely is the data? Metrics are necessary to save money. It's hard to develop a going-forward plan without knowing where you are. But with accurate data, a company can save significant amounts of money. It can also make money by improving product/service development, manufacturing, distribution, and customer/supplier-facing performance.
Benchmarks
There are many ways to collect and analyze benchmark data. Much of this data is basic; some is very industry-specific. All audits leverage benchmarking data. Knowing what the industry is spending on technology, for example, as a percentage of gross revenue is an important benchmark. Knowing what technology spending looks like in specific industries is essential to understanding one vertical industry from another. Knowing how companies are prioritizing technology investments helps with technology-adoption due diligence. Benchmarking data is available from a variety of sources but it's generally not free. Some of it is quite expensive, in fact -- especially if you want to drill down on the data through primary and secondary analyses. Audits must include benchmarking data that informs the audit process. How is the company doing against the relevant benchmarks? Are we looking for perfect synergism here? Of course not; to the contrary, we're looking for significant variations and how they can be explained.
Security
Figure 3 identifies the targets of the security audit. Security policy should address data access, applications access, network access, software, privacy, and business resumption planning. Authentication looks at the methods, tools, and techniques that allow users to access networks, data, and applications. The options here are numerous, ranging from simple passwords to sophisticated biometrics. Companies are regulated by what they can and cannot do. For example, if you use passwords to manage authentication, you may need to change them every 30 days. Single sign-on to networks and applications remains a worthwhile objective. Firewall technologies can deliver functionality that includes many flexible authentication (and authorization) techniques. Authorization is all about allowing people, once they are on a network, to access specific data and applications. Once users are authenticated, they need to be monitored according to some predefined authorization schema. Access to networks, applications, and data needs to be defined, and individual and classes of users need to know where they can go and what they can do once they get there. Administration can be expensive if it is not well conceived and implemented. It's important to develop some metrics against which companies can track the effectiveness of their administrative procedures. Recovery is as essential to security as authentication. Business disruption and resumption planning simulations should be conducted on a regular basis to determine if business resumption planning policies and procedures will actually work when a major business disruption occurs.
Figure 3 -- The security audit areas.
The basic elements of a business resumption plan should include:
- Plan activation policies and procedures
- Individual, group, and team recovery policies and procedures
- Onsite/offsite resumption policies and procedures
- Administrative policies, procedures, and responsibilities
- Contingency planning
Supporting security and privacy policies and technologies is tricky. Unless a company has a lot of inhouse security talent, it might have to look outside for end-to-end security solutions integration. This decision must be made carefully, since there's a tendency to think that the inhouse staff -- who may have managed security in a host-based, data center-enclosed environment pretty well -- can manage a growing number of distributed applications that link employees, partners, customers, and suppliers over the Web.
What else do companies need to know about security and privacy? Companies need to understand:
- Firewall technology
- Antivirus technology
- Certificate authority technology
- Biometric technology
- Encryption technology
- Privacy-compliance technology
These technologies enable security strategies and tactics and are the focus of the security audit, along with the other areas in Figure 3. There's a lot of money to be lost through poor security methods, tools, technologies, and processes. If security is weak, the ability to save money will be lost and the ability to make money will be unreachable. Security optimization audits are especially important in the digital age where viruses, denial-of-service attacks, and full-fledged information warfare can be enormously expensive to remedy.
Delivery
Many of the major trends occurring in the industry are related to technology delivery through alternative forms of outsourcing. Alternative delivery models are all the rage. Software-as-a-service (SaaS), hardware-as-a-service (HaaS), storage-as-a-service, and communications-as-a-service all have a familiar on-demand/pay-by-the-drink ring. Assessments here are especially critical to optimization since these (and other) technology delivery models can save money and make money for organizations if deployed prudently.
The delivery/outsourcing audit begins with a core competency assessment that is both objective and political. What does the senior management team believe the company does well and poorly? Is technology high on the list of competencies? Should it remain there? Most everyone outsources some part of their business technology operation for all sorts of good, and occasionally bad, reasons. There's a reason why the technology services industry is clipping along at more than $1 billion per day in the US alone. More companies have discovered the benefits of outsourcing compared to the recruitment and maintenance of large internal business technology staffs. In the early years, we all thought outsourcing was about saving money, but then we discovered the truth: outsourcing is not only about saving money, it's about rerouting money from noncore to core activities.
Delivery strategy is -- when all's said and done -- about whether or not companies should build and maintain internal technology staffs because they believe that personally controlling "technology" is essential to their success. All of the books, articles, and seminars about core competencies are, in the final analysis, about shedding processes that companies no longer believe they can optimize or need to personally control. The core competencies drill is critically important to acquisition effectiveness.
Companies have a number of options including:
- Combining outside vendors with their own. Sometimes called insourcing or cosourcing, this model can be very effective if structured and managed properly.
- Completely outsourcing segments of the technology mission, such as data center, call center management, or customer relationship management (CRM), while keeping others inhouse. This option can also be effective, especially when there are clearly defined areas that companies do well and those that they do poorly -- and when there's no ambiguity about what's core and what's not.
- Completely outsourcing everything to vendors that come onsite and manage the business technology resources (including machines, networks, and people).
- Completely outsourcing everything to vendors that "rent" hardware, software, and communications in "X-as-a-service" models.
There are variations, but these four options identify the primary outsourcing delivery models that companies might consider. All of these variations require companies to do the following:
- Systematically identify requirements.
- Compare current (so-called baseline) costs with what outsourcers bid.
- Aggressively negotiate with vendors on prices and services.
- Develop clear and unambiguous SLAs.
- Make sure that management is in place to monitor the results of the work.
The audit determines where core competencies lie, the range of delivery options that make sense, and the steps necessary to implement alternative technology delivery models.
Some delivery models can save money. While cost reduction is not always the reason to outsource, there are circumstances where 20%-30% can be saved with the right sourcing strategy. There are also opportunities to make money by renting (proprietary and open source) customer-facing applications (e.g., CRM) and other technologies that can contribute to revenue growth and profitability. Finally, delivery audits are almost always controversial so they must be handled delicately (and sometimes even confidentially).
BUSINESS CASES
As stated earlier, our business cases are organized around value, cost, and risk; value is defined around saving or making money; cost is defined around dollars, lost opportunities, and people; and risk is defined around technology, project, and people challenges (among other things that can go wrong). The business cases for the save money/make money recommendations in the audit areas are presented as investment options. We develop business cases for investments that will save money or make money -- business cases that are reviewed by senior management for their likely success, given the leadership and the corporate culture.
Every single project option should be based on a rigorous analysis of a solid business case. Every single project should be conceived and evaluated with three possible outcome decisions: go, no-go, or we need more information. Business case development is all about the identification of real and political reasons to buy something, to build something, to rent something, or engage a consultant. This can be a very tricky process since (because of the perennial competition for funds) there will always be project enemies, those just waiting to say, "I told you so" when the project goes south. Technology buyers, especially in large enterprises, have to make sure they've covered their flanks. The "business case" is therefore as much a "real" document as it is a political one. When we write them, we make sure we use these two lenses.
The business case should also identify accountable people whose reputations rest to some extent on the success of the project. One should be from the technology side of the organization and one from the business side (if you can find the right hybrid). If there are no project champions, it's time to go home. Business cases are not that difficult to create; what's difficult is swallowing them. Cultures that are especially political have the worst digestion problems and make the most business technology investment mistakes.
THE AUDIT CHECKLIST
Our optimization audits cover a lot of ground. They typically last six to nine months, but they always result in an assessment of the current state, make money/save money recommendations, and business cases for the most promising. To review, here's a checklist of audit areas to consider:
Strategy
A useful strategy contains the following:
- The current business model of the company; if the company is decentralized by business unit, then it contains the current business models of each line of business as well as the business processes that support the enterprise and business unit models
- The to-be business models of the company and the lines of business with a focus on the next two to three years
- The as-is and to-be business models of primary and unconventional competitors
- Assessments of corporate objectives
- Assessments regarding the specificity, persistence, and execution potential of the strategy
Make money/save money strategy recommendations:
- Define high-level strategic requirements and lower-level tactical requirements.
- Convert requirements into projects (from solid business cases).
- Use best practices in project/program management.
- Align project performance to strategic and tactical business requirements.
Applications
Activities in the applications optimization audit include:
- Assessing the relationship between corporate transactions and infrastructure requirements (linked to the company's primary business models and processes) and the deployed applications
- Pursuing an applications end game consisting of a set of integrated and interoperable back-office, front-office, virtual-office, desktop, laptop, PDA, and other thin-client applications that support the current and to-be business strategy
- Assessing access to data, transactions, and inventories from multifunctional mobile devices
- Assessing the extent to which applications are standardized to support activities, processes, employees, customers, suppliers, and partners regardless of where they physically sit or how mobile they are
- Assessing applications with reference to their business strategy and the relative contribution they're making to the company's business processes and profitability
- Decommissioning applications (in the case of expensive applications that contribute little to the business) or transferring functionality to other, less-expensive-to-maintain applications (in the case of older systems with limited, but still valuable, contributions to the business)
- Assessing the variation in the applications portfolio
- Assessing the existence, or lack thereof, of a consistent, standards-based architecture that will save money, keep support requirements manageable, and provide the flexibility necessary to become more collaborative with employees, customers, suppliers, and partners
- Assessing applications in production; how they're procured, supported, replaced, and modernized
Make money/save money applications recommendations:
- Use standardization and integration (through SOAs and EDAs) as well as the application of impact/cost metrics that can keep application costs to a minimum.
- Assess the Web as a primary, secondary, or hybrid transaction platform across a spectrum of cost-benefit scenarios.
- Assess the cost-saving ability of open source software adoption.
- Reduce power and environmental data center management costs; invest in newer hardware technologies designed to run cooler with less power.
- Improve revenue growth through up-selling.
- Cross-sell.
- Improve customer service capabilities.
Networks
Activities in the network and communications optimization audit include:
- Assessing the company's positioning vis-à-vis telecommuting, mobile commuting, B2C and B2B transaction processing, B2E transactions, B2G transactions, tethered and untethered voice/data devices, supply chain planning and management, continuous (versus discrete) transaction processing, e-learning, collaborative customer service, real-time supplier integration and partner management, LAN/WAN/VPN, the Internet, the Web, and real-time rich media-based teleconferencing
- Assessing technology investments that support these areas
- Assessing the company's approach to unified communications
- Assessing the company's processes that support communications investments
Make money/save money network/communications recommendations:
- Exploit the ability of communications providers to provide more connectivity, functionality, and security for less money.
- Exploit emerging cost management technologies like some Ethernet variations, VoIP, and wireless broadband.
Data
Activities involved in the data optimization audit include:
- Assessing the company's "operational data" -- especially if it's in different forms -- and the extent to which it needs to be translated into a form where it can be used by any number of people in the company to perform all sorts of analyses
- Assessing the company's "translation" capabilities toward data warehouses and smaller data marts that support all varieties of online analyses and, ultimately, "data mining"
- Assessing the company's movement toward universal data access from tethered and untethered devices
- Assessing the company's movement toward the storage and analysis of structured, unstructured, hierarchical, relational, and OO data, information, and knowledge
- Assessing data variation, location, quality, and security
- Assessing the company's data integration strategy, which will probably involve building some kind of data warehouse or relying heavily on current and emerging integration architectures
- Assessing the company's movement to reduce the need for integration by moving to fewer data platforms and standardizing the analysis tools used to mine the data for BI
Make money/save money data recommendations:
- Reduce platform variation and increase standardization, data integration, master data management, and especially the ability of the company to engage in multiple aspects of BI.
- Invest in sophisticated BI technologies that enable all sorts of analyses designed to focus strategies, target customers, improve supply chain planning and management, and improve customer service.
Organization, People, and Culture
Activities of the organization, people, and culture optimization audit include:
- Assessing the company's organizational structure and effectiveness
- Assessing the company's reporting relationships, governance, centralization/decentralization ratio, flexibility, and perceived effectiveness
- Assessing the company's professional staff in terms of its skills, energy, ambition, and effectiveness
- Assessing the company's professional development strategy, including its training and education strategy, programs, metrics, incentives, succession planning, and the overall effectiveness of these initiatives and investments
- Assessing a company's corporate culture in terms of its approach to risk, rewards, accountability, and decision making, among other unique aspects of how a company actually operates
Make money/save money organization, people, and culture recommendations:
- Use organizational reform focused on adding, eliminating, or investing in people.
- Proceed with caution: culture tends to bend only when major opportunities or crises are at the doorstep.
Metrics
Activities of the organization metrics audit include:
- Assessing the company's overall metrics quotient (What's measured at the company? How is it measured? How do performance metrics impact the company? Is the company a "measurement company" or does it fly by the seat of its pants?)
- Assessing the objectivity of the measurement process (Are those companies that measure models, processes, and assets prepared for raw results that may challenge the existing power structure at the company? Or is the measurement process pro forma, existing primarily as either window dressing or a necessary compliance evil?)
- Auditing hard assets, soft assets, hard processes, and soft processes
Make money/save money metrics recommendation:
- Identify and track specific asset, process, and performance metrics.
Benchmarks
Activities of the benchmark audit include:
- Leveraging benchmarking data (Knowing what the industry is spending on technology, for example, as a percentage of gross revenue is an important benchmark; knowing what technology spending looks like in specific industries is essential to understanding one vertical industry from another; knowing how companies are prioritizing technology investments helps with technology adoption due diligence.)
- Benchmarking data available from a variety of sources
- Benchmarking data that informs the audit process (How is the company doing against relevant benchmarks?)
- Focusing on significant variations and how they can be explained
Make money/save money benchmarking recommendation:
- Identify and apply specific benchmark data.
Security
Activities of the security audit include:
- Assessing security, authentication, authorization, administration, and recovery as well as the methods, tools, technologies, and techniques used to support these activities
- Focusing specifically on business resumption planning and plan activation policies and procedures; individual, group, and team recovery policies and procedures; onsite/offsite resumption policies and procedures; administrative policies, procedures, and responsibilities; and contingency planning
- Focusing on security and privacy policies and technologies
- Assessing the extent to which the company understands firewall technology, antivirus technology, certificate authority technology, biometric technology, encryption technology, and privacy-compliance technology
Make money/save money security recommendations:
- Money can be lost through poor security methods, tools, technologies, and processes: if security is weak, then the ability to save money will be lost and the ability to make money will be unreachable.
- Money can also be lost in the digital age where viruses, denial-of-service attacks, and full-fledged information warfare can be enormously expensive to prevent and remedy.
Delivery
Activities of the delivery audit include:
- Assessing how new delivery models, such as SaaS, HaaS, storage-as-a-service, and communications-as-a-service, are relevant to the company
- Beginning with a core competency assessment that is both objective and political (What does the senior management team believe the company does well and poorly? Is technology high on the list of competencies? Should it remain there?)
- Determining whether or not the company should build and maintain an internal technology staff or turn to alternative delivery and sourcing models
- Assessing alternative delivery/sourcing forms, including combining outside vendors with the company's; completely outsourcing segments of the technology mission such as data center or call center management or CRM; completely outsourcing everything to vendors that come onsite and manage business technology resources (including machines, networks, and people); and completely outsourcing everything to vendors that "rent" hardware, software, and communications in "X-as-a-service" models
- Auditing the extent to which companies effectively identify requirements, compare current (so-called baseline) costs with what outsourcers bid, negotiate with vendors on prices and services, develop clear and unambiguous SLAs, and ensure that management is in place to monitor the results of the work
- Determining where core competencies lie, the range of delivery options that make sense, and the steps necessary to implement alternative technology delivery models
Make money/save money delivery recommendations:
- While cost reduction is not always the reason to outsource, there are circumstances where 20%-30% can be saved with the right sourcing strategy.
- There are also opportunities to make money by renting customer-facing applications (e.g., CRM) and other technologies that can contribute to revenue growth and profitability.
- Finally, delivery audits are almost always controversial so they must be handled delicately (and sometimes even confidentially).
THE SAVE MONEY/MAKE MONEY ZONE
Regardless of the business climate at any point in time, companies always need to save money and make money through their technology investments. These two filters are sacrosanct: all investments should serve one or both of these objectives.
Business cases still rule, but the objective of projects (approved from solid business cases) should serve these two masters. Project performance metrics should speak directly to saving money or making money. For example, how much money could be saved with an infrastructure overhaul? How much could be saved by renegotiating communications contracts? Help desk support? ERP application support? Is it cheaper to outsource e-mail or to host it yourself? What would applications standardization save you? What about cooling off your data centers? How many more customers might you attract with an automated marketing application? How about up-selling existing customers? Investments in data integration and interactive scripts could certainly contribute to cross-selling.
What are the meaningful metrics here? Cost savings of less than 10% are not worth chasing. Why not? Because the political, social, and organizational costs will likely offset the savings. But expected savings of 20%-plus should be aggressively pursued especially if the politics, culture, and organizational lights are green. Revenue growth in the 10%-plus area may be worth pursuing since the chain-reaction effect of revenue growth, especially profitable growth, is far-reaching. Public companies that can boast about 10% growth will serve their investors well. Growth in excess of 10% is golden and should be pursued at all cost. If the ROI on technology investments can contribute to profitable growth, then they should be made; if, on the other hand, they are unlikely to yield meaningful revenue growth, then they should be avoided. Sounds pretty simple, right? It is -- so long as there's senior management team leadership -- and so long as the corporate culture will spend money to make money.
The zone is clearly marked. See how much money you can land. Good luck.
ENDNOTE
1 In my university role, I teach a course on business technology strategy where MBA students are expected to develop business technology strategies for their companies. I always suggest that they begin with the existing strategy. Over the past seven years, I can report that less than 5% of the companies actually have a business technology strategy in place.
