Information Security: What comes first – Business Impact Analysis or Risk Assessment?

Last week, I attended a 2-day course on ISO 27001: Information Security Management System. The course was meant for auditors, and as part of the course we discussed the relevance of Business Impact Analysis (BIA) and Risk Assessment (RA) in the context of an Information Security Management System (ISMS). The question that was asked was: what comes first, BIA or RA?

My immediate response was Risk Assessment. As an organisation, one would need to identify all risks, rank the risks based on the quantum of impact and probability of occurrence, and finally formulate a mitigation plan for the top risks. By my argument, business impact analysis was a subset of Risk Assessment.

However, there was a counter argument to this. For large organisations, it is a time- and effort-intensive exercise, if not an impossible one, to identify all risks and assess their impact. So rather than carrying out a risk assessment, it would be a lot easier to carry out a Business Impact Analysis upfront. This would involve identifying critical activities of the business value chain, or critical assets, and assessing the impact (in terms of loss of production, loss of revenue, loss of person-hours, etc.) on the overall business in case of their non-performance. Risk assessment would then be carried out to identify the risks that would adversely impact these critical value chain activities or assets, followed by formulating a mitigation plan for the top risks identified.

On second thoughts, the latter approach seemed very rational and logical. What do you think?
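As an added illustration of the two orderings discussed above (example code, not from the original post), the following Python models a small, constructed risk register and runs both sequences: risk assessment first over every asset, and BIA first, which scores the business impact of each asset and assesses risks only for the critical ones. Asset names, threat names, the 1-5 scores and the criticality threshold are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample data for the example; all scores are on a 1-5 scale.
ASSETS = {
    # asset: business impact of its non-performance (the BIA score)
    "policy admin system": 5,
    "claims portal": 4,
    "canteen menu site": 1,
    "hr leave tracker": 2,
}

# (asset, threat, probability of occurrence). The impact of a risk is taken
# from the asset's business impact score, the same figure a BIA would produce.
RISKS = [
    ("policy admin system", "ransomware", 3),
    ("policy admin system", "insider data theft", 2),
    ("claims portal", "web application compromise", 4),
    ("claims portal", "DDoS", 3),
    ("canteen menu site", "defacement", 5),
    ("hr leave tracker", "credential stuffing", 3),
]


@dataclass(frozen=True)
class RankedRisk:
    asset: str
    threat: str
    score: int  # impact x probability


def risk_assessment(assets, risks):
    """RA first: score and rank every asset/threat pair in the register.
    Returns (ranked list, number of risks that had to be evaluated)."""
    ranked = [RankedRisk(a, t, assets[a] * p) for a, t, p in risks]
    ranked.sort(key=lambda r: r.score, reverse=True)
    return ranked, len(risks)


def bia_then_risk_assessment(assets, risks, threshold):
    """BIA first: keep only assets whose business impact meets the threshold,
    then run the risk assessment over that reduced scope."""
    critical = {a for a, impact in assets.items() if impact >= threshold}
    scoped = [r for r in risks if r[0] in critical]
    return risk_assessment(assets, scoped)


def top_risks(ranked, n):
    """The (asset, threat) pairs a mitigation plan would start with."""
    return [(r.asset, r.threat) for r in ranked[:n]]


if __name__ == "__main__":
    ra, n_ra = risk_assessment(ASSETS, RISKS)
    bia, n_bia = bia_then_risk_assessment(ASSETS, RISKS, threshold=4)
    print("RA first evaluated", n_ra, "risks; top 3:", top_risks(ra, 3))
    print("BIA first evaluated", n_bia, "risks; top 3:", top_risks(bia, 3))
```

With this register both orderings produce the same top risks, while the BIA-first sequence evaluates only the risks attached to critical assets.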


Sidewalk: Do BAs need to have domain knowledge?

I always thought that the answer to this question was very obvious: a big YES! But a recent discussion in the IIBA group on LinkedIn generated mixed responses. In fact, a large number of respondents felt that business analysis methods and tools were more important than domain knowledge.

In my opinion, business domain knowledge alone may not guarantee success for a business analyst, but lack of it would certainly make his / her job difficult. The same argument holds good for Business Analysis method. This is because Business Analysis is as much an individual skill as it is a science.

While there seems to be no debate on the need to know Business Analysis method, I thought I should elaborate my points in favour of domain knowledge. For that I would like to start with what the Business Analyst (BA) role is.

The primary role of the BA is to provide business solutions (with or without involving technology) to business issues, by assessing business problems and identifying root causes. The success of the BA role lies in the benefit that the solution provides to the business, either in terms of savings in costs, improvement in productivity, increase in revenues and so on. The BA should also be able to provide a measurement framework so that the effectiveness of solutions can be monitored and further improved upon.

Most of the time the BA role is confused with the Project Manager or System Analyst (IT system designer, etc.) roles, in which cases domain knowledge may not be as important as the method.

Now some of the reasons why Domain knowledge is important:

#1 – Domain knowledge makes it easier for the BA to connect with Business Users

In order to understand business problems, the BA is expected to interact with business users to map business processes, gather business data, discuss their analysis and findings, etc. A number of business users get extremely frustrated if business analysts ask basic questions about the business as to what (rather than how and why) the business happens. For example, in an assignment to improve New Business process cycle time in life insurance, the Business Analyst cannot be expected to ask questions such as: What is term insurance? What is a ULIP? What is underwriting? Does a pension plan require underwriting? Such basic questions would lead to loss of credibility of the BA with the users, and hence of the solution that is being proposed.

#2 – Lack of Domain knowledge may lead to delays in providing the solution

The BA may spend most of his / her time understanding the basics of the business rather than carrying out the actual business analysis work of mapping business processes, collecting & analysing business data, and so on.

#3 – Domain knowledge makes understanding and analysing business issues a lot easier

Domain knowledge may help BAs to quickly identify the real business issues and real root causes rather than getting bogged down by peripheral issues and root causes. This may help the BA to offer better quality solutions to business users.

In summary, domain knowledge is not a replacement for Business Analysis method. Method may be a necessary condition, but it is certainly not a sufficient condition to be a good Business Analyst.

Digital Convergence – A round-table at Welingkars’, Mumbai

I was invited to participate in a round-table discussion organised by Welingkar institute. The topic was Digital Convergence.

Before I share my takeaways and thoughts on the topic, I must say that it was a very professionally organised event. Management by the students was excellent, and so were the format of the round-table, the conduct of the participants & the moderation. Welingkars’ have amazing infrastructure for a business school. So, while the round-table discussion took place at their campus in Mumbai, it was also attended over video conference by the students and faculty of their campus in Bangalore, an illustration of digital convergence!

What is digital convergence?

In my humble opinion, digital convergence is the convergence of:
– the content… audio, video, data
– the media of delivery of the content… various types of wired and wireless networks & protocols, and
– the devices receiving, storing (?) and processing the content… desktop, laptop, mobile, TV, PDAs, kiosks

By convergence I mean interoperability and compatibility of the content, media and devices with each other. This means it should be feasible to deliver any content over any media on to any device that the user is using to receive and use the content.

Now, if this is the broad definition, then I guess we haven’t seen anything yet. This is because, on the one hand, standards and protocols need to evolve, and the media and end-user devices must support the standards and protocols that are evolving. On the other hand, regulations and laws need to take shape too.

What is driving Digital Convergence:

A number of reasons:

Convenience & End user experience – Consumers have to deal with multiple types of content on multiple types of devices. They are demanding convenience.

Affordability & Costs – Technology is making it feasible for businesses to deliver to their consumers highly cost effective solutions.

Reach and Penetration – It gives businesses tremendous opportunity to reach untapped or unreachable markets and consumers!

The missing link:

The student presentation at the beginning of the session and the subsequent discussions mostly centred around applications developed for the business-to-consumer space. My point to the forum was: Is digital convergence only about the Business to Consumer space? Isn’t Digital Convergence relevant for inter-enterprise or intra-enterprise applications? What do you think? Do you have any success stories to share?

Sidewalk: Buzz on Business Analysis

In the last few months, I have been extremely busy with the launch of our start-up venture and have been guilty of not blogging! Probably I am not managing my time as well as I should have been. But hopefully, from now on, I will be regular!

While I have been working on an exciting project, I have also been associated with an initiative to launch the Mumbai Chapter of IIBA – International Institute of Business Analysis. This initiative was started with a couple of volunteers like me approaching IIBA to start the chapter in Mumbai and IIBA giving their nod. However, the initiative got a big boost when Prof Pradeep Pendse, Dean of IT and Business Design, Welingkar Institute, Mumbai, agreed to join the group. We had our first chapter meeting in May and the response we received was impressive. We plan to host our 2nd meeting in the 2nd fortnight of September. So in case you are in Mumbai, please do join us. You can track us at: http://mumbaiin.theiiba.org.

We have also set up on-line communities on Yahoogroups.com and LinkedIn.com. To join:

1. Yahoogroups.com: send a blank email to mumbaibas-subscribe@yahoogroups.com

2. Linkedin.com: search for the Mumbai Business Analysts group in the group directory and follow the instructions stated on the group homepage to join the group.

The Business Analyst world is buzzing with action. The community is also getting attention and acknowledgment from within the IT industry! With IIBA pushing the issue, I am sure the Business Analyst will no longer be the strange animal that my HR Head once called Business Analysts in my previous company. IIBA has developed a Body of Knowledge on Business Analysis and also offers a certification – CBAP (Certified Business Analysis Professional). While there are institutions such as IIBA working for the cause of Business Analysis, there are individual efforts too!

Prof Pendse himself has done a lot of work in the area of Business Analysis and has authored a book. This is most probably the first ever book written on Business Analysis. To know more about his book, click here.

Sidewalk: An electronic whiteboard and system implementation projects

Recently, we had an internal workshop to discuss the project plan for our start-up insurance venture in India. The facilitator of our workshop, who was coming from our overseas office, requested an electronic whiteboard for the workshop. We procured the board and ensured that it was installed at the site of the workshop the previous evening. Hoping to impress our guest that in India things do work as planned, I reached the site on the day of the workshop well ahead of schedule. And guess what happened? The board we had procured was an interactive board, far more complex than the simple electronic board our guest had asked for. He was impressed with the features and functionality of the board, but sadly, it was too complex for him to use. Neither those of us who procured the board nor those who were present in the workshop were trained to use it. As a result, the board was hardly utilised during the workshop for the purpose it was initially envisaged for.

Sound familiar? I could not help but draw an analogy between our board story and IT system implementation projects. This is what happens in a typical IT system implementation project. Due to the urgency of the need or shortage of time, neither users nor IT spend adequate time on requirements analysis. Then the software is developed / procured / implemented in a hurry without taking proper sign-offs, with incomplete testing and with even more inadequate end-user training. End result: users reject the system and the project fails to achieve its desired impact!

BPM Series: Operations as a Service or Business in a Box!

As we are evaluating an IT partner for the start-up insurance company that I am working for, more than one prospective IT partner has offered to work with us on an Operations as a Service or Business in a Box model.

What is Operations as a Service or Business in a Box Model?

As part of the model, the IT partner would take complete responsibility for back-office business process execution as well as IT systems & infrastructure implementation, and offer it as a combined service. So, for example, for an insurance company the IT partner would invest in systems such as a Policy Administration System, Channel Management System, Auto Underwriting System, Portal, BPM & Imaging system, etc., along with the necessary infrastructure – Data Centre & Network. The IT partner would go on to configure the company’s products and processes on these systems. The IT partner would then run the back-office business processes such as New Business & Underwriting, Policy Administration and Claims Management using the IT systems and infrastructure implemented for the company. The IT partner would charge a consolidated fee – per transaction / rental fee – for the IT systems, infrastructure and process services.

I couldn’t believe my ears. This is something that I had predicted almost a couple of years back through various blog posts on SaaS and the convergence of SaaS, BPO and Shared Services:

Sidewalk: Software as a Service – A reality check!
BPM Series: SaaS, Shared Services, BPO – Will they converge?
BPM Series: SaaS, Shared Services, BPO – Will they converge? – Most likely

At least one financial services company and two insurance companies recently set up in India have opted for this model, offered by an Indian IT MNC and a global IT MNC. There seem to be obvious advantages, especially for start-up companies, in opting for this model. They are:
– Quick time to market
– Focus on critical set-up activities such as Branding, Marketing, Product Development, etc.
– Lower capital costs
– Scalability and flexibility in running operations

What do you think are the challenges and downsides?

BPM Series: Do business organisations need a single process management infrastructure?

Last week, a friend sought my advice on whether her company should implement a single process management infrastructure to automate & manage their enterprise-wide process management needs. The insurance company she works for is evaluating a BPM system / application to automate the travel reimbursement process. While doing so, the company is also exploring the possibility of utilising the same process management infrastructure to automate processes such as the New Business process, Policy servicing process, Claims Management process, New Product Development process, etc.

Now the processes described above are different in nature and have different traits. I remember having read an interesting process classification theory put forward by two wise men (unfortunately I do not remember their names) many years ago. They classified organisational business processes based on Business Value (Revenue Increase, Cost Reduction, Productivity / Efficiency enhancement, etc.) and their Repeatability, i.e. the extent to which the process repeats itself identically for every instance that occurs.

As is shown in the diagram above, organisational processes can be classified into four areas:

  • Production processes – with high business value and high degree of repeatability; e.g. New Business process, policy servicing process, claims management process
  • Collaborative processes – with high business value but low degree of repeatability; e.g. New Product Development, Contract Formulation
  • Admin processes – with low business value but high degree of repeatability; e.g. Travel Reimbursement process, Leave approval process, Conference booking process
  • Miscellaneous / Ad-hoc processes – with low business value and low degree of repeatability

In my opinion, the same process management infrastructure may not be utilised to manage all the types of processes described above. There are two issues:

  1. Is the BPM system capable of managing both repeatable and non-repeatable processes?
  2. Is it financially feasible for the organisation to manage high value and low value processes using the same BPM system?

Fortunately, BPM systems have evolved over time, and some of the leading BPM systems now possess dynamic process management capability, which allows business users to alter the flow of the process even at run time, i.e. as the business process gets executed. Such BPM systems would address issue #1.

However, these BPM systems tend to be expensive, requiring high-end IT infrastructure. In such cases, software, hardware and implementation services costs tend to be prohibitively high to justify utilising the same process management infrastructure for low value admin processes along with high value production and collaborative processes.

So, in my opinion, organisations may have to settle for more than one process management infrastructure to manage all their enterprise-wide processes. What do you think?

Sidewalk: Web 2.0 may not be just a buzzword

Let me be absolutely honest. I have not been a great fan of Web 2.0 in the enterprise applications space. I felt that proponents and analysts were creating hype out of nothing. But my recent experience with Google Apps is forcing me to alter my views about Web 2.0.

I am now working with a start-up insurance venture in India. Currently the venture is in its project phase. We are a team of 15 members operating from a small office in Mumbai. Setting up an insurance company is an intense and highly collaborative engagement spanning a period of at least 15-18 months. We are still about 10-12 months away from the launch of our operations. Obviously, our investment in infrastructure and IT at this point in time is limited to desktops, laptops and internet connectivity. It is likely to remain so for a significant period of time, for obvious reasons.

When I joined the company, the team was about 10 people and some of them were using the email infrastructure of the promoter companies. Those like me who were recruited for the joint venture were simply using web-based mail services. And of course, there was no collaboration infrastructure.

My first job after I joined was to set up a common email and collaboration infrastructure. When I evaluated options, I decided to be experimental and opted for Google Apps, rather than procuring hardware, software & hosting services for a collaboration infrastructure.

I just had to buy a domain name and register for Google Apps, and we were in business in just a couple of hours. We now have an intranet site hosted on Google Apps. The intranet site enables us to share project documents, and to publish our internal policies and procedures, team directory, project milestones and so on, using the various Google gadgets offered as part of Google Apps. In addition, we are also using the email & calendar service configured with our registered domain name. All in all, we could establish a collaboration infrastructure very quickly, without any maintenance hassles and almost without any cost. For a start-up company such as ours, a Web 2.0 service like Google Apps is an effective and efficient tool.

While I am still cautious about the application of Web 2.0 in the mission-critical enterprise applications space, I will certainly not dismiss and discount the concept and those who promote it, as I did in the past.

Happy New Year

Happy New Year! May the new year be brighter and happier to all!

I know, of late, I have not been able to blog for a number of reasons, or should I say excuses. But I have also realised that in the last few months I have been hopelessly out of touch with the latest in the IT world, which is not such a wise idea. So, you will keep hearing from me more often!

And here is the most impressive new year advice that I received:

“Due to cost cutting don’t turn off the light at the end of the tunnel.” 🙂

Keep in touch. Keep writing. Keep smiling.

Q&A: BPM Certification

In the Q&A series, Vinayak answers emails and questions from readers. For privacy reasons, the name as well as any specific references which may reveal the questioner’s identity are not published.

Question:

I know very little about Business Process Management, but I want to be a BPM certified Professional. So could you please help me out with the procedure to prepare for the same.

Currently I am working as a Project Engineer with 1.9 yrs of experience in the IT industry. My skill areas are: Java/J2EE, Autonomy, Plumtree.

So although I am in the technical stream, I would very much like to be involved in the Management stream.

Response from Vinayak:

Thanks for writing to me.

There are a number of BPM methodologies such as Business Process Re-engineering, TQM, Activity Based Management and Six Sigma followed worldwide to define, execute, manage and improve processes. However, in none of the above areas is there any single worldwide recognised body offering certification, like you have in the area of Project Management (PMI) or IT Governance (ISACA).

The following are some of the international agencies offering BPM courses:
OMG’s BPM certification
http://www.omg.org/oceb/oceb-faqs.htm

International Process and Performance Institute:
https://ipapi.org/

BPM Council
http://www.bpmcouncil.org/bpmc_cert_details.html

BPM Institute
http://www.bpmcouncil.org/bpmc_cert_details.html

I am not aware of the content and quality of the programmes offered by any of these certifications. My guess is that many of these programmes may have evolved from BPM systems or technical standards such as BPMN. The one by OMG, which is under beta testing, claims to offer Business- and Technical-oriented tracks as part of their certification.

My advice to you would be to go for Six Sigma in case you wish to pursue a career in Business Process Management. Six Sigma is an extremely comprehensive methodology based on qualitative and quantitative tools to manage and improve business processes. So, try and participate in the Six Sigma programme, if it exists in your organisation. If such a programme does not exist within your organisation, then read books / literature (you will find plenty on the Internet) on Six Sigma and Business Process Re-engineering to begin with, and then look for opportunities to participate in such programmes implemented by an organisation. If you desire to be a recognised expert in methodologies such as Six Sigma, then certification has to be accompanied by actual experience in implementing the Six Sigma methodology. So, certification alone in this area is not very helpful.

Some of the well-known agencies offering Six Sigma training courses in India are:
Motorola:
http://www.motorola.com/in/sixsigma.jsp

KPMG
http://www.in.kpmg.com/sixsigma/sixsigma.asp

QAI
http://www.qaiindia.com/Certification/frameset.htm

Hope this helps.