How to avert a storm in your cloud

The closer IT expenditure is to the front line of genuine business need, the better the return on investment should be.  So the positives arising from the growth in shadow IT – spend on digital applications and services by business teams rather than the IT function – are huge.   Estimates suggest that shadow IT expenditure now accounts for over 30% of total spend and 55% of digital spend.  And a key driver of this growth is the increasing prevalence of cloud solutions which can be deployed by a business team with minimal support from IT.

But the full scale of benefits will only be realised if risks created by business owners’ unfamiliarity with technology solution governance and inefficiencies generated by distributed decision-making are identified and managed.  The traditional IT-led approach to solution governance, based on large ERP or CRM implementations, will not work for Shadow IT solutions – it is over-engineered for the rapid evolution demanded by business teams.  A new model is required – one that is business-led and balances the need of business functions for speed and flexibility with the assurance that IT teams can provide.

So what risks does business ownership of IT solutions create?  Operational risk increases in direct proportion to any gap between the knowledge managers need for effective supervision and the knowledge they actually have.  The increasing digital divide between senior managers and their younger, junior tech-savvy colleagues is one such example.  And as cloud offerings enable solutions to be deployed by functional teams without IT oversight, the need for digital understanding among senior managers is increasing.  Research by the Harvard Business Review Analytics Services concluded “Digital acumen is essential for business leaders in today’s hyper-competitive, technology enabled world. But most companies lack the knowledge and skills needed to succeed in the digital aspects of their business.”

With high risk activities – such as proprietary trading in investment banks – these knowledge gaps can be catastrophic.  But most cloud solution deployments will not come into this category.  A more relevant analogy can be found in the recent history of data and reporting solutions.  These are often owned and deployed by business functions – marketing, finance, risk, compliance, operations and HR – in which case multiple reporting solutions are typically being licensed when one would do, generating inefficiency and excess maintenance costs.

Alternatively the deployment may be centrally owned (by IT) with space in the enterprise data warehouse made available to different functions to do with as they would wish.  This typically results in multiple ungoverned cottage industries with no documentation of which marts are being used for what purpose and what would happen if they were removed (and probably multiple versions of the truth as well).

This is the type of trap that business-owned, cloud based applications will fall into if there is a lack of management understanding of how such solutions should be governed.  Governance has always created tension between business functions and IT teams, with the former seeing the controls IT teams introduce as being over-engineered and a brake on rapid progression.  In the absence of IT involvement, the risk – as we have seen with reporting and analytics solutions – is that such disciplines are ignored.

Obviously a balance is required.  With digital implementations, there need to be good enough levels of governance.  Our experience with delivering data management and reporting solutions over the past fifteen years has given us relevant insights into what this looks like.  As one client put it, ‘you provide enough governance to keep IT happy and not so much as to delay delivery’.

So with that in mind, herewith our primer for business leaders on good enough governance.

  1. Ownership

Every cloud solution should have an owner who maintains a business case for the solution’s continued use as part of their accountability to whoever the budget holder is. Unlike traditional implementations where most of the investment is sunk up front, the rental model for cloud solutions requires a living business case with quantifiable improvements in KPIs the solution is delivering tracked against ongoing and forecast costs (including potential spikes). Such an approach facilitates the solution being swapped out should a new one that will generate greater value become available.

  2. Monitoring

The business case requires the determination or inference of linkages between the operational metrics that the solution can impact and the strategic goals and financial objectives of the organisation. These metrics and the hypothesised linkages need to be tracked so that both the operational efficacy of the solution and its strategic relevance can be assessed. Hence the second component is the creation of a dashboard to support the living business case. The dashboard also needs to track compliance-related metrics and cover change request progress.

  3. Responsibilities

Effective governance requires a sequence in solution deployment of requirement documentation, solution design, delivery, test, release and support, with the same process applying for subsequent change requests. In the traditional model, these activities are performed by different teams. Cloud solutions typically follow a DevOps model whereby these activities are carried out in rapid sequence by a single business team. Either way, all stages need to be completed, so both the processes for how changes will be managed and who will be responsible need to be defined.

  4. Oversight

The governance committee needs to have both business and IT representation – IT teams’ experience of solution design and demand management being particularly important to success. The governance committee needs to meet on a regularly scheduled basis – monthly or quarterly – and focus on organisational (e.g. responsibilities), security and the commercial model (to avoid the risk of unbudgeted spikes in costs).

  5. Documentation

There are two facets to the knowledge that needs to be captured in documentation – explicit and tacit. The former includes the business requirements the solution is meeting, process maps for the processes that the solution enables, and the underlying policies and procedures. It should provide all the information required for someone new to operate the solution from scratch under normal conditions. Tacit knowledge covers what to do in abnormal conditions, when problems arise and the process isn’t running smoothly – e.g. who to contact if an important feed is not available, fixes for when the solution doesn’t run as it should, answers to common questions about the outputs generated. Tacit knowledge is typically captured as FAQs and answers. The basic principle should be that a solution SME can’t progress to a new role unless all the necessary knowledge that their replacement will need has been codified and documented.

  6. Integration

Cloud solutions don’t stand in isolation. Typically they require data inputs of some form and generate data outputs. Where does this data come from, how is static data in the solution maintained, what happens with the outputs? All integration points need to be included in the documentation.

  7. Compliance

Cloud solutions need to comply with the organisation’s security policies for access control and data protection. Equally the organisation’s security policies need to evolve to reflect the new cloud-based world – relying on firewalls to lock data in a chamber with one door in and one door out is no longer feasible. Cloud enables and encourages collaborative working practices and the inter-connectivity of system-to-system processes – data is moving all over the place – and security policies need to evolve to reflect this new reality while still effectively mitigating risk. And the more integrated a cloud solution is, the greater the risk that it opens a gate to other parts of the IT estate, hence controlling access or levels of access is critical. Any data that resides in the solution also needs to be secured (e.g. via encryption or tokenisation) and where that data is hosted needs to comply with data protection legislation and organisational policy.

The rise of cloud requires IT teams to operate differently to how they have historically.  Control is no longer an option, collaboration will become the norm.  In turn, business owners of cloud solutions need to make the IT function their friend.  That will require compromises on both sides – less governance than IT are used to applying, more than business solution owners would like.  We believe that addressing the seven factors above will provide the ‘good-enough’ governance required to mitigate operational risk without inhibiting agility and slowing progress to a halt.

 

With thanks to my colleagues Manoj Bhatt, Mark Howard, Andrea Pesoli and Venkatesh Ramawamy for their contributions to this piece.

New kids on the blockchain

At Sopra Steria we often talk about a world ‘beyond digital’. This is so that we can help our clients to prepare themselves and their organisations for the challenges they are likely to face looking out three to five years into the future.

I shared some of the topics we have identified for a world beyond digital with an audience of digital and eCommerce professionals at a Thought Leaders of the North West event a couple of weeks ago. Our themes seemed to resonate with those in the room prompting plenty of discussion and debate.

One theme attracting a lot of interest was the ongoing challenge we face in the world of Information Security, where we see protection from attack being built into new products and services from the ground up rather than as an afterthought.

We also see an emerging era of unprecedented corporate responsiveness and agility as industry giants look to iterate their business models ‘on-the-fly’ in response to unforeseen threats and attacks in the way Sony Pictures did recently in immediately releasing ‘The Interview’ to digital channels and abandoning its plans for a full theatrical release.

Disintermediation is another concept having an immediate impact on the way we live, work and do business. Services such as Uber and Airbnb are already beginning to transform different aspects of the travel industry through their creative use of the crowd, the cloud and the semantic web.

In financial services we see the ‘blockchain’ threatening to disintermediate the traditional banking industry as Bitcoin continues to gain profile and transacting in such crypto-currencies nudges its way ever closer to the mainstream.

It was in this field, at a second technology event I attended recently, that I witnessed a tense debate between an established retail bank and an up-and-coming Bitcoin podcaster.

The bank, when talking about FinTech start-ups looking to establish themselves in the emerging global Bitcoin economy, outside of a traditionally regulated banking industry, suggested that “whilst barriers to entry are very low, barriers to mass acceptance remain incredibly high”, which is the kind of thing they used to say in the music industry in the 1990s.

Nevertheless, the power of the ‘blockchain’, the virtual ledger where the crowd validates transactions without the assistance of traditional banking infrastructure and regulation, may actually be found beyond Bitcoin trading, as new use cases emerging for this technology bring it further into many people’s lives.

One such service which could be leveraged by the blockchain may be that of personal data broking, where citizens take control of the value of their own personal data and begin to firmly negotiate with local and global organisations alike based on the value of their own data as derived from their own connections, online activity and their extended social graph.

Sopra Steria is working with some of the world’s most exciting start-ups in exploring these concepts, as these ‘new kids on the blockchain’ begin to collaborate with us and our clients as, together, we continue to play a vital role in the transformation of business for a world ‘beyond digital’.

We’d love to hear how you think ‘blockchain’ technology will transform our lives. Leave a reply below, contact me by email, tim.difford@soprasteria.com or on Twitter, @timdifford

Virtual robot workers and the impact on my pension plan

Sadly, I’ve reached the age where I am beginning to count how many years it is until I can start to draw my pension. Most days it’s a number far too close as I generally still love my job, although occasionally other days do have me dreaming that it was tomorrow.

My years of experience (!) in designing and running large back offices in the banking sector have seen me live through the centralisation of these back office functions, their subsequent outsourcing, followed by panicked in-sourcing when the wind or accountable exec changed, the drive towards off-shoring and, most recently, the delight of handling an 800-seat partial on-shoring project for a client.

For each one of those, the primary business case rationale was a step change reduction in the cost of the operating model, with CX being a nice to have secondary benefit when the business case needed a more politically acceptable feel to it!

What I couldn’t see was “what next” in the step change evolution of the back office.

That was held to be true until I reluctantly deputised for my boss at a meeting last year and was formally introduced to the world of virtual workforce robots, and an epiphany happened!

At its most simple level this is a piece of software that emulates the actions of a human in an operational process – once configured/trained, each virtual instance of an FTE is fully scalable, 100% trained, 100% accurate, and is available up to 100% of each 24 hour day.

Depending on your cost base and its location, these virtual wonders can also do the same volume of processing for as little as 1/9th of the cost of a human.

With our partners at Blue Prism, Sopra Steria has developed a Lean Robotic Automation (LPA) proposition, coalescing our deep capability in Lean process management and Blue Prism’s software wizardry.

We are still at a relatively early stage in deployment both internally and externally but watch this space – every commentator and analyst in the marketplace recognises virtual robots as playing a significant part in all our clients’ thinking within 12 months.

As for my pension plans, they’re on hold for a while – I’ve a target audience in the UK alone of around 8,000,000 jobs to try and automate!

What do you think about the role virtual robots will play in operational processes? Leave a reply below or contact me by email.

Mobile payments?

“Oh no!” (I can hear you say) “Not another blog about mobile payments…” Well, yes… and no.

I’m probably as fed up as you are with a lot of the stuff that gets written about “mobile payments” – almost as fed up as I am with the nonsense that people write about “mobile wallets”, but that’s a whole different discussion.

Why am I fed up? Well, basically because many of the blog posts and articles and much of the commentary around mobile payments cast too wide a net and address products, solutions or developments that are way wide of the mark when compared against a proper expression of a mobile payment implementation. All of this noise helps to perpetuate the idea that anything which involves:

  1. a mobile phone, and
  2. a payment of some sort

automatically qualifies as a “mobile payment”.

So, if I take out my Samsung Galaxy S4 and use the Chrome browser to call up the Tesco Dotcom site, place an order for groceries to be delivered over the weekend and then pay for the goods by entering my credit card details, then that’s a mobile payment, right? Or if my friendly neighbourhood plumber fixes that annoying leak under the sink and he accepts my credit card payment (well, it was an emergency!) by using his iPhone connected to an iZettle card reader, I’ve just made a mobile payment, haven’t I?

Compare that to walking into your nearest Starbucks with your Starbucks Rewards app open on your iPhone and presenting the “Pay” barcode to the scanner at the till to buy a caramel macchiato and a chocolate muffin – see the difference? It’s not the best example of a mobile payment by a long way, but at least it’s heading in the right direction insofar as you haven’t had to supply any payment credentials at the point of interaction to effect the payment (as in the Tesco example above) and you haven’t had to provide your plastic card to complete the transaction (as in the payment to the emergency plumber). Instead, information related to a payment card – in this case, the Starbucks Rewards card linked to a pre-paid account – has been transferred from your mobile phone to the point of sale terminal, and all you had to do was wave your iPhone screen in front of the scanner.

If you want to get technical about it, you had to open your iPhone, which requires a screen swipe and (hopefully) a passcode; then you had to look for and open the Starbucks app; then you had to click on the “Pay” button and then orient the iPhone screen in such a way that the barcode could be read by the awkwardly positioned laser scanner… But it was easy, wasn’t it? And you got a star for making the purchase with your Starbucks Rewards card (in your iPhone app). So maybe it wasn’t that easy and it could have been better designed to ensure a smoother, more convenient customer experience, but it’s still more like a “real” mobile payment than the other examples above, despite its sub-optimal implementation.

So, in my view, there are true mobile payment solutions and there are other implementations which are “mobile payments” in name only. But what makes a good mobile payment product, as far as I’m concerned? Well, there are a number of factors at play in building a fit for purpose solution in the mobile payments space, including security, functionality and ubiquity of acceptance, but most of them revolve around the customer and the customer’s experience of using the mobile payment solution. I talk about this aspect of mobile payments and what customers are looking for in a mobile payment product in my recent white paper on mobile payments as well as discussing what makes a mobile payment a mobile payment. Take a look at it: it might help you appreciate why I get fed up with some of the stuff that I read about “mobile payments”.

What do you think? Post a reply below or contact me by email at liam.lannon@soprasteria.com.

The future of mobile payments is contactless

Mobile payments may well be set for a period of explosive growth, according to the recent Guardian article “Mobile payments: the brave new cashless future”, but it won’t just be down to Apple Pay, despite its apparent success since launching in the US in October of last year.

Yes, Apple Pay might be convenient and secure – two of the three consumer-centric attributes which MasterCard’s Jorn Lambert identified in the same article as key to the success of m-payments – given its reliance on a tokenized set of card credentials in an embedded Secure Element, a Touch ID payment authorisation process and a slick user interface. However, it falls short when it comes to the third attribute identified by Lambert, namely ubiquity. Never mind that Apple Pay is only accepted at the 3% of US retail terminals which have been upgraded to support contactless payments, it is also only available today on the iPhone 6 (and soon on the iPhone 5 for anyone who pairs it with an Apple Watch) so it definitely won’t be everyone’s favourite way to pay, at least in the short term.

Separately, Kevin Dallas of Worldpay took the view that merchants need to ensure that they partner with the “right” payment app since research suggests that consumers will only load one or two payment apps on their phones to avoid confusion. Since in-store retail payments still account for over 90% of all payment transactions by dollar volume, we would argue that the “right” mobile payment app for merchants to support is one which is optimised for use at a point of sale (POS) terminal. The following might help those merchants who are still sitting on the payments app fence come to the right decision:

  • Apple Pay was launched to support both in-app and tokenized in-store NFC (contactless) payments
  • Samsung Pay has just been launched to support both NFC and magnetic secure transmission technology (MST)
  • Google have recently announced support for Android Pay which uses NFC and tokenization
  • MasterCard announced (Sept 2014) that all legacy POS devices in Europe must support contactless payments by 1 January 2020, with all new POS devices to be compliant from the start of 2016

Merchants who today accept card payments will – in five years or less – be accepting contactless card and mobile payments. Those merchants who today do not accept cards but who want to accept mobile payments would do well to consider a future where smartphone penetration is expected to reach 6bn subscriptions by 2020, where the dominant handset models will be mobile payment and NFC-compliant and where their competitors are servicing customers with these handsets at contactless POS terminals for both low and high value transactions.

That’s right: the future of mobile payments isn’t cashless, it’s contactless.