Data Analytics has accepted a Silver Partner offer from Informatica.
WHO IS INFORMATICA?
Informatica is the world’s leading provider of data integration, ETL (extract, transform & load), integration platforms, data quality, meta-data management and master data management solutions & has been for many years (see Gartner Magic Quadrant reports in each category).
WHO IS DATA ANALYTICS?
Data Analytics is a full-service management consultancy service centring around enterprise data, including data strategy & management, data governance, data science (AI/ML/Big Data), data engineering, data quality, data platform architecture & implementation and data analytics. Data Analytics Consulting can transform your business into a fact-focussed enterprise where reality drives business decisions.
WHAT THIS MEANS FOR CLIENTS
Data Analytics can now also help your business design and deploy Informatica-based solutions in Australia & New Zealand. Data Analytics, however, maintains its right to independently advise clients to choose non-Informatica products where Data Analytics architects believe it is in the client’s best interest to do so. Similarly, Informatica retains its right to advise its clients to use other professional services other than Data Analytics where appropriate.
Informatica and Data Analytics are now taking steps to enhance their respective offerings and services to clients in the ANZ market utilising the best of each other’s capabilities. For further information please contact Jeff Popova-Clark (+61 421 960 048 or email@example.com).
Risk management has gone through various stages in its lifetime. During the early 2000s, risk management started to get more generically formalised beyond those specialist areas of risk control in domains like insurance, engineering and finance. We had various management standards for risk management including AS/NZS4360, COSO, FERMA, BS31100 and eventually the ISO31000 series. Although not mandated in any of these standards, we all got used to sitting in rooms with risk workshop facilitators trying to identify all of the risks our organisations faced and then analysing them to see how big they were, what we were doing about them, whether we were adequately mitigating the risk and what else might we be able to do to further reduce the risk. At various times throughout the last 20 years, ERM has dissolved into little more than a box-ticking exercise. However, in the era of global pandemics, global economic shocks, tsunamis, earthquakes and global warming, Enterprise Risk Management (ERM) is making a comeback as an important component of a sustainably successful enterprise.
Therefore it is interesting to note that there are actually a number of other approaches to identifying, analysing and mitigating risk that are not commonly practised in a structured way by most organisations. They are the forgotten risk analysis methods of ERM:
History: A historical review of events at your own organisation can identify those risks that have actually realised (or maybe near-missed) over the history of your enterprise and how frequently and how big they actually were. This should be done rigorously using metrics wherever possible. Often, if the firm’s own history is ever mentioned, it is normally done so anecdotally. This runs the risk of primacy and recency effects overriding objective risk assessments of the likely frequency and severity of a risk realisation. Also, it may be possible to see what was tried before and to assess how well it worked to dampen the frequency and severity of occurrence, rapidly detect occurrence if it occurred, contain the consequences and then efficiently and rapidly recover and remediate.
Research: A research effort to assess what kinds of risks have actually occurred to similar peer organisations across the globe and across time to help identify what could happen that may not have happened within your organisation before. Also, identify mitigations that have been attempted and assess the historical success of those.
Experts: Getting the opinion of actual experts in a field. Too often the Financial Controller or the CEO’s Chief of Staff are providing opinions on the flood risk to the organisation’s operations. Are these officers really sufficiently qualified to assess the likelihood of flash flood or river/coastal flood at the organisation’s premises, and are they qualified to estimate the frequency and severity of those potential events? And are they qualified to estimate the likely impact such events might have on operations? When specialist knowledge is available, why not use it instead.
Crowdsourcing: Very rarely are surveys or idea boxes employed to tap the ideas and thinking of all the brains available in your organisation. Your staff represent a very large number of eyeballs seeing the world, with a very wide diversity of experiences and a large repository of grey matter, which are, at least some of the time, thinking about your enterprise and what is good and bad for it. Senior executives at a risk workshop may not be aware of all of the thinking of their staff on these risks. This is much easier now in the era of cloud and social media.
Literature: Academic survey of what researchers are highlighting and identifying in the literature as potential risks to your organisation. Once again this doesn’t need to be a hit or miss of what your CRO happened to be reading last week or last saw at a conference. A dedicated effort to monitor published articles on industry-relevant risks is useful especially in industries that are changing rapidly.
Benchmarking: Undertake industry risk benchmarking. What are similar organisations to yours identifying as risks and taking mitigating action against? Is your enterprise missing something that others have identified?
Models: Develop a digital twin of your enterprise or operations and run simulations to see where its vulnerabilities are. Armed with this knowledge, how likely is something going to occur that could threaten those vulnerabilities. Models can also be used to forecast the outcomes of various mitigation options. What mix of event suppression, detection, resilience, containment, recovery and insurance provides the most cost-effective mitigation option?
Rollup: Local risk analysis is being undertaken for cybersecurity, treasury risk, workplace health and safety, IT & construction projects, asset management and various other domains. Some organisations neglect to aggregate these individual exercises as input into the enterprise level.
Post-event analysis: Although this is sometimes done, it is not done frequently with the purposes of Enterprise Risk Management in mind. Post-event analysis should look at an occurrence from many angles: (a) had we identified this as a potential risk before? If not, why not and if so, did we assess its likelihood and severity accurately? If not, why not and if so, what did we do to mitigate the risk? (b) Did mitigations function? If not, why not, but if so did they decrease the likelihood and/or severity of the risk as expected (c) were containment and recovery plans available and triggered and did they function as expected?
Scenario testing: Not quite as forgotten as the ones above. This is more commonly seen in the ERM subcategories of Disaster Planning and Business Continuity Planning, but can actually be used more widely for all kinds of risk management. Develop a scenario where things are going wrong and try to operate through the simulation. Often risks, weaknesses and vulnerabilities are brought into relief under the more realistic circumstances of a simulated scenario.
As you can see there are many other options to identify and assess enterprise risks. None of these are outside the various ERM standards; it’s just that they are not used very often in practice. This could be because many of these require somebody to spend time and effort in researching these risks and interviewing experts outside of the semi-annual executive risk workshop. But is it time to invest resources into actually taking risk management seriously? How many of these forgotten methods are actually practised in your organisation?
You knows those people who are always seemingly disagreeing with the rest. Those people who passionately explain their ideas but lose most of us along the way. Those people who seem frustrated with the status quo and are constantly speaking up inconveniently when you are trying to get alignment across the team. They are outspoken, passionate, different, annoying and generally the people that most organisations try to repress. We brand them “mavericks” and not team players. But often they are speaking out at tremendous cost to their own reputation and career. Why do they do it?
And they do it despite the natural affinity to do the opposite. A range of famous psychology experiments by Solomon Asch shows that most of us will not disagree with the crowd even when the crowd is patently wrong. Survey’s show that over 70% of employees will not correct their boss even when they know the boss is wrong. So these dissenters are already a very rare bunch. Do they do it for kicks? Do they just enjoy stirring the pot and watching the commotion?
So how can you tell if the person is (a) an innovator that has a very important point such that they were willing to risk their public reputation, or (b) is simply a misguided hot head or naïve know-it-all. If they are an innovator who sees something that no-one else is seeing, it is likely you yourself are not seeing it either. I suggest that you pull the person aside and ask them to take the time to explain three things (maybe in writing to help you take it to other stakeholders if it proves that it is actually innovation):
What is the driver for why you are speaking out? (e.g. I believe what I’m saying will avoid a risk to the company/strategy/team that is likely to occur if we don’t change, or; I believe that the current approach is less fair to these stakeholders and they will object.)
What is it you think needs to be different than what you think things will be if we don’t heed your advice/idea? (e.g. “I believe that we need to run the project in an agile, iterative style because if we pretend that we already know the risks and costs up front we are misleading everybody and ourselves, significantly increasing the risk of major project failure.” or “Our strategy presumes that everyone is like ourselves, but not every culture we are dealing with has the same goals and desires as the people in our team. For instance some of those stakeholders value time with community more highly than they value jobs within their region. We are likely to get major community pushback if we proceed this way. We need to accommodate their different personal and community goals”).
Why do you think you are the one who sees this opportunity differently than everyone else? (e.g. “Perhaps I am the only person in the team with a combination of psychology, finance, science and commercial operations in my background” or; “My great grandmother lives on a native people’s reservation and I spent significant time in my childhood there. Few others have that experience” or “I have several years experience at another employer doing these projects and they changed their approach for the reasons I am highlighting and the changes really improved outcomes. No-one else in the team worked there.”)
You may need to help the person with their communication to ensure they get it right (even if they are the only right person about this particular issue doesn’t mean they are an all-competent super person). However, there are also times when the person simply does not have all of the facts or hasn’t thought through the strategy logically themselves. Also the person just might be someone who has a psychological need to be contrary or just loves office drama. All of these potentials have useful information about the team communications and/or the mentoring/coaching needed for the person in the future.
Working out what remuneration someone is worth is of enormous interest to both employers and their people alike. But what are the key ways to determine the appropriate compensation for the contribution of current and potential future contributors to an enterprise. I thought I’d jot down some of the main approaches to work out that elusive number:
Market value approach: what do persons who do that type of role generally receive for performing that kind of work or what does the market think that person is worth. Essentially what is the market rate for that type of work or for the individual in question. This is a common approach for commodified positions in the private sector and for individuals who are well-known in their industry.
The marginal utility approach: if the person is undertaking their role to the standard expected, what extra revenue/profit/gross margin will the enterprise achieve over and above what the enterprise will achieve if the person was not undertaking their role. This value can change over time based on variations in market conditions and on the performance of other roles in the enterprise. An example may be the remuneration of a football player. If the football player is so good that the club is much more likely to win a football game and attract more fans to watch the game, then they are worth a significant amount based on marginal utility.
Equal share approach: if the surplus value being created by the enterprise is shared equitably around the firm amongst the people responsible for achieving that surplus value, then this is a fair compensation for that contribution. So if the value add is $1M per annum over and above other input costs (including return on equity), and 10 staff helped achieve that value add, then everyone should receive $100K. This is more often used for bonus calculations, but is nonetheless, part of an individual’s remuneration.
Company value delta: what is the increased value of the enterprise in the market if the individual is in the role as opposed to if the individual is not in the role. Some CEOs are valued based on this concept, where the value of the company is increased because the market believes this CEO will improve the performance of the company or bring a loyal book of established clients. Therefore the CEO is worth a proportion of the net asset value delta of the company with him/her vs the value without him/her.
Compensation for investment approach: how much would a person have to have invested in their education/certifications/experience to have been capable of undertaking the role and what is a fair compensation for that. For instance, some medical specialities require over 10 years of tertiary studies to achieve a level of education and expertise to be able to function autonomously. This level of investment leaves less career lifetime to earn and therefore requires higher compensation to make up for the level of prior investment made by the position holder/candidate.
Optimise churn approach: what level of compensation is sufficient to deter an incumbent from choosing to go elsewhere. This can even be below market rate, as there is a cost to change employers that incumbent staff may factor into their decision to quit to start with a new employer who may be paying the higher market rate.
Attract the best approach: what remuneration is likely to attract, retain and motivate the best people who are more likely to contribute more to the enterprise’s success. This may be a “set the tone” approach which says that a high performing culture is the expectation and that the enterprise attracts and retains the best, and appreciates the added value the best bring to the enterprise.
Lifetime value approach: as opposed to viewing a person in their current role or the value they are currently contributing, this approach looks at the value add of a person over the lifetime of their tenure with the enterprise. This looks at the person’s potential to add value both now and into the future. This approach decides what is the right remuneration to remit as a function of their expected lifetime value to the enterprise. Some individuals who are being groomed for future leadership positions may receive more remuneration than their current role or value might justify.
Seniority approach: the key here is the current size of the budget, the current delegated authority, the current number of staff and the general seniority of the position held. This is common in the public service where marginal utility or market rates can’t be determined easily.
Length of Experience approach: the key here is how long the person has held the position or has worked in the enterprise. The theory is that more experienced incumbents are more likely to contribute more than the less experienced. Once again this is common in the public service.
Industrial Award approach: based on the pre-negotiated industrial award, pay what is specified in the award for an incumbent in a particular position. Depending on the power-relationship between the negotiating parties, award rates may be a little above market rates. Essentially a union is likely to try and capture more of the enterprise’s surplus for the workers out of the owner’s capital return. Unions do have a vested interest in maintaining the continued operation of major employers.
Incentive approach: what level and structure of compensation will incentivise the person to perform at a high level adding further value to the company than an unmotivated incumbent, whilst encouraging them to stay with the company to continue contributing.
The perceived-by-peers fairness approach: what would the majority of the person’s work colleagues believe is fair compensation for the work they do, the effort they put in, the sacrifices they make and the contribution they make to the success of the enterprise
The perceived-by-incumbent fairness approach: what would the person themselves feel is a reasonable compensation for the work they do, the effort they put in, the sacrifices they make and the contribution they make to the success of the enterprise. This can be impacted by the incumbent’s knowledge of the remuneration of others.
Past achievement approach: how much better did the organisation do last year/period as a result of the contribution made by the incumbent. Once again some CEO’s claim responsibility for the increased revenue/profit/gross margin from the previous year/period and claim that they are worth a proportion of that increase.
Compensate for opportunity cost: how much could the person have earned if they were investing their time, expertise and effort elsewhere? This is commonly used by headhunters where they offer a potential recruit at least a bit more than their current remuneration to attract them to give up their current role.
Minimum allowable approach: some enterprises will try to minimise remuneration to the lowest allowable by law. This is common when the labour market is a buyers market, with plenty of alternate labour available to replace the leaving of any incumbents and when the expertise and skill required to undertake the role is very low.
Hardship compensation approach: How much hardship, danger or sacrifice is required to undertake the role and what is a fair compensation for the sacrifices required to undertake the role. The role may be based in a remote location, or require unusual hours of attendance, or be particularly physically demanding or emotionally traumatising (e.g. mercenary work).
Key contribution approach: a person may have an idea or piece of intellectual property upon which the unique differentiation of the business model relies. This person could have taken their IP to elsewhere but chose to contribute that unique differentiator to the enterprise. In recognition of that unique and key contribution and the importance of it to the overall value or competitiveness of the enterprise, perhaps compensatory remuneration is justified.
In some circumstances, some of the above approaches amount to the same thing, and often the final number does include consideration of multiple of the above approaches. How many of the above considerations does your enterprise use when determining compensation for current and potential contributors? Are there others not included on this list?
In 1994, Standish group dropped a bombshell on the rapidly growing IT industry by publishing the gob-smacking rate of only 16% successful IT projects in the prior 12 months. They suggested that the reason was a lack of project management discipline for IT projects; akin to the kinds of project management discipline that engineers use to build skyscrapers, cruise liners and bridges. Standish’s conclusion: “IT needs its own project management methodology and the skills and tools to deploy it!”
The impact was dramatic. A number of efforts began across the world to develop a suite of standards and methodologies that could help project managers and their stakeholders improve the chance of IT project success. Some (e.g. PRINCE2) were based on embryonic existing methodologies, whilst others were genuine efforts to develop new methodologies from the ground up.
Over the first few years of the Standish Group results, the new project methodologies were still maturing and adoption was slow. Most practitioners did not hear of PMBOK or Prince2 until some 4 or 5 years later, so widespread adoption of these methodologies (and therefore their potential impact) lags their development. However, that initial report was 25 years ago now and we have since developed globally-adopted and widely practiced standards in (i) project management, (ii) program and portfolio management, (iii) business analysis, (iv) change management and (v) benefits realisation. Indeed an entirely new multi-billion dollar education, training and certification industry has arisen to service this apparently pressing skills gap.
So, if Standish was right and it was methodology and project discipline that was the problem, then we should by now see a significant improvement in IT project success hit rates. So lets take a look:
Analysis: The first few Standish Reports had changing definitions and sampling frames which explains the initial fluctuations particularly between the “challenged” and “failed” categories. However, eventually the rate of “failed” projects has settled to around 20%, “challenged” to around 45% and “succeeded” to around 25%. What looked like improvements up to 2012 have since turned around and have generally headed in the wrong direction for the last few years. Some have suggested the apparent improvements up to 2012 were actually due to the increased proportion of smaller projects in the survey (particularly post-GFC). Smaller projects have always shown a higher rate of success throughout the entire period. Indeed comparing 1996 vs 2015 shows an increase of just 2% of projects successfully completed (27% to 29%).
A 2% improvement is scant justification for the enormous investment in training, standardisation, certification, discipline and management effort. The project management education industry is now a multi-billion dollar industry globally, but as far as we can tell from the above analysis, it is not contributing to improved IT project success rates. If so, then how is all of this investment and effort contributing to the economy beyond John Meynard Keynes’s hole diggers.
Us humans do lot of things because they sound right. If it has a good story (see Beware of the “just-so” Use Case Stories) that’s good enough for entire industries and academic disciplines to continue working away for years and even decades before its noticed that it is all based on nothing tangible. I’m afraid that the evidence is in:
Project Management discipline has not improved the success rate of Corporate IT projects!!
A common reaction is to just do things harder. The story that project discipline improves projects must be true. So the lack of empirical results is simply evidence of a lack of effort/discipline/application: If we just hired a more qualified/experienced/talented project manager…if we just documented user requirements more thoroughly!…if we just applied more management effort toward realising the benefits in the business case! “The floggings will continue until morale improves”. No! The problem is that Standish, even though it sounded right at the time, have proven to be wrong and there are other (much more important and prevalent) causes for such widespread IT Project failure rates. So we must look more widely for clues as to why we still have such high project failure rates. I believe some clues can be found here (over-generalisation of success in different domains) and here (the planning fallacy).
Do you agree that project management methodologies have been oversold as a panacea for IT project failure rates?
“Corporations are people, my friend” said Mitt Romney in 2011 during his ultimately unsuccessful presidential campaign against Barack Obama. But we all know that he is not correct. Corporations (or any disembodied entity like companies, trusts, partnerships etc) cannot be embarrassed about an unexplained lump on an inconvenient body part, or feel the need to hide a secret love of Rick Astley tunes from their friend group, or, perhaps more importantly, have a need to suppress public knowledge of racial or cultural origins, a current or prior disability or of a personal religious belief for fear of vilification. Let alone the inability to have their liberty curtailed by spending time behind bars for breaking the law.
What is Privacy Protection For?
Indeed privacy is primarily about these issues. Privacy helps protect minority individuals from persecution by ensuring that they are the only one’s who can reveal their private information… to whom they desire & if and when they so choose . The other purported benefits such as protection from identity theft or reduction in being hassled by telemarketing companies are, in fact, primarily treated via other legislation. Note that the right to ensure that data held about you is accurate (and therefore decisions based on such are well informed) is related to privacy, but actually does not relate to the right to have that data restricted from distribution.
Fair Use vs Privacy
Fair use (not privacy) is the concept that it is a form of con job if you ask for someone’s information for one purpose and then use it for another purpose, which may be harmful to that person. The idea being that if the person had known the other secondary purpose was a potential use and that that secondary use may result in a negative outcome for them, then they must be allowed to have chosen to restrict the provision of the information in the first place. But what if the secondary use is for regulatory compliance checking or criminal investigation. If such information collection is compulsive then the individual could not have chosen to not provide to the second use. So secondary use, in such cases, is simply a more efficient method than compulsively re-asking for the same information.
Privacy as a means to hide criminal activity
Privacy rights do not imbue an individual (nor their agent) the right to restrict access to information based on the argument that it may reveal the individual’s illegal activity and therefore result in a negative outcome for them. This is called obstruction of justice. So, if a regulator or police investigator is attempting to detect, prevent or discourage illegal activity, individuals do not have the right to prevent data about them being used for this purpose. This is doubly so for corporations, partnerships, companies, and trusts etc. Firstly, privacy does not apply to these disembodied entities as explained above and secondly these organisations are simply legal entities which possess publicly recognised and accepted associations between multiple individuals. These associations (e.g. a corporation) and the entity’s rights and privileges are bestowed by community licence. Therefore their privacy is anathema to the community’s ability to oversee whether the community licence should continue to be granted.
Privacy should not be granted to corporations (only to the individuals inside them)!
This is particularly important for regulators; whether they be regulators of markets, industries, elections or parts of government. If they are conducting regulatory compliance assessment activity they are looking for non-compliance with regulation. Mostly this is regarding the actors within a market or industry that are corporations or are, at most, individuals as it pertains to their activity in a market. None of this should be considered private information. So regulators, government agencies and 3rd party data holders should be able to share data about corporate activity without having to consider the corporation’s “privacy”. Even sole trader’s data will only be of interest in so far as it relates to the sole trader’s activity in the market. Such activity needs to be transparent to regulators and so, it too, should not be subject to privacy.
Similarly corporations cannot claim commercial-in-confidence as regulators are not competing with them. Such data, of course, should not be shared by regulators with competitors nor shared publicly; but it can be safely used for regulatory compliance analytics work.
If the data required to assess regulatory compliance is inextricably inter-twined with an individual’s preferences for Rick Astley tunes, then we may have a problem.
So does your organisation separate the information about individuals from that of disembodied entities (e.g. corporations) and treat these cohorts differently with regard to privacy legislation or is at all treated in the same way?
The world of big data has certainly revolutionized the areas of marketing, promotion and customer fulfillment (see Google and Amazon respectively) and has also had significant impact in the areas of finance and insurance. Government and regulators, however, really haven’t been capturing the benefits of big data a great deal to date. All that is about to change.
The new concept of Auto-Compliance is the regulatory nirvana of all participants in a market complying with all regulations because its the simplest, most efficient, lowest risk and most profitable thing to do. Its a state where all participants in a market evaluate the risk of non-compliance as too high to make pursuit of a non-compliant approach worthwhile. Sounds great but how can this be achieved?
To illustrate, lets imagine you are a manufacturer who can (i) choose to dispose of industrial waste compliantly at significant cost or (ii) choose instead to dispose of the waste non-compliantly at next to no cost. The temptation is there to decrease costs by disposing waste non-compliantly. What’s worse is that if your competitors are all disposing of their waste non-compliantly, they can cut their costs & their prices and then put you out of business. You may be almost forced to violate the waste disposal regulations. The only (ok, major) disincentive is the risk of getting caught… known as compliance pressure. But if there’s little risk of getting caught, then not only will you not get caught, but neither will your competitors!!
Many regulators only receive data and information provided to them by the participants in the market themselves. This means that regulators only know about things in detail based on data they’ve been provided (and what they find out about the individual entities they conduct expensive investigations upon). Most importantly, participants themselves know what data they have given a regulator, and also what they have not given. This puts participants in an ideal position of knowing what regulations they can safely violate and what regulations they cannot safely violate. Indeed, they also know that their competitors know this information as well. If the Regulator has no further sources of detailed information and/or any ability to undertake sophisticated analytics, then there is little compliance pressure. Participants are almost forced to violate the un-monitored regulations, just to stay competitive.
But Regulators can’t simply keep asking for more participant data. Onerous regulations such as these increase the regulatory impact on the industry, and eventually the cost of compliance overcomes the ability to turn a profit. Another impact is the artificial barrier to market entry such onerous regulation creates for startups. Regulators need to exert compliance pressure on all, without penalizing the compliant and the small with onerous regulatory burdens.
The response: Big Data & Analytics
Some regulators are now beginning to build sophisticated analytics capabilities and looking for opportunities to get data from other sources (e.g. other regulators, other government agencies or even 3rd party data providers). These Regulators can begin to use sophisticated big data and other analytical techniques to predict and detect non-compliance far more accurately and efficiently. A few key busts of non-compliant behavior with their shiny new Regulatory Analytics capability and suddenly market participants can no longer be sure what their regulator knows and what it doesn’t know.
Indeed if the regulator vaguely announces that the Analytics capability is “continually improving” and that new sources of data are being continually attained and deployed (without being too specific), participants can’t even be sure they can continue to violate regulations they previously violated safely. Participants may have gotten away with breaking a rule last week, but the Regulator’s analytics capability is improving and might get them if the participant tries it again next week.
Interestingly, even the regulations that are not being actively monitoring are enforced, because the participants don’t know which activities are being monitored or predicted. It becomes rational to simply just comply with the entire regulatory regime. And, most importantly, all competitors are in the same boat…there’s no strong competitive pressure to cut corners to gain competitive advantage. Congratulations, the Big Data & Analytics Fortified Regulator has now achieved “Auto-Compliance“.
Generalized cost effective compliance of all participants with the entire portfolio of regulations is the dream of regulators the world over. Overseeing a level-playing field where competitive advantage has been achieved only through innovation and industriousness and not through covert regulatory avoidance is possible with Auto-Compliance. Indeed many complex and onerous regulations are in place purely to encourage compliance with other more fundamental regulation. Auto-Compliance allows the regulatory landscape to be simplified back to core compliance goals, saving significant overhead for both market participants and the regulators themselves.
If you’re a regulator and have started the journey toward Auto-Compliance (I know some of my clients have begun the journey) make a comment below. If you want to join this latest wave in regulation, let me know.
Business Cases are one of the most common business documents used today and yet their use is commonly misunderstood. Often business cases are seen as simply “step 4” on the path to a completed a project. Worst of all they are often written by someone who is incentivised to have the project approved. Indeed, in some cases, the quality of the business case is even assessed based on whether the project was approved.
This kind of “need-to-get-it-approved” bias leads to an underestimation of costs and risks and an overestimate of benefits. But often decision making bodies such as Boards and Steering Committees simply don’t have the time and/or expertise to delve into the detail sufficiently to detect this bias. They can ask some pointed questions, but essentially the costs, benefits and risk estimates in the business case are what the decision makers must use to make their decision. No wonder Standish Group keeps finding so many IT projects failing to achieve project benefits on-time and on-budget (over 80% failure rates for enterprise wide system implementations in a number of their annual surveys).
So what can we do to balance the ledger and ensure that we aren’t receiving an overly rose-coloured assessment of a potential project at the business case stage? Enter the Anti-Business Case. This is a business case written by the “opposition”, who are independently trying to prove to the committee that the project should not proceed. In many cases the cost of developing a business case is only 2-5% of the total cost of a project. Money well spent, if the benefit is a clear-eyed view of the real costs, benefits and risks before investing large in a new endeavour.
The concept is borrowed from the justice area where a plaintiff and defendant provide opposing views to a judge before the judge balances the evidence and argument and makes a decision. Similarly the parliamentary system which tends to have an opposition which provides an alternate viewpoint to the voters. These institutions have stood the test of time and have proven their worth against the risks of groupthink and biased provision of information.
However, in practice, developing an anti-business case does require some practicalities. There does need to be a coordinator that ensures the options being evaluated by both the business case and the anti-business case are sufficiently simlar to be of value. It is no point if the anti-business case is arguing against a “strawman”; something the business case is not recommending. It is also important that any factual information is available to both sides (equivalent to legal “discovery”). However, it is important the two efforts develop their cost, risks and benefit estimations independently.
At the end of the business case process we should have a number of outcomes beyond a simple “Approve” decision:
The Sponsor asserts that they have researched the proposed project in sufficient detail using reliable approaches to accurately estimate/forecast the likely costs, risks, resource requirements and interdependencies. The Approvers accept the Sponsor’s assertion when approving the business case.
The Sponsor commits to deliver the benefits identified in the business case document and has determined that it is possible to do so within the documented resource, timing and cost allocations and that any risks can be mitigated to an acceptable level as outlined in the business case. The Sponsor commits to do so in the manner described in the business case, which the Sponsor asserts is the most feasible manner to achieve the benefits within the resource constraints.
By approving the business case, the Approvers (e.g. the Board or Steering Committee) accept the Sponsor’s assessment that the benefits are of value to the organisation and that they can be delivered within the resource, timing and cost constraints at an acceptable level of risk. The Approvers also agree that the manner of achieving the benefits outlined by the Sponsor in the business case is the most feasible approach.
The Sponsor asserts and the Approvers agree that the expected business benefits are sufficiently high and delivered in time to justify the expenditure of the resources required to achieve them. The Approvers obtain the right to have the Sponsor or some 3rd party demonstrate that the benefits documented in the business case have been realised in the timeframes required at the end of the project.
The Sponsor has asked for delegation of the resources, budgets and permissions required to undertake the project (or at least its next stage) and the Approvers have delegated those resources to the sponsor
The Approvers commit to not approve alternate uses of the delegated project resources in the future and will not approve future projects that presume that this project will not deliver the benefits (unless this newly approved project is altered accordingly)
The Sponsor commits to use the delegated resources in the manner specified and for the achievement of the documented business benefits and not for other reasons or in other ways.
The Approvers agree that any portfolio interdependencies of this newly approved project have been identified, resourced appropriately and that the interdependencies and their timing are acceptable to the organisation and the project/program portfolio. From approval onward, the Approvers agree to treat this newly approved project as part of the relevant program and portfolio.
If there are any departures to organisational norms required by the project (e.g. relaxation of architecture standards, changes to policy), then the Sponsor commits to limit the departures to those documented. The Approvers indicate acceptance of the departures when approving the business case.
The Sponsor commits to communicate the expected activities, resource impacts, timings, deliverables, etc of the project over the coming horizon to all stakeholders (at least to high level). The detailed project plan will provide these to a greater detail.
If the Approvers accept the timing proposed by the Sponsor, then they are affirming that they believe that the proposed project has sufficient priority to deploy the resources required in the timeframes outlined. Approvers may approve a business case but ask that timings be changed to fit within a portfolio prioritisation. If this is so, then the Sponsor must affirm that this change has no material impact to the achievability of the benefits.
If the Sponsor has come to the conclusion that the project is not advisable as a result of undertaking the analysis required to develop a business case, then the business case should still be developed to demonstrate to stakeholder the reasons why the project does not “stack up”. The Approvers are then affirming acceptance of the recommendation and agreement with the analysis and estimates in the business case. Obviously an anti-business case is not required in this scenario.
It is important that all stakeholders know what commitments they are making when submitting and/or approving a business case. It is not simply a “Go/No Go” decision. Given this range of commitments made by both the Sponsor and the Approvers it becomes clear that a reliable set of unbiased assessments of likely costs, benefits, risks, interdependencies etc are required to ensure that stakeholders can make those commitments in an informed manner. An Anti-Business Case may be appropriate in some circumstances to help stakeholders make approval decisions with confidence. Can you think of a time when your organisation should have appointed someone to undertake an anti-Business Case?