business performance management: have we gotten anywhere? › sites › default › files ›...

March 2005 Vol. 18, No. 3

ACCESS TO THE EXPERTS

The Journal of Information Technology Management

Business Performance Management: Have We Gotten Anywhere?

BPM Is Strategic, SoCIOs Must Be StrategicBPM can impact the entire orga-nization. Rapid changes insideorganizations and within marketsrequire agile IT organizations thatcan not only accommodate thischange but also help lead it.CIOs need to think differently.

BPM Is Broad, So CIOs Must Be PreparedBPM systems touch many topics,including process management,measurement, compliance, security,integration of multiple quality andprocess frameworks, visualization,knowledge management, collabora-tion, and corporate culture. Gettingthe many facets of BPM right iscritical for success.

“BPM determines the key forces within andaround the enterprise that create success and,through the correct use of information technol-ogy, allows the enterprise to better monitor,predict, and manage those forces.”

— Vince Kellen, Guest Editor

Opening Statementby Vince Kellen 2

Are We There Yet? Three Challenges for BPM

by Russell Keziere 5

BPrM: The CIO’s Ticket Back to the CorporateMainstreamby Peter A. McGrath and Manoj Sinha 10

All Together Now: Merging IT Quality and Other BPM Frameworks

by Sevgi Ozkan 16

I Can See Clearly Now: BPM and Data Visualization

by Tawfik A. Hammoud 21

The Security Management Triple Play:Protection, Detection, and Visualization for SOX Compliance

by Anthony Tarantino 24

BPM: Out of the Darkness and Into the Lightby Vince Kellen 28

http://www.cutter.com

It is seductively easy to look atbusiness performance manage-ment (BPM) as a technology play,which partially it is. It is also notuncommon, in our haste as busi-ness or technology professionals,to elide the tremendous impactBPM can have on the success oforganizations. And in between thelower-level bits and bytes of BPMtechnology and the rarified airof BPM’s strategic impact lies aplethora of subjects too broad toadequately address in any medium,much less this one.

Even the acronym BPM is a bitbeguiling. We’ve deliberately cho-sen the term business performancemanagement instead of the morespecific terms business perfor-mance measurement or businessprocess management. Other catchphrases, such as the real-time enter-prise, business activity monitoring,corporate scorecards, key perfor-mance indicators, and even thedreaded word “dashboard,” justdon’t do the subject justice. Theseterms are narrower in scope, oftenmore focused on the technologyitself, and not inclusive of humanand business process concepts.

While it is true that the term “busi-ness performance management”frequently gets hijacked by soft-ware vendors selling everythingfrom accounting software to data

and application integration tools,the term (hereafter called BPM)captures the essence of the matterbest. Management is a multi-disciplinary affair; using thatterm instead of measurementbroadens the topic and gives it amore direct linkage to strategy.Reflecting this idea, Performance-Measurement.net, one of thetop BPM portals, uses the phraseperformance measurement andmanagement (www.performance-measurement.net). For its part,the UK’s Cranfield School ofManagement, one of the most pro-ductive centers of BPM research,uses the phrase measurementand management of organiza-tion performance (www.som.cranfield.ac.uk/som/research/centres/cbp).

How then would we define BPM?BPM is an approach to managingthe enterprise that goes further thantraditional accounting measuresand techniques. BPM determinesthe key forces within and aroundthe enterprise that create successand, through the correct use ofinformation technology, allows theenterprise to better monitor, pre-dict, and manage those forces.

BPM has a rich and varied history,interlinking with other conceptslike economic value added, activity-based costing, quality

management, and the balancedscorecard (BSC). Not surprisingly,BPM focuses on tangible assets andoperational processes, which aremore easily measured. However,in today’s markets, knowledge andother intangibles such as brandvalue, intellectual capital, and man-agement team performance arecoming up as emerging issues thatrequire better measurement andmanagement. On the softwareside, BPM has been addressed withevent management and alter soft-ware, BSC software, business activ-ity monitoring software, and, ofcourse, software carrying the busi-ness performance management/measurement banner. By my count,there are at least 50 software ven-dors in the market vying for ourattention.

With all the maturity and depthhere, why address BPM in 2005?Because mastering BPM is stillhard! New wrinkles appear and oldproblems resurface. While datasystems are improving, markets aremoving faster, creating change notjust from outside but within firms.

As you would expect, the authorsin this issue of Cutter IT Journaladdress some of those old prob-lems and a set of new, intriguing,and often little-discussed wrinkles.First up is Russell Keziere ofPegasystems Inc., a provider of

March 2005

Opening Statement

by Vince Kellen

more

than d

ash

board

s

©2005 Cutter Information LLC2

rules-based business processmanagement software. Kezierediscusses three key challengesfor BPM: the rate of change in busi-ness goals, increasing amountsof unstructured data and eventsto deal with, and lastly, the needfor speed. The perfect storm ofincreased compliance demand andongoing business change createsan execution gap in BPM systemdeployment. Keziere argues thatorganizations will need to adopt adifferent way of thinking in order toclose this gap.

Peter McGrath and Manoj Sinha,both BPM experts and solutionproviders, rightfully point outthat the process aspect of BPM iswhere the CIO can firmly implanthim- or herself in the corporatemainstream. They give us the eye-catching acronym BPrM (your eyeruns over the “r” like a road bump)to differentiate business processmanagement from BPM moregenerally. With the dominance ofenterprise resource planning (ERP)systems and the rise of customerrelationship management (CRM)systems, many CIOs are now pursu-ing process improvement to fostersuccessful adoption of ERP. BPMsystems are getting increasinglyagile, shortening implementationcycles and enabling CIOs to helpclose the BPM execution gap ofwhich Keziere reminds us.

There exists a strong relation-ship between BPM and qualityframeworks such as ISO 9000,Six Sigma, the Baldrige NationalQuality Program, and the like. Manyenterprises have adopted theseframeworks, typically with BPM

systems in place to support them.IT organizations, too, have longsince adopted such frameworks,typically tailored for the IT environ-ment. These include the SoftwareEngineering Institute’s CapabilityMaturity Models® (CMMs®), aswell as some newer frameworkssuch as CobiT (Control Objectivesfor Information and RelatedTechnology) and ITIL (IT Infra-structure Library). As BPM systemadoption proceeds, enterpriseswill often need to integrate or alignmultiple frameworks. Middle EastTechnical University researcherSevgi Ozkan compares and con-trasts several of these frameworksand shows how they can comple-ment each other, offering someinteresting conclusions for thosemanaging IT frameworks.

As we can easily imagine, lots ofdata flows through BPM systems.But just because we have accessto data does not mean that weare any wiser because of it. Howdata gets transformed into actionis a curious puzzle, and TawfikHammoud discusses the impactthat data visualization can have inBPM systems. I must admit that Ihave a soft spot for this topic, as mycurrent research is examining thispoint. The first (and current) cropof BPM analysis tools gave us thetypical dashboards and data dis-plays that we have known for thepast two decades. However, a newcrop of vendors and thinkers areeagerly exploring more advancedvisualization techniques that canaid in business decision making.Hammoud digs a bit deeperand discusses how these tools

Get The Cutter Edge free: www.cutter.com 3Vol. 18, No. 3

Cutter IT Journal®

Cutter Business Technology Council:Rob Austin, Christine Davis,Tom DeMarco, Lynne Ellyn,Jim Highsmith, Tim Lister, LouMazzucchelli, Ken Orr, Ed Yourdon

Editorial Board: Larry L. Constantine, Bill Curtis, Tom DeMarco, Peter Hruschka,Tomoo Matsubara, Navyug Mohnot,Roger Pressman, Howard Rubin,Paul A. Strassmann, Rob Thomsett,George Westerman

Editor Emeritus: Ed YourdonPublisher: Karen Fine CoburnGroup Publisher: Tara JohnsonManaging Editor: Karen PasleyProduction Editor: Linda M. DiasClient Services: Carol Bedrosian

Cutter IT Journal® (ISSN 1522-7383)is published 12 times a year by CutterInformation LLC, 37 Broadway,Suite 1, Arlington, MA 02474-5552,USA (Tel: +1 781 648 8700 or, withinNorth America, +1 800 964 5118;Fax: +1 781 648 1950 or, withinNorth America, +1 800 888 1816;E-mail: [email protected];Web site: www.cutter.com).

Cutter IT Journal® covers the soft-ware scene, with particular empha-sis on those events that will impactthe careers of IT professionalsaround the world.

©2005 by Cutter Information LLC. All rights reserved. Cutter IT Journal®is a trademark of Cutter InformationLLC. No material in this publicationmay be reproduced, eaten, or distrib-uted without written permissionfrom the publisher. Unauthorizedreproduction in any form, includingphotocopying, faxing, and imagescanning, is against the law. Reprintsmake an excellent training tool. Forinformation about reprints and/orback issues of Cutter Consortiumpublications, call +1 781 648 8700or e-mail [email protected].

Subscription rates are US $485 a yearin North America, US $585 elsewhere,payable to Cutter Information LLC.Reprints, bulk purchases, past issues,and multiple subscription and sitelicense rates are available on request.


mailto:[email protected]


mailto:[email protected]

©2005 Cutter Information LLCMarch 20054

can bring some answers to theBPM puzzle.

The US Sarbanes-Oxley Act (SOX),security, and regulatory complianceare typically not the stuff that BPMdreams are made of. However, intoday’s climate of increased regu-lation, this underbelly of BPMdemands CIO attention. SOX expertand regular Cutter Consortium con-tributor Anthony Tarantino exam-ines the details of compliance andsecurity management and dis-cusses what some of the leadingsoftware providers in this area arebuilding into their solutions. LikeHammoud, Tarantino also pointsout the need for information visual-ization to help enterprises effec-tively manage this now data-richworld of security and compliance.

Lastly, I leave us with a potpourri oftales from the darker side of BPM —and suggest that there is light at theend of the tunnel. Fellow practition-ers exploring this territory for thefirst (or even the second, third, orfourth) time might find interestingthe different potholes or bends inthe BPM highway that I’ve tried toshare here. Rarely is the path from

point A to point B a straight line,especially when it involves humanbeings, motivation, and our oftenconstrained brains. For example,BPM metrics, like car tires, wear outand need replacing. Organizationaldefensiveness can lead astray eventhe best of BPM plans. The knowl-edge within BPM systems oftenflows, like a meandering river, pastwater coolers and into corporateculture in unpredictable ways.While the obstacles are there, BPMsystems are nevertheless a potentcombination of knowledge andmotivation.

More than just a class of software,BPM systems are computingsystems and human processesclasped together. While we some-times struggle with this concept,we ought to remember that today’syouth established their social per-sonas using AOL, MSN, and Yahooinstant messengers (see avatars).For this group of future corporateleaders, it is not simply thatthe human processes are insidethe machine, it’s the soul of thehuman inside the machine. Whenthis generation reaches the exec-utive office, what will our BPM

systems look like? When humanpersonalities and computingarchitectures converge, the user-interface design and perhaps thefeatures themselves within thetechnical interface will change;they will also need to service per-sonal self-image needs. If so, whatdoes this have to say about metrics,measurement, and performancemanagement? Are we thinking toonarrowly given the next generation?

In his book ManagementChallenges for the 21st Century,Peter Drucker points out thatknowledge worker productivity isone of the key management issuesbefore us. That’s why it’s so fittingfor this journal to tackle BPM. CIOsand IT professionals stand in a hubof information and knowledge.Because the knowledge latentwithin BPM systems is tied soclosely to corporate action andhuman desires, it is perhapsthis knowledge that is the mostsignificant and strategic withinthe organization. CIOs will needto contribute their fair share bothtechnically and strategically tomake BPM a success.

The Politics of IT ManagementGuest Editor: Robina ChathamIT professionals are not typically prepared, by tradition or training, to deal with the ambiguities of organiza-tional politics. Yet there are times — many times — when “being right” is not enough. For IT professionalsto achieve their goals, they will have to learn to engage stakeholders and influence executive decision mak-ers. In our next issue, Guest Editor Robina Chatham will lead a lively debate on the politics of IT manage-ment. You’ll discover the six characteristics of a successful politician, find out how framing the politicalenvironment can impact decision making, and learn how to recognize common political “games” — and puta stop to them. Join us next month for an intriguing look at “the art of the possible.”n

ext

iss

ue

where

the r

ubber

meets

the r

oad

Get The Cutter Edge free: www.cutter.comwww.cutter.com/consortium/ 5

There are three challenges facingtoday’s business performancemanagement (BPM), both the busi-ness philosophy and the technolo-gies that support it. The first is theexponentially increasing rate ofchange to the goals and objectivesagainst which we measure our per-formance. The second is the newchallenge of encompassing com-plex, external unstructured dataand events. The third challenge,both for the technology and man-agement practice, is to act in atimely and effective manner on theimperatives that arise from perfor-mance measurement and analysis.

The BPM spirit is strong, but theoperational flesh, one might say,remains weak. We can see the“good” in our BPM balanced score-card (BSC) dashboards; we cansee clearly the start of a path toincreased growth, reinvestment incustomer equity and loyalty, andnew opportunities for productivity,but actually executing the processand business rule changes seemsno easier than it was before we hadthe vision.

PLANNING FOR UNPLANNEDCHANGE

The first challenge is self-evident toanyone following the global econ-omy. Globalization has made a

tremendous impact on the rate ofchange. For many organizations,outsourcing is a prerequisite forremaining or becoming competi-tive. Consumer goods manufactur-ers must ensure that their productcodes and supply chain logisticsmap to global and unique identi-fiers (i.e., electronic product codes[EPCs]), with radio frequency iden-tification (RFID) around the corner.Wal-Mart’s interdependency withthe Chinese consumer goodsmanufacturing sector (70% of Wal-Mart’s low-priced goods aresourced in China1) continues tospiral upward. Consolidation in thefinancial services sector continuesunabated. Against this backdrop,the changes in how we do busi-ness obviously increase, but moreimportantly, so too do our strategiesand goals — how we want to andknow we should do business.

Compliance with government-imposed reporting requirements,such as the US Sarbanes-Oxley Act(SOX), adds significantly to thechallenge of managing unplannedchange. Organizations must nowprovide full documentation of their

current processes, document allchanges to processes that affect thebusiness in a material way, andshow audit trails and prove appro-priate levels of security. No onewho has recently gone through aSOX 404 audit looks forward to thenext one. How can one think aboutplanning for change in the futurewhen you are forced to focus somuch energy on the past and as-isprocess? While SOX complianceis undeniably a costly burden, thelong-term result may actually pro-vide an unexpected dividend forBPM. Building cross-functionalprocess-centric perspectives andmetrics is ultimately useful forbuilding better-grounded, action-able, and measurable plans.

A senior database application man-ager at a global aerospace manu-facturing company confided to methat ever since his company built incompliance-oriented project man-agement and change requests(which oblige business sponsorsto justify and show strategic align-ment for new projects), the numberof poorly thought-out and allegedlyurgent but ultimately dead-endprojects that formerly preoccupiedIT development has dropped signif-icantly. The signal-to-noise ratio hasincreased, and they now find them-selves working on more projectsthat have a greater impact on the

Vol. 18, No. 3

Are We There Yet? Three Challenges for BPM

by Russell Keziere

1See Ted C. Fishman, China, Inc.: Howthe Rise of the Next SuperpowerChallenges America and the World(Scribner, 2005), especially chapter 10,“The Chinese-American Economy.”


business and the prospect of alonger shelf life. This is a goodexample of accountability at work;the business has achieved higherproductivity because governancerequirements have given it a defaultbaseline of processes to work andmeasure against.

Of course, metrics alone do notdrive business change. One SixSigma black belt at a utilities con-glomerate told me that the projectthat had the most impact on thebusiness (a business rules–drivenprocess management project) didnot fall within the strict guidelinesfor a Six Sigma project. She endedup selecting smaller, more easilymeasurable — but ultimately lessimportant — projects for heraccreditation.2

Globalization and compliance con-verge when management is forcedinto a cycle of continually revisingits goals and objectives. This cycleof change affects both the rate andvolume of granular proceduralchanges and business rulechanges. The gap between goalsand execution increases in the veryact of trying to bring the two closertogether. For example, an insur-ance company is tasked with intro-ducing many new and differentkinds of products, each requiringa different set of processes, proce-dures, and rules. As the teams

struggle to bring these newproducts to market, they must alsomaintain the old ones, leading todelays and an ever-increasing lagthat makes it difficult to catch up.

This is the perfect storm — obligedto comply, forced to compete, andburdened with newfound insightthanks to advanced business intelli-gence (BI) that further fuels a senseof urgency. In the same week thatApple’s stock split, HP (whoseshare price has remained flat since2001) asked its CEO Carly Fiorina tostep down, citing a pressing need to“execute” the strategy. Increasedvision and insight without the abilityto exercise effective change adds tothe execution gap. It is ironic thatone of the most ambitious businessprocess modeling projects everwas HP’s own adaptive enterpriseinitiative — the as-is and to-bestates were mapped to incredibledetail after thousands and thou-sands of hours of modeling. Alas,the project is on hold and did notexecute in time to be of assistanceto Ms. Fiorina (although one finds ithard to feel sorry for someone witha US $21 million severance pack-age). BPM, in short, cannot be atheoretical exercise. It must find away to be immediately actionableto accommodate the fierce rate ofchange in business today as well asthe growing burden of compliance.

SENSE AND RESPOND

The second major challenge facingBPM is the need to broaden itspurview to include unstructuredand complex event data within

the enterprise business intelli-gence dashboard. The BSCbecomes imbalanced quickly ifthe measurement criteria excludechanging events and discerniblepatterns found in both internal andexternal events. Event, causality,time, and event abstraction are ournew data attributes, and the vol-ume of data that must be parsedagainst these dimensions defiesimagination and metaphor.

Consider the use case of EPC-coded RFID chips in the millions ofproducts flowing through a globalsupply chain. EPCs are next-generation bar codes that not onlyidentify what kind of product hasthe tag but also the specific unit.Retailers and manufacturers will beswimming in an ocean of data asproducts are removed from storeshelves and inventory fill ordersare handled dynamically. But whatpotential event patterns will becorrelated and detected that willfurther drive the rate of businesschange as we know it?

Situations such as the Barings Bankfiasco (precipitated by the infa-mous rogue trader Nick Leeson,who traded derivatives on multipleexchanges in an attempt to hedgea hedge) are precisely the kind ofcomplex events one might want todetect earlier rather than later. And,of course, those microscopic andsoon-to-be-ubiquitous RFID chipswill mean billions of events every-where. It is interesting to note thattwo of the leading forces behindRFID adoption are the Chinese gov-ernment and Wal-Mart. If Wal-Mart


2Six Sigma aspirants must log a certainnumber of “flight hours” with projectsthat conform strictly to the Six Sigmaapproach of reducing measurabledefects and attaining quantifiableproductivity gains.

Get The Cutter Edge free: www.cutter.com

already imports $12-$20 billionworth of goods a year from China,how much more efficient could thecompany be in the future with anRFID-enabled supply chain? Inother words, the event cloudsare gathering and becomingomnipresent.

While complex event-processingtechnology is still emerging, it isnow included in the referencearchitectures and roadmaps frommajor IT vendors such as Oracleand IBM. The underlying premiseof complex event processing iscompelling. Business performancemanagers and management tech-nologies that remain blinkered tothis larger if initially bewilderingworld of event data will continue tobe surprised by change. An appro-priate first step is to ensure thatperformance management issupplemented by a “sense andrespond” capability that is changeaware, alert to events within theenterprise itself, and able to listenfor, detect, and correlate patterns.

THE EXECUTION GAP

The third challenge facing BPM isthe execution gap itself. We areasked to make operational changein a timely, iterative manner, tomake good on the promise of con-tinuous improvement, and to avoidthe fate of modeling and BI paraly-sis. However, the promise of a Webservices–driven architecture thatcan offer pan-application processtransparency to break down appli-cation silos needs a reality check.In the early days of enterpriseresource planning (ERP) implemen-tation, we would have considered

the expression “ERP silo” to be anoxymoron. ERP was supposed tobe the all-encompassing hub forthe enterprise, capable of support-ing many spokes. And yet in recentyears, we have come to speak ofERP systems as constituting silosthat are much larger and moredaunting than any of the others.(Just talk to anyone who has gonethrough an SAP upgrade lately.)

In the early days of enterprise appli-cation integration (EAI), we werewarned that integrating legacy orERP systems might involve signifi-cant duplication, as enterprisemodels, data, and processes weremirrored, patched, and connectedon initially passive bus frameworks.We did this, of course, to addressthe demand for more opennessand agility, to expose self-servicecustomer portals, and to providenimble, primarily Internet-basedapplications that could “bridge”existing applications. Now, how-ever, we are beginning to see EAIprojects stretching far into thefuture, and they appear as forbid-ding in scope as the legacy ERPsilos they were meant to bridge.

Services-oriented bus approaches,in their turn, offered the promise ofstandardization, of a level playingfield of device- and environment-independent business models.Sounds familiar! XML promised usportable data and B2B transparencybut instead delivered a confound-ing proliferation of conflicting stan-dards and no inherent ability topolice its own data integrity. Sotoo did the Enterprise Service Bus(ESB), which is becoming a victimof its own popularity. There are now

many flavors of ESBs, from multiplevendors, and this proliferation ofversions will require yet anotherlayer of translation. We must nownavigate across ESBs with theirvarious dialects in the same waywe convert one variant of SQL toanother to help transform databetween databases.

It is against this backdrop of highhopes, loosely coupled Web ser-vices enthusiasm, and even morework that we face the familiar prob-lem of executing informed businessprocesses and effectively messag-ing real-time operational changesso that the business can truly per-form against its own BSC. Businessprocesses span applications andtrading partners, but proceduresand practices are discrete, specific,and situational. If process man-agement is to become effective, itneeds to incorporate rules-drivenbusiness models. (Disclosure: I amemployed by Pegasystems Inc., asoftware vendor that offers rules-driven business process manage-ment, and I am naturally informedby the company’s research andphilosophy.)

Process management is by its verynature procedural, rooted in work-flow, but it is inspired by the changeimperative. Performance manage-ment leads inevitably to declarativeobjectives, goals that are obliviousand insensitive (as they should be)

Vol. 18, No. 3 7

The event clouds are

gathering and becoming

omnipresent.


to the impact they have on process.This longstanding debate has domi-nated computer science textbooksfor the past two decades, and it hasstrong parallels in business. Thedeclarative programming world(Prolog, LISP, etc.) resembles theexecutive management of a busi-ness in that it does not especiallycare how specific goals areachieved, so long as they are.Meanwhile, those in the proceduralworld care very much which stepfollows the next, since they are theones that must do it. Rules-drivenbusiness process management hasbecome the place where these twoworlds collide. The strong declara-tive heritage of rules engine andrules management technologies isan important and missing part ofthe puzzle.

RULES RULE

Rules were born in the early 1980s,part of the declarative program-ming movement within expertsystems and artificial intelligence.They were once the sole domain ofhealthcare, financial services, andinsurance organizations, whichused them to handle large volumesof complex claims and exception

processing. But business rules arenow becoming more and moremainstream. The number of busi-ness applications and softwarecompanies that will be adding arules engines capability to theirportfolios is growing steadily.Oracle, CA, Microsoft, and IBM, forexample, now have rules withintheir roadmaps and referencearchitectures.

Rules are in fact destined tobecome a larger part of ourInternet life, as a cornerstone ofthe Semantic Web. This academicand industry project intends tobring into existence a smart Web,one that can search, sense, andrespond to “meaning” rather thanmerely repetitive or frequentlysearched words. The SemanticWeb wants to provide context andlogic rather than just communicatepackets. Distributed and connectedinference rule engines that cantranslate, normalize, deduce, anddetect will help make the SemanticWeb real. (Interestingly, the busi-ness rules community also includesearly adopters of Semantic Webconcepts; they have reason toconverge.)

In the meantime, while theSemantic Web bubbles in thebackground, rules lend themselveswell to the situationally specificrequirements for executing busi-ness decisions. They also offeran effective conduit for commu-nicating and executing iterativelychanged processes that come fromgoal expressions without any pre-determined procedural path (i.e.,“I don’t care how you get it done,

just do it”). Once these rules andthe precise specific responsesthey produce can be (1) managedeasily without egregious coding,(2) rendered visible, and (3) eas-ily maintained in real time, theirimportance to BPM as a whole willbe even greater, and we will findthem an effective means to helpclose the gap between goals andexecution.

CONCLUSION

Business performance manage-ment, as a business strategy,implies a higher order of reportingand analysis; one that:

Spans internal processes aswell as unstructured externalevents

Can create a synoptic viewof all these events (a singleview of the truth)

Assumes that the businesscan effectively measure itselfagainst goals (a BSC)

Today’s software vendors offer tohelp achieve some of this, withsuite offerings that combineenterprise information integration,activity-based cost accounting,business analytics, opportunisticdata aggregation, dashboard para-digms that offer a view of the puls-ing vital statistics of an enterprise,cross-functional process monitor-ing, and more.

Industry analysts who cover BPMwant it to be “agile” — a part of the“real-time” enterprise. They want itto create “a business nervous sys-tem” and help foster an “adaptive


The declarative program-

ming world resembles the

executive management of a

business in that it does not

especially care how specific

goals are achieved, so long

as they are.


enterprise.” These word choicesare revealing, as they point not justto the technology or to the businessphilosophy but also to the peoplewho use it and deploy it. To attainthis adaptive and agile state, oneimagines empowered championsand a team of inspired IT profes-sionals who somehow find the timeto nail down a robust enterpriseobject model in between patchingup the sagging legacy infrastructureand beating away a clamoringhorde of business users who keepadding to a backlog of applicationrequests that never seems to dimin-ish — no matter how enthusiasticthe Jolt Cola devotees of RationalUnified Process or agile program-ming might be.

Technology alone is not a magic pillthat will create the adaptive busi-ness nervous system that allowsyou to work in real time. Theseadjectives (“agile,” “adaptive,” and“nervous”) describe the future ofBPM to be outward-facing, current,and mapped to the strategic think-ing of the enterprise. The globaleconomy is a busy, nervous placeto be sure, made even busier bygovernance and compliancerequirements. The universe ofcomplex event data threatens toincrease the velocity and magni-tude of change even more.

It is the nature of business goals tobe injunctive and declarative. Andit is the nature of performance ana-lytics to be summary and abstract.Increased clarity and visibility arewelcomed, but they also exacer-bate the execution gap, since theBPM vision inspires new goals,corrective measures, and a senseof urgency and opportunity. LikeTantalus, we find that the object ofour desire remains forever out ofreach. That is why business perfor-mance management must becomepart of a much more holistic andcohesive approach and includeprocess management and theimmediate execution of new busi-ness rules and policies. When thathappens, our performance metricsdashboards — useful for knowingwhere we are going and how fastand how much fuel we have left —will finally be equipped with anaccelerator pedal, a brake, a turnsignal, and a steering wheel.

Russell Keziere is VP of Business ProcessManagement at Pegasystems Inc., theleading supplier of rules-driven businessprocess management software. He hasworked as a consultant, analyst, andwriter, and has worked in and com-mented on the software industrysince 1983.

Mr. Keziere can be reached [email protected].

Vol. 18, No. 3 9



inte

rnal re

venue s

erv

ice

March 2005

The IT profession has suffereda thousand cuts over the pastdecade. In many organizations,the CIO position has lost status,and its place on organizationalcharts has been marginalized.

One of the key reasons is that theCIO’s role has traditionally beenviewed as a support function,which by definition comes with itsown constraints. In order to gainleverage in the decision-makingprocess and exert a greater influ-ence in a company’s operations,CIOs need to embed their IT organi-zations in the revenue-generationprocess.

CIOs have traditionally catered tothe information requirements ofpeople within their organizations.To become more effective, theymust expand their focus to includecustomers and vendors, payingspecial attention to attracting andserving the customers who providethe revenues essential for the orga-nization’s very existence.

The information, automation, andsupport needs of the CIO’s IT orga-nization will therefore change as aresult of this market/revenue focus.CIOs must refocus their prioritiesand goals, placing particularemphasis on integrating channelsof delivery, creating integrationlinks between information silos,creating the flexibility necessary to

change process configurations anddefinitions as needs change, and,most importantly, identifying oppor-tunities to use variable or utilitypricing (as opposed to infrastruc-ture pricing) for identified solutions.

As we discuss in this article, theemergence of business processmanagement (BPrM) technologypresents CIOs with an opportunityto deliver on these requirements,making the CIO an essential part ofthe operational and strategic partsof the organization.

THE RISE AND FALL OF THECIO ROLE

The role of CIO arose in responseto the need that corporations andgovernment organizations had toput one individual in charge of therapid adoption of computer-basedtechnology. The CIO’s role began inthe 1960s with the implementationof mainframe software applicationsdesigned initially for accountingpurposes and then, dependingon the organization, for othercore functions such as humanresources, production, sales, andinventory control. At the beginningof the information technology age,few people understood IT or hadthe skills needed to make it workin a large organization. Both public- and private-sector entitiessaw the need to reward those who

had this expertise, and the resultwas the creation of high-level CIOpositions throughout industry andgovernment. The rise of the PC inthe 1980s, however, created condi-tions that started a move towardcommoditization of IT, and oneresult has been a subsequentreduction in the corporate statusof those in the CIO position.

This trend accelerated with theadvent of vendor-provided enter-prise resource planning (ERP)and customer relationship manage-ment (CRM) software, which moreoften than not went notoriouslyover budget and demanded thatorganizations make significantchanges to business processes inorder to implement these systems.In addition, complex CRM and ERPsystems are big-budget projectsthat often require the assistance ofthird-party IT consultants, increas-ing costs even more. One of theunintended consequences of thishas been the relative decline in sta-tus of the traditional CIO. Withoutthe ability to implement these proj-ects with internal resources, theCIO’s role has been reduced to thatof being a coordinator of third-partyconsultants.

Although the results of ERP imple-mentations have often been dis-appointing, the problem withthese ERP systems has not been

BPrM: The CIO’s Ticket Back to the CorporateMainstream

by Peter A. McGrath and Manoj Sinha

Get The Cutter Edge free: www.cutter.com Vol. 18, No. 3 11

the software itself but rather theneed to customize the software tofit the unique business processesthat typically exist within eachcompany. Organizations trying toimplement a one-size-fits-all ERPsystem have found themselves fac-ing the daunting task of having toreengineer each of their businessprocesses to conform to vendor-supplied, hardwired ERP soft-ware solutions that reflect the waybusiness processes supposedly“should” work, as opposed to whatmight be best for each individualorganization.

ERP implementations carry sig-nificant costs for an organization.The up-front license costs and theongoing yearly maintenance costsare not inexpensive. In addition,the need to reengineer businessprocesses can be internally disrup-tive and push other important proj-ects further down the priority list.Implementation time is oftenmonths longer than expected, andfuture modifications often requirecostly customization. The budgetfunds to do this reengineeringare often dollars that have beendrained away from the CIO’s bud-get, thus further marginalizingthis position within the organiza-tion. Even more frustrating is therealization that after organizationsspend all this money on theseenterprise-class solutions, theapplications lack the necessaryflexibility to adapt to changes inenvironment, business processes,and evolution in the organizationover time, leading to a disconnectbetween solutions and users.

Another significant problem isthat these solutions come withan infrastructure cost model thatrequires significant up-front invest-ment and a long gestation periodbefore any results can be seen.To be fair, these past investmentsin technology are now beingabsorbed and have resulted insome improvement in operationalefficiency. However, the goal of ERPadvocates to fully integrate all keyfunctional aspects within an orga-nization has remained elusive.

CIOS: THE REALITY TODAY

Revenue generation is critical forany organization. Those role play-ers in an organization that con-tribute to revenue generationtypically control the decisionsabout what investments areneeded to make that revenuegeneration possible. Since inmost organizations the CIO is asupport role and not a revenue role,there is seldom any opportunity toplay a significant part in the organi-zation’s decision making. For thisto change, the CIO needs to beembedded in the revenue-generation process.

Technology-driven organizationsthat have embraced the role oftechnology and use it to bring theirproducts and services to markethave placed key executives in theCIO position. Certain leading finan-cial services organizations andleading Internet retailers are primeexamples of such organizations.

CIOs must explore additionalstrategies to bring value to their

organizations and search for betterways to provide and pay for newtechnology. They must identifyways to bring operational improve-ments to their organizations withminimum risk of failure, at a rea-sonable cost, and without thedelays that have been problems inthe past. CIOs who can accomplishthese tasks will see their statuswithin the organization rise and findthemselves recognized as corpo-rate heroes.

WHAT IS REQUIRED: FIVE SUCCESS FACTORS

The pathway to success for theCIO includes five key successfactors. Any successful IT strategyneeds to address these factors:

1. Customer focus. CIOs needto insert themselves in theprocess of revenue generation,which will give them the nec-essary maneuvering room forother initiatives. To achievethis key objective, they needtools that are adaptable to thechanging needs of the market-place; that help integrate dis-parate systems in order toprovide relevant information tocustomers in an accurate, effi-cient, and timely manner; andthat help deliver these throughdifferent channels — phone,fax, portal, e-mail, paper.

To play a significant part in

the organization’s decision

making, the CIO needs to be

embedded in the revenue-

generation process.



2. Adaptable architecture. Anystrategic solution the CIOconsiders should have theflexibility to deliver support forchanging business processes.CIOs can increase the proba-bility of success by using toolsand technologies that not onlyprovide a good initial fit butalso have an architecture thatsupports easily changing con-figured processes at minimalcost. An adaptable architectureallows the organization toleverage the same investmentin ever-changing business sce-narios and provides the flexi-bility needed to achieve themost cost-effective solutionfor process execution.

3. Time to market. Anotherimportant aspect of any pro-posed approach is the speedat which solutions can bedelivered to users, customers,and vendors. This meansaccelerating all the activitiesof a project, from concept toexecution (i.e., system design,configuration, and implemen-tation), with the ultimate goalbeing the delivery of informa-tion to the customer in a timelyfashion.

4. Open, interoperabletechnologies. The CIO whoinvests in solutions based onopen technologies will havethe flexibility to leverage exist-ing infrastructure and keep awider variety of options openboth in terms of computinginfrastructure and the kindof “experts” and “expertise”required.

5. Utility pricing. Equallyimportant for CIOs is to have

maximum flexibility whencommitting an organization’sresources to new initiatives.CIOs must be able to easilyswitch technologies, products,and tools if they find a certainapproach does not work.Utility or usage-based pricingmodels will help the CIO tomeet this requirement.

THE BPrM STRATEGY

The BPrM approach has emerged inthe past several years, and it holdsthe promise to address most if notall of the issues discussed above.In its most basic form, BPrM helpsautomate and streamline businessprocesses. It does this efficientlyand without having to resort totime-consuming engineering tasks.Built on top of a relational database,BPrM allows for process simula-tions, captures transactional infor-mation, and provides managerswith process dashboards and theability to access statistical reportsand documents via a secureWeb portal.

HOW CAN BPrM HELP?

BPrM stands in contrast to the tradi-tional approach of managing theentire system development, deploy-ment, and maintenance lifecycle.

This approach either deploys off-the-shelf products and customizesthem to the extent possible orinvolves the design and use ofcustom applications. The solutionsthat this approach provides hasthe disadvantage of being “hard-wired.” This makes the approachdifficult for organizations to easilyadapt it to changing market andbusiness conditions or alter it if therequirements were not properlyunderstood in the first place.

The BPrM approach and the toolsthat subscribe to it have the capa-bility to integrate different silos ofinformation and configure changesto business processes — makingit possible to rapidly configure,deploy, and implement processes.This will help CIOs achieve theirobjective of being more responsiveto the needs of information con-sumers. BPrM tools, because oftheir ability to map and configurebusiness processes on a living-breathing enterprise deploymentplatform, offer an ideal means ofbeginning to attack these issues.An end-to-end BPrM solution canhelp integrate different applicationsalready in production as well asprovide a way to unify deliverychannels.

Disparate systems, isolated imple-mentations, and paper are someof the worst obstacles to achievingsuccess with business processimprovement initiatives. Integratingthese information silos and fillingfunctionality gaps is perhaps thefirst, most significant step towarda whole new level of processimprovement. Accomplishing this

Any strategic solution the

CIO considers should have

the flexibility to deliver

support for changing

business processes.


is not easy, but there are somestrategies available with BPrMtechnology that will make it easierto achieve this goal.

Hands Off the Business Processes!One of the biggest advantages ofthe BPrM approach is that there isno need to reengineer businessprocesses, an activity that carrieswith it a tremendous businessdislocation risk. While businessprocess reengineering has its mer-its, any reengineering exerciseshould be mandated by businessneeds rather than dictated by therequirements of implementing ahardwired solution. The BPrMapproach facilitates replicationrather than replacement of currentbusiness processes. Any solutionshould work with “the given” in anorganization — starting with its peo-ple. The BPrM approach helps cap-ture the organizational structure,the roles in the organization, andthe designated individuals who fillthose roles.

What makes BPrM technology sin-gularly applicable to meeting theneeds of CIOs is its ability to map,configure, and deploy businessprocesses without the need to writecustom software code. What usedto take weeks and months of soft-ware development time can nowbe done in hours and days. Further,changing a process once built andimplemented is no longer a time-consuming and expensive task. Allthis places CIOs in a position wherethey can respond rapidly to thechanging needs of informationconsumers.

What We Have Here Is a Failureto CommunicateBPrM technologies also providea solution to the problem repre-sented by those standalone silos ofinformation that can’t communi-cate with each other. This problemhas arisen because of the way infor-mation technology has evolved.Applications and databases werecreated to store information relatedto a specific problem or functionalarea within an organization, suchas production, inventory, oraccounting. These were developedat different times and often withoutconsideration being given to otherorganizational units.

Moving information from one siloto another is not an easy task. Theresult is that when informationneeds to be exchanged, theprocess often breaks down. Ittypically requires communicationusing spreadsheets, documents,faxes, e-mails, or phone conversa-tions. This leads to duplication ofwork, threatens the integrity ofdata, and introduces inefficienciesinto a business process.

While all this may not seemsignificant with respect to any oneperson or activity, when taken as awhole across all functional areaswithin an organization, the impactson cost and responsiveness to theinformation consumer are huge.Most BPrM tools provide featuresneeded to ease data interchangewith other databases and legacysystems. This means that disparatedatabases and application systemscan now “talk” to each other. Asa result, BPrM technology hasgreatly improved the potential

for business process improvementand increased the organization’sability to respond to informationconsumers.

Play by the RulesBPrM tools are designed so thatbusiness rules are embedded inthe process. Participants in aprocess are required to followthese business rules in order for agiven transaction to move forward.Compliance with company policiesand government regulations suchas the US Sarbanes-Oxley Act thusbecomes easier to enforce andmanage. With BPrM’s strong report-ing and tracking capabilities, man-agers at all levels now have a toolwith which to develop perfor-mance standards and the metricsby which to measure success. Thenet result is better information onwhich to base decisions; and theperson at the center of makingthese improvements possible isthe CIO.

Transact, Document, CalculateAs complex entities, organizationsspend significant resources com-municating internally and exter-nally with vendors, partners,regulators, and customers —the information consumers.Transmitting documents as e-mailattachments has certainly been animprovement over sending hard-copy documents by mail and fax.

The person at the center of

making these improvements

possible is the CIO.


E-mail, however, is only a partialsolution. While e-mail messagesfacilitate quick communicationboth internally and externally, theinformation they contain still needsto be filed and stored for later use.Users can save the electronic fileswithin their e-mail program or printout e-mails and file them with otherrelated paper documents. Neithersolution is very efficient.

The goal of better information deliv-ery can be achieved by unifying theworlds of document processingand transaction processing. Thiscan be done by providing unifieddocument repositories and trans-action databases that can beaccessed with a Web browser fromany location with Internet access.This would directly lower the costof retrieving information in a timelymanner.

And Then Automate and IntegrateOrganizations have made greatprogress in automating their corebusiness processes. However,processes that involve paper andsome form of manual activity stillremain in every organization, andthey consume a disproportionate

amount of an organization’sresources. BPrM can be used tostreamline these remaining paper-intensive and manual processes.Most business processes stillrequire people to use e-mail, fax,or phone. There is an enormousopportunity to increase efficiencyby automating these processes,and the CIO now has a technologysolution available that can makethis possible on an incrementalbasis using internal resources.Because of BPrM’s flexibility, it canbe used to automate processesthat are small in nature and involvenonstandard components. BPrMalso makes it possible for the CIOto provide a quick action responsein a corporate environment thatincreasingly faces change driven bymarket reactions and regulations.

BPrM technology has emerged andmatured over the past three to fouryears. There are several vendorsthat now offer this software, andeach product offers its own uniquefeatures and user interface. Whatall of these solutions have in com-mon, however, is the ability toautomate almost any businessprocess regardless of industry orfunctional area.

Each step in a process usually hassome activity that needs to bestreamlined and automated. BPrMsoftware has process modelingand configuration componentsto design and replicate theseactivities. Using these BPrM fea-tures, an organization can specifyand configure the business rulesassociated with each step in theprocess. The process can then be

deployed without having to expendtime and money reengineering it.

BPrM solutions also provide fea-tures that allow administratorsand managers to track and monitorthe status of every transaction in aprocess. Some BPrM systems havea built-in simulation tool that allowsplanners to do “what if ” analysis toidentify and cure potential systembottlenecks.

WHAT ARE THE BENEFITS OFBPrM FOR THE CIO?

Looking at the five key successfactors for a successful technologystrategy, BPrM gives the CIO whatis needed to address these chal-lenges. BPrM is a strong customerfocus tool because it is adaptable tothe rapid economic and financialchanges that result from changesin consumer tastes, rising or fallinginterest rates, and global marketforces. When change comes, as itinevitably does, BPrM’s adaptablearchitecture enables the quickresponse to market changes thatis impossible with hard-wiredapplications. A corollary of this isthe speed that BPrM offers in thequest for ever more rapid time-to-market solutions. BPrM’s open,interoperable technology and thefact that it can be priced on a utilitybasis also provide potential costsavings. With the advent of BPrM,the CIO can be a catalyst for signifi-cantly improving the organization’soperations on both the revenue-generation and cost fronts. WithBPrM, CIOs now have a tool to pro-vide the necessary speed, flexibility,and integration between systems


When change comes, as it

inevitably does, BPrM’s

adaptable architecture

enables the quick response

to market changes that is

impossible with hard-wired

applications.


and channels of delivery. Thesesystems become more responsive,thus resulting in better customerservice, increased satisfaction,and higher revenues.

In terms of developing automatedsystems, what used to take weeksand months can now be done inhours and days. Keeping auto-mated processes in sync withchanging requirements is mademore affordable due to the flexibil-ity inherent in the BPrM approach.By increasing productivity (andthus reducing costs), BPrM offersanother significant opportunityfor CIOs to create value for theirorganizations.

It is clear that because of BPrM,the time is ripe for CIOs to reestab-lish their leadership position inusing technology to improve theoperations of their organizations.

BPrM is now a key factor that willhelp CIOs make more money fortheir companies. While BPrM canadd dollars to the bottom linethrough cost reduction, rememberthat it is revenue enhancement thatwill attract the most attention andresult in a new corporate status forthe CIO.

Peter A. McGrath is CEO of Coriendo,LLC, which is based in Rosemont,Pennsylvania, USA. Coriendo providesBPrM solutions to private- and public-sector organizations.

Mr. McGrath can be reached at Tel: +1 610 527 1411; E-mail: [email protected].

Manoj Sinha is founder and CEO of BISIL, which is based in Rosemont,Pennsylvania. BISIL has developed andmarkets an acclaimed BPrM softwareproduct called Enj. He is also cofounderof Coriendo.

Mr. Sinha can be reached at Tel: +1 610527 8890; E-mail: [email protected].



whate

ver

work

s

March 2005

INTRODUCTION

Today IT managers can choose froma bewildering array of quality disci-plines for performance manage-ment. On the one hand, CEOs tendto dictate such well-recognizedquality models as Six Sigma, theEuropean Foundation for QualityManagement (EFQM), the BaldrigeNational Quality Program (BNQP),and ISO 9000. These are temptingapproaches since quality theoryoriginates from business processenvironments. On the other hand,IT auditors impose IT-focused disci-plines, such as Capability MaturityModels® (CMMs®) for softwaredevelopment, CobiT (ControlObjectives for Information andRelated Technology), and the ITIL(IT Infrastructure Library) for IToperations and services. But canthe IT-focused quality frameworkscoexist with the well-known busi-ness performance management(BPM) frameworks? Moreover,how can the effectiveness of suchcoexistence be evaluated?

In this article, I argue that presentIT performance measurement dis-ciplines are highly sophisticatedand comprehensive. One of theunderlying reasons for this is thatwhereas most early applicationsof IT were “discrete technologies”applied to specific or closely

related functions, these compre-hensive IT frameworks attemptto integrate and link together thewhole range of functions across anorganization. This comprehensive-ness often makes them much toodetailed to be practical, and thusthese models are not as effectivein practice as they are intended intheory. As a consequence, organi-zations seek reduced complexity,either choosing to (1) build theirown quality framework, or (2)merge or fuse the available frame-works, taking the best of eachmodel and making use of two orthree models simultaneously [2].

I will argue that none of the qualitymodels or quality frameworksshould be seen as a substitutefor or a competitor with another.Depending on the type of the orga-nization, one framework on its ownmay not be sufficient, and thereforetwo or more frameworks may beapplied together in complementaryfashion. For instance, very often theCobiT framework is too genericto make the control objectivesoperational. To translate the controlobjectives to concrete measures,organizations can use such stan-dards as the CMM for softwaredevelopment, ITIL for IT servicemanagement, and/or ISO forgeneral quality management.

There are various success storieswithin the empirical research litera-ture that demonstrate the effective-ness of “model alignment” and“model combination” in suchcompanies as Philips, HP, NortelNetworks, and Mastercard [3, 4, 7].Such alignments (fusion models)take the best of each model to cre-ate the most effective and efficientmethods for the organization. Afterdetermining which IT processesare relevant for a particular organi-zation, the models and methodsincorporated in an IT quality disci-pline (i.e., CobiT, ITIL) should beused. In the remainder of this arti-cle, I briefly describe the CMM,CobiT, and ITIL performance man-agement frameworks and discuss:

Business process fusion

Applicability and the impor-tance of the organizationalcontext

The complementary natureof the frameworks

Process alignment

CMM, CobiT, AND ITIL

It has been observed that, in mostorganizations, senior IT managerssee IT management frameworks(CobiT for IT management auditand ITIL for IT service man-agement) as the holy grails of

All Together Now: Merging IT Quality and Other BPM Frameworks

by Sevgi Ozkan


business-IT alignment. However,they are IT management frame-works, not business managementframeworks, and as such theyplace IT in the middle and thebusiness on the outside. As longas IT clings to its own frameworksand shuns business managementframeworks that are shared acrossthe business (including IT), thenthere is a poor chance of alignmentand no chance of integration. Theresult is bad news for the businesswhen it comes to agility and valuefor money.

Organizational case studies haveshown that alignment of businessprocesses with IT is hard to achieve[1, 4, 9, 11]. Organizations are try-ing to find answers for the perfectalignment of their IT and businessgoals [1], and one common strat-egy is to align business processes inthe IT function with process modelsand methodologies such as CMM,CobiT, and ITIL [3, 4, 6, 11]. Theseall are practical choices for achiev-ing best practice performance.Table 1 provides a brief comparisonof CMMs, CobiT, and ITIL.

As the pace of change in businessincreases, business risk is com-pounded by unaligned and rigidIT infrastructures. However,enterprises that achieve businessprocess fusion (i.e., coexisting per-formance management models)will see increased IT infrastructureflexibility, which mitigates risk andimproves returns.

BUSINESS PROCESS FUSION

Business process fusion isthe transformation of business

activities brought about by integrat-ing previously autonomous busi-ness processes to create a newscope of management capabilities.It will drive stronger alignment of ITwith core business processes andprovide linkage of operational andmanagement processes with a trueend-to-end scope.

Business process fusion shouldnot be seen as just another IT inte-gration project. The objective ofCMM-CobiT-ITIL process alignmentstrategies is to integrate busi-ness processes to create value,regardless of how — or evenwhether — the underlying technol-ogy is integrated. In that regard, busi-ness alignment (in the context of ITgovernance) can be viewed as busi-ness driving IT (top-down) and ITdriving the business (bottom-up).This is achieved through a combina-tion of leadership, organizationalstructure, and processes.

Business driving IT, in theory, is cas-cading strategy and objectives downinto the organization. The organiza-tion is responsible for determiningits business objectives and the ITstrategic plan based on these objec-tives, and it must ensure that thenecessary control processes andmonitoring mechanisms arein place. The latter, IT driving busi-ness, refers to the feedback loop.It is a continuous metric-drivenprocess that checks IT performanceto enable the organization to takecorrective action when reports indi-cate that IT is not in alignment withbusiness goals and to ensure contin-uous improvement.

“When looking at business in itsentirety, strategy-aligned changelinks with business process fusionto help overcome the disconnectbetween top-down policy, strategy,change, and bottom-up infrastruc-ture constraints we call the GrandCanyon of Strategy,” said businessanalyst Jorge Lopez. “This processcoincides with the two things exec-utives say are the most difficult tochange: corporate culture andinformation systems. Using thisapproach improves businessreturns, resolves internal conflicts,reduces business risk, and definesIT infrastructure” [6].

APPLICABILITY AND THEIMPORTANCE OF THEORGANIZATIONAL CONTEXT

The IT quality models that havebeen briefly discussed here aremost appropriate for use by orga-nizations whose organizationalgoals are explicitly defined. Thismeans that organizations willing touse such disciplines should havetheir processes specified with con-crete definitions of inputs and out-puts. This is usually the case forprofit-oriented organizations wherethe organizational goals are clear-cut (cost, effort, ROI, production,etc.). When the organization’sbusiness goals are well defined, atop-down approach may be taken.Implementing such a top-downapproach would commencewith redefining and modifying thebusiness processes of the organiza-tion. These optimized businessprocesses may then be alignedwith an IT framework.



This implementation approachsupports the argument that “anysystem can be said to be effectiveas long as it adds value to theorganization’s goals” [11].However, it is important to

underscore here that this couldonly be valid for profit-orientedorganizations whose organizationalgoals are explicitly defined withmeasurable inputs and outputs.

THE COMPLEMENTARY NATUREOF THE FRAMEWORKS

None of the quality models orframeworks should be seen asa substitute for or a competitor

Framework

Sponsor

What It Is

Strengths

Limitations

CobiT (Control Objectives for Information and Related Technology)

Information Systems Audit and Control Association and the IT Governance Institute

An audit-oriented set of guidelines for IT processes, practices, and controls

Geared to risk reduction, focusing on integrity, reliability, and security

Addresses four domains: planning and organization, acquisition and implementation, delivery and support, and monitoring

Has six maturity levels, similar to the CMMs’

Good checklists for IT

Enables IT to address risks not explicitly addressed by other frameworks and to pass audits

Can work well with other quality frameworks, especially ITIL

Says what to do but not how to do it (i.e., weak in processes)

Doesn’t deal directly with software development or IT services

Doesn’t provide roadmap for continuous processimprovement

ITIL (Information Technology Infrastructure Library)

The UK Office of Government Commerce, Pink Elephant, and others

Best practices for IT service management and operations (such as service-desk, incident, change, capacity, service-level, and security management)

Especially popular in Europe

Well established, mature, detailed, and focused on IT production and operational quality issues

Can combine with CMMI to cover all of IT

Doesn’t address the development of quality management systems

Not geared to software devel-opment processes

Use is highly dependent on interpretation

Limited in security and system development

CMMs (Capability Maturity Models)

Software Engineering Institute (SEI), Carnegie Mellon University

Maturity growth models organized into five maturity levels

Allow organizations to assess their practices and compare them to those of other organizations

CMMs that the SEI is currently involved in developing, expanding, or maintaining are:1. CMMI (CMM Integration) 2. P-CMM (People CMM)3. SA-CMM (Software Acquisition CMM)

Most comprehensive process improvement models available for product and service development and maintenance

Strong in organizational practices and provide a roadmap for continuous process improvement

Build on and extend the best practices of CMMs and other process improvement models

Can be used for self-assessment

Don’t address IT operations issues, such as security, change and configuration management, capacity planning, troubleshoot-ing, and help-desk functions

Focused exclusively on software development processes

Set goals but don’t say how to meet them

Table 1 — Definitions and Comparison of CMMs, CobiT, and ITIL [4, 5, 8-10]


to another. For process alignmentpurposes, any two, three, or moreof these may be combined, orthey may be used separately. Forinstance, the CobiT frameworkmay be aligned with ITIL, CMM,and ISO, as mentioned above.

ITIL tracks problems in IT serviceareas such as help desk, applica-tions support, software distribution,and customer-contact system sup-port, and it overlaps CMM in certainareas such as configuration man-agement. For example, ITIL tracksthe changes made to operationalsystems, but the quality of thosechanges — in terms of the numberand severity of problems resultingfrom them — is more a CMM metric[6]. Similarly, John Lainhart [8], oneof the developers of CobiT, statesthat CobiT and ITIL should be seenas complementary and not com-petitive. ITIL describes servicemanagement processes and rec-ommends security and controlpractices, but it does not have astandard for them. This is whereCobiT comes in, because it pro-vides a framework to performaudits on a particular organization’sITIL processes. So rather than com-pete, CobiT and ITIL complementeach other.

One of the many examples of suchsuccessful alignments is the Philips’IT performance measurement strat-egy [4]. The Philips InternationalBV internal audit department hasa long-standing tradition of usingCobiT along with the company’sperformance measurement pro-gram. In addition to extensive inter-nal audit implementations, thecorporate IT department of Philips

International used the CobiT frame-work when participating in twocompany-wide initiatives:

1. The BEST (BusinessExcellence through Speedand Teamwork) qualityimprovement program. Thisprogram has strong, visiblesupport from senior manage-ment and is one of the topfive items on the managementagenda. As part of this pro-gram, Philips developed aprocess survey tool for IT,which is completely basedon the CobiT model.

2. The Statement on BusinessControls program. This formalstatement is issued by eachorganizational unit withinPhilips. It is consolidated intothe annual report’s internalcontrols statement and there-fore has complete support ofsenior management. The ITsection of the Statement onBusiness Controls is also basedon the CobiT control objectives.

PROCESS ALIGNMENT

It is also evident from the empir-ical research that once they arealigned with the organization, cur-rent IT quality disciplines facilitateroot-cause analysis of problems(i.e., finding the real cause of aproblem and dealing with it ratherthan simply continuing to deal withthe symptoms). These models aregood at identifying what needsto be done; however, they do notprovide much guidance on howto fix a problem or on how toachieve the IT performanceobjectives. For instance, CobiT doc-umentation provides definitions for

all control objectives but does notguide the organization toward theachievement of these documentedobjectives. It does not even providea roadmap for aligning the organi-zational processes with the CobiT.

This is one of the reasons why largeIT organizations tend to developtheir own IT quality frameworks.Only in this way can they can makeeffective and efficient use of suchmodels as CobiT or ITIL. Thesecustom-built, home-grown ITquality frameworks are well suitedto the organization’s goals, andtherefore they can be aligned withthe organization’s business objec-tives. For example, HP has its ownprogram called HP OpenView, inwhich it maps ITIL to the CobiTand COSO (Committee of Sponsor-ing Organizations of the TreadwayCommission) frameworks.OpenView combines industry con-trol frameworks in both accountingand IT, and HP recommends theframework for companies thatwant to be in control of the IT ser-vices that are essential for businessoperations and reporting [3, 4].CobiT works well in HP’s casebecause it has a knowledge andperspective of business needs. Itties control objectives back to busi-ness objectives. In that regard,CobiT plays an instrumental rolewhen aligning technology with theorganization’s strategic businessgoals.

For its part, IBM uses ISO 9000,CMM, ITIL, Six Sigma, and sev-eral home-grown quality pro-grams. Meanwhile, other equallysophisticated companies also pre-fer to roll their own. For instance,



MasterCard International Inc.has adapted parts of severalprograms to its own way ofdoing business. It underwent anexternal CMM assessment andimplemented some ideas fromthat, but it hasn’t adopted theframework formally. MasterCard’shybrid quality program has reducedthe development time for new soft-ware releases from 18 months to12, as well as reducing the numberof software defects.

For some organizations, anoutside body’s stamp of approval,such as an ISO 9000 or CMM cer-tification, may be an importantfactor. For example, Nortel usesa telecommunications-orientedversion of ISO 9000, a choice drivenby the organization’s customersand partners.

CONCLUSIONS

As we’ve seen, the IT performancemeasurement frameworks —namely, CMM, CobiT, and ITIL —are all compatible within them-selves and can complement othergeneral BPM frameworks suchas ISO 9000, Six Sigma, and thebalanced scorecard. By using asystematic IT-based performancemeasurement discipline embed-ded into a general BPM framework,companies can improve their orga-nizational performance.

REFERENCES

1. Brand, K., and H. Boonen. ITGovernance: A Pocket Guide Basedon CobiT. Van Haren Publishing,2005.

2. Chickowski, E. “Models of ITGovernance.” Processor, Vol. 26,No. 15, 9 April 2004.

3. HP ITSM and HP OpenView:An Approach to Attaining Sarbanes-Oxley Compliance. HP, 7 April 2004.

4. Information Systems Auditand Control Association Web site(www.isaca.org).

5. IT Governance Institute Web site (www.itgi.org).

6. ITIL College Web site (www.ITILcollege.com).

7. IT Service Management ForumWeb site (www.itsmf.com).

8. Lainhart, J.W., IV. “CobiT: AMethodology for Managing andControlling Information andInformation Technology Risks andVulnerabilities.” Journal ofInformation Systems, Vol. 14, No. 1,2000 Supplement, pp. 21-25.

9. Paulk, M.C., B. Curtis, M.B.Chrissis, C.V. Weber. CapabilityMaturity Model for Software,Version 1.1. Technical ReportCMU/SEI-93-TR-024, ESC-TR-93-177.SEI, February 1993.

10. SEI, Carnegie Mellon UniversityWeb site (www.sei.cmu.edu/cmm/cmms/cmms.html).

11. Yuthas, K., and M. Eining.“An Experimental Evaluation ofMeasurements of InformationSystem Effectiveness.” Journal ofInformation Systems, Vol. 9, No. 2,Fall 1995, pp. 69-84.

Sevgi Ozkan is an IT lecturer and a Ph.D.candidate in information systems atthe Informatics Institute at Middle EastTechnical University (METU), Turkey.Her research interests include IT eval-uation, IT performance measurement, e-quality measurement, and Internet-related information and communicationtechnologies. She has served as anadvisor on IT governance and softwareprocess evaluation for HP Turkey and forlarge Turkish enterprises in such indus-tries as defense, software development,and telecommunications.

Ms. Ozkan received her B.A. and M.A.in electrical engineering and informa-tion sciences from the University ofCambridge, UK, and her M.Sc. in busi-ness information systems from theUniversity of London, UK. Prior to herdoctoral studies, she worked as anengineer for IBM UK and Motorola UK.Ms. Ozkan is a member of Centre of ITEconomics Research, the Netherlands.She is currently working on a book aboutsoftware process measurement.

Ms. Ozkan can be reached at theInformatics Institute, Main EngineeringBuilding No. 418, Middle East TechnicalUniversity, 06531, Ankara, Turkey. Tel:+90 532 5961040; E-mail: [email protected].

seein

g is

perc

eiv

ing

Get The Cutter Edge free: www.cutter.comwww.cutter.com/consortium/ 21Vol. 18, No. 3

Business performance manage-ment (BPM) solutions help com-panies understand their entireorganization in a business contextand take action based on that holis-tic view. When you can see andunderstand how people, processes,infrastructure, and assets acttogether across your enterprise toaffect business performance, youcan respond rapidly and effectivelyto whatever demands, opportuni-ties, and threats come your way.

Take the example of Joe Shelly. Joeis senior director of procurementand logistics at a large manufactur-ing concern in the Midwest. As partof his daily responsibilities, he hasto read multiple reports to see thestatus of all current projects and siftthrough mountains of data, storedin dozens of locations and formats,to be able to make educated deci-sions involving hundreds of millionsof dollars in purchasing, inventorymanagement, and logistics activi-ties. Joe has several business intelli-gence (BI) and BPM tools at hisfingertips to help him achieve hisgoals, but none gives him a real-time, single-view window into allthe relevant data he needs to seekanswers and look for potentialopportunities and problems. Whenhe needs a particular piece of infor-mation not readily available within

the existing tools, he has to put in awritten request to IT and wait 48hours to get a customized report.

Joe’s situation is, unfortunately,fairly common. Even today, with allthe solutions available in the mar-ketplace, most companies are notreaching their optimal performancebecause of the lack of software thattruly allows business users to “see”and analyze the data available.

WHAT IS DATA VISUALIZATION?

The amount of data stored withinorganizations continues to grow atan alarming rate. Yet while mostorganizations have mastered theart of collecting data, they have notmastered what to do with it. Inrecent years, BI/BPM solutions havebecome increasingly popular tohelp organizations make sense of allthis data — data from transactionalsystems such as enterprise resourceplanning (ERP), supply chain man-agement, financial, and customerrelationship management (CRM)systems, as well as information heldin data warehouses and data marts.

In the broadly defined BI/BPM mar-ketplace, there are two generalareas where most vendors havefailed to provide a compellingsolution: access to details and datapresentation. But the last couple of

years has seen the emergence ofniche software players focused onextending a company’s BI/BPMinvestment.

This segment of the market,defined as data visualization oractive data visualization, fills a keyvoid in the BI spectrum by provid-ing added functionalities (such asvisual queries, dynamic data dis-covery, or multiple linked images)that are critical in the decision-making process for most businessusers. Data visualization collectsdata from multiple sources andformats (not always compatible)and presents it in an efficient andbusiness-intelligent manner, thusallowing users to quickly digest andinterpret the data. A data visualiza-tion tool also allows non-IT users todo data prospecting or data drilling— browsing through data and infor-mation to identify patterns, trends,opportunities, and issues — with-out requiring knowledge of thedata structure or programminglanguages.

The objective of data visualizationis literally to take thousands or mil-lions of data points and representthem in a way that non–powerusers can understand in seconds.This represents a significant shiftfrom traditional charts, which aregeared more toward plotting a few

I Can See Clearly Now: BPM and Data Visualization

by Tawfik A. Hammoud



hundred data points. Unlike otherforms of graphical representation,such as those used in most currentBI/BPM tools, information visualiza-tion is also a tool for exploring andviewing the unknown — for thediscovery of critical issues, rela-tionships, and structure. With infor-mation visualization, the visualsconvey critical information thatallows users to interact: exploring,browsing, filtering, drilling down,and zooming. This ability to inter-act with the presentation lets usersask questions and then ask morerefined questions. Very few peoplerealize that the average humanbrain can process up to eightdimensions visually — and muchmore effectively than with text.

In a nutshell, data visualization soft-ware puts into the hands of the rightpeople the ability to finally convertdata into intuitive, relevant, action-able information.

HOW DOES THIS CAPABILITYIMPACT A COMPANY’S BPMINVESTMENT?

Companies that have invested inBPM solutions find themselveswondering how to best leveragethat investment. My colleaguesand I believe data visualization isone way of increasing the ROI ofBPM solutions. But key questionsremain: Is BPM data appropriate forvisualization? What impact doesvisualization have on the adoptionof BPM systems? What about cost?

Data visualization solutions allowfor an intuitive presentation of datathat easily accommodates anorganization’s business logic. Easy

and intuitive access to business-relevant information — from inter-nal and external sources — givesthe users the insight they need torespond rapidly to opportunityand change.

BPM solutions allow for robust mon-itoring of business performance andcoordination of activity across strat-egy, management, and operations.This enables companies to create abusiness that is aligned, account-able, and action-driven. BPM isgreat at monitoring key metrics,implementing balanced scorecardinitiatives, and delivering betterplanning, budgeting, and forecast-ing processes. BPM data comes in avariety of formats and stems frommultiple data sources. The visual-ization layer is usually data- andvendor-agnostic and can coexistwith most BPM solutions. Mostoften, visualization solutions arebrowser-based and use very flexiblearchitectures to accommodate alarge set of technology scenariosand requirements.

Visualization also increases useradoption rates significantly. Customvisual reporting tools are gearedtoward the non-data-savvy users —a subset of users who can’t (or

don’t) use BPM tools. They are typi-cally overly dependent on supportgroups such as IT or analysts toinvestigate unforeseen issues, andthe last thing they want is morereports or metrics.

Deploying a BPM solution is onlyhalf the battle: ensuring usage is thekey. Some cases have resulted infull project failure due to lack ofend-user adoption. As a clientrecently told us, “If you can’t visual-ize the problem, chances are youwon’t be able to solve it.” By imple-menting data visualization solu-tions, companies equip a muchlarger subset of users with the toolsto make accurate and timely busi-ness decisions.

Finally, the cost of a BPM softwarepackage is often a fraction of theoverall expense. Unless carefullyselected, a major software packageimplementation can consumea considerable amount of yourorganization’s time and energy.Visualization solutions are usuallydeployed within four to eightweeks and require very little usertraining. The cost of adding soft-ware is minimal compared to thebenefits realized.

SELECTING A DATA VISUALIZATIONTOOL TO HELP YOU ACHIEVEYOUR GOALS

According to business integrationconsultant Steve Craggs, “Concernsare beginning to mount aboutBPM’s capability to deliver realbusiness value and return oninvestment” [1]. A significant por-tion of BPM implementations donot achieve their expected ROI.

In a nutshell, data visualiza-

tion software puts into the

hands of the right people the

ability to finally convert data

into intuitive, relevant,

actionable information.


Why? As I previously observed, onereason is that organizations oftenbuild the “right” solution for thewrong users. Another reason is thatmost BI tools claim to be able to doeverything — but don’t.

Many BPM vendors claim to havepresentation layers that allow theusers to interact with data in aneffective way. Others are addingcapabilities by developing oracquiring true visualization tech-nology. The reality is that today onlya handful of small niche vendorshave really mastered the art ofdata visualization. The vast majorityof complex business problemshave many dimensions, yet mostreporting/visual tools only exposetwo or three dimensions at a time,so users are expected to run multi-ple data simulations and piecetogether the information for a com-prehensive picture. My colleaguesand I have found that most visualtools are either too simple (graphs,charts) or too complex (scatterplots, scientific visualization) forthe average business user.

As the analyst firm IDC reportedin early 2004, simple visualizationtasks such as charting or plottingare common, but the future lieswith tools that provide people withvisual navigation and guide them interms of how to drill down [2]. Asmany an executive has discovered,dashboards are only adequate foranswering questions the useralready knew to ask.

Before deciding to invest in datavisualization software, you need toask yourself some questions and

assess whether you are currentlyoptimizing the use of your data:

Do your people get the criticalinformation they need to dotheir jobs?

Is critical business informationonly available to power users?

Do you get too many reportsthat are not actionable?

Do you need to submitrequests and wait for reportsto get key information?

Are complex queries requiredto fully understand the data?

The following functionalities, whileby no means an exhaustive list, arekey in getting the most out of yourdata visualization tool:

Ability to drill down throughthe multiple layers of data;see the forest and each tree

Meaningful visual indicatorswith color-coding rules

Actionable alerts

Integration with other datasources and back-endapplications

Ability to nonprogrammaticallyfilter the information ata detail level

Easy implementation, rapiddeployment

Scalability

Speedy performance on largedata sets

Customization features

Ability to see both summaryand details in context

Gaining a competitive edgeincreasingly entails the ability toleverage existing data and obtaincritical insights into businessperformance. While most organiza-tions have the systems in place tocapture and store reams of data,few can use that data for actionabledecision making. Companies thathave that capability gain an advan-tage over competitors by being ableto anticipate problems and exploitopportunities that remain buriedelsewhere.

In summary, the use of datavisualization as a complementarytechnology provides enhancedfunctionality for users and allowsa much larger section of userswithin an organization to harnessthe power of data. That increasesthe return on the investments com-panies have made in BPM software.

REFERENCES

1. Craggs, Steve. “Business ProcessManagement — The Holy Grail orJust Another Mirage?” DM Review,February 2005.

2. Report on Visualization Software.IDC, 18 February 2004.

Tawfik A. Hammoud most recentlyserved as VP of Marketing and CorporateDevelopment at Antarctica Systems, apioneer provider of BPM software. Hewas previously a founder of Citadon Inc.,a project management software com-pany, and a management consultantat Bain & Company. He has more than10 years’ experience as an entrepreneurand software executive.

Mr. Hammoud can be reached [email protected].

Vol. 18, No. 3 23



an o

z. o

f pre

venti

on is

wort

h a

lb. of

cure

March 2005

The US Sarbanes-Oxley Act (SOX)has received a great deal of atten-tion as organizations struggle tomeet its internal controls provi-sions. Internal controls have beengiven a broad definition by theUS Securities and ExchangeCommission (SEC), which adopteda framework established overmany years by the Committee ofSponsoring Organizations of theTreadway Commission (COSO).1

Section 104 of SOX requires thePublic Company AccountingOversight Board (PCAOB) to con-duct a continuous program toinspect public accounting firms. Arecent article in Compliance Weekreports that one-third of companiesinspected by the PCAOB to datehave identified deficiencies [3].

Companies are struggling with theinitial phases of internal controlscompliance due to decades’ worthof lackluster efforts to supportexternal audit, internal audit, andrisk management and to improvecorporate governance overall. Core

to any internal controls regime issecurity management. Two sec-tions of SOX will have a directand profound impact on securitymanagement:

1. Section 404 mandates thatorganizations attest to the via-bility of internal controls. Thisincludes proof that auditablesecurity measures are in placeto protect an organization’sassets.

2. Section 409 mandates thetimely reporting (i.e., withinfour working days) of materialevents using Form 8-K. Materialevents can include a variety ofproblems caused by securityviolations.

SOX is only the beginning of aglobal trend to improve internalcontrols as a means to providetransparency in financial reporting.All such efforts will have a COSOframework and strong securitymanagement at their core. Manyare also embracing a CobiT(Control Objectives for Informationand Related Technology) or ISO17799 framework to improve ITgovernance. Global efforts under-way include the following:

OMB Circular A-123 mandatesSOX-like regulations for USfederal agencies.

Canada’s Instruments 52-109and 52-111 closely parallel USSOX 302 and 404.

The UK’s Turnbull Guidanceactually predates SOX andfollows a COSO framework.

The Basel II Accord appliesa COSO-like framework toglobal banking.

The OECD Principles arebecoming a global standardfor improved controls.

Beyond the demands to improveinternal controls in order to complywith regulatory requirements, goodsecurity management is also essen-tial in maintaining robust businessperformance management (BPM).Those who embrace all three ele-ments of security managementdescribed below will be followinga BPM best practice.

THE THREE ELEMENTS TO GOODSECURITY MANAGEMENT

There are three elements to goodsecurity management that supportefforts to improve internal controls.I will use the analogy of a burglaralarm to demonstrate them:

1. Prevention is the strong lockon the door.

2. Detection is the alarm sys-tem that is triggered uponattempted entry; it mayinclude monitors to recordthe activities of the intruder.

The Security Management Triple Play: Protection,Detection, and Visualization for SOX Compliance

by Anthony Tarantino

1COSO defines an internal control as a“process, affected by an entity’s boardof directors, management, and otherpersonnel, designed to provide reason-able assurance regarding the achieve-ment of objectives in the followingcategories: effectiveness and efficiencyof operations, reliability of financialreporting, and compliance with lawsand regulations” [1].


3. Visualization is the means ofidentifying actual intrusionsversus numerous false alarms.

There are software providers whofocus on each of the three elements.There are those that also offer bothdetection and prevention capabili-ties. The leaders are moving quicklyto offer all three. I will explain whyall three are essential for complyingwith SOX and the host of related reg-ulations mentioned above. Let’sbegin by listing capabilities that theleaders are offering for each of thethree elements.

PreventionAutomate key data changeswithin business applications.

Secure master-level data, suchas customers, suppliers, anditems.

Ensure data integrity (i.e.,make sure that data is enteredaccurately to prevent report-ing issues and downstreamcontrol problems).

Enforce tolerance limits on thenumber of fields accessible toa user.

Enforce approvals within keyprocess flows and updates,such as application setups,credit limits, and signing limits.

Enforce segregation of dutiesdown to the function anduser level.

Provide change control andsystem monitoring.

Prevent assignment of respon-sibility and function conflicts.

Prevent unauthorized updatesto sensitive setup or transac-tional data.

Restrict access to pick-lists,pull-down menus, and lists-of-values by user or responsibility.

Provide alerts as to the time,origin, and nature of anyattempted violations.

DetectionMonitor responsibility andfunction conflicts thatalready exist.

Monitor key data changeswithin business applications.

Monitor failed transactions orstuck interface transactions.

Monitor changes in processcontrols.

Report on responsibility andfunction conflicts.

Report on control violations(e.g., segregation of dutyconflicts).

Provide a comprehensive audithistory at the field level for keydata changes (e.g., setups,master data, transactions).

VisualizationProvide a visual and globaldashboard that captures allrelevant internal controls.

Create alerts for the dashboardwhen out-of-tolerance situa-tions occur, such as past duedates, violations of security

protocols, and potential mater-ial events.

Provide hierarchical functional-ity, which summarizes alerts atan executive level and permitsdrill-down navigation for moredetails on the origin and natureof the alert.

Provide alternatives to the pop-ular red light/green light alertsto support users who are visu-ally impaired.2

THE INHERENT RISKS OF AFTER-THE-FACT DETECTION SOLUTIONS

There is a significant differencebetween software solutions thatprovide continuous prevention,monitoring, and reporting, andtools that only provide continuousmonitoring and flag violations afterthe fact. To continue the burglaralarm analogy, an after-the-factmonitoring device would trigger analarm only after the break-in hadoccurred and the thief was longgone. In a worst-case scenario, thealarm would not go off in the policestation for a day or two after thebreak-in. Those responding typi-cally have to sort through a largenumber of false alarms as well.Little wonder that we typicallyignore alarms and that police givethem their lowest-priority response.

In today’s global business environ-ment, with 24/7 operations, eventhe most robust after-the-fact moni-toring systems could experiencesubstantial delays in detection and

2For more information, see the USgovernment’s voluntary accessibilityprogram Web site (www.section508.gov).

An after-the-fact monitoring

device would trigger an

alarm only after the break-in

had occurred and the thief

was long gone.



require users to sort through manyfalse positives. Imagine a detectionsystem in which human beingsmust look at thousands of dailytransactions, and it is easy to seehow an actual violation would notbe flagged immediately or couldescape detection altogether.

A clever person wishing to commitfraud could time his or her activitiesto coincide with evenings, week-ends, and time zone differences toprovide as much as a two-to-three-day period before the fraud wasdetected by such a system andanother few days for humans tosort through the false alarms. Forexample, a person working in thePacific time zone of the US couldwait until Friday afternoon andcommit fraud after the East Coast–based IT folks have departed for theweekend. Assuming reports andalerts are run daily, the fraud maynot show up on an alert or reportuntil Monday and may not bereviewed or acted upon until mid-week or later. Even if the activity isonly an innocent and unintentionalerror, it may raise to the thresholdof requiring an organization todeclare a material weakness usingForm 8-K under Section 409 of SOX— a major breakdown in internalcontrols.

While auditors, analysts, andinvestors will welcome an after-the-fact detection system as a goodfirst effort, they will not be pleasedwhen it documents the extent of anorganization’s poor internal con-trols. They will be unmerciful whenit documents breakdowns thatrequire the filing of a Form 8-K.

Indeed, an after-the-fact detectiontool may well provide regulatorsand litigants with the ammunitionthey need to win convictions andsettlements against an organiza-tion. It is no accident that manyprivately held companies have tra-ditionally and intentionally main-tained records in a sloppy andhaphazard manner to complicateand frustrate tax and financialaudits. Nonetheless, SOX clearlyrequires stringent record keeping,making a preventative solution (inaddition to after-the-fact reporting)a necessity. Such a solution goesbeyond SOX compliance, and rep-resents a BPM best practice.

VISUALIZATION IS THE NEXT STEP

Leading software providers havecombined both prevention anddetection capabilities. Obviously, astrong lock that prevents entry is themost essential element, followed bya means to detect break-ins. But inlarger organizations with thousandsof users creating several thousandtransactions on a daily basis, thereis a need to feed all these outputsinto a user-friendly compliancedashboard that summarizes dataand provides very concise andvisual alerts3 when problems arise.This is called a “visualization”solution, and it is seen as an obvious

next step for the best-of-breedcompliance solutions.

Certus’s Governance Suite andPaisley Consulting’s Risk Navigatorare examples of leading point solu-tions that provide process visibilityat every organizational level, high-light the risks associated with thoseprocesses, and suggest the meansof mitigating those risks. Thisentails visibility across complexbusiness topographies (multi-national and multidivisional organi-zations) and across heterogeneousIT environments (multiple anddisparate financial systems).

Oracle’s Internal Controls Managerand SAP’s Management of InternalControls are examples of efforts bythe top two enterprise resourceplanning (ERP) players to providevisualization for their risk manage-ment solutions. These productsprovide a centralized view of risksand controls across an entire orga-nization. Visualization includessummarized internal control dash-boards that can be customized,real-time views as to changes inthe control and certification ofprocesses, and the rankings of riskmitigation efforts.

Visualization is also being addedto preventive solutions. LogicalApps offers solutions that combine

3Many of these dashboards rely on popular red light/green light graphics to alert usersto out-of-tolerance situations, but they are also sensitive to users who are visuallyimpaired, color-blind, or dyslexic. Section 508, a voluntary provision of the USRehabilitation Act, calls for text backups to graphics; for example, the text “Green,”“Good,” or “Pass” might appear in a green field. Such products also avoid the use offlashing lights within certain frequency ranges due to the danger of causing epilepticseizures.


both prevention and detectioncapabilities, using a compliancedashboard to summarize an arrayof data in a simple visual format.The company has added visual-ization to its Q2 2005 productroadmap.

WHY THIS IS ESSENTIAL BEYONDREGULATORY COMPLIANCE

Joseph Wells is a former FBIagent and criminologist who, in1988, founded the Association ofCertified Fraud Examiners (ACFE).In his book The Corporate FraudHandbook: Prevention andDetection [2], Wells cites a 2004ACFE report that measured the costof fraud among the 30,000 ACFEmembers. In a 2004 survey, partici-pants were asked, based upon theirpersonal experience and generalknowledge, what they believed atypical entity loses to fraud andabuse. Their median response,which the author states is consis-tent with two prior surveys, wasthat fraud represents 6% of annualgross revenues. Applied to the USgross domestic product of $10 tril-lion, this results in $600 billion inlosses a year.

So beyond complying with corpo-rate governance requirements,

security management is integralto BPM and clearly makes goodeconomic sense. Security manage-ment efforts that can cut fraud byeven a small percentage can beself-funding. Organizations that uti-lize all three elements of securitymanagement will enjoy a competi-tive advantage through:

Reduced risk of materialdeficiencies and weaknesses

Reduced fraud losses

Reduced antifraudenforcement costs

Improved investor confidence

Higher analyst ratings, whichtranslate into improvedshare prices

REFERENCES

1. COSO. Internal Control —Integrated Framework. NationalCommission on FraudulentFinancial Reporting, 1992.

2. Wells, Joseph T. The CorporateFraud Handbook: Prevention andDetection. John Wiley & Sons, 2004.

3. Whitehouse, Tammy. “PCAOBInspections Reveal Problems;Board Way Behind.” ComplianceWeek, 15 February 2005.

Anthony Tarantino is a recognizedauthority in supply management andthe internal controls–related provisionsof SOX and related regulatory require-ments coming to Canada, Europe,and the UK. Dr. Tarantino has 10 years’executive-level consulting experience and20 years’ industry experience in supplymanagement. He has nearly 30 years’experience in management positions in avariety of industries. He has implementedmore than a dozen ERP, procurement,and supply management systems.

Dr. Tarantino is a regular contributorto Cutter Consortium’s Business-ITStrategies Advisory Service and variousindustry publications, including InsideSupply Management, Sarbanes-OxleyCompliance Journal, and Line 56, ontopics such as corporate governanceand SOX, as well as informational supplychain and e-business. He is a frequentspeaker at the Institute of SupplyManagement (ISM) and various SOX-related conferences.

Dr. Tarantino has held a Certified inProduction and Inventory Managementcertification from the Association forOperations Management, is pursuing hislifetime Certified Purchasing Managercertification from ISM, earned a Ph.D. inorganizational communications from theUniversity of California, Irvine, and a B.A.from the University of California, SantaCruz. He is now working with LogicalApps as Chief Compliance Strategist.

Dr. Tarantino can be reached [email protected].



it’s

alw

ays

dark

est

befo

re t

he d

aw

n

March 2005

Business performance manage-ment (BPM) systems are quicklybecoming mainstream. Dash-boards, scorecards, key perfor-mance metrics, business activitymonitoring, and other terms popup perennially on the CIO agenda.Despite the continued optimismand often unquestioned head-firstplunge into the deep end, therelurks a darker side to BPM thatpractitioners should contemplate.Problems include:

The bewildering diversity ofthe field

Lagging adoption rates in themid-market

Data quality problems

Poor BPM satisfaction scores

Difficulties in making thelinkage to strategy

The short shelf life of metrics

Cognitive limitations inherentin human beings

Organizational defensiveness

The slippery and social natureof knowledge that BPMsystems can generate

BPM systems are a potentiallypowerful source of organizationalalignment and motivation. If practi-tioners are mindful of these chal-lenges, successful adoption canbe close at hand.

THE DARK SIDE

Mind-Boggling Diversity Perhaps the first important issuewith BPM is its diversity. AndyNeely of the UK’s Cranfield Schoolof Management cites 12 millionWeb sites dedicated to perfor-mance measurement (PM) (upfrom 200,000 in 1997), a significantrise in the number of conferencesworldwide on the subject, andwidespread adoption of the bal-anced scorecard (BSC) in largeorganizations [20]. He also citestremendous diversity in the acade-mic field as well, with experts inaccounting, economics, humanresource management, marketing,operations management, psychol-ogy, and sociology all exploring thesubject independent of each other.Neely notes that at a 1998 multi-disciplinary conference on perfor-mance management in the UK, the94 papers presented cited 1,245books and articles, of which fewerthan 10% were cited more thanonce. More importantly, he arguesthat there is little agreement onwhat are the most importantthemes and theories in PM.

Mediocre Adoption RatesDePaul University Professor MarkFrigo and Boise State UniversityProfessor Kip Krumwiede report thatthe BSC approach is in use at about

40% of Fortune 1000 companies [9].In the public sector, only 33% of UScounties with populations of morethan 50,000 were using PM systemsin any form, with a similar adoptionrate among cities [5]. BPM systemadoption may be following a diffu-sion pattern similar to that of otherproductivity improvements, many ofwhich have taken a generation toachieve widespread acceptance. Itmay turn out that BPM adoption canbe advanced with a more tacticalapproach focusing on specific activi-ties and outputs, while tackling thelarger issue of achieving strategicoutcomes at a more deliberatepace. Linking BPM to higher-leveloutcomes requires stakeholder orcustomer perceptions of timeliness,quality, and usefulness of services,all of which involve data not widelygathered [5].

Poor Data QualityBPM systems typically draw theirdata from data warehouses, whichin turn draw their data from sourceenterprise systems and numerousancillary software and data sourcesthroughout an enterprise. Bad dataquality is affecting the usefulness ofdata warehouses in general. TheData Warehousing Institute (TDWI)reports that 40% of the 647 com-panies it surveyed have sufferedlosses, problems, or costs due topoor data quality [6]. Sources of

BPM: Out of the Darkness and Into the Light

by Vince Kellen


data quality problems include lackof validation routines in data entrysystems or in system loading; mis-matched syntax, data formats,and code structures; unexpectedchanges in source systems; thenumber and complexity of systemintegration interfaces; poor systemdesign; and data conversion errors[6]. Mistrust of data can torpedoadoption of BPM technology. CIOsshould marry an aggressive dataquality improvement program withBPM system adoption.

I Can’t Get No (BPM System)SatisfactionThe Institute of ManagementAccountants (IMA) conducts anannual survey of its 1,300 memberson BPM systems, practices, andtrends and performs followup inter-views with respondents. The 2001IMA survey reported that 31% of allrespondents (BSC users and non-BSC users combined) felt theirexisting PM system was less thanadequate to poor in supportingmanagement’s business objectivesand initiatives. Only 15% consid-ered their PM systems as very goodto excellent in communicatingstrategy. BSC users fared muchbetter in perception (see Table 1for a breakdown) [8].

One key challenge for BPM systemslies in managing intangible assets(human and information capital)and innovation [7]. In the IMA sur-vey, 60% of the respondents saidthat innovation was a key part oftheir firm’s mission statement, yetmore than 50% rated their BPM sys-tem as poor or less than adequatein this area. Overall, less than10% of the respondents rated

performance measures forintangible assets as very goodor excellent [8].

The American Institute of CertifiedPublic Accountants and LawrenceMaisel of the Balanced ScorecardCollaborative conducted a study todetermine current perceptions andpractice regarding PM systems [17].The study included 2,000 respon-dents to a survey and on-site inter-views with a smaller numberof companies. Only 35% of therespondents rated their PM systemsas effective, and 80% consideredthe information from their PM sys-tems as merely adequate if notpoor. Many respondents indicatedusing BSCs even though their BSCsystems failed to meet the criteriaset by BSC creators Robert Kaplanand David Norton [13].

Performance measurementinvolves change management; andtherefore, staff buy-in, education,and leadership are all required. Thebenefits of BPM include improvedorganizational development andleadership, financial performance,operating performance, decisionmaking, and strategy and align-ment. Common barriers citedinclude issues related to buy-in,leadership, education, and themeasurement process itself. Better

information quality and technologywere cited as areas that neededimprovement [17]. In addition, arecent KPMG study of US andEuropean business and govern-ment executives noted the follow-ing factors in BPM system failures:measuring things that are easilymeasured versus what should bemeasured, data inaccuracy, meas-ures that were too complicated,and users who didn’t understandthe system and its measures [14].

Challenges in Measuring StrategyBPM systems come in two distinctflavors: strategic and operational.The balanced scorecard is anexample of a strategic BPM system.Operational BPM systems helpmanagers with specific operationalprocess control issues that mayor may not be directly related tothe strategy. Measurement playsa crucial role in translating busi-ness strategy into results.Researchers John Lingle andWilliam Schiemann surveyed 203executives, 72% percent of whomwere top executives, and found thatonly six in 10 place confidence inthe data presented to them [16].Factors that prevent successfulmeasurement include fuzzy objec-tives, unjustified trust in informalfeedback systems, and existing

Percent rating PM system either “very good” or “excellent”

BSC users Non-BSC users

Supporting management’s objectives and initiatives

Communicating strategy to employees

Supporting innovation

52% 5%

48% 3%

22% 2%

Table 1 — User Perceptions of BPM Systems



entrenched measurement systemsthat make adoption more difficult.Those who reported that theyactively measured performancesaid they gained agreement onthe strategy; had clarity of commu-nication, focus, and alignment; andreceived organizational cultureadvantages.

Measuring performance is certainlyimportant, but not all measures aregood ones to include in a strategicmeasurement system. Strategy andperformance measurements needto be intertwined and, as a result,are likely to be unique for eachcompany. Companies shouldmeasure how parts of their valuechain actually fit together for anoverarching advantage instead ofrelying on process-by-process met-rics [21]. Despite the widespreadunderstanding of the link betweenstrategy, measurement, and suc-cess, and the need for some bal-ance between internal/externalinformation and leading/laggingindicators, many companies relysolely on internal, lagging metricsto populate their BPM systems [15].

Different Conceptions of StrategyIn practice, companies craft theirstrategies differently. In somecases, strategy is a planned anddeliberate process. In others, it isunplanned and emergent [19].How a firm actually crafts, exe-cutes, and controls its strategy canhave a significant effect on its BPMsystem. The way firms constructtheir strategic BPM systems —that is, the ones that measure thestrategy — will most likely need tomirror the way they constructed thestrategy itself. Is it conceivable that

a top-down strategy (in which thedetails of the strategy are known toa few at the top of the firm) can bemeasured with a BPM system builtusing bottom-up approaches (ask-ing managers and directors closerto the front lines how to measurethe strategy)? Emergent strategieswill have provisional BPM that mustevolve over time, either using top-down and/or bottom-up conversa-tions in the firm to describe how toformulate the strategy and how tobest measure it.

Past-Their-Prime BPM MetricsHowever appropriate a metricmay be when it’s first devised,almost all measures lose their abil-ity to discriminate between goodand bad performance over time[18]. Improved performance oftenrenders a specific metric unusable;either the bar must be raised, oranother activity should be meas-ured. Some employees learn howto meet the measure withoutimproving the performance thatis sought (“gaming the system”).Some firms replace low-performingmetrics with high performers to“look good” (selection) or withholdperformance data when differ-ences persist (suppression). Thesemaneuvers require firms to changemeasures and search for newmeasures that can discriminateperformance better.

Cognitive LimitationsTechnology and process considera-tions aside, decision making basedon measurement data is fraughtwith individual biases, dependingon how the measurement data andproblems are presented within therelevant decision-making context.

The way decision problems aredescribed (framed) can lead todecision outcomes that deviatefrom standard decision-makingtheory (utility theory) [12]. Forexample, managers consistentlyexhibit unwarranted risk aversionand a propensity to look at deci-sions in narrow terms, often iso-lated from future or past decisions(narrow framing). This tendencycould quite possibly lead to, inaggregate, incorrect managementchoices.

A PM system project that proceedsunaware of the framing issues, theheuristics people employ whenmaking judgments under uncer-tainty, and the cognitive biases thateven statistical experts possess andemploy may have little impact onthe business or, worse still, actuallyaccelerate faulty decision making.Many of the errors and biases indecision making can be overcomethrough the use of information visu-alization and careful presentationof the data required for decisionmaking. The implication for BPM isthat information representation canhave a significant impact on thenumber of decision errors madeas a result of common cognitivelimitations.

Defensiveness and OrganizationalLearningBeyond cognitive limitations andproblem framing lurks more dan-ger. It is one thing to frame theproblem appropriately and repre-sent the performance data prop-erly. It is another to get humanbeings to discuss the informationand its implications and takeappropriate action. The way that


organizations deal with threateninginformation is thus another sub-stantial concern.

Well-known organizational learningconsultants and researchers ChrisArgyris and Donald Schön haveexamined the role defensivenessplays in organizational learning.Organizational inquiry (the inter-twining of thought and action thatproceeds from doubt to the reso-lution of doubt) can produce achange in thinking and actingwithin an organization. This learn-ing, however, takes two distinctforms: single-loop and double-looplearning. Single-loop learning pro-duces a change in behavior but nota change in the underlying assump-tions within the organization. Forexample, a normal product processimprovement inquiry may yieldchanges in the manufacturingprocess but not impact basicassumptions about the organiza-tion. Double-loop learning, on theother hand, results in a change inthe strategies and assumptions gov-erning the activities [3]. The rela-tionship between the two forms oflearning is depicted in Figure 1.

Argyris and Schön describe twomodels of theories in action. Theseare theories that organizations actu-ally put into use (action theory)versus theories that organizationssay they put into action (espousedtheory). The first model, Model-I, isone the researchers claim to haveobserved in many organizations inmany environments throughout theworld. It has four main governingvalues and accompanying actionstrategies (see Table 2).

An organization with this learningmodel (which Argyris and Schöncontend is a great many organiza-tions) is “highly unlikely to alter itsgoverning variables, norms, andassumptions” [3]. The secondmodel, Model-II, has three maingoverning values and accompany-ing action strategies (see Table 3).

If an organization follows the lattermodel, the degree of defensivenessbetween individuals and groupswill tend to decrease, and double-loop learning will be enhanced [3].Argyris contrasts the organizationalreasoning associated with thesetwo models as defensive reasoning

and productive reasoning, respec-tively. He points out that productivereasoning in dynamic environ-ments is especially difficult for peo-ple because it requires them to“reexamine their basic assump-tions and test their judgmentsagainst changing conditions” [1].

Argyris further argues that organi-zations need to move beyond thestatic conception of the world thatis reflected in deterministic causal-ity to forms of probabilistic reason-ing. He notes, “Because the worldof action is dynamic and uncertain,probabilistic reasoning is morerealistic and accurate in assessing

Value Action Strategy

1. Define goals and try to achieve them.

2. Maximize winning and minimize losing.

3. Minimize generating or expressing negative feelings.

4. Be rational.

Design and manage the environment unilaterally (be persuasive, appeal tolarger goals).

Own and control the task (claim ownership of the task, be guardian of the definition and execution of the task).

Unilaterally protect yourself (speak in inferred categories with little or no directly observable data, be blind to impact on others and to incongruity, use defensive actions such as blaming, stereotyping, suppressing feelings, intellectualizing).

Unilaterally protect others from being hurt (withhold information, create rules to censor information and behavior, hold private meetings).

Table 2 — Model-I Values and Action Strategies

Governingvariables

Actions Consequences Match?No

YesSingle-loop learning

Double-loop learning

Figure 1 — Double-loop and single-loop learning (adapted from [2]).



the likelihood of accomplishing ourintended result” [1]. Action canmore easily follow from probabilis-tic reasoning for Model-II organi-zations. Organizations holding todefensive reasoning are more likelyto dismiss probabilistic evidencethat challenges the organization’sespoused theory.

Organizational defensiveness hassignificant implications for BPMsystems. While cognitive biasescan be overcome by reframing andrepresenting problems so they aremore intuitively understood, orga-nizational biases due to defensivebehaviors are much harder toroot out and change. Argyris pointsto some hope in the form of man-agement information systems,which he says offer the followingbenefits [1]:

Technology allows the designof information practices thatsupport individual and organi-zational learning.

Storing and retrieving rele-vant actual performanceinformation is relatively easyand timely.

Individuals can use IT toolsto record and discover dis-crepancies between statedgoals and actual performancein a nonthreatening setting.

All members of the organiza-tion can have access to con-firming and disconfirmingdata, lowering the cloak ofsecrecy and control.

By linking accurate, timelyinformation to the sense ofstewardship among decisionmakers, the likelihood of learn-ing increases. As organizationsbegin to change their prac-tices, individuals within themwill feel less threatened andbe more willing to correct theirmismatches between intentand action as part of an ongo-ing development process.

To date, most BPM systems excel inassisting single-loop learning; thatis, correcting specific processes sothat they meet stated goals. BPMsystems are currently not designedspecifically or solely to help man-age the double-loop learning prob-lem. That requires more. Sinceorganizational environments

(markets and competitive situa-tions) can rapidly change andextinguish even the largest orseemingly most durable entity,enhanced double-loop learning iscritical for long-term survival.

The Social Nature of KnowledgeThe notion of knowledge as a socialphenomenon is emerging as a sig-nificant contribution to knowledgemanagement (KM). Knowing whatconstitutes the social and cognitivecontext required for individuals tounderstand things is critical for suc-cessfully managing knowledge inan organization. IBM researchersJohn Thomas, Wendy Kellogg, andThomas Erickson go so far as torelabel KM as “knowledge social-ization” [23]. Some social tech-niques for managing or creatingknowledge include Bohm dia-logues (noncompetitive groupconversations that balance con-tinued inquiry with the needfor an answer), systematic use ofmetaphor, strategy mapping, story-telling and narrative, and expres-sive communication.

Complexity sciences researcherRalph Stacey criticizes whathe calls mainstream thinking onKM for many oversimplifications orinadequate explications [22]. Thekey concepts in mainstream think-ing — double-loop learning, tacitand explicit knowledge, systemsdynamics, sender-receiver modelsof knowledge transmission frominformation theory, dialogue as aspecial form of communication —have the following problems:

They treat individual learningdifferently from organizational

Value Action Strategy

1. Valid information

2. Free and informed choice

3. Internal commitment to the choice and constant monitoring of its implementation

Design situations where participants can be originators of action and experience high personal causation.

Jointly control the task.

Recognize that protection of self is a joint enterprise and oriented toward growth (speak in directly observable categories, seek to reduce blindness about own inconsistency and incongruity); engage in bilateral protection of others.

Table 3 — Model-II Values and Action Strategies


learning and hence require notone but two theories of howlearning takes place.

They fail to account for hownew knowledge is created.

They cannot explain the unpre-dictable patterns of knowledgethat may emerge outside of thecontrol of the managers.

Stacey argues that “systems, data-bases, stored and written artifacts”are simply “records that can onlybecome knowledge when peopleuse them as tools in their process ofgesturing and responding to eachother” [22]. He goes even further,arguing that knowledge is notdesigned but emerges from theconscious and unconscious inter-actions and gestures between indi-viduals, and as such can be thoughtof as a complex adaptive system.

What this means for BPM is that theart of identifying, linking, and gath-ering data for a BPM system is onlypart of the problem and not thethorny problem at that. Gettingknowledge regarding the PM datadiffused and used throughout anorganization is at the core of whatKM and BPM are all about. WithBPM systems, culture and humancontext matter.

INTO THE LIGHT

So, forewarned is forearmed. Witha recognition of the problems thatbeset BPM systems, and a betterunderstanding of the organizationalcontext they require, we’re pre-pared to take BPM out of the dark-ness and into the light.

Constructing BPM SystemsAdopters of BPM systems shouldunderstand that these systemshave their own nuances andcommonalities with other systems.Like other systems, end-userinvolvement is important. Forexample, BSC users report thatBSCs work best if employees haveinput into the formation of theirparameters [10]; the number andtype of parameters must be wellthought out in advance. Firmsshould limit the number of parame-ters so that using the BPM systemdoes not become too cumbersomeand time-consuming.

As in other key technologies,establishing a process for imple-menting BPM systems helps. BPMresearchers Eileen Van Aken andGary Coleman have identified sucha process [24]. After definingthe need for measurement andimprovement, the process pro-ceeds through the following steps:

1. Creating a common under-standing of what the organiza-tion does (its mission, keyprocesses, and key outputs)comes first.

2. Defining key performanceareas and understanding themetrics (so everyone knows ifthe process was successful)are next.

3. After a balanced and focusedset of metrics has beendefined, the measurement sys-tem must be implemented,taking into account requiredresources, technology, training,and communication.

4. In the remaining steps, themanagement team must

systematically use the meas-urement system to assessperformance, determineimprovement actions, andreview the impact of theseactions.

Van Aken and Coleman report thatfirms can take as little as one totwo months to implement a BPMsystem if no major technologiesor tools are needed [24]. Kaplanand Norton also state that a BSCcan be created in about eightweeks [13]. These short, two-month adoption time frames seemto bode well for BPM systems. Ordo they? Should firms spend moretime planning and designing theBPM system? Perhaps. GeorgeMason University researchers AnneJensen and Peter Sage describe aprocess for selecting and refiningmetrics (see Figure 2) [11]. Sincemetrics in a BPM system do changeover time, firms need to establisha process for accommodating thischange.

Successful Violations of AcceptedBPM PrinciplesThe widely accepted model of per-formance management and meas-urement adheres to three basicprinciples: performance shouldbe clearly defined, performanceshould be accurately measured,and rewards should be contingentupon measured performance.However, continued acceptanceof these three principles maybe misguided. Cutter BusinessTechnology Council Fellow RobAustin and Brandeis UniversityProfessor Jody Hoffer Gittell docu-ment cases where firms deliber-ately violated one or more of these

Vol. 18, No. 3 33


three principles but still exhibitedhigh levels of performance relativeto competitors [4].

The widely accepted model of per-formance is based on complianceand extrinsic motivation. Extrinsicmotivation typically consists ofrecognition, rewards, compensa-tion, and behavioral norms toencourage specific behavior.According to Austin and Gittell,these approaches tend to give riseto undesirable outcomes, includingthe distortion of information quality,the displacement of employeeeffort from real organizationalgoals to ones that can be moreeasily prespecified and measured,and a deterioration of performance[4]. In contrast, the firms in the

anomalous cases used a PMapproach that was based on ambi-guity and intrinsic motivation. Inthese approaches, informationquality tends to be high andrequires dialogue across levels inthe organization to determine theright thing to do in a particular con-text. Moreover, in these ambiguity-loving environments, individualsare frequently not identified in spe-cific performance situations, thusthe “information-reducing” effect offear is minimized.

CONCLUSION

The strategic, human, and dynamicfeatures of BPM dwarf the purelytechnical issues. While the storyhere does indeed seem dark at

times, there is a light at the end ofthe tunnel. Perhaps the biggest con-tribution BPM systems can make isin serving as an integral piece in alarger organizational developmentprocess. Technology executivesmust master the factors discussedabove in order for their organiza-tions to be successful. Masterywill involve plenty of executive col-laboration and integration of theenterprise, which for the foresee-able future will allow technologyexecutives to keep a seat at thestrategy table.

REFERENCES

1. Argyris, Chris. “Initiating ChangeThat Perseveres.” AmericanBehavioral Scientist, Vol. 40, No. 3,January 1997, pp. 299-309.

2. Argyris, Chris. On OrganizationalLearning. 2nd ed. BlackwellPublishing, 1999.

3. Argyris, Chris, and Donald A.Schön. Organizational Learning II:Theory, Method, Practice. Addison-Wesley, 1996.

4. Austin, Rob, and Jody HofferGittell. “When It Should Not WorkBut Does: Anomalies of HighPerformance.” In BusinessPerformance Measurement: Theoryand Practice, edited by AndrewNeely. Cambridge University Press,2002.

5. Berman, Evan. “How Useful IsPerformance Measurement?”Public Performance andManagement Review, Vol. 25,No. 4, June 2002.


34

Begin

Identify/revise set of organizational mission, goals, objectives

Identify/revise set of internal andexternal organizational entities

Identify/revise set of organizational inputs,

outputs, influences

Identify/revise set of IT resources

Evaluate requirements for candidate metrics

Identify candidate metrics for inclusion in metrics set

Identify candidates in metrics set if requirements are met

Assess complete set of metrics against refinement criteria

No

Implement metrics set

Have goals or environment changed?

No

Is metrics set sufficiently refined?

Figure 2 — Metrics identification and refinement process flowchart [11].


6. Eckerson, Wayne W. Data Qualityand The Bottom Line. TDWI, 2002.

7. Frigo, Mark L. “The Stateof Strategic PerformanceMeasurement: The IMA 2001Survey.” The Balanced ScorecardReport, November 2001.

8. Frigo, Mark L. “Strategy, BusinessExecution, and PerformanceMeasures.” Strategic Finance,Vol. 83, No. 11, May 2002.

9. Frigo, Mark L., and Kip R.Krumwiede. “The BalancedScorecard.” Strategic Finance, Vol.81, No. 7, January 2000, pp. 50-54.

10. Ho, Shih-Jen Kathy, and Ruth B.McKay. “Balanced Scorecard: TwoPerspectives.” The CPA Journal, Vol.72, No. 3, March 2002, pp. 20-25.

11. Jensen, Anne J., and Peter B.Sage. “A Systems ManagementApproach for Improvement ofOrganization PerformanceMeasurement Systems.”Information, Knowledge,Systems Management, Vol. 2, No. 1, 2000, pp. 33-61.

12. Kahneman, Daniel, and AmosTversky. “Choices, Values, andFrames.” In Choices, Values,and Frames, edited by DanielKahneman and Amos Tversky.Cambridge University Press, 2000.

13. Kaplan, Robert S., and David P.Norton. The Strategy-FocusedOrganization. Harvard BusinessSchool Press, 2001.

14. KPMG. Achieving MeasurablePerformance Improvement in aChanging World: The Search forNew Insights. KPMG, 2001.

15. Krell, Eric. “The Stateof Corporate PerformanceManagement.” Business FinanceMag.com, June 2002.

16. Lingle, John H., and William A.Schiemann. “From BalancedScorecard to Strategic Gauges:Is Measurement Worth It?”Management Review, Vol. 85, No. 3, March 1996.

17. Maisel, Lawrence S.“Performance MeasurementPractices: A Long Way fromStrategy Management.” TheBalanced Scorecard Report, May-June 2001.

18. Meyer, Marshall W. “FindingPerformance: The New Disciplineof Management.” In BusinessPerformance Measurement: Theoryand Practice, edited by AndrewNeely. Cambridge UniversityPress, 2002.

19. Mintzberg, Henry. “CraftingStrategy.” Harvard BusinessReview, July 1987.

20. Neely, Andy, ed. BusinessPerformance Measurement: Theoryand Practice. Cambridge UniversityPress, 2002.

21. Porter, Michael E. “TheImportance of Being Strategic.”The Balanced Scorecard Report,March-April 2002.

22. Stacey, Ralph D. “TheEmergence of Knowledge inOrganizations.” Emergence, Vol. 2, No. 4, 2000, pp. 23-39.

23. Thomas, John C., Wendy A.Kellogg, and Thomas Erickson.“The Knowledge ManagementPuzzle: Human and Social Factorsin Knowledge Management.” IBMSystems Journal, Vol. 40, No. 4,2001.

24. Van Aken, Eileen M., and Gary D. Coleman. “BuildingBetter Measurement.” IndustrialManagement, Vol. 44, No. 4, July 2002, pp. 28-33.

Vince Kellen is the VP of InformationSystems and a member of the faculty ofDePaul University. Prior to joining DePaulin 2003, Mr. Kellen served as a businessstrategy and IT consultant for severallarge and midsized companies, including20th Century Fox, Exxon/Mobile, GeneralMills, SC Johnson, Arthur J. GallagherInsurance Co., and R.R. Donnelley. Hehas spoken nationally and internationallyon CRM, KM, and information visualiza-tion. Mr. Kellen has written four bookson database technologies and numerousarticles on technology topics. He lectureson enterprise architecture, CRM technolo-gies, and distributed systems and is cur-rently researching the impact informationvisualization has on decision making.

Mr. Kellen can be reached at School forComputer Science, Telecommunications,and Information Systems, DePaulUniversity, 1 E. Jackson, Chicago, IL60604, USA. E-mail: [email protected].


ww

w.c

utt

er.com

or

+1 7

81 6

48 8

700

Cutter IT Journal

Vince Kellen, Guest Editor

Vince Kellen is the VP ofInformation Systems and amember of the faculty ofDePaul University. Prior tojoining DePaul in 2003,Mr. Kellen served as a busi-

ness strategy and IT consultant for severallarge and midsized companies, including20th Century Fox, Exxon/Mobile, GeneralMills, SC Johnson, Arthur J. GallagherInsurance Co., and R.R. Donnelley. Hehas spoken nationally and internationallyon customer relationship management(CRM), knowledge management, andinformation visualization. Mr. Kellen haswritten four books on database technolo-gies and numerous articles on technologytopics. He lectures on enterprise architec-ture, CRM technologies, and distributedsystems and is currently researching theimpact information visualization has ondecision making. He can be reached [email protected].

Part of Cutter Consortium’s mission is to foster the debate of, and dialogueon, the business-technology issues challenging enterprises today, to help orga-nizations leverage IT for competitive advantage and business success. Cutter’sphilosophy is that most of the issues that managers face are complex enough tomerit examination that goes beyond simple pronouncements. Founded in 1987as American Programmer by Cutter Fellow Ed Yourdon, Cutter IT Journal is oneof Cutter’s key venues for debate.

The monthly Cutter IT Journal and its weekly companion Cutter IT E-Mail Advisoroffer a variety of perspectives on the issues you’re dealing with today. Armed withopinion, data, and advice, you’ll be able to make the best decisions, employ thebest practices, and choose the right strategies for your organization.

Unlike academic journals, Cutter IT Journal doesn’t water down or delay its coverage of timely issues with lengthy peer reviews. Each month, our expertGuest Editor delivers articles by internationally known IT practitioners that includecase studies, research findings, and experience-based opinion on the IT topicsenterprises face today — not issues you were dealing with six months ago, orthose that are so esoteric you might not ever need to learn from others’ experi-ences. No other journal brings together so many cutting-edge thinkers or letsthem speak so bluntly on issues such as:

• Proving the value of IT ROI• The give and take of offshore outsourcing• The value of high-quality data• The evolution of agile project management• When and how to kill a dying project

Cutter IT Journal subscribers consider the Journal a “consultancy in print” andliken each month’s five or six articles exploring a single topic to the debates theyparticipate in at the end of a day at a conference — with every participant in theconversation forcefully expressing his or her viewpoint, backing it up with dataand real-life experience.

Every facet of IT — application integration, security, portfolio management, and testing, to name a few — plays a role in the success or failure of yourorganization’s IT efforts. Only Cutter IT Journal and the Cutter IT E-Mail Advisordeliver a comprehensive treatment of these critical issues and help you makeinformed decisions about the strategies that can improve IT’s performance.

Cutter IT Journal is unique in that it is written by IT professionals — people likeyou who face the same challenges and are under the same pressures to get thejob done. The Journal brings you frank, honest accounts of what works, whatdoesn’t, and why.

Competition remains intense in the high-tech world. Budget cutbacks and shortdeadlines have become the norm. You need advice and experience you can relyon. Put your IT concerns in a business context. Discover the best ways to pitchnew ideas to executive management. Ensure the success of your IT organizationin an economy that encourages outsourcing and intense international competition.Avoid the common pitfalls and work smarter while under tighter constraints. You’lllearn how to do all this and more when you subscribe to Cutter IT Journal.



business performance management: have we gotten anywhere? › sites › default › files ›...

Documents