Delivery Documentaries are a behind the scenes look at how our Enterprise Architects (EAs) in the field perform Value Realization activities for customers. The documentaries are raw and real, and the purpose is to share what actually happens on the ground. They are always a learning opportunity, and we hope that over time we can help bridge the state of the art with the state of the practice, and continue to move the ball forward.

This example, provided by Atul Totre, describes what happens when a Microsoft Architect finds that one of the projects he was called in to help with is not likely to produce the expected return on investment. What steps led to this finding, and what changes did the Microsoft Architect recommend to help the business succeed? Let’s find out…

Executive Summary

A Microsoft Architect was called to help with a project that he assessed and found was not likely to produce the expected value. After thoroughly assessing the project and interviewing stakeholders, the enterprise architect presented his findings to the CIO and other top stakeholders. After reviewing and discussing the evidence, they agreed that continuing the project was not in the best interests of the business, and the resources involved could provide more value in other projects.

The Situation

I began helping a business with a multi-year project to design and implement a new Identity and Access Management (IAM) system. The project had begun after an internal audit found that most of the IT systems failed the security compliance checks. The new system was supposed to replace the multiple identity systems currently in use at various facilities, to help bring the systems back into compliance with security standards.

Because the audit results had attracted attention within the company, the IAM project was well-funded, even though it was not expected to significantly change productivity. Its main impact was expected to reduce risk and improve understanding (and manageability) of the affected systems.

When asking for Microsoft’s help with the IAM project, the CIO expressed skepticism about the project’s progress. In the CIO’s opinion, the project was too big and there was a lack of structure in the approach of the internal project team. As the first priority, the CIO was looking for leadership and guidance from Microsoft to help:

  • Redefine the vision for the IAM project. The process of doing so would include assessing the current state of the project and evaluating its business case.
  • Rationalize the project with existing and proposed Microsoft solutions.

After these steps were complete, the engagement could move on to redefining the strategy, roadmap, and plans for the IAM project.

The Plan

For the first part of the engagement, I worked with five customer stakeholders and stakeholder groups:

  • The main executive sponsor for this part of the engagement
  • The main executive stakeholder responsible for executing the IAM strategy
  • Members of the leadership team, who were responsible for overseeing the IAM project, and for making decisions about the course of the project (including budget priorities)
  • The IAM Program Manager at the business
  • The PMO team, which provided oversight and affected process changes

Within a few weeks, I expected to have assessed the current state of the IAM initiative, including:

  • The IAM system landscape
  • The capabilities of the IAM systems, including any current capability gaps
  • The IAM governance standards, model, and framework
  • Dependencies
  • Processes and workflows
  • The maturity levels of the IAM systems

I also made a preliminary assessment of the expected (“To Be”) state of the IAM system following the current project. This assessment covered:

  • The expected IAM capabilities and any capabilities gaps
  • The expected maturity levels of the IAM systems

I also talked to the stakeholders and others to gain the perspective of the business on the IAM initiative. During discussions with the stakeholders, I also provided information about best practices for IAM strategy, as identified by Microsoft.

Following the assessment, I spent the next period on initiative planning and stakeholder workshops. The results of this planning process included roadmaps for business capabilities, the IT service model, and technology for the initiative for the current year, and a strategic roadmap for the initiative for the next 3 to 5 years.

To keep the stakeholders informed during the engagement, I regularly reported status:

  • Quarterly reports to the executive stakeholder with overall status, strategy, and objectives, and the current top priorities. This report also provided an opportunity to adjust the next steps and update the engagement plan.
  • Monthly one-on-one meetings with the CIO.
  • Monthly meetings with the CIO’s senior leadership team.
  • Weekly or biweekly (as needed) one-on-one presentations with the IAM Program Manager, tracking progress made, deliverables achieved, and the status of phased activities. This presentation provided opportunities to make or receive recommendations for the course of upcoming work.

The Assessments and Analysis

I completed the first assessments, which included infrastructure optimization, maturity, compliance, as well as investment assessments, and a standard ESP initiative assessment. The information I gathered during this process helped me understand:

  • The business rationale behind the IAM initiative.
  • The business requirements for the IAM initiative, including existing features, required features, and the fitgap analysis for the required solution.
  • The current state of the identity systems, including its Active Directory implementation, and the various systems and applications that used the current identity systems.
  • The current processes for provisioning, controlling, and de-provisioning identities.

As I conducted my assessment and discussed it with business leaders and stakeholders, I began to see factors that contributed to the problems that the initiative was having.

  • The initiative was not clearly defined. Even after discussing it with stakeholders, I could not build a consistent, complete business case for the initiative.
  • The initiative did not have much support across the business. It was started by the IT organization and was supposed to span the entire organization. However, it did not have much broad management support or buy-in across business groups.
  • The initiative did not map to any of the eight critical priorities that the CIO had defined for the IT organization.

I began a deeper examination of the IAM initiative based on my own perspective, knowledge, and experience. I found it to be a “horizontal” initiative that affected business groups throughout the organization, affecting operations throughout the organization. And it would cost a lot of money to implement. To succeed, the initiative must have support and ownership beyond the IT organization, and it must take the concerns and considerations of the business priorities into account.

In addition, I confirmed the CIO’s view that there was a lack of structure in the project team’s approach. In my experience, an initiative of this scope and size must be built on detailed structural analysis and strategic work, which was lacking.

To complicate matters, although the CIO had defined priorities for the IT organization, the strategies for supporting those priorities were not yet fully defined. Without those, it would be difficult to determine how to bring the initiative in line with those priorities (or if that realignment was even feasible).

I concluded that the business was unlikely to succeed with the current initiative, which did not directly address the needs of the business, and did not have enough support to succeed. The business would have to finalize strategies supporting its eight IT priorities, or face ongoing difficulties in defining a identity and access management solution that would be satisfactory across the business.

The Outcome

I presented my results to the CIO and the leadership team at their regularly scheduled meetings and used that forum to start the larger conversation about the identity and access management needs of the business. I shared my analysis, showing that the current path would not produce a solution that met the needs of the business, and I recommended that the business would be better off not spending money on a solution until having identified one with a better chance of success.

After reviewing my recommendations, the CIO agreed that the IAM initiative in its current form could not provide the needed return on investment, and he made the call to shelve the project.

The business also released the third-party consultants that had been helping with the IAM initiative, and redeployed its internal resources to address other initiatives:

  • The main sponsor for the IAM initiative changed focus to a new project: modernizing the email system. I’m participating in this modernization project.
  • The security team resources have moved to another project, and I am helping them assess the security requirements the business has for productivity software and enterprise social features.