“I want it all, I want it yesterday, and I want it free.” In a nutshell, that’s what most business customers demand from SharePoint, right? And, of course, it doesn’t work that way.
SharePoint architecture, deployment, management, and solutions development are chock full of very difficult decisions about how, exactly , to balance out what the customer wants and what a project is given in terms of funding, time, and resources.
One of the most common questions I’m asked is how to “sell” an organization on an architecture, solution, or other decision that is mandated by the business need as expressed by the business customer, but not supported by real-world constraints of money, time, and people.
This week, I’ll give you a tip that I’ve found helps a lot of my customers.
For many years, the discussion in IT has centered around Return on Investment (ROI), which of course calculates the extra value generated by investing $x. There are many ROI case studies and calculators to be found.
Unfortunately, ROI doesn’t cut it when there’s basically $0 to spend. When funding is at a premium, investment will be zero, so return will be zero or, even worse, return will be expressed in crazy negative infinites as a project crashes and burns due to inadequate resourcing.
And, more unfortunately, that’s the boat in which many SharePoint projects are sailing. Between the global economic crisis and the fact that IT organizations have painted themselves into a corner as a cost center, they’re fighting for every dollar they can get.
But there is an answer—the “other ROI”—its evil twin: Risk of Inadequacy.
Risk of Inadequacy is the calculation that expresses how much you have to lose by delivering a service or solution in a half-hearted, corner-cutting, penny-pinching way. It’s what exposes the fact that with inadequate time, effort, resources and, most relevantly, funding, bad things will happen.
Inadequate infrastructure? Poor performance, downtime, data loss.
Inadequate security? Data leak, bad headlines.
Inadequate response to business need? Business users going “outside the firewall” to Dropbox and the like as solutions, putting corporate data at risk.
Inadequate tough decision making around information management and service management policies? Serious pain down the road.
You get the idea.
Most of us report to someone whose job it is to do something within budget. They won’t spend another dollar if they had to, because their metric is, basically “project complete, in budget.” It really doesn’t matter to them what happens later.
But every organization has one or more people whose butts are on the line if risk becomes reality and bad things happen. Executives, board members, and business owners certainly care about risk. Security offices, safety offices, legal departments and risk management teams certainly care. Often, HR and Finance care if you can determine what “scares” them.
So yes, this is about selling fear. But not in a crazy, world-is-ending way. Rather in a way that clearly states:
• This is the business need
• This is the solution that the need mandates
• This is the compromise that is being considered to balance business need with constraints
• This is the risk that is being assumed in the compromise
• This is the magnitude of the risk, and the probability that it will happen
and then letting the business decide whether the risk is acceptable or not.
What I see, too often, is that IT is not equipped or focused to communicate risk. And, in most cases, it really is IT—architecture and solutions development—that is closest to the knowledge about what should be done and what is being done, and the risk in the gap between those two posts.
Governance processes should define how risk analyses are “bubbled back up” to business customers to make an informed decision; how that decision is documented; and how the environment is managed and monitored to mitigate or at least identify and respond to the risk.
IT, you have to push back to the business customer. Often, they won’t know what to do when you push back, and many times they won’t be able to make a decision—at least not in early iterations. But at least it was their decision to make, and whatever the result is, you’ve documented it and can manage to it.
Risk of Inadequacy. Risk of Inaction. Risk of Ignorance. Those are the ones I’ve “invented” in customer discussions. They’re all related. What “dark side” ROIs can you define?