Guest Blog- Lauren Kitchen preview's Bay Crits

Bay Crits 2015 Preview by Lauren Kitchen It’s the new year and that means one thing, time to head down to Geelong to get stuck into some fast and furious criterium action at the Bay Crits. This will be my eighth Bay Crits having competed every year except one since I was U19. I love starting the new year and the new season here and this year Im just as excited as if I was that 16 year old kid again.

SKCC Supercrit 2014 no wm-279

In 2015 I will be racing with the Roxsolt team for the second year. We have a super strong team this year with; Kimberley, Loren, Tiff, Carlee, Jo and myself and we are being led by our owner manager Kelvin Rundle. So whats going to happen this week? Well here is my prediction;

Having a slightly changed format with teams now allowed to start 6 riders instead of 5 this will for sure change the dynamic of the racing with teams having more cards to play on different courses. Teams are now also able to pick and choose which days they race different riders, this will give some teams an advantage with rested riders coming in later in the series, while I believe most riders will race all four criteriums, there are a large number of individuals just targeting one or two days, most likely to perfect their nationals preparation.

Day 1 is Ritchie Boulevard, an infamous heart-pumping hot dog course at only 600m long, it results in about 100 standing starts in 45 minutes. What is great about this course is it is not only a great spectacle, it can be a great tactical race that has been won from nearly every situation. Roxsolt will have a few cards to play here as we expect to be one of the most inform teams, but if it comes to a sprint we will be looking to set up Kimbers against the likes of the Hosking-Bronzini duo of Wiggle Downunder. Giorgia won here last year with Kimbers taking it in 2013 and Hosking in 2012.

Logo- Roxsolt

Day 2 we move to the Botanic Gardens where we are faced with a more open course where the wind is defiantly a big factor. This course has a touch little climb just before a long finish straight so in the past has lead itself to a tough long sprint with Hosking (then of Roxsolt) taking the win here last year. This is an important day for us as we will also be celebrating Kelvin’s 40th Birthday! We will be racing to get Roxsolt out there on day two and we hope you see one of us with our arms in the air at the end of the day.

Day 3 is Portarlington. I have a love hate relationship with this course. You can’t hide here. This is the race where it shows your form. Back in 2007 Gary Sutton told me, “this course will suit you” so as a 16 year old I toughed it out and I finished. I was the only rider from my team that year to do so and it was my biggest achievement of the week. Since then the course has changed slightly a few times but we have always seen a tough race. Tif has won here twice and last year Jo was 4th on this circuit. I have had my best results here with a 1st (2008) and a 2nd (2011). This course will suit our team. You can look for us at the front trying to force the break in Portarlington.

Day 4: Last day is Williamstown. The is a great spot to finish, with a trendy Melbourne vibe and cute cafes lining the course, by day 4 a coffee fuel up is a must. Being a dead flat square course we normally see a bunch sprint, however its day four, so anything can happen. Roxsolt will want to go out with a bang and we are aware we have one of the fastest girls with us so I think Williamstown might be about Kimbers lining it up.

There are two other super strong stacked teams for 2015 with Wiggle Downunder and Orica AIS. So Im sure it will be really exciting racing. Our main goal is to have fun, but we are a competitive bunch of girls so hopefully you will see us on the podium.

Now to catch a plane

Lauren

Is Your 5x5 Falling Short?

Most organisations use a 5x5 risk matrix of some description when assessing the level of risk across the business. On one side is a sliding scale for expected frequency for a period of time (typically 12 months) and on the other is the impact of the incident that itself is a further variable of different loss dimensions such as financial, customer impact, regulatory, staff health, safety and moral and so forth. This works wonderfully well in highlighting if a particular event of scenario will land the business inside or outside of risk appetite and therefore highlights if a risk requires further attention or should simply be entered into the risk register, accepted and monitored. When I say this works wonderfully well what I mean is it works well when you have suitable data to base your assessment around. If for example you work in OH&S and you want to risk assess an existing piece of machinery such as a car for example you can look at historical data of frequency of accidents and amount of loss. Of course all of this information is being recorded in the loss database or within an incident report form awaiting entry into the loss database. So this makes life nice and easy as you can make a reasonable assumption that left unchanged whatever frequency and impact occurred last year would occur again in the following year within a small margin of variance.

The challenge arises for estimating IT losses. Few organisations have suitable measures in place to record and capture frequency and impact, let alone traceability back to how effective existing controls are in reducing impact and or likelihood. In typical organisational segmentation architecture and design respond to new business requirements and operations are left to run what ever is handed over from the build team. Rarely does the business understand, nor care about the operational impact of their new project, until of course something doesn’t work and everyone gets in a big meeting room and looks at each other to discuss how the situation can be remediated.

While insurance companies can risk assess the likelihood and impact based on historical data down to the street and house number to adjust insurance premiums the same cannot be said for IT actuary data. Finance companies can use predictor and historical customer data with reasonable accuracy to predict customers that are likely to default on loans prior to the default taking place. Yet ask any organization the likelihood and impact of unintentional data loss for the next 12 months and sadly you will get either wild speculation or blank stares. Likewise ask the same organization what the reduction value of the existing firewall infrastructure was for the prior 12 months in ensuring customer trust and confidence and you will probably be met with silence. For a variety of reasons the industry cannot draw on third party aggregated data to assist in investment decisions.

Organisations should be looking internally to collect and aggregate this data. By tracking actual frequency and loss data over time the organization can build a profile of historical risk. Through expanding this tracking information existing controls can be tested for effectiveness. Time-driven activity-based costing is a potential tool that could be leveraged to assess the control cost using a total cost of ownership (TCO) model. By implementing effectiveness measures risk owners are better informed around lifecycle costs of implementing controls versus potential loss. This can flow through to a relaxation or tightening of specific IT policies, standards and guidelines.

By using a robust actuary database an organisation can clearly articulate the value of existing controls such as firewalls, IPS, DR plans, anti-virus but can evaluate the risk of new projects and technology effectively rather than relying on guestimates or blank faces.

Let’s Ride! – Using a Strategy Map to Win.

How to Finish First

I have recently had the opportunity to spend some time observing and helping out with competitive cycling across all levels from club racing to the National Road Series to international level in Europe. One of the stark contrasts was that teams are divided into two types, the haves and the have-nots. Some teams are highly organized, highly motivated and have clear roles, responsibilities and a purpose. Other teams look lost and in a constant state of disorganization, are under resourced and as a result rarely win any races. It would appear they are just going through the motions, making up the numbers and seem increasingly reliant on luck and goodwill to get by. While funding is clearly a factor at the extremes having a lot or a little money doesn’t translate into either a have or have-not team.

What provides this translation and I am sure subsequently the difference between being able to attract an increment in funding (until a self feeding loop is essentially created) is the execution against strategy of the entire team. The teams that have a clear strategy and therefore everyone is pulling in the same direction reflects the higher level of organization. This carries into attracting funding through sponsors by understanding and creating alignment with the values of the organisations providing the financial backing irrespective of how large or small the investment. This strategy then flows through to individual roles and responsibilities right from the top from the sponsor objectives down to how races are won and lost. Nothing is left to chance; the riders have specific jobs (ride the race to the plan provided), while support staff looks after all the small details. Everyone is clear on what needs to be executed to reach the goal. Races executed well are won, be it club races right through to World Championships or Olympics.

When looking at IT Strategy you can see many similarities with cycling especially the translation between the have or have-not teams. While many have-not teams may start with large amounts of sponsor dollars quickly this money dries up as sponsors have decreasing faith in IT teams being able to deliver on what was promised. Many times the have-not teams are a result of a lack of strategy and therefore a lack of direction and understanding around what team members should be working towards. Where a strategy is present it is often disconnected from the sponsors objectives having being developed in isolation as part of a 3 or 5 year technology plan.

A good IT strategy should provide the translation between business strategy and technology. It should act as a ready guide to influence day to day decision making to confirm (or deny) the question of; are we heading in the right direction? For IT which can often have long lead times for supporting technology and requires investment decisions to be prioritized an aligned strategy provides an indication of what needs to be prepared ahead of time in order to support the business in it’s execution of it’s strategy.

While all of this is generally known and understood within the IT business the challenge comes down to providing the translation of the business strategy into day to day activity execution. Essentially how do you make the transition to wanting to win to actually standing on the top step of the podium? While the SABSA framework outlines the use of business attributes (and other architecture formats have an equivalent) many practitioners struggle with the initial bootstrapping effort required to present relevant attributes back to the business.

Navigating the Course

A solution may sit in the use of Strategy Maps. A Strategy Map outlines the salient objectives of the business strategy group into supportive dimensions. Each dimension relies on the foundations below to be in place to provide for execution of the strategy.

ExampleStrat

Once completed a Strategy Map provides a quick reference guide to support day-to-day decisions. The map can also be used for traceability to bootstrap business attributes as part of the opportunity to educate the business around requirements in order to reach each objective. An organization may choose to start with a single enterprise Map and then build sectional supporting Maps for each business unit objectives. Once the intial Maps have been produced referenced guides for IT staff can then be produced outlining each key type of stakeholder within the business and how to communicate with each stakeholder based on their unique strategic requirements.

From a day to day IT perspective a sectional Map can be produced that highlights the strategic IT objectives required to support the business in meeting the overall strategy. Feeding into existing architecture frameworks as an input the IT Strategy Map should then identify gaps in current technology, tools, templates and other supporting initiatives that will be required to support the business strategy. As part of this process gaps will be identified which left unfilled will prevent execution and duplication and conflicting priorities can be identified. This provides the IT business with the ability to proactively fill those gaps and resolve conflicts. An added benefit is that discussions can take place around investments in non strategic items or items that cannot show traceability back into an imperative contained within a Map dimension. Each dimension can then be used to develop a set of Key Performance Indicators (KPI) with a set of appropriate measures to monitor progress on a day to day basis towards the execution of the strategy.

Developing and using a Strategy Map establishes the opportunity to build out your sponsor’s objectives into a winning team.

Further Resources

HBR - http://hbr.org/2000/09/having-trouble-with-your-strategy-then-map-it/ar/1

Book - Strategy Maps: Converting Intangible Assets into Tangible Outcomes by Robert S. Kaplan and David P. Norton (Feb 2, 2004)

SABSA Attributes - http://www.sabsa-institute.org/the-sabsa-method/sabsa-attributes.aspx

Can You Manage Without Measures?

When looking at IT Strategy and Architecture it is very easy to become reactive. Each day the business throws up new challenges and directions often without consultation. From a security perspective the attackers always have the upper hand in knowing when and where they will attack while showing the business the value of proactive controls is difficult without hard data.


Crisis Management or Planned Chaos?

With the advent of Agile projects and an increased desire for operational efficiency it is easy to fall into a task focused responder role with strategy and architecture decisions becoming hastier or point in time. Exemptions are made on an ongoing basis for non strategy aligned projects because the business has progressed to a point that by the time the Architect discovers the project it is too late to align the solution towards the static strategy.

What are often intangible benefits make it hard to justify expenditure towards strategy and architecture especially when if both are done well then the worse case examples that would result in a loss will never be realized. Most organizations don’t have a strong actuarial database to record historic decisions and the financial impact over time. This makes showing how much an investment in a strategic direction has saved the business over time in productivity, availability, enablement or security. It also fails to record the impact of any losses due to oversight of project or delivered risks.

An increasing trend towards using risk based security for IT projects and the subjectivity around what is and is not a risky activity makes it easy for the organization to drift too far from each side of the threshold. On the one hand you typically have the project manager who is focused on delivering a project on time, on budget and (hopefully) within scope. On the other you have the security architect & risk adviser who is focused on what are often subjective measures of minimizing risk.

All of these influences combined with an “as a service” culture where the IT department looks to internal users & consumers as valued customers and are subsequently evaluated on providing excellent customer service the use of Key Performance Indicators (KPI) becomes increasingly important.

 

Real Time Data

When looking at how to measure IT strategy and architecture much can be learned from operations and even the sales department. There is little value in discovering that you have missed your measures at the year-end when performance evaluations are due and bonuses are being allocated. In the same way that the server team likes to know proactively that a server disk is about to fail or a sales manager doesn’t want to have to step in at the last week of the quarter to close some sales to hit the revenue targets. IT strategy and architecture measures need to flow through in real time or as near real time as possible.

Outliers or Black Swan events can tip the scales quickly and drastically in either direction. Finding out that a key project has significant unmitigated risks the day before go live (generally at the go live meeting with the executive team) can quickly result in poor KPI values with little opportunity to restore or direct a project in a more aligned direction.

As a result when looking at measures try and collect data in real time or as near real time as possible. Rather than relying solely on month, quarter, half year or full year values.

 

What to Measure

Determining what to measure will be different for each business. Each measure however needs to be traceable upwards to a strategic imperative and each strategy item should have at least one measure. The purpose of each measure should be questioned, along with whether the data is the best or most suitable source for collection. Measures should highlight gaps in execution of the strategy early enough to enable restoration but should also focus on areas that have a potential for overinvestment. Risk appetite measures should focus on aggregated and single events that would result in the business falling either outside of appetite or leaning too far inside resulting in the loss of opportunity as a result of risk aversion. Finally when looking at measures ensure that all organization dimensions are evaluated including people and culture to ensure both a short and long term view is obtained.

 

How to Measure

Use a combination of leading and lagging measures and automate collection where possible. Often portal or CRM types of technology can provide a good base of data collection, manipulation and presentation and should be accessible to most organizations. More sophisticated measuring software is available such as risk and service management software that can also be used if available. The key objective is to get the data sooner and with less effort.

Look towards how you can publish data internally and show trending towards targets. Building data over time can show progress and highlight value of strategy and architecture to the business. Additionally where numbers are lower than desired it clearly communicates to the team areas of focus and sets a clear expectation of desired performance with no year end surprises.

Importantly look for early warning indicators. Perform post mortems on good and bad projects where strategy and architecture worked well and not so well. Looking at root cause for both situations across a number of projects will highlight measures that should predict performance.

Be careful of overdoing measures; focus on key and significant measures rather than a vast quantity of less relevant information. Often near enough is close enough especially when looking at leading indicators. Having a full data set is valuable but consideration should be given to the subsequent delays of not being able to act until all information is on hand. Look towards using Time Based Activity Costing (TBAC) as a short cut for productivity measures and build data out over time to assist with future forecasting.

 

Tips

When looking toward leading measures balance the quality of data versus the time taken to collect. Work out what data can be simplified to provide a suitable but not necessary perfect measure.

Likewise be careful placing too much priority on certain measures over other measures. This can have undesirable results. For example a measure of how many times an Architect got a solution right the first time with no rework could result in much longer working times, longer than multiple iterations of the same solution as a result of rework.

Remember that remuneration dictates behavior. Tying measures to performance can result in employees trying to manipulate the values of measures. Not only will this hide the true data but can lead to short term decision making based on the focus on specific measures. Think carefully about what sort of behavior specific measures will dictate.

 

Further Resources

Kaplan & Norton – Using the Balanced Scorecard as a Strategic Management System

SABSA Lifecycle - http://www.sabsa.org/the-sabsa-method/sabsa-lifecycle.aspx