We Need to Create Information System Ratings
Toxic financial products prospered due to weaknesses in the regulation that was otherwise designed to limit risks, in particular Sarbanes Oxley and Bâle 2. While some people see the loopholes and already offer to write more regulations, the symptoms should be carefully isolated from the cause: it is less the lack of financial regulation than the lack of precision when measuring risks that should be blamed for the current situation.
New or modified regulations will not change anything. When an organization operates in a highly complex environment at a speed higher than its ability to measure the reality of its operations, a dire unbalance can emerge. This unbalance does not appear immediately; it emerges slowly and prospers with the organization. The higher the value created, the more intense the loss of control may become. During its inception, the unbalance is not visible enough to impact operations. However, the later it is discovered, the harder it is possible to initiate corrective actions. The collapse of the financial system is a perfect illustration of this phenomenon. The fundamental question is why an organization can loose the control of its operations so quickly and with such magnitude, undetected. The products’ sophistication and the ever-increasing speed of execution represent the ideal substrate for such crises. The opacity of these products indexed on the opacity of the information systems that support their operations makes it nearly impossible to evaluate and refine the risks with enough precision. Yet, today, hardly any action or decision is made without analyzing some data set. In addition, while information systems have automated nearly all business processes, most enterprises suffer from an inability to rapidly change these systems of record to meet changing business needs and respond to competitive pressures. Eventually, it leads to a situation where the systems of record do not reflect the state of the organization and, or, there is no shared understanding of the meaning of the state captured in the information systems.
The incidental complexity introduced by too many tactical fixes on a poorly architected infrastructure, combined with ongoing budget cuts has become toxic for IT itself. It has become impossible to upgrade or even retire applications and technologies, at best patches are applied on the premise they will fix major issues. Psychologically, one does not change what works, but most importantly, IT management never empowered its staff to perform any kind of in-depth renovation while projects are rarely scoped and staffed to achieve consistent visibility across operations. To be fair, over the last 15 years, ISVs have had difficulty to deliver stable infrastructure and packaged applications on which sustainable business solutions can be built. Software also gives a luring impression of eternity, unlike hardware which wears out or reaches some natural limits fairly obviously. We could expect new software vendors like Google and Amazon will avoid the mistakes of the past, for instance, by building upgradeable infrastructure software, but that’s not a given. Every organization is pretty much on its own when it comes to create transparent sustainable business solutions with enough efficiency and consistency.
The question becomes how can we increase the awareness of this situation? For the CIO, it is not easy to accept this reality. Too often, the Chief Information Officer has become the Chief Information System Officer. Then he or she resigned from this mundane role to focus exclusively on the company strategy. This shift has been widely supported by industry pundits and analysts who have often established a strategic link between business innovation and IT. Yet, in reality, IT is perceived as an inhibitor to innovation, precisely because CIOs content themselves on managing information systems and not information. CIOs should at least focus on reducing the opacity of information systems vis-à-vis the business. The mere alignment between the business and information would increase the ability to innovate while offering a better understanding of the risks involved in business operations, which is vital for our society. Ultimately, one must realize that human communities have become highly dependent on information systems and with them created such level of complexity that they will thrive or perish with or without them.
One of the best illustrations of this phenomenon is the Société Générale’s trader, Jerome Kerviel, who incurred a $7B loss because systems of record access controls were left open as IT had decided to not implement the reality of the business (in this case the difference between simulations and real transactions). Tragically, they were also unable to provide the visibility to correctly report on the risk that the bank was taking.
The CIO must return to his role of Chief Information Officer and once more focus on Information Technology; keeping the lights on the Systems of record is not going to be enough. The Enterprise must demand an IT at the service of the business. To achieve this transformation one must put the value of the technology and application portfolio at the center by enabling IT assets to align with business capabilities. Today, CIOs see IT as a set of applications and data stores operated and managed by technicians with little transparency to the business, except for analytic tools. CIOs, as they consciously shift towards a more strategic role, and away from technology, manage these systems as information controllers short of managing the value of their portfolio. What a paradox! The P&L of the CIO is not aligned with the function that he or she is looking to fulfill.
It is however possible to achieve this transformation with a methodology and new technologies developed on years of experience. Modern CIOs should rather focus on the management of core IT assets such as master data, business rules and business processes. Today these assets are all too often hard coded in information systems contributing to the level of opacity incompatible with the current need of the business both in terms of flexibility and visibility. For instance the market research company Forrester states: "Most enterprises still embed process, rules, and reporting in applications. In other words, process flows, rules, and analytics are hard-coded into individual applications. It's hard to even find these definitions when they're mixed in with other application code, and making changes requires lengthy QA procedures." (How The Convergence Of Business Rules, BPM, And BI Will Drive Business Optimization, Forrester Research, Inc., May 2008)"
These assets must be opened to and auditable by the business. Governance Policies that define the access rights, semantics and versioning rules for instance increase traceability and offer a solid foundation to understand the operational risks of the enterprise. How could we even fathom these operational risks when master data, business rules and business processes are hard coded (and hand coded) in the technical abysses of the Information Systems?
For executives, IT is a necessity, all too rarely a competitive advantage. CIO driven improvements are poorly rewarded: IT management is only chartered to reduce cost and keep the lights on. Executives seem content when IT costs less as long as the key operational metrics are green. Of course, the business is hurt by the lack of flexibility and visibility offered by IT, everyone is conscious of that, but with time, this seems to have become a fait accompli after trying so many promising technologies. Most organizations manage this painful situation day after day, until a major problem happens.
Paradoxically, most IT organizations are collecting, processing and reporting on orders of magnitude more information than in the past decades. Yet, today, an organization can reach a point of no return unbeknownst to its management, after which it would only collapse. In the last couple of years, major international corporations have shown this process can happen in 12 months or less starting from a “healthy” position, as some of them were unable to assert the risks they took and could not measure the sustainability of their business model due to a lack of visibility. Historically, investors have been able to rely on rating agencies but, today, these ratings have little or no value as they are often based on opaque information. In that respect, adding more control to support the ratings of the rating agencies would be useless. It is rather critical to offer true visibility into the company’s operation. The key here is to establish a ranking of the information systems themselves by defining a metric that expresses the confidence of an audit. This ranking would evaluate the enterprise on its ability to manage the value of its assets, i.e. how it manages Master Data, Business Rules and Business Processes.
Based on a high level of maturity, these tools and methods have already shown successes. Most importantly they do not require a big-bang approach, but progressive and planned change in compliance with risk management and supported by IT, Data and SOA Governance. Coupling these three repositories is decisive. Together they form the powerful concept called ACMS - Agility Chain Management System: no agile processes without agile rules, and no agile rules without a business management for reference and master data (Figure 1). Each of these three would support advanced governance functions including version management, rights management, traceability management and so on...
Figure 1. Agility Chain Management System
Let's consider an example: a business regulation, for instance Sarbanes Oxley or Solvency II, requires financial reports to be auditable. This means that the company must be able to display data and computation rules used to build reports and the proof the data and rules are the right ones. Commonly in this context the company may at best show auditors documentation on paper which obviously cannot be executed by IT systems. At worst, documentation for IT tools is obsolete and only specifications or, even worse, program codes are available to be analyzed by auditors. And because auditors are not IT technicians they won't be able to use these materials. This could be accepted in some cases but what if auditors insist? What if independent IT rating agencies appear to rate Information Systems by request of shareholders? The same auditors by accessing business rules and master data repositories could easily audit financial elements by scrutinizing rules and data usages. This would be possible because the repositories systems include business oriented UIs and not technically-only oriented ones.
These repositories can usually be deployed progressively. An enterprise starts modifications on legacy systems by moving out some business rules and by adding an MDM repository in front of legacy databases while wrapping the appropriate governance processing around them. Legacy databases are not touched in this phase. In less than a year benefits may be obtained from rules and master data repositories by the increase in traceability and agility. The business gets at last, access to information system's assets with a business point of view which cancels the common opacity lying between business and IT people. Commonly, and as an important target of the process, enterprises should also see an increase in the business knowledge both on business rules and reference data, thanks to the recognized modeling efforts and the documentation obtained from repositories. It is important to keep in mind that this documentation is directly executable by IT teams and systems: this is a guarantee for good alignment between business and programs and an increased auditability of systems, including answers to regulation requests.
After this first phase using methods and tools to control repositories and their adoption for integration with legacy systems, the next step is commonly a phased rebuild of all systems to get even more agility and to abandon obsolete platforms when useful.
In this phase, an information model must be designed to bring a detailed business view on data structures handled in legacy systems (Figure 2). This model must be based on a global organizational data scheme to encourage weak coupling between data aggregates which group data sharing a strong semantic cohesion. Some parts of the common model form the basis to build the repository for reference data, i.e. data shared between systems which are often the primary target for business auditors. To avoid the blank page syndrome we may choose an off-the-shelf data architecture model like the one published by MDM Alliance Group (MAG) which is focused on processes for reference data modeling.
Figure 2. Master Data Management
On the business rules side, some algorithmic parts must be extracted from existing code to be rewritten as rules in the BRMS. To replace the diverted code, a call to the rules engine is added. Business data routed by the call to the rules engine are formatted with respect to the Common Information Model introduced above. The BRMS and MDM system share the same data models which are independent from physical representations often heterogeneous and living in current systems. Rules discovery is not an easy task. It requires collaboration between business and IT teams. Together they analyze IT systems and discover or re-discover rules hidden inside (Figure 3).
Figure 3. ACMS in action
Governed Information Semantics and Systems Agility are once more IT’s major challenges as they have proven lately to have vital consequences. These challenges will only be addressed by a deep re-engineering – a recasting- of information systems following the principles of ACMS built on the foundation of a Service Oriented Architecture. The good news is that this work can be done in phases, adding value along the way. In particular, the key driving factors include operational visibility (and auditability) and value driven portfolio management. The progress made by any organization should be rated publicly to provide Senior Management and Shareholders with meaningful risk management metrics.
I REALLY hope policy-makers understand you!
I hope that the content, including the conclusions, can be simplified in a presentation format that members of Congress and Executive Branch staff can understand.
I think an 'IT Solution' to the 'Wall Street Problem' may be an easy sell in this administration....
Question and Answer
To me the answer is not in the models but in persons.
Could we change B.Gates or S.Jobs with model? Absolutelu NO. The problem is the awareness should be in the right hands. And only in small numbers of hands to be fast and effective.
Models in computers are only models. Models in brains -> doing the work.
Re: Question and Answer
Mish - club penguin
Re: Question and Answer
Re: Question and Answer
I am Pierre Bonnet, founder of the Sustainable IT Architecture. Since this article, our community has delivered many materials about Agility Chain Management System (ACMS) and the IS Rating Tool is now available, you can download it via this link:
Hope this is useful
Jon Whittle, John Hutchinson, Mark Rouncefield Oct 19, 2014
Shane Hastie Oct 17, 2014
Phil Brock & Rebecca Parsons Oct 16, 2014