IT Asset Portfolio Management is a practice focusing on all elements of IT portfolio managed in the context of a given enterprise. It considers 360 overview of all areas which influence IT Landscape:
- Compliance Regulations
- Company’s Strategy
- Company’s Structure
- Business Services / Products
- Business Capabilities
- Business Processes
- IT Strategy
- Enterprise Architecture
- IT Standards
- Policies
- Investments / Projects
- Human Capital
- IT Assets
- Risk Management
Value
IT APM discipline provides transparency and decision supporting model for:
- Cost optimization
- Risk management
- Investment decisions (business cases)
- Capacity management
- IT Service Management
- Process optimization
- Enabling business
- Mergers & Acquisitions
- Compliance management
How?
There are three key values that should guide you throughout implementation of and driving IT Asset Portfolio Management discipline:
Quality
Every action that you’re taking and planning in IT APM always must have clear resemblance in rate of quality. If you want to achieve 100% in every aspect and all areas then for sure it’ll require more investments than e.g. choosing only the most critical areas or setting up lower goal for some of the less important ones.
Example: Having top quality data, information and processes on managing servers or controlling compliance requirements will pay off; however, doing the same for vending machines in your locations might not.
Reality
Everything that you do must resemble reality. It’s nice to say that all systems must undergo Disaster Recovery exercise every six months; however, you need to investigate whether it makes sense. Usually only critical systems require such investments and less critical ones can use standard Disaster Recovery procedure.
Example: You have 1000 systems in your environment. 150 of them are critical for your operations. On average it takes 40 manhours to do a Disaster Recovery exercise (remember that there are multiple people involved, that’s why you need to include all of them in manhours estimation) which will consume 80 000 manhours during the year (1000 X 40 X twice a year). If you focus on only 150 of them then effort drops significantly to 6000 manhours a year (150 X 40 X twice a year). You can then use 74 000 manhours on various other activities which will bring your company additional value.
Practicality
Everything that you do must be practical. Always ask yourself the three basic questions:
- Why are we doing this?
- What decisions will be taken based on this?
- How are we going to do this?
You can expand it with additional questions:
- Who is going to do this?
- When we need to get this done?
- Where are we going to do this?
Answers to these will help you decide in the early stage whether something really needs to be done, and if yes, then how to do this in an optimal way.
Example: You must adhere to compliance regulations regarding GDPR (General Data Protection Regulation) in European Union. Let’s go through the questions:
- Why are we doing this?
- We’re processing data of European Union’s citizens, thus we must apply to the regulations to avoid potential penalties (fine framework can be up to 20 million euros, or in the case of an undertaking, up to 4 % of their total global turnover of the preceding fiscal year, whichever is higher).
- What decision will be taken based on this?
- If we process GDPR regulated data, we need to implement adequate processes in respective systems and processes, and create data privacy management process.
- If there is a data leak, we must act accordingly to the regulations to minimize the risk and avoid penalties.
- How are we going to do this?
- By identifying all systems and processes which handle GDPR regulated data.
- Who is going to do this?
- Compliance team can coordinate the task, but Application and Process Owners have the knowledge about what data is being processed.
- When we need to get this done?
- As soon as possible if we operate on EU market or when we enter it.
- Where are we going to do this?
- Whole enterprise must adhere, so we need to ask all Application and Process Owners.
- Only those who process GDPR regulated data will have further actions to act upon (there is no sense in applying policies and workflows for system which does not handle GDPR regulated data – it’s a waste).
