Sometime at the beginning of the year, the Head of Infrastructure of a manufacturing company walks into the CIO’s office: “I just had Oracle on the phone. We have a problem”, he said. “Why is that?”, asks the CIO. “We need to get off that Version 11 Database. They are going to waive premium support and the security risk is no longer acceptable”. “Uh, ok… What does this really mean?”, asks the CIO looking puzzled. The head of infrastructure starts to explain: “The migration will have quite a few ripple effects, and the new version requires a newer server operating system. That means some of the older servers need to be replaced. I suspect that a large number of applications will be affected, and migration from the older ERP legacy systems will be tricky. I cannot promise that we will make it without any production downtime.” With a worried expression, the CIO mutters, “I wish you would have told me that before the budget planning two months ago…”
If you are researching how to do a technology risk assessment, this story is probably already familiar to you. Here are 6 steps to a complete technology risk assessment.
Step 1: Get a complete list of the applications you use
Hopefully, you have been documenting your applications over the past year. If not, I would suggest first reading our 9 Rules and Guidelines for Application Rationalization.
Without an overview of your current application landscape, it does not make sense to start a technology assessment. You wouldn’t start baking a cake without a list of ingredients, right? As a first step, you need to collect a list of all the applications you are currently using in your enterprise.
Step 2: Assess the software versions that are in use
The next step is to find out what software versions are being used.
As a best practice, we recommend using a technology stack to group your software. You can also tag your software (manually or using out-of-the-box LeanIX tags) so that you can reference it in the future. In our example, we have tagged the software via the Candidate, Leading, Exception, Sunset model.
Step 3: Assess servers and data centers in use
This next step is similar to the previous ones. Again, we recommend assigning a technology stack to each server and data center.
In this step, you should also verify the data. For example, you can check where your servers are located by using an IT component location report.
Step 4: How to link software and servers to applications
After collecting and verifying all of the data in the previous steps, it is important to create the links between software, servers, and applications. These links let you understand the dependencies between these objects later, and thus avoid situations like the one described at the start of this article.
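The linking described in Step 4, as an added example that is not LeanIX code or part of the original article: it walks the recorded dependency links to find every application that sits, directly or indirectly, on a component whose support ends before a planning date. All component names, dates, and the inventory layout are constructed assumptions.

```python
from datetime import date

# Constructed inventory: every name and date below is illustrative.
# end_of_support: date vendor support ends (None = no end announced).
# depends_on: direct links recorded in Step 4 (application -> software -> server).
INVENTORY = {
    "erp-legacy":    {"type": "application", "end_of_support": None, "depends_on": ["db-v11"]},
    "mes-reporting": {"type": "application", "end_of_support": None, "depends_on": ["erp-legacy"]},
    "crm":           {"type": "application", "end_of_support": None, "depends_on": ["db-v19"]},
    "db-v11":  {"type": "software", "end_of_support": date(2024, 6, 30), "depends_on": ["srv-old"]},
    "db-v19":  {"type": "software", "end_of_support": date(2029, 12, 31), "depends_on": ["srv-new"]},
    "srv-old": {"type": "server", "end_of_support": date(2023, 12, 31), "depends_on": []},
    "srv-new": {"type": "server", "end_of_support": date(2030, 1, 31), "depends_on": []},
}


def reachable(name, inventory, seen=None):
    """Return every component reachable from `name` via depends_on links.

    The `seen` set makes the walk safe on circular links; a link to a
    component missing from the inventory raises KeyError (a data gap to fix).
    """
    seen = set() if seen is None else seen
    for dep in inventory[name]["depends_on"]:
        if dep not in seen:
            seen.add(dep)
            reachable(dep, inventory, seen)
    return seen


def at_risk_applications(inventory, planning_date):
    """Map each application to the dependencies whose support ends by planning_date."""
    report = {}
    for name, item in inventory.items():
        if item["type"] != "application":
            continue
        expired = sorted(
            dep for dep in reachable(name, inventory)
            if inventory[dep]["end_of_support"] is not None
            and inventory[dep]["end_of_support"] <= planning_date
        )
        if expired:
            report[name] = expired
    return report


if __name__ == "__main__":
    for app, deps in at_risk_applications(INVENTORY, date(2025, 1, 1)).items():
        print(f"{app}: unsupported dependencies -> {', '.join(deps)}")
```

Note that mes-reporting is flagged even though it has no direct link to the database: it inherits the risk through erp-legacy, which is the ripple effect the opening story describes.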
Step 5: Find out how technology affects your business
You made it to the final step. Now it’s time to find out what technology risk actually means for your business and the benefits of assessing technology risk.
Benefits of technology risk assessments
There are various benefits to this. Amongst them are:
Find out what the best technologies are by assessing the functional fit of each IT component and the business criticality. This lets you opt for a standard across regions or offices, thus reducing redundant applications and/or technologies. For example, why would we use both Oracle and MySQL? We would be paying for both, when one of them could be suitable for the entire organization.
Reducing risks: What happens when we haven’t updated our software to the latest version? Or even worse, why are we using five different versions? This could be due to an underlying technology. Other applications dependent on an underlying application could eventually lead to a snowball effect of errors throughout the entire organization. It is crucial to identify and understand which underlying technologies exist, their lifecycles, and any software dependencies.
One of the topics that most companies battle with is standardization. When we do not have clear standards defined, things get chaotic fast. Once these standards have been defined, we must also make sure that they are being followed. Ideally, one should not have to go door to door assessing, for example, how well stakeholders are adhering to IT security standards. To address this, we recommend using surveys. You can either use a tool such as SurveyMonkey, or use the LeanIX Survey feature, which automatically imports all answers into the tool, ready for assessment.