Wednesday, October 27, 2021

The Open Group marks 25 years of working together to make successful standards

Way back in 1996, when web browsing was novel and central processing still ruled the roost of enterprise IT, The Open Group was formed from the merger of the Open Software Foundation and X/Open.

This October marks the 25th anniversary of remarkable achievements in the technology standards arena by The Open Group. Beginning with a focus as the publisher of the single UNIX specification technical standard and steward of the UNIX trademark, the organization has grown to more than 850 members in over 50 countries -- and it leads the field and technology standard services, certifications, research, and training.

Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy.

Stay with us as BriefingsDirect explores how standards like UNIX and TOGAF evolved to transform business and society by impacting the world as a digital adoption wave swept over human affairs during the past quarter century.


Here to commemorate The Open Group’s achievements and reminisce about the game-changing, earth-shattering, and culture-evolving advances of standards-enabled IT, are Steve Nunn, Chief Executive Officer (CEO) at The Open Group; David Lounsbury, Chief Digital Officer (CDO) at The Open Group, and  Jim Hietala, Vice President Business Development and Security at The Open Group. The panel discussion is moderated by
Dana Gardner, Principal Analyst at Interarbor Solutions.

Here are some excerpts:

Gardner: Steve, even after 25 years of clearly breathtaking changes across the IT landscape, why is The Open Group’s original mission as salient as ever?

Nunn: In a nutshell, it’s because the world needs open standards. That has been our heritage -- open systems, open standards. We added conformance to open standards, importantly, along the way. And it’s never been more needed than it is now.

Nunn

When we began, there was a crying need for more choice among customers and more interoperability among different software applications. The main proprietary vendors just weren’t necessarily delivering that choice. So, it’s really because customers need standards.

You know, they help suppliers, too. They help all of us in our day-to-day lives. That’s why we’re still needed at 25 years on -- and we’re looking forward to a bright next 25 years.

Gardner: David, sometimes you have to pull people kicking and screaming into standards. It’s like what your mom told you about eating spinach. It’s for your own good, right?

Lounsbury: Right.

Gardner: But we couldn’t get to the current levels and breadth of technology use without them.

Meeting the need for standards

Lounsbury: That’s right. And, you know, Steve mentioned the need for standards -- and the technology does drive the standards. At the time when we were founded, there were relatively few CPU manufacturers, and now there has been an explosion in compute power and a radical fall in the cost of networking, and that’s led to lots of new ways of doing business. People are looking for guidance on how to do that, how to restructure their organizations, and on which technology platforms they need to use. That need is fueling a swing back to seeking new standards.

Gardner: Jim Hietala, with your focus on security, 25 years ago we couldn’t have imagined the things we’re facing around security today. But without people pulling together, we wouldn’t be able to buttress our supply chains. How has security in particular been enabled by standards?

Hietala: It’s interesting to look back at the past because in the world of security today you hear about two predominant themes. One is zero trust, and if you look back at some of the work the Jericho Forum was doing inside of The Open Group 10 to 12 years ago, those were the origins of what we’re calling zero trust in the security industry today.

Hietala

The whole notion of perimeter security was failing. We needed to move security controls closer to the data and to secure people’s access within what were previously considered secure networks. The Jericho Forum seeded that discussion a number of years ago.

The other big issue out there today is supply chain security, with some of the supply chain security attacks in the last 18 months. And here again an initiative inside of The Open Group that was formed some 10 years ago, the Open Trusted Technology Forum (OTTF), that was brought to us by the US government, was focused on addressing the security of the hardware and software for the components that go into the IT systems being procured.

And again, we’ve had some groundbreaking work inside of The Open Group on the topic of security that’s highly relevant today, even though the environment has changed tremendously in the last 25 years.

Gardner: Yes, as Steve mentioned, this is a long game. Sometimes it takes decades for the value of these efforts to become fully evident to all the players.

I’m old enough to remember there used to be quite a few UNIX® standards or variants. The process behind pulling them together for the benefit of everyone -- both the users and ultimately the vendors as well -- became a cookie cutter model for creating standards generally.

Steve, how did the evolution of UNIX standards in particular become opportunity to do much more?

Nunn: We converted what it meant to be a UNIX system, from being derived from a certain code base, to being based on a standard. The key is it wasn’t just one standard. It was a lot of standards. There were 1170 different specs that changed what it meant to be a UNIX system. It was then all about conformance with the standard and how the system operates in connection with the standard -- rather than derived from a particular code base.

It was gathering a set of standards together. Our history since then -- this idea of a standard of standards -- has evolved and developed to make standards approachable and useful for solving business problems.

Fundamentally, at The Open Group, all our work on standards starts with trying to solve a business problem. A set of standards makes solutions more applicable, more approachable, for implementation. And increasingly nowadays we add things like developing some code alongside it. That’s the essence of it. We were transforming the first kind of UNIX standard, the Spec-1170, set of standards.

Gardner: David, what a success UNIX has become since back when we thought this was going to be just a way for workstations to interoperate better on a network. It became the foundation for Linux, BSD, and for the MacOS. It went from workstations to servers and then dominated servers. It seems that there’s no better validation for the success and power of standards and what we’ve seen with UNIX over the past 25 years.

Lounsbury

Lounsbury: Yes, no question about it. I come from the minicomputer revolution, where I started in my career, and basically that whole industry got run out of business by UNIX systems. And now we have it, as you said, on our laptops. I’m running it on my laptop right now. It’s on all our smaller systems. Embedded processes all tend to run a variant of things that look like the UNIX standard.

If you have to create something quickly, and you want to create something that’s robust and will run predictably, you pick something that follows the UNIX standard.

Gardner: And how did you get people to rally to such standards? There’s more to this than technology. This is also about a culture of cooperation. There is a human behavioral aspect to it.

How has The Open Group been able to pull so many different threads together and repeat this? You’ve been doing this as well for TOGAF, with enterprise architecture, with Open Agile, ArchiMate, FACE, and reference architectures like IT4IT, among many others.

What is behind this ability to govern so many factions into a common goal?

Staying power of neutrality

Lounsbury: There are a couple of dimensions to it, and Steve’s already mentioned one of them. He talked about the end-customers. We recognized the value of neutrality -- not only neutrality of technology, but also the other dimension of neutrality, which is the balance between the buy-side and the supply-side.

There are many things called standards activities that are really altered to one side or the other. We found the balanced viewpoint: balanced across the technologies, balanced across the demand, which is the essential key to having stable buy-in. Now, of course, that must be built on rock-solid processes that respect all the parties, all the way through. And that’s how our formal governance comes in.

Nunn: That’s right, you’ve hit the nail on the head. The magic happens when the customers drive this. They have things that need to be achieved through standards.

The process has been essentially stable -- evolved slightly over the years -- but it's a tried-and-tested process; a consensus process of one company, one vote. It's allowed us to create trust.

The second point David made is key, too. The process has been essentially stable -- evolved slightly over the years -- but it’s a tried-and-tested process; a consensus process of one company, one vote. It’s allowed us to create trust.

That’s the word I want to want to bring out here: trust in the process, trust in the equity of the process; that all parties get to have their say. That has essentially stood us in good stead. We’ve been able to apply that process, and that same approach in governance, across many different industries and business programs.

Gardner: I suppose another key word here, Jim, is cooperation. Because while The Open Group is a steward and has been involved with governance, there’s a tremendous army of people who contribute the things that they have learned and know and then bring to all this.

How important has it been to encourage that level of cooperation? It’s astonishing how many people are involved with these standards.

Hietala: It’s critical to have that cooperation, and the work, frankly, from the members. The Open Group brings the staff who help initiate standards initiatives and run them per our processes and our governance in a fair, open, and transparent way.

But it’s the members who bring the subject matter expertise in whatever area we’re talking about. In the case of The Open Group FACE Consortium, it’s the defense contractors and government folks administering some of the programs who bring subject matter expertise that helps us produce business guides, procurement guides, and the standards themselves, as well as the reference software.

We have a saying that joining a standards effort such as The Open Group is like joining a gym. You have to not just get the membership -- you have to show up and do the work, too.

Lounsbury: Both of Steve and Jim mentioned confidence. I think that the confidence we project in the process, both the formal governance and the ability to bring people together, is the real differentiator of why The Open Group has stood the test of time.

We see many examples of groups that get together and say, “Well, why don’t we just get together and solve this problem?” And what we often find is that they don’t because they lack stability. They can’t project stability. They don’t have the endurance. The government is a good example of where they then come back to The Open Group and say, “Hey, can you help us make this a sustainable activity that will have the impact over time that we need?”

Gardner: Another key word here then is journey, because you never get to the destination, which is actually a good thing. You must be self-sustaining. It has to be ongoing, the peeling back of the onion, the solving of one problem that perhaps creates others: and then again and again.

Is that never-ending part of the standards process also a strength, Steve?

Nunn: Yes, because around the world the various industries we work with don’t stand still. There’s a new problem coming up every day, as you alluded to, Dana, that needs solving.

When a group gets together to solve an initial problem through a standard, there's much more. ...The problems don't stand still, and technology evolves the world. Disruptive events happen, and we need to adjust and update the standards accordingly.

When a group gets together to solve an initial problem through a standard, they realize there’s much more there. I can think some recent examples, such as the Open Subsurface Data Universe (OSDU) Forum, which is in the oil and gas industry. They originally got together to focus on subsurface issues. And now they’re realizing that that a standards approach can help them in many other areas of their business as well.

The problems don’t stand still, and technology evolves the world. Disruptive events happen, and we need to adjust and update the standards accordingly.

Gardner: Is there a pattern to the standards you’ve chosen to foster? You obviously have been very successful with enterprise architecture and TOGAF. You’ve gone to modeling, security, and reference architectures for how IT organizations operate.

What’s the common denominator? Why these particular standards? Is there an order to it? Is there a logic to it?

One success leads to another

Nunn: The common denominator is something mentioned earlier, which is a business need. Is there a business problem to be solved, whatever industry that might be?

Over the years, The Open Group can trace one activity where a group of companies got together to solve a business problem and then it led to several other forums. The example we usually use is The Open Group Future Airborne Capability Environment (FACE) Consortium in federal avionics. They recently celebrated their 10th anniversary.

That effort led directly to work in the sensor architecture space, and strangely led to our Open Process Automation Forum. Members saw the great work that was being done in the FACE Consortium, in terms of a modular method that creates an architected approach. The past saw a situation where one aircraft, for example, is funded completely separately, with no reuse of technology or parts, and where everything was done from scratch with one prime contractor and subs.

And we had some other members fortunately who saw from the oil industry how a set of industry standards had emerged. They said, “We have the same issues in our industries. We want a standardized approach, too.”

As a result, the Open Process Automation Forum is doing great work, transforming the way that systems are procured.

These successes form a traceable connection between an industry that has a problem to solve and the established best ways of doing it. They come together and work on it as an industry, and through tried-and-trusted processes, rather than trying to beat each other in the marketplace to the first magic solution.

Gardner: Jim, it sounds like the need for a standard almost presents itself to you. Is that fair?

Hietala: As an outsider, you might say, “What in the world do control systems users have in common with the military avionics industry?” But the takeaway is with each iteration of this new standards initiative our staff learned better how to support the formation and operation of a set of best practices around an operating standards initiative. The members learn as well. So, you had folks from Exxon Mobil at a conference speaking about how they transformed their industry, and the light bulb went off. Others brought the idea back from the oil and gas industry.

Then we at The Open Group helped them identify similar uses in some other industries: metals and mining, pulp and paper, utilities, water utilities, and pharmaceuticals – they all use the same set of control system equipment. They all had similar problems until we were able to bring it into a standards initiative. And once you have that sort of support behind an initiative, the suppliers don’t have a choice but to pay attention, get involved, and help drive the initiative themselves.

Gardner: David, it’s clear that just presenting a standard isn’t the only factor for success. You must support it with certifications, additional research, events, and forums that continuously bring people together in an atmosphere for collaboration and ongoing training. You’ve not only broadened the scope of what The Open Group does in terms of the standards, but also a wider set of functions that augment and support those standards.

Lounsbury: That’s right. Both Jim and Steve mentioned the process of discovery by the members, or by potential members, and the value of standards. That’s a critical component because the natural instinct is for people to go off and try to solve things on their own, or to get a magic bullet competitively.

The art of what we do is help members understand that only through collective action, only through wide agreement, is there going to be a sufficient response to solve the business problem.

But part of the art of what we do is help members understand that only through collective action, only through a wide agreement, is there going to be a sufficient response to solve the business problem and provide a center of gravity for the vendors to invest in building the systems that embrace and employ the standards.

And so, a part of building that continuing confidence is knowing that there will be trained people who know how to use the standard effectively. There will be systems that conform to the standard, and you can get together with peers in your industry to find out about what’s going on at the cutting edge of technology.

And, frankly, even the social networking, just meeting people face to face builds confidence that everybody is working toward the common objective. All of these things are critical supporting pieces that give people confidence to invest in solutions and the confidence to specify that when they purchase.

Gardner: It seems like a big part of the secret sauce here is mutual assured success for as many of the people in the ecosystem -- on all sides of the equation -- as possible. It sounds simple, but it’s really hard to do.

Nunn: It is, Dana. And you need champions, the people who are passionate about it in their own organizations.  


For me, the single biggest differentiator and reason for The Open Group’s success so far is that we have a very respected set of certification programs and processes. The importance of certification is that it gives standards some teeth. It gives them meaning. We’re not just publishing standards for the sake of it, and nobody uses them. They’re being used by trained people. There might also be certified products out there, too.

Certification helps turn it into an ecosystem, and that in turn gets people more engaged and seeking to evolve it and be part of the movement. Certification is key because of the teeth that it gives the standards.

Gardner: Well, the custom is when we have an anniversary to do toasts. Usually, toasts are anecdotal or remembrances. Are there any such moments in hindsight that ended up being formative and important over the past 25 years?

Cheers to 25 years of highlights

Nunn: For years, we had heard that UNIX was going away, that it’s not relevant anymore. I think the work we’ve done has proven that’s not the case.

Another highlight or breakthrough moment was when we got our TOGAF practitioner certification program up and running. That spread around the world to a large number of individuals who are certified and who are promoting the value of the standard itself.

We’ve created a community over the years, even though that community is harder to bring together right now in the pandemic days. But certainly, for the vast majority of our history, we have brought people together; these people are familiar with each other, and new people come in.

The face-to-face element is special. Somebody recently made a great point about the effect of the pandemic. And the point was that you need the personal interactions in developing standards. Standards are about contributing intellectual property, but also about compromise. It’s about discussing what’s best for the relevant industry. And that’s hard to achieve in a virtual world.

You need the dinners, the beers, whatever it might be to build the social networking and up the trust for the individuals in these situations who are often from competing companies. The way that we have encouraged the community and built up what we’ve often called “The Open Group family” over the years is a key factor for us.

Gardner: David, what are some anecdotes that come to mind that highlight the first 25 years?

Lounsbury: I’m going to pick up on Steve’s theme of face-to-face meetings. One that stands out in my mind was the first face-to-face FACE Consortium meeting, which was at a vendor building on the National Mall in Washington, DC.

And, I’ll be honest, there was a ton of skepticism, both from the government agencies and from some of the larger vendors, that this could ever possibly come together. And because we got the people together and we had a few enthusiastic champions -- not necessarily the people who started things out -- but the people who saw the value of cooperative industry engagement -- we got it together. And 60 companies walked out of that room saying, “Yeah, this might actually work.” And from then on -- that was over 10 years ago -- it changed the way avionics are produced. And now it has inspired changes in other industry verticals as well.

Because we got people together and we had a few enthusiastic champions we got it together. What we sometimes call The Open Group Way differentiates how we create standards. It has inspired changes in other industries as well.

So, what we sometimes call The Open Group Way differentiates how we create standards from what had gone on in other standards activities that they had been engaged in.

Gardner: Jim, what’s your toast to the past quarter-century?

Hietala: At little bit higher level, I point to the fact that The Open Group has grown to more than 850 member organizations from dozens of countries. The specific things that resonate with me and made an impact over the years are engaging with all those members from the many different countries and nationalities at events we’ve held.

That and to getting to over 120,000 TOGAF-certified people, which is a huge milestone and was definitely not an overnight success. TOGAF was tens of years in the making, so those to me are indicative of where we’ve come in 25 years.

Gardner: It seems that the Tower of Babel isn’t particularly high when it comes to information technology (IT). The technology is a common denominator that cuts across cultures and boundaries. There really is a common world stage for IT.

IT – The universal language

Hietala: I think that’s true. There’s probably work that goes on inside of standards organizations like The Open Group, that isn’t necessarily seen, that enables that. There’s a fair amount of work translating the products of The Open Group into various native languages, such as Brazilian Portuguese, French, or Spanish, or Chinese. Those often happen at the ground level by volunteers, typically from the countries that want to enable adoption of what they see as a highly valuable standard.

Lounsbury: The profusion of technology you mentioned has driven a fundamental change in the way people run their businesses. And The Open Group is very much at the forefront of thinking about how that’s best going to happen.

What does it mean to architect your business going forward when you have all of these new management techniques, all of this new technology that’s available at very low cost causing these fundamental shifts in how you interact with your customers and in your ecosystem? That’s currently on the forefront of the minds of many of the groups working inside The Open Group.

We all know there’s a new management book a day nowadays. That’s why there’s a growing demand for stability of guidance in this world. How to do these new digital ways of working? We look to standards bodies to come out with that guidance. Our members are working on it.

Gardner: I suppose the past is prologue. And back when I first got involved with enterprise IT in the late 1980s, this type of technology transformation was still fringe in business. But it’s become more than mainstream, it’s become dominant.

We talk about digital transformation. We could probably just drop digital, now it’s transformation, period. Given the depth, breadth, and importance of IT to business and society -- where do we go from here?

How do you take the success you’ve had for the past 25 years and extend that to an even grander stage?

Standards provide frame for future transformation

Nunn: As Dave said, organizations have to transform. They’re looking for structure. They’re looking for tools that help go through this transformation. It can’t happen soon enough. The pandemic has been an accelerator.

But they need a framework, and standards provide that framework. That doesn’t mean exactly the same approach for all standards. But I don’t think we need to fundamentally change the way standards are built.

We’ve talked about our legacy of trust and the tried-and-tested. We need to evolve how things are done as we go forward, to fit with the speed with which transformation needs to occur and the demands that individual organizations in their industries have.

But we definitely now have a very solid bedrock for evolving, and the transformation aspect of it is key because people see standards as helping them transform. Standards give them something to work with when so much all around is changing.

Gardner: Jim, how do you take the success you’ve had with digital standards and expand the use of the methodologies?

Hietala: We’ve seen that the practices, business model, and the approach to taking a big industry problem and solving it through the development of standards has been proven to work. Companies in need of those standards efforts are comfortable looking at The Open Group and saying, “You’re an honest broker to be in the middle of this and make something happen.”

For example, a member from our OSDU Forum looked at what was happening there and saw a similar need inside of his company. It happened to be in the energy industry, but he saw a problem around how to measure and manage their carbon footprint. They examined the approach used in the OSDU and said, “That’s what we need over here to determine what our carbon footprint is.”

Taking a big industry problem and solving it through the development of standards has been proven to work. Companies in need of those standards efforts are comfortable looking to The Open Group.

And what they found quickly in looking at that customer need was that that’s a universal need. It’s certainly not just an energy industry issue. Cement companies, large auto manufacturers, and many others all have that same need. They would all be well served by having a standard effort that produces not just standards but a reference software platform that they could build from that helps them measure and manage any carbon footprint. The approach has evolved a bit. We’re able to support now open-source initiatives alongside of standards initiatives. But fundamentally our consensus-oriented standard process has not changed.

And that’s the way we build these initiatives, rally industry support, and take them from looking at the customer business problem to producing standards and business guides. The way we address the issues hasn’t changed.

Gardner: David, if you can apply the lessons learned at The Open Group to even more challenging and impactful problems, that sounds worth doing. Is that part of your next 25 years?

Lounsbury: Yes, it certainly is. There’s a couple of dimensions to it. There’s the scale in number of people who are engaged. And we’ve given plenty of examples of how we went from a core standard like UNIX or IT4IT or TOGAF and applied those same proven techniques to things such as how you do avionics, which led to how to do process control systems, which led to how to do subsurface data. That has all led to a tremendous expansion in the number of organizations and people who are engaged with The Open Group.

The other dimension of scale is speed. And that is something where we need to keep our standards up to date, and that has evolved. For example, we’ve restructured our architecture portfolio to have more modular content. That’s something we’re going to be looking at across all of our core standards, including how we link them together and how we make them more cohesive.

We’re looking at reducing the friction in keeping standards up to date and improving the pace so they’re competitive with those one-off, two-people-writing-a-book kinds of guidance that characterizes our industry right now.

Gardner: For those who have been listening and are now interested in taking an active role in open standards, where can they go? Also, what’s coming next, Steve?

Nunn: Yes, we’ll have some anniversary celebrations. We have a great event in October. We’re doing a moving global event over a 24-hour period. So, a few hours hosted in each of several locations around the world where we have offices and staff and significant membership.

We also have an ever-growing number of active meetings in our groups. Most of them, because of the pandemic, have been virtual recently. But we’re starting to see, as I mentioned earlier, the eagerness for people to get together face-to-face again when, of course, it’s safe to do so and people feel comfortable to do so.

And we’ll be looking at not just what we’ve achieved but also looking at how we make the next steps. A big part of that relates to the work we’ve done with governments around the world. A good example is the government of India, which recently published a standard called IndEA, based on our TOGAF Enterprise Architecture standard.

It’s being used to fundamentally transform government services, not just in the national government of India, but in various states there. And then other countries are looking at that work. We also have work going on with the International Telecommunication Union (ITU) in healthcare and digital services for citizens.


We’re doing a lot of work with governments to make a real difference to people’s lives as citizens, in countries that may need to catch up with some of the more developed countries. They’re using our standards and the work groups we’ve put together to get up to speed.

For me, that’s an exciting part of our future: The difference we can make in people’s daily lives.

Gardner: And, of course, a lot of this information is on your website, www.opengroup.org. Any other resources that people should be aware of?

Lounsbury: Yes, all our standards are free to download from our library on our website. You can obviously find how to register for events on the website, too. At the Forum level, there’s good information about each Forum that we’ve been working on. There’s always a contact form associated with each of the Forum webpages so you can leave your details and someone from our team will get in touch and tell you how to get involved.

Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy. Sponsor: The Open Group.

You may also be interested in:

Tuesday, October 26, 2021

Now’s the time for more industries to adopt a culture of operational resilience


I
n the last
BriefingsDirect sustainable business innovation discussion, we explored how operational resiliency has become a top priority in the increasingly interconnected financial services sector.

We now expand our focus to explore the best ways to anticipate, plan for, and swiftly implement the means for nearly any business to avoid disruption.

New techniques allow for rapid responses to many of the most pressing threats. By predefining root causes and implementing advance responses, many businesses can create a culture of safer and sustained operations.

Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy.

To learn more about the many ways that businesses can reach a high level of assured business availability despite persistent threats, please welcome Steve Yon, Executive Director of the EY ServiceNow Practice, and Andrew Zarenski, Senior Manager and ServiceNow Innovation Leader at EY. The discussion is moderated by Dana Gardner, Principal Analyst at Interarbor Solution.

Here are some excerpts:

Gardner: Steve, our last chat explored how financial firms are adjusting to heightened threats and increased regulation by implementing operational resiliency plans and platforms. But with so many industries disrupted these days in so many ways, is there a need for a broader adoption of operational resiliency best practices?

Yon: Yes, Dana. Just as we discussed, the pandemic has widened people’s eyes -- not only in financial services but across other industries. And now, with hurricane season and those impacts, we’re continuing to see strong interest to improve operational resiliency capabilities within many firms. Being able to continuously serve clients is how the world works – and it’s not just about technology.

Gardner: What has EY done specifically to make operational resiliency a horizontal capability, if you will, that isn’t specific to any vertical industry?

Resilience solutions for all sectors

Yon: The platform we built the solution on is an integration and automation platform. We set it up in anticipation of, and with the full knowledge that it’s going to become a horizontal capability.

Yon
When you think about resiliency and doing work in operational models, it’s a verb-based system, right? How are you going to do it? How are you going to serve? How are you going to manage? How are you going to change, modify, and adjust to immediate recovery? All of those verbs are what make resiliency happen.

What differentiates one business sector from another aren’t those verbs. Those are immutable. It’s the nouns that change from sector to sector. So, focusing on all the same verbs, that same perspective we looked at within financial services, is equally as integratable when you think about telecommunications or power.

With financial services, the nouns might be things around trading and how you keep that capability always moving. Or payments. How do I keep those seems going? In an energy context, the nouns would be more about power distribution, capacity, and things like that.

With our solutions we want to ensure that you don’t close any doors by creating stove pipes -- because the nature of the interconnectedness of the world is not one of stove pipes. It’s one of huge cross-integration and horizontal integration. And when information and knowledge are set up in a system designed appropriately, it benefits whichever firm or whatever sector you’re in.

Gardner: You’ve created your platform and solution for complex, global companies. But does this operational resiliency capability also scale down? Should small- to medium-size businesses (SMBs) be thinking about this as well?

Yon: Yes. Any firm that cares about being able to operate in the event of potential disruptions, if that’s something meaningful to them, especially in the more highly regulated industries, then the expectation of resiliency needs to be there.

How to Build Resiliency into Operations

We’re seeing resiliency in the top five concerns for board-level folks. They need a solution that can scale up and down. You cannot take a science fair project and impact an industry nor provide value in the quick way these firms are looking for.

The idea is to be able to try it out and experiment. And when they figure out exactly how to calibrate the solution for their culture and level of complexity, then they can rinse, repeat, and replicate to scale it out. Your comment on being able to start small and grow large is absolutely true. It’s a guiding principle in any operational resiliency solution.

Gardner: It sounds like there are multiple adoption vectors, too. You might have a risk officer maturity level, or you might just have a new regulatory hurdle and that’s your on-ramp.

Are there a variety of different personas within organizations that should be thinking about how to begin that crawl, walk, run adoption for business continuity?

Yon: Yes. We think a proper solution should be persona-based. Am I talking to someone with responsibilities with risk, resilience, and compliance? Or am I talking to someone at the board level? Am I talking to a business service owner?

And the solution should also be inclusive of all the people who are remediating the problems on the operational side, and so unifying that entire perspective. That’s irrespective of how your firm may work. It focuses broadly on aligning the people who need to build things at the top level, to understanding the customer experience perspective, and to know what’s going on and how things are being remediated. Unifying with those operational folks is exceptionally important.

The capability to customize a view, if you will, for each of those personas -- irrespective of their titles – in a standard way so they are all able to view, monitor, and manage a disruption, or an avoidance of a disruption, is critical.

Gardner: Because the solution is built on a process and workflow platform, ServiceNow, which is highly integratable, it sounds like you can bring in third parties specific to many industries. How well does this solution augment an existing ecosystem of partners?

Yon: ServiceNow is a market-ubiquitous capability. When you look under the hood of most firms, you’ll find a workflow process capability there. With that comes the connectivity and framework by which you can have transparency into all the assets and actors.

ServiceNow is a market-ubiquitous capability. When you look under the hood of most firms, you'll find a workflow process capability there. With that comes the connectivity and framework to gain transparency into all the assets and actors.

What better platform to then develop a synthesis view of, “Hey, here’s where I’m now detecting the signal that could be something that’s a disruption”? That then allows you to be able to automatically light up a business continuity plan (BCP) and put it into action before a problem actually occurs.

We integrate not only with ServiceNow, but with any other system that can throw a signal -- whether it’s a facilities-based system, order management system, or a human resources system. That includes anything a firm defines as a critical business service, and all the actors and assets that participate in it, along with what state they need for it to be considered valid.

All of that needs to be ingested and synthesized to determine if there’s an issue that needs to be monitored and then a failover plan enacted.

Gardner: Andrew, please tell us about the core EY ServiceNow alliance operational resilience offering.

Detect disruptions with data

Zarenski
Zarenski: Corporations already have so many mitigation policies in place that understanding and responding to disruptions in real time is obviously essential. Everyone likes to think about the use case of plugging cybersecurity holes as soon as possible to prevent hackers from taking advantage of an exploit. That’s a relatively easy, relatable scenario. But think about a physical office service. For example, an elevator goes down that then prevents your employees from getting to their desks or people in a financial firm getting to their trading floor.

Understanding that disruption is just as important as understanding a cybersecurity threat or if someone has compromised one of your systems or processes. Detection today is generally harder than it’s been in the past because corporations’ physical and logical assets are so fragmented. They’re hard to track in that or any building.

Steve alluded to how service mapping, to understand what assets support services, is incredibly difficult. Detection has become very complicated, and the older ways of picking up the phone just isn’t enough because most corporations don’t know what the office is supporting. Having that concrete business service map and understanding that logical mapping of assets to services makes a solution such as this help our operators or chief risk officers (CROs) able to respond in near real time, which is the new industry standard.

Gardner: So, on one hand, it’s more difficult than ever. But the good news is that nowadays there’s so much more data available. There’s telemetry, edge computing, and sensors. So, while we have a tougher challenge to detect disruptions, we’re also getting some help from the technology side.

Zarenski: Yes, absolutely. And everyone thinks of this generally as just a technology exercise, but there’s so much more to it than the tech. There is the process. The key to enterprise resiliency is understanding what the services are both internally to employees as well as externally to the customers.

We find that most of our clients are just beginning to head down the journey of what we call business service mapping to identify and understand the critical services ahead of time. What are my five critical services? How can I build up those maps to show the quick wins and understand how can I be resilient today? How can I understand those sensors? What are the networks? What objects let me understand what a disruption is and have a dashboard show services that flip from green to red or yellow when something goes wrong?

There's so much signal out there to let you know what's going on. But to be bale to cut through and synthesize those material aspects of what's truly important is what makes this solution fit for duty and usable. And it does not take a lot of time to get done.

Yon: And, Dana, there’s so much signal out there to let you know what’s going on. But to be able to cut through and synthesize those material aspects of what’s truly important is what makes this solution fit for duty and usable. It’s not a big processing sync and does not take a lot of time to get done.

A business needs to know what to focus on, from what you imprint the system with to how you define your service map and how you calibrate what the signals represent. Those have to be the minimal number of things you want to ingest and synthesize to provide good, fast telemetry.  That’s where the value comes from, knowing how to define it best so the system works in a very fast and efficient way.

Gardner: Clearly, operational resiliency is not something you just buy in a box and deploy. There’s technology, business service mapping, and there’s also culture. Do you put in the technology and processes and then hope you develop a culture of resiliency? Or do you try to instill a culture of resiliency and then put in the ingredients? What’s the synergy between them?

Cultural shift from reactivity

Zarenski: There is synergy, for sure. Obviously, every corporation wants to have a culture of resilience. But at the same time, it’s hard to get there without the enabling technology. If you think about the solution that we at EY have developed, it takes resiliency beyond being just a reactive solution.

How to Build Resiliency into Operations

It’s easy for a corporation to understand the need for having a BCP or disaster recovery plan in place. That’s generally the first line of enabling a resilient culture. But bringing in another layer of technology that enables investment in the things that are listening for disruption? That is the next layer.

If you look at financial institutions, they all have different tools and processes that look at things like trade execution volume, and so forth. One person may have a system looking to see if trade execution volume has a significant blip and can then compare that to prior history. But to understand if that dip means something is wrong is not an easy process. Using EY’s operational resilience tool helps understand the patterns, catalog the patterns, and brings in technology that ultimately further enables that culture of resilience.

Yon: Yes, you want to know if something like that blip happens naturally or not. I liken this back to the days when we went through the evolution from quality control (QC)-oriented thinking to quality assurance (QA)-oriented thinking. QC lets you test stuff out, and lets you know what to do in the event of a failure. That’s what a BCP plan is all about -- when something happens, you pick up and follow the playbook. And there you go.

QA, which went through some significant headwinds, is about embedding that thought process into the very fabric of your planning and the design to enable the outcomes you really want. If there is QA, you can avoid disruptions.

And that’s exactly the same perspective we’re applying here. Let’s think about how continuity management and the BCP are put together. Yes, they exist, but you know what when you’re using them? You’re down. Value destruction is actually occurring.

So, think about this culture of resilience as analogous to the evolution to QA, which is, “Be more predictive and know what I’m going to be dealing with.” That is better than, “Test it out and know how to respond later.” I can actually get a heck of a lot better value and keep myself off the front page of the newspaper if I am more thoughtful in the first place.

That also goes back to the earlier point of how to accelerate time to value. That’s why Andrew was asking, “Hey, what are your five critical business services?” This is where we start off. Let’s pick one and find a way to make it work and get lasting value from that.

The best way to get people to change is quickly use data and show an outcome. That’s difficult to disagree with.

Gardner: Andrew, what are the key attributes of the EY ServiceNow resilience solution that helps get organizations past firefighting mode and more into a forward-looking, intelligent, and resilient culture?

React, respond, and reduce risk

Zarenski: The key is preventative and proactive decision support. Now, if you think about what preventative decision support means, the capability lets you build in thresholds for when a service maybe approaching a lag in its operational resilience. For example, server capacity may be decreasing for a web site that delivers an essential business service to external customers. As that capacity decreases, the service would begin to flash yellow as it approaches a service threshold. Therefore, someone can be intelligent and quickly do something about it.

But you can do that for virtually any service by setting policies in the database layer to understand what the specific thresholds are. Secondly, broad transparency and visibility is very important.

We’re expanding the usefulness of data for the chief risk officer (CRO). They can log into the dashboard two or three times a day, look at their 10 or 15 critical business services, and all the subservices that support them, and understand the health of each one individually. In an ideal situation, they log in in the morning and see everything as green, then they log in at lunchtime, and see half the stuff as yellow. Then they are going to go do something about it. But they don’t need to drill into the data to understand that something is wrong, they can simply see the service, see the approaching threshold, and – boom – they call the service owner and make sure they take care of it.

Yon: By the way, Andrew, they can also just pick up their phone if they get a pushed notification that’s something’s askew, too.

Zarenski: Yes, exactly. The major incident response is built into the backend. Of course, we’re proactively allowing the CROs and services owners to understand that something’s gone wrong. Then, by very simply drilling into that alert, they will understand immediately which assets are broken, know the 10 people responsible for those assets, and immediately get them on the phone. Or they can set up a group chat, get them paged, and any number of ways to get the problem taken care of.

The key is offering not just the visibility into what's gone wrong, but also the ability to react, respond, and have full traceability behind that response -- all in one platform. That really differentiates that solution from what else is in the market.

The key is offering not just the visibility into what’s gone wrong, but also the ability to react, respond, and have full traceability behind that response -- all in one platform. That really differentiates the solution from what else is in the market.

Gardner: It sounds like one of the key attributes is the user experience and interfaces that rapidly broaden the number of appropriate people and to get them involved.

Zarenski: You’re spot on. Another extremely important part is the direct log and record of what people did to help fix the problem. Regulations require recording what the disruption was, but also recording every single step and every person who interacted with the disruption. That can then be reported on in the future should they want to learn from it or should regulators and auditors come in. This solution provides that capability all in one place.

Yon: Such post-disruption forensics are very important for a lot of reasons.

Zarenski: Yes, exactly. A regulator will be able to look back and ask the question, “Did this firm act reasonably with respect to its responsibility?”

Easy question, but tough to answer. You would need to go back and recreate your version of what the truth was. This traps the truth. It traps the sequence, and it makes the forensics on answering that question very simple.

Gardner: While we’re talking about the payoffs when you do operational resiliency correctly, what else do you get?

Yon: I’ll give you a couple. One is we don’t have to get a 3 am phone call because something has broken because someone is already working on the issue.

Another benefit impacts the “pull-the-plug test,” where once a year or two we hold our breath to determine if our BCP plans are working and that we can recover. In that test, a long weekend is consumed with a Friday night fault or disconnection of something. And then we monitor the recovery and hope everything goes back to normal so we can resume business on the following Tuesday.

How to Build Resiliency into Operations

When we already understand what the critical business services are, we can quickly hone down essential causes and responses. When service orientation took hold, people bragged about how many services they had, perhaps as many as 900 services. Wow, that seems like a lot.

But are they all critical? Well, no, right? This solution allows you to materially keep what’s important in front of you so you can save money by not needing to drive the same level of focus across too wide of a beachfront.

Secondly, rather than force a test fault and pray, you can do simulations and tests in real time. “Do I think my resiliency strategy is working? Do I believe my resiliency machinery is fit for duty?” Well, now you can prove it, saying, “I know it is because I test this thing every quarter.”

You can frequently simulate all the different pieces, driving up the confidence with regulators, your leadership, and the auditors. That takes the nightmare out of your systems. These are but some of the other ancillary benefits that you get. They may seem intangible, but they’re very real. You can clean out unnecessary spend as well as unnecessary brand-impacting issues with the very people you need to prove your abilities to.

Gardner: Andrew, any other inputs on the different types of value you get when you do operational resiliency right?

Zarenski: If you do this right and set up your service mapping infrastructure correctly, we’ve had clients use this to do comparisons for how they might want to change their infrastructure. Having fully mapped out a digital twin of your business provides many more productivity and efficiency capabilities. That’s a prime example.

Gardner: Well, this year we’ve had many instances of how things can go very wrong -- from wildfires to floods, hurricanes, and problems with electric grids. As a timely use case, how would an organization in the throes of a natural disaster make use of this soluiton?

Prevent a data deep freeze

Zarenski: This specific use case stemmed from the deep freeze last winter in Dallas. It provides a real-life example. The same conditions can be translated over to hurricanes. Before the deep freeze hit back in the winter, we were adjusting signals from NOAA into the EY operational resiliency platform to understand and anticipate anomalies in temperatures in places that normally don’t see them.

We were able to run simulations in our platform for how some Dallas data centers were going to be hit by the deep freeze and how the power grid would be impacted. We could see every single physical asset being supported by that power grid and therefore understand how it might impact the business operations around the world.

There may be a server there that, in turn, supports servers in Hong Kong. Knowing that, we were able to prepare teams for a failover preemptively over to a data center in Chicago. That’s one example of how we can adjust data from multiple sources, tie that data to what the disruption may be, and be proactive about the response -- before that impact actually occurs.

Gardner: How broadly can these types of benefits go? What industries after power and energy should be considering these capabilities?

Yon: The most relevant ones are the regulated industries. So, finance, power, utilities, gas, and telecom. Those are the obvious ones. But other businesses need to ensure their firm is operational irrespective of whether it’s a regulatory expectation. The horizontal integration to offset disruption is still going to be important.

We’re also seeing interdependency across business sectors. So, talking to telecom, they’re like, “Yup, we need to be able to provide service. I want to be able to let people know when the service is going to go up when our power is down. But I have no visibility into what’s going on there.” So, sometimes the interdependencies cross sectors, cross industries and those are the things that are now starting to highlight.

Understanding where those dependencies on other industries are, can allow you to make better decisions on how you want to position yourself for what might be happening upstream so you can protect your downstream operations and clients.

It’s fascinating when we talk now about how each industry can gain transparency into the others, because there are clear interdependencies. Once that visibility happens, you’ll start to see firms and their ecosystem of suppliers leverage that transparency to their mutual benefit to reduce the impacts and the value disruption that may happen anywhere upstream.

Gardner: Andrew, how are organizations adopting this? Is it on a crawl-walk-run basis?

Map your service terrain

Zarenski: It all starts with identifying your critical services. And while that may seem simple at face value, it’s, in fact, not. By having such broad exposure in so many industries, we’ve developed initial service maps for what a financial institution is, or what an insurance institution looks like.

That head-start helps our clients gain a baseline to define their organizations from a service infrastructure standpoint. Once they have a baseline template, then they can map physical assets, along with the logical assets to those services.

Most organizations start with one or two critical services to prove out the use case. If you can prove out one or two, you can take that as a road show out to the rest of the organization. You’re basically setting yourself up for success because you’ve proven that it works.

Yon: This goes back to the earlier point about scale. You can put something together in a simple way, calibrating to what service you want to clear as resilient. And by calibrating what that service map looks like, you can optimize the spread of the service map, the coverage it provides, and the signals that it ingests. By doing so, you can synthesize its state right away and make very important decisions.

The cool thing about where the technology is now, we’re able to rapidly take advantage of that. You can create a service map and tomorrow you can add to it. It can evolve quickly over time.

How to Build Resiliency into Operations

You can have a simplistic view of what a service looks like internally and track that to see the nature of where faults enter the system and predict what might materialize in that service map, to see how that evolves with a different signal or an integration to another source system.

These organizations can gain continuous improvement, ensuring that they consistently raise the probability of avoiding disruptions. They can say, “I’m now resilient to the following types of faults,” and tick down that list. The business can make economic choices in terms of how complex it wants to build itself out to be able to answer the question, “Am I acting in a reasonable way for my shareholders, my employees, and for the industry? I’m not going to cause any systemic problems.”

Gardner: You know, there’s an additional pay back to focusing on resiliency that we haven’t delved into, and it gets back to the notion of culture. If you align multiple parts of your organization around the goal of resiliency, it forces people to work across siloes that they might not have easily forded in the past.

So, as we focus on a high-level objective like resilience, does that foster a broader culture of cooperation for different parts of the organization?

Responsible resiliency collaboration

Yon: It definitely does. Resiliency is becoming a sound engineering principle generally. It can be implemented in many different ways. It can be implemented not only with technology, but with product, people, machinery, and governance.

A lot of this rolls up with being compliant to different regulations. We're providing a capability for virtually anyone to support risk and compliance activities -- without even knowing that you're supporting risk and compliance activities. It makes compliance easy to understand.

So many different people participate in the construction of an architectural capability like resiliency that it almost demands that collaboration occur. You can’t just do it from a silo. IT just can’t do this on their own. The compliance people can’t do this on their own. It’s not only a horizontal integration across the systems and the signals for which you detect where things are -- but it’s an integration of collaboration itself across those responsibility areas and the people who make it so.

Gardner: Andrew, what in the way the product is designed and used helps facilitate more cultural cooperation and collaboration?

Zarenski: Providing a capability for everyone to understand what’s going on is so important. For me to see that something going wrong in my business may impact someone else’s business gives a sense of shared responsibility. It gives you ownership in understanding the impacts across all the organizations.

Secondly, a lot of this all rolls up to being compliant in different regulations. We’re providing a capability for virtually anyone to support risk and compliance activities -- without even knowing that you’re supporting risk and compliance activities. It makes the job of compliance visual and easy to understand. That ultimately supports the downstream processes that your risk and compliance officers must perform -- but it also impacts and benefits the frontline workers. I think it gives everyone an important role in resiliency without them even knowing it.

Gardner: How do I start the process of getting this capability on-boarded in my company regardless of my persona?

Yon: The quick answer is to turn on the news. Resiliency and continual operation awareness are now at the board level. It’s one of the top-five priorities firms say are important for them to survive through the next 10 years.

Witness all the different things that are being thrown at us all -- whether it’s weather, geopolitical, and pandemic-related. The awareness is there. The interest is definitely there. Then the demand comes from that interest.

Based on the feedback and conversations were having with so many clients across so many industries, it is resonating with them. It’s now obvious that this needs to be looked at because turning your digital storefront off is no longer an option. We’ve had too many people see the impact of that over the past year.

And the nature of disruptions just keeps getting more complex. We’ve had near-death business experiences. They’ve had the wake-up call, and that was enough of a motivation to have awareness and interests in it that’s now moving us toward how to best fulfill it.

Gardner: A nice thing about our three-part series is we first focused on the critical timing around the financial industry. We’re talking more specifically today about the solution itself and its wider applicability.

The third part of our series will share the experiences of actual customers and explore how they went about the journey of getting that germ of operational resilience planted and then growing it within their company. Meanwhile, where can our audience go for more information and to learn more about how to make operation resiliency a culture, a technology, and a company-wide capability?

Yon: For those folks who already have responsibilities in this area, their industry trade shows, conversations, and dialogues are actively covering these issues. Second, for those who are EY or ServiceNow customers, talk to your team because they can lead you back to folks like Andrew and myself to confer about more specifics based on where you are on your journey.

Listen to the podcast. Find it on iTunes. Read a full transcript or download a copy. Sponsor: ServiceNow and EY.

You may also be interested in: