The third and last part of my little blog series is all about planning and implementation. Inevitably, we come into contact with project management and other underlying factors. I keep my promise from part one and finally show a blueprint for risk assessment.
I hope you enjoy the read! As always, the following disclaimer applies: Everything is presented without any claim to completeness or universal validity. Your mileage may vary!
Don’t ask your IT Department
Where to go when it all comes down to workplaces at home? To your IT Department?
No way! What can you expect from somebody who lives Groundhog Day every morning, without experience beyond his own horizon? Of course, I’m aware that I won’t make friends with such a sentence. Please let me rephrase:
Where are highly qualified, expensive software engineers, admins or IT experts allowed to play around and experiment freely on at least one weekday per week without any cost- or time-pressure and without any recognisable connection to their company?
The study “Success Criteria for Corporate Digitisation” [1], conducted by the Fraunhofer Institute for Industrial Engineering IAO, examined companies of different sectors and sizes throughout Germany:
An IT department is not a main driver of digital transformation
It only plays a role in digitisation campaigns when it comes to operational issues and only then, when…
(…) Tekkies are granted time, space and budget.
Trying things out in as many and different places as possible (…) even if some projects fail.
It is good if there is enough time for playful development without economic needs or incentives for action.
Commitment (of the Top Management)
No need to explain how these quotes resonate with management. Space for free spirits makes HR gasp for breath and causes headaches among financial executives. Mid-level management is concerned about its influence. Quite reasonably so, when self-organising project teams have a say and make decisions on an equal basis. A home-based office cuts through a culture of presence, where colorful peacocks see their internal corporate fiefdom threatened.
Of course I am writing in stereotypes and using heuristics. But these are in line with what Sven Rimmelspacher, managing shareholder of Pickert & Partner, says in the same Fraunhofer study [2]:
We need more leadership than before, but fewer leaders.
Consequently, he speaks of abolishing mid-level management and traditional departments. At the same time, he advocates strengthening cross-functional, self-organised project teams and freelance individuals who do not belong to any department. There is no need for disciplinary management anymore; leadership roles are taken over by agile teams. So why hire a human resources manager when project teams do the job more efficiently, more reliably and more quickly?
These are the structural weak spots and unspoken underlying factors that resonate in the background when it comes to the subject of home offices. Before swimming with the sharks in unknown waters, everyone should be aware of this.
Digitisation projects usually fail along these breaking points.
Without the backing of top management, nothing will run! If the commitment is weak, diffuse or half-hearted, it’s time to leave the ship.
Home Office Project Team
Small and highly powerful teams, made up of individuals on an equal level with varying roles and with representatives to the outside (the product owners [3]), form the ideal digital cluster [4]. Multiple teams may also work simultaneously on the same project. This is not unusual when pentesting IT infrastructures, with a red team as attacker and a blue team as defender. The findings are then brought together and jointly evaluated.
Furthermore, it’s important to gain input and cooperation from the outside world, either occasionally or on a permanent basis, in the form of a coach, mentor or project manager. Last year, for instance, I was called in by a construction company for their BIM digitalisation [5] with Autodesk REVIT. The task was to establish and commission an infrastructure that integrates seamlessly into the existing one. This isn’t a job for vendors or resellers. In strong contrast to bought-in solutions “off the shelf” or from the cloud, the know-how and technology remain within the company.
Unfortunately, according to the Fraunhofer study, only just over a third of companies manage this [6], despite the fact that agility [7] has been taught at universities for many years.
Communication and Document Management
Let’s assume the commitment of the management and successful formation of a project team. What’s next?
It’s essential for a team to be able to communicate with each other and with others, to access common data and to control documents. Without that, everything must be built up first. Unfortunately, many still use their computers as a substitute for typewriters, accessing directory structures on SMB shares like filing cabinets. In my eyes, the typical QM/QS structured directories are a nightmare, where files and folders have often been given spaces, underscores or A, AAA or AAAAA prefixes in order to make them appear topmost in Windows Explorer.
This pains me, but it is also buggy, inflexible, not portable, and carries the flaw of classic client-server architectures [8]: the last writer always overwrites all previous versions. Without a version control system, branches and forks in the course of a project cannot be represented. Instead of small diffs, whole file and directory structures must be transferred. This is quite toxic for every mobile workstation with a weak internet connection.
As a developer, I use proven git [9] technology. Your own server is quickly set up [10] with gitea [11] and allows easy access via a web frontend, even for non-developers working on non-software projects. Once everyone has agreed on Markdown [12] and UML [13] as document formats, all problems with proprietary and binary document formats are eliminated instantly.
It doesn’t need to be git, though. The basic version control of a Nextcloud [14] also works. Chats and video conferences are close at hand. The integration with other collaborative apps is very appealing.
Of course, tools like Mattermost [15] and others are suitable for communication as well, though they have to be free, self-hosted and without any data flow to third parties. Less is more! The Golem article “An der falschen Stelle automatisiert” [16] sums everything up in just one sentence:
We destroy (…) productivity and personal comfort if we constantly try to follow trends and still fail to keep current.
Teams, Slack, Discord & Zoom are not recommended
In my opinion, tools like Microsoft Teams, Slack, Discord, Zoom and others are not suitable for project management because:
There are serious security incidents [17] and unresolved privacy issues [18]. However, the GDPR (DSGVO) is not my biggest concern at all. Would anybody please explain to me how to use something under a signed, penalty-based NDA when, according to the EULA and privacy policies, data is transferred to third parties and used by them without restriction? [19]
None of the products mentioned above solves the problem of archiving or compliance. How to deal with the GoBD? [20] In a nutshell: chat histories, transferred files or assets must remain retrievable for 6 or 10 years. Proprietary, non-free file formats or web services, which are abandoned by manufacturers at their own discretion, are in stark opposition to this requirement. You are not in control of the data. A recent example of this is the management consultancy KPMG. Chat histories including files of 145,000 employees were instantly lost by a single mouse click [21].
The business models aim for a vendor lock-in [22] with constantly rising costs. Once you have one foot in the door, the “rules of engagement” are subtly changed over time with a lot of nudging [23]. This is evident, for example, when important functions are suddenly migrated from an existing “Pro” license to a more expensive, newly created “Enterprise” license. That’s called opportunistic exploitation of information asymmetry [24]. Greetings from George Akerlof and his downward spiral of death [25].
Whatever may come out at the end of a project, nothing happens without coordination with information security. This doesn’t automatically mean that an extensive risk analysis has to be conducted.
Just one example: if an employee at home is supposed to get a computer from the company that is completely isolated from the corporate network and merely retrieves mail via a webmailer (with 2FA), then the common market standard is quite acceptable. Even with a thick layer of snake oil, if someone feels more secure with that. Further hardening and an extensive risk analysis would be a waste of time. The simple rule of thumb is: if there is no danger, there is no risk.
How is this best described and visualized? Well, quite simply by using the following calculation and a couple of auxiliary charts, which I offer here for download:
Risk = Potential damage × Probability of occurrence
Let us look at the maximum amount of damage to be expected and note the number of points achieved.
Now things become a little more tricky. We estimate the probability of occurrence. The line with the most applicable statements wins. Please note the score as well.
Now let’s multiply both numbers and compare the result to this chart.
In our example I get a value of 2, which means low risk. Applied to the following coloured risk matrix, it is immediately obvious we are in the green segment and clear.
These auxiliary tables make life easier and provide orientation in assessing risks and working out either compensatory measures or more evaluations.
Finally, a note on my own behalf:
I am available for exactly such digitalization projects and can provide all my expertise. I actually really enjoy this, either as a problem solver on a short term basis or as a coach, mentor or project manager on a longer term basis.
The new year 2021 is ahead. Please contact me well in advance for projects in the pipeline, in order to be able to start at full speed this January.
[1] https://www.bertelsmann-stiftung.de/fileadmin/files/user_upload/Erfolgskriterien_betrieblicher_Digitalisierung.pdf
[2] Page 38, Study “Erfolgskriterien betrieblicher Digitalisierung” in [1]
[3] Page 30ff, Study “Erfolgskriterien betrieblicher Digitalisierung” in [1]
[4] Page 31, Study “Erfolgskriterien betrieblicher Digitalisierung” in [1]