portfolio - sourcing-international.org · 4 how to operationalise the challenges of a modern...

www.sourcing-international.org 1

PORTFOLIO

www.sourcing-international.org

We support our customers in meeting the challenges of the digital revolution using the tried and tested Sourcing International method.

Sourcing International SI1010 GMbH

Palais SavoyJohannesgasse 151010 ViennaAustria

CEO:Dr. Tobias HöllwarthMag. Oliver Lindlbauer

Telephone: +43 664 4060900Mail: [email protected]: sourcing-international.org

Company Registry: FN 441005 m (HG Wien)

Tax Number: 09 257 / 4375VAT: ATU69988524

Bank AccountIBAN: AT90 5300 0060 5500 1675 BIC: HYPNATWW

Data Processing Registration: 4019042


About us

SOURCING INTERNATIONAL is not an exclusively Austrian undertaking. It is a joint venture formed by the fusion of Höllwarth Consulting and 42virtual.

The two companies have existed for many years and have frequently cooperated successfully on large projects.

This is because the previous cooperation among the partners of SOURCING INTERNATIONAL has led them to understand that the combination of their respective strengths, their many years of experience with large consulting mandates, and the country-specific peculiarities allows them to forge an exceptionally strong partnership.

The consolidation of these factors into a close and professional cooperation allows SOURCING INTERNATIONAL to provide excellent efficiency and offer a broad spectrum of services.

3two international partner companies

several locations in several countries

7years of experience in cloud evaluation

11countries with know-how transfer

37total years of IT sourcing experience

48successful migration projects

“The consolidation of experience in a close and professional cooperation allows SOURCING INTERNATIONAL to provide

high efficiency and offer a broad spectrum of services.”

Oliver LindlbauerPartner

5

www.sourcing-international.org4

How to operationalise the challenges of a modern sourcing life cycle.

Hardly anyone will deny that cloud services are a topic that can no longer be ignored by any enterprise, be it a global corporation or a small start-up. There are still uncertainties regarding how best to engage with these new technologies, however.

There are in fact different approaches: IT managers will have a different perspective on outsourcing and the cloud than the executive board. New competencies and organisational structures are required in order to optimally integrate external IT services into a company and save on costs and resources.

Data protection and compliance requirements need to be taken into account, and the introduction of cloud services also requires professional change management accompanying the migration from its first planning steps all the way to its successful implementation.

In order to negotiate these steps, it is helpful to organise the individual challenges into operationalisable work packages and tackle each of the packages in turn.

The digital transformation won’t happen by itself.

A practice-oriented one-day workshop will familiarise you with all work packages that help you manage the strategy, design, transformation and operation of hybrid multi-soucing environments successfully.


Experts will walk you through the various strategic, technical and legal topics, facilitating your approach

to the individual work packages at your company.

“The EU GDPR demands accountability, which in turn requires responsible companies to control their IT

infrastructures and processes. And in order to control, one must understand. Too little attention is frequently

paid to the technical IT infrastructure during GDPR implementation projects. In this regard, our approach

stands out from the offerings of the competition.”

Dr. Christian Laux

“Life Cycle Snapshot”

“Shadow IT”

IT

“Requirement Templates”

“Knowledge Building”

“Data Protection and Sourcing”

“Certified SMS”

Info

rmat

on Security Management System

CERTIFIED

27001

“Transformation Supervision”

“Service Portfolio Management”

“Multiprovider Management”

“Service Management System”

“Roles and Competencies”

“Strategic Cloud Guideline”

“Additional Requirements”

“Sourcing Roadmap”“Social Media Profiling for IT

Services”

“Quality Reviews” “GDPR“


Challenges of the Digital Transformation

The digital transformation entails various challenges and changes for businesses.

To help meet these challenges, SOURCING INTERNATIONAL has developed a model that is based on a life cycle and addresses each of the phases of such a transition: Strategy, Design, Transformation and Operation.

DesignOperation

Strategy

Transformation

“We support our clients in dealing with the challenges of the digital revolution using the tried and tested Sourcing International methodology.”

Dr. Tobias HöllwarthPartner

Digital transformation requires successful innovation management, suitable cloud services

and professional multi-provider management. The Sourcing International methodology prepares your

management system for these tasks.

“Transformation happens. To control it with proven methods, experience and openness is the strength of

our approach and our projects.”

Michael Kramer


“Life Cycle Snap Shot” Package

Regardless of which phase of a transformation process your business is in, the “Life Cycle Snapshot” package is ideal for obtaining an overview of the current situation and your applications and organisation.

What is the current situation, who are the stakeholders and what are the goals? This in-depth analysis allows subsequent service packages to be configured according to your requirements.


“Shadow IT” Package

In most companies, various systems and applications outside of the official IT infrastructure are used by employees for business purposes without the knowledge of the IT department: Social media are used for communication, external cloud services are used for webmail and file sharing, etc. Even confidential information is frequently shared in this way. This “Shadow IT” requires proper risk and benefit analysis.

The “Shadow IT” package analyses the cloud services already in use within the company and the associated risks and advantages.

IT


“Knowledge Building” Package

The use of externally provided cloud services is linked to numerous areas of expertise and thus affects internal knowledge bearers from many different departments. It also requires trans-departmental knowledge in terms of procurement, legal aspects and specialist areas.

Training of internal competence teams by way of company-specific use cases through the “Knowledge Building” package serves to increase understanding and knowledge of the relevant topics across department boundaries, thereby enabling the company to meet the challenges of cloud service usage efficiently and effectively.


“Requirement Templates” Package

Which cloud services can be used in what way and under what conditions at a specific company? The publicly available quality framework “StarAudit Areas and Controls” facilitates the decision for and selection of appropriate cloud services.

On the basis of company-specific use cases, the “Requirement Templates” package defines the fundamental requirements and quality attributes for the selection and sourcing of cloud services, which can subsequently be used for provider pre-selection.


“Additional Requirements” Package

Based on the existing StarAudit requirements catalogue and the “Requirement Templates” package, this package defines additional company-specific controls and requirements.

This also allows company-specific branding in an online assessment tool.

“As a navigator and coach for the necessary transformation of processes, technologies and

employees, we guide our customers safely into the future during their journey of digital transformation.”

Martin Andenmatten


“Strategic Cloud Guideline” Package

A company-wide strategy on the topic of cloud sourcing is essential. Should cloud services be used, and if yes, which ones and in what way? The selection process needs to take organisational, functional, economic, and data protection aspects into consideration.

The “Strategic Cloud Guideline” package aims to develop a framework and roadmap for the introduction of cloud services into the company: identification of success factors, environment analysis, analysis of current state and potential, catalogue of measures, and finally implementation of the appropriate activities. This provides employees with a clearly defined track for the cloud sourcing process to follow.


“Roles and Competences” Package

Cloud sourcing entails new tasks and issues in terms of personnel structure that need to be addressed and organised effectively. The “Roles and Competences” package deals with questions triggered by the use of cloud services: What needs to be done? Who will be doing it? How will it be implemented?

Comprehensive process and task analysis, the development of organisational structures, the definition of roles and the allocation of suitable personnel in combination with necessary adaptations in IT and spatial planning aim to enable efficient management of a multi-sourcing environment within the company.


“Transformation Supervision” Package

In order to implement the adaptations and measures defined in the sourcing roadmap, we initiate and accompany a transformation project. This package not only provides the typical project management tasks like structured planning, status tracking and reporting for the defined areas (governance, organisation, employees, processes, legal compliance and technology) of the Target Operating Model, but also includes training, coaching and coordination for the involved specialist personnel at the relevant interface points.

This is indispensable during the transformation to allow the specialists to concretise the necessary tasks within the overall context and implement them without jeopardising day-to-day operations.


“Service Management System” Package

IT

What is the significance of IT within the company? The IT organisation of a company must strive to become an innovative, customer-focused service provider. Its contribution to the achievement of business goals as well as its risks and costs must be transparent and measurable, which in turn requires a functioning Service Management System.

This package provides an analysis of the existing systems and processes and, based on the sourcing strategy, develops a roadmap for the achievement of a business- and service-oriented IT management system.


“Service Portfolio Management” Package

What are the actual IT systems in question, and in what business processes are they supposed to be used? What are the involved applications, systems and infrastructures? Who will be providing the services, and what are their features and costs?

The “Service Portfolio Management” package pursues a clear definition of the services to be offered and the associated internal and external service components, i.e. a service architecture and a service catalogue in coordination with the involved departments.

All existing and future IT services should be concretely represented in a service architecture blueprint. The service portfolio manages the entire service life cycle from development to efficient operation.


“Multi-provider Management” Package

How are outsourced services and their providers integrated into the remaining internal IT organisation – not just at the technological level, but in day-to-day operation? New operating models require adapted organisational structures in order to fulfil the new processes and tasks.

The “Multi-provider Management” package helps to find a service integration strategy and define roles, tasks, and responsibilities. To optimise cooperation, guidelines for the integration of future service providers and external tools are specified.


“Quality Reviews” Package

Once service management structures and processes have been introduced, they need to be evaluated regularly during the entire service life cycle. The sourcing partner and the quality of its performance should likewise be assessed at regular intervals so as to be able to recognise a need for adaptation as soon as possible and implement the required changes.

Within this package, the maturity of the management processes and the knowledge level of employees are evaluated along with the sourcing strategy, utilised IT tools, and possible risks and security issues.


Info

rmat

io

n Security Management System

CERTIFIED

27001

“Certified SMS” Package

ISO 20000 and ISO 27001 are international standards for professional IT service providers and information security management, thereby forming a quality norm that builds trust between service providers and customers.

A Service Management System (SMS) as well as an Information Security Management System (ISMS) are part of these standards, as are a Service Management Plan, a Documentation Management System and a Quality Management System.

The “Certified SMS” package provides a training concept for employees and support for the development of the necessary certification requirements, thereby ensuring that the result of the audit process will be positive.


“Data Protection and Sourcing” Package

Questions and issues regarding data protection crop up regularly in the context of integrating external service providers. Data protection regulations must be taken into consideration during the development of the sourcing strategy and in the planning phase. This is easier said than done, since data protection laws are currently in the process of changing dramatically. The EU General Data Protection Regulation (GDPR) will come into full effect on 25 May 2018, and will have significant influence on all service contracts.

The “Basics” workshop introduces you to the legal foundations of the GDPR. Besides the general introduction, it focuses on the consequences of the GDPR for sourcing. Based on concrete information on your sourcing project provided by you, the Cross-Check conducts an initial legal assessment in regard to the provisions of the GDPR. In the course of the Legal Implementation, you will receive support for your strategic planning as well as for the design and/or implementation of your sourcing strategy in relation to the General Data Protection Regulation.


“Sourcing Roadmap” Package

Once the decision to use cloud services has been made, a sourcing design needs to be established for the implementation. Following a Target Operation Model, it includes the areas of governance, organisation, employees, processes, technology and legal compliance, as well as partners and suppliers.

Where is there a need for adaptation or training? What must the infrastructure look like? Are the management structures still suitable? How can the observance of compliance requirements be ensured? The “Sourcing Roadmap” package integrates services from various other packages.


“Social Media Profiling for IT Services” Package

Resource Bottleneck: It is becoming more and more difficult for almost all businesses these days to find suitably qualified employees to competently assume responsibility for existing and new IT projects. Experienced and well-trained IT staff are hard to find on the market, and thus increasingly represent a limiting resource factor and critical bottleneck for businesses.

Selective Candidates: Potential candidates with experience are aware of this state of affairs and are choosing their future employers depending not only on salary, but increasingly on strategic factors. These factors include the question of how attractive the IT projects at a potential employer appear.

IT Reputation of Companies: For this reason, companies not only need to present themselves attractively and informatively on the market concerning their core activities, but also position themselves strategically in regard to their ongoing and future IT projects, strategies, cloud projects and digitalization topics.

Solution: Sourcing International supports these activities through targeted Social Media Profiling for IT departments and executive IT staff. Purposeful publications in social media channels support the personal profiling of important persons in the field of IT and promote the creation of a positive reputation for the company in regard to attractive IT topics.


“GDPR Training Course“ Package

In this training course, participants learn: • which are the ten essential GDPR to-dos and why it is

important to deal with them in any case, • how to design a suitable GDPR project in three phases at

the company such that it is commensurate with the concrete framework conditions and manageable,

• that there are 24 work packages, how to structure them sensibly and in which order to process and complete them.

Training material: The participants receive guidelines and an infographic as work materials and are introduced to forms, templates and online tools that help them to achieve an appropriate GDPR status quickly.

Goal of the training course: The participants understand the challenges posed by the GDPR, are able to design a structured GDPR project and know which work packages, templates and tools to use in order to achieve appropriate GDPR status quickly and effectively at their company.

The Sourcing International method guarantees GDPR-readiness within a short time.

Duration of the training course: 1 day


GDPR-READY in 90 DaysHow to design a GDPR project smartly and achieve the best possible result within three months with reasonable effort.

Three goals should be pursued: (1) to achieve an overview of the necessary tasks quickly, (2) to master the challenge as cost-effectively as possible, and (3) to optimize the output of the project over a short period of time.

If a GDPR project is approached in a targeted, structured and systematic fashion using suitable tools and templates, the challenges posed by the GDPR can be mastered quickly without overburdening employees or lapsing into activism, while the risk of penalties can be minimized and a high level of legal compliance assured.

This guideline is intended to help in obtaining a good overview over the ten most important to-dos concerning the GDPR. It shows how to design a GDPR project in three phases and how to structure the individual challenges sensibly into 24 work packages.

Every company must prepare for the GDPR, but not every company needs to prepare with the same intensity. Not all tasks need to be completed before 25 May, and not every activity is mandatory for every business.

The decisive factor is that the implementation of a GDPR project must be adapted to the concrete situation and risk potential at the respective company, i.e. that it is appropriate.


PHASE 1

It is essential to determine the CURRENT STATE first. A gap analysis identifies shortcomings in relation to the GDPR.

PHASE 2

In the next phase, the TARGET STATE can be defined. Implementation measures are taken on the basis of the gap analysis.

PHASE 3

The state achieved after completion of the project is documented in the shape of a final report in order to be able to prove GDPR readiness internally as well as to third parties.

Phases 1 and 2 are carried out according to the proven PDCA methodology:

PLAN Planning of the approach

DOImplementing actions

CHECKGap analysis or effectiveness analysis

ACTFull company-wide implementation and periodic review

Phases and Methods

“The GDPR entails a paradigm shift, with fewer obligations to report and more direct responsibility. Accountability is the new keyword. Time is short to prepare your organisation for the new regulations, and Sourcing International is the ideal professional partner for the necessary changes. Let us travel this road together.”

Dr. Clemens Thiele

What

The Work Packages to Choose From

#1 Initialization of the project

#2 Individualization of initial survey documents

#3 Current state survey: Systems, applications and data

#4 Current state survey: processes and measures

#5 Contractual due diligence

#6 Survey of existing directives and instructions; compliance

#7 Review and completeness analysis of current state

#8 Gap analysis

#9 Definition of target state

#10 Definition of implementation measures

#11 Privacy Impact Assessment: Evaluation of need

#12 Implementation of recommendations for target state

#13 GDPR in IT governance

#14 Establishment of privacy-related directives and instructions

#15 Performance of Privacy Impact Assessment

#16 Training of internal employees

#17 Creation of checklists and tools

#18 Implementation control from a legal perspective

#19 Evaluation of effectiveness

#20 Appointment of a Data Privacy Officer

#21 Ongoing data privacy consulting

#22 Final report

#23 Supplementary compliance documentation

#24 Planning coordination

© 2017 Sourcing InternationalDr. Christian LAUX, Dr. Tobias HÖLLWARTHVersion 2.3 / 29.11.2017 www.sourcing-international.org

What’s Next

BREADTHChoose processes to work on by weighing them according to relevance (importance, impact, risk)

WORK PACKAGESDecide which work packages you would

like to work on for the chosen processes

DEPTHDecide in how much detail to work on processes and work packages

Methodology

Design the Project3

Understand

KNOW-HOWThe organization should have a minimum understanding of the GDPR. Consult our Q+A documents to learn about the GDPR.

Do the Project5

Implement

Phase 3:Documentation(WP #22-24)

Phase 2:Target State(WP #9-21)

IMPLEMENT WORK PACKAGES TO CARRY OUT THE TO-DOS

Phase 1:Current State(WP #1-8)

Location or Target Market within EU Personal Data

Determine Applicability1

How

Workshop to determine the first elements of the status quo, set the expectations and specify outcomes in order to design the project

Initialize the Project2

Define Expectations

COMPLIANCE

INFORMATION GOVERNANCE

Motivation

What is the Baseline?

AUTOMATION

What is the Baseline?

PAPER PROCESS

Results

Specify Outcomes

Get the Tools4

COLLABORATION GUIDELINES

PRIVACY ANALYSIS TOOL

TEMPLATES

CHECKLISTSPROJECT PLAN

Indicates that there is a lot of room for maneuver. In these steps, the customer can and should fine-tune the project design.

MONITOR LEGAL CHANGES

MAINTAIN AND UPDATE

PREPARE FOR CERTIFICATION

Why

The Most Relevant GDPR To-dos

O�cers and Representatives

Representative in the EU (Art. 27 GDPR)

Data Protection Officer (DPO) (Art. 37 GDPR)

Measures

Organizational MeasuresTechnical Measures

Other Protective Measures (e.g. shield against liability)

Policies & Code of Conduct

Minimum

Records of Processing Activities(if more than 250 employees)

Documentation

Standard

Data Protection Impact Assessment

(Art. 35 GDPR)

Control over Processor (Art. 28 GDPR)

Cross-border Measures (Art. 44-49 GDPR)

Data Breaches (Process, Art. 33 and 34 GDPR)

Notices to Data Subjects (Art. 12-14 GDPR)

Requests by Data Subjects (Process, Art. 15-23 GDPR)

Consent from Data Subjects (Art. 6-11 GDPR)

Organisation of Employee Data


Contact

Oliver LindlbauerExecutive Director

Vienna, [email protected]

Dr. Tobias HöllwarthExecutive Director

Vienna, [email protected]

Michael KramerVienna, Austria

[email protected]


Strategic Partners

Dr. Christian LauxZürich, Switzerland

Martin AndenmattenZürich, Switzerland

Dr. Clemens ThieleVienna, Austria

Dr. Jens EckhardtDüsseldorf, Germany


Team

Mark SchieweckZürich, Switzerland

Alexander HofmannZürich, Switzewrland

Rareș PopescuVienna, Austria


Locations

Petar BalkovićBelgrade, Serbia

Keith PoonHong Kong, China

Tibor ŠtrajhBelgrade, Serbia


Publications

GDPR: The 20 Most ImportantQuestions & Answers

Cloud ServicesSelection and Introduction – Processes and Organisation

Cloud and Annual AccountsGuideline for Accountants, Auditors, and Staff

in Finance, IT and Revision of Companies Subject to Statutory Audit

Preparing for the EU GDPRA Pragmatic Approach in Three Phases by

Means of Work Packages

Cloud & Data ProtectionThe Cloud Privacy Check (CPC)

Cloud Computing & Enterprise Mobility Management

Market, Products and Technical Approaches; Relevant Organisational and Legal Aspects

“We leverage the power of digital solutions to disrupt conventional business models, empower organizational culture and allow our customers’ businesses to reach

new heights.”

Keith Poon

“Innovation should proceed at a brisk pace, embracing solutions that integrate seamlessly with the business strategy and dropping those that do not as early as

possible.”

Rareș Popescu

“Technological solutions must go hand in hand with change management to bring a competitive edge to an organization. This is the pivotal point where Sourcing

International can impact your business.”

Tibor Štrajh

“We guide organizations and empower their culture to successfully adopt new digital solutions, making their operational model more efficient while securing their

clients’ trust.”

Petar Balković

The evaluation of cloud services is a massive challenge. The Sourcing International methodology helps our clients to perform an analysis

tailored to their area of application.

Strategic orientation, design and conversion into regular operation: The proven Sourcing

International methodology allows our clients to manage the entire cycle of digital transformation.

“An overview of the data collected and processed by the company is not just a requirement for compliance with the EU GDPR. It is also an overview of existing

assets.”

Mark Schieweck

“For many companies, implementation of the EU GDPR entails a considerable effort. It is therefore

essential to have a clear plan and proceed in a way that leads to real added value for the company—above

and beyond the GDPR.”

Alexander Hofmann

www.sourcing-international.org

Sourcing International

Palais SavoyJohannesgasse 15

1010 Vienna

+43 664 [email protected]

portfolio - sourcing-international.org · 4 how to operationalise the challenges of a modern...

Documents