The value of 'software and IT' quality - Le Point du LIEGE science park - 29 April 2016
© 2014 Deloitte Fiduciaire
The value of your ‘software and IT’ quality: what about the investor's point of view?
Geert Janssen, Managing Partner ENTRUST-IT, 29-04-2015
Each month, L'Interface invites you to the LIEGE science park to take stock, with an innovation adviser, of a measure relevant to your concerns.
An initiative of
The value of your ‘software and IT’-quality: what about the investor’s point of view
Geert Janssen
29/4/2016
Today’s question: what about the quality of your software and your IT organization?
Does it affect the value of your company/investment?
Should you worry about it?
We will cover the following aspects ...
• the need for a consistent approach and tooling to assess the maturity of the company from an IT perspective
• the added value of quality assurance throughout the investment lifecycle
• IT risk assurance dimensions and approach
• expressing risk responses in terms of IT objectives
• the use of software quality assurance in practice (examples).
WHO ARE WE? A Quick Introduction
My background
[founder & managing partner]
[partner]
[senior manager]
[associate partner]
[Master Applied Economics]
‘95 ‘95 ‘07 ‘08 ‘10
Strategy & Innovation
IT & Project Management
Governance, Risk & Quality Assurance
• CIO-As-A-Service (IT Management)
• PQA-As-A-Service (Project Management)
• Advisory Services (Transformation Planning) (Business Model Design) (Value Proposition Design) (Capability Modeling) (Package Selection)
• IT Risk & Assurance Services (Quick Scan / Due Diligence) (Capability Maturity Assessment) (Software Quality Audit) (Usability reviews)
• PQA-As-A-Service (Solution & Delivery Excellence)
IT-driven Business Transformation
THE NEED FOR A CONSISTENT APPROACH AND TOOLING TO ASSESS THE MATURITY OF THE COMPANY FROM AN IT PERSPECTIVE
Why should I worry?
The Problem – Technical Debt
The Solution – Holistic Approach
Industry benchmarks / Roadmap reviews
Landscape analysis
Function Point / Feature Analysis
Maturity Assessments
Application Audits
Skill Assessments
QUALITY ASSURANCE THROUGHOUT THE INVESTMENT LIFECYCLE
A continuous exercise
IT Risk & Assurance - Approach
What price should we pay? > focus: value for money
Should we invest? > focus: value assessment, risk mitigation
Assure IT is managed well! > focus: continuous improvement / quality control, value augmentation
Provide transparency! > focus: safeguard value
The process is similar across the investment lifecycle; however, the focus differs!
Dealflow phase (1) IT Quick Scan
Due Diligence phase (2) IT Due Diligence
Nurturing phase (3) IT Risk Assessments
Divestment (Exit) phase (4) IT Vendor Due Diligence
IT Risk & Assurance – 4-Step Process
Scoping
Preparation & Identification
Research & Analysis
Report & Remedy
- Lifecycle status
- Investor focus
- Assess IT Resources & gather evidence
- Perform a scenario analysis
- Assess IT Control Areas
- Generate health factors
- Identify threats / risks
- Analyze frequency & impact in terms of Risk Appetite/Tolerance
- Analyze technical metrics
- Express Risk Responses in terms of IT Objectives (business terms)
- Define remediation plan
IT RISK ASSURANCE DIMENSIONS
What should we be looking at?
IT Risk & Assurance - Dimensions
Value
• Value to the Company
• Technical Debt
• To what extent does IT contribute to the overall business objectives?
• What hidden costs are present?
Maturity
• Organization
• Process
• Product
• Where are we today and where should we be?
Risk
• Balance IT risks versus risk tolerance (continuity, compliance, …)
• Which risks are acceptable?
EXPRESSING RISK RESPONSES IN TERMS OF IT OBJECTIVES
How to communicate?
IT Resources
Strategy
Organization
Processes
Applications
Data
Infrastructure
IT Resources vs IT Objectives (4 A’s)
Agility | Accuracy | Access | Availability
Strategy
Organization
Processes
Applications
Data
Infrastructure
IT Resources vs IT Objectives (4 A’s)
Agility: Possess the capability to change with managed cost and speed.
Strategy
Organization
Processes
Applications
Data
Infrastructure
IT Resources vs IT Objectives (4 A’s)
Accuracy: Provide correct, timely and complete information that meets the requirements of management, staff, customers, suppliers and regulators.
Strategy
Organization
Processes
Applications
Data
Infrastructure
IT Resources vs IT Objectives (4 A’s)
Access: Ensure appropriate access to data and systems, so that the right people have the access they need and the wrong people do not.
Strategy
Organization
Processes
Applications
Data
Infrastructure
IT Resources vs IT Objectives (4 A’s)
Availability: Keep the systems (and their business processes) running, and recover from interruptions.
THE USE OF SOFTWARE QUALITY ASSURANCE IN PRACTICE
Examples
Software Quality Audit Process
• We follow a 4-step process.
• Continuous improvement is key.
• A typical exercise requires between 5 and 10 man days of work.
• Maximum 2 to 3 iterations per year, mostly only 1 per year!
Opening IT assurance discussions
• Developers
  – Most developers have only a limited idea of the quality of their code.
  – Hence, a typical eye-opener.
• Management
  – Easy-to-interpret quality dashboard, also for IT-illiterate resources.
  – Sound basis for enabling discussions on the value of IT assurance, which are typically neglected as the focus is on creating market share.
Linking payment milestones to improvements
• A basis for the investment manager to manage the investment based on facts & figures.
• A means to agree upon improvement actions and potentially linking those to payment milestones.
Mitigating Investment Risk
• One should typically run the application audit on a dedicated machine, forcing the development team to hand over all required source code items (DLLs, certificates, …).
• In most cases compilation is an issue in terms of missing components, hardcoding, …
• In one case it took us 2 weeks to get the platform compiled correctly!
Assuring minimum level of documentation
• Code documentation is important as change of ownership during startup years is likely to happen more often than within mature/stable environments.
• Additionally, lack of documentation ‘outside’ the code (e.g. functional design) is typically higher in startups than in more mature organizations.
• Our focus on improving code documentation is especially important for the complex (McCabe Cyclomatic Complexity) code areas.
Identifying organization weaknesses
• Code audits often identify weaknesses in the organization.
• As a consequence we agree with the organization to focus on improving their weaknesses through hiring/training.
Assuring continuous improvement
• Health factor ‘scores’ as such are relative and often result in discussions.
• More important is to agree upon continued positive evolution and link commitment of continued evolution into a contractual agreement.
Being transparent is key
• Having ‘red’ scores is not a shame.
• Knowing where to focus and having insight into areas for improvement is more important.
• Being transparent on weak spots during exit discussions is more important than not knowing where you stand.
=> Any weak spot identified during due diligence will jeopardize your negotiation position.
A trigger for re-engineering
• Assessing application quality, as opposed to code quality only, makes it possible to discover a potential ‘spaghetti’ architecture.
• Resulting in revising the entire architecture and identifying modules / components for renewal.
Agreeing upon corrective actions
• Added value of having an end-to-end view in limited time compared to manual audits.
• Limited involvement required from development team.
• Final presentation to present / discuss the results during a half / one day workshop.
• Goal is to confirm / agree upon corrective actions.
IS SOFTWARE AND IT QUALITY IMPORTANT FOR AN INVESTOR?
In Synopsis
... Yes, it is!
• If you don’t measure, you don’t know
• One reaps what one sows
• Moving in the right direction as of day 1 is key
• A means to professionalize the organization
• ‘Conditio sine qua non’ during exit discussions
How to contact us?
- for discussion purposes only -
www.entrust-it.be
info@entrust-it.be
+32 2 50 30 620
entrust-it CVBA, Keizerinlaan 66, 1000 Brussels, Belgium