BPM in Action Blog


May 24, 2007
When Business Processes Fail: Credit Card (In)Security, Anyone? Everyone?

I read with fascination and horror a recent posting by Bennett Haselton, a freelance programmer based in Seattle who also happens to maintain the Web site and mailing lists for a group called Peacefire.org. That organization advocates for the free-speech rights of, and against censorship of, younger people (who, perhaps coincidentally, are typically too young to vote). The organization has provided useful information for numerous anti-censorship campaigns and lawsuits, some of which have been successful.

But that's another story entirely.

The recent posting by Mr. Haselton that thrilled and chilled me appears at Slashdot.org, and is entitled "Why are CC Numbers Still So Easy To Find?" It basically lays out how easy it is to find active, working credit card numbers online. The article also lays out how easy it would be for the credit card companies to curtail or eliminate the problem, via simple alterations of business processes and perhaps a Perl script or two.

That's not the chilling part, though. The chilling part is that when Mr. Haselton tried to be the good Samaritan and point out the problem to the credit card companies, most of what he got was "no comment." And when he gave them actual cardholder information, only one, American Express, bothered to contact the cardholders and advise them to change their card numbers.

I'm not finished being chilled, however, and neither should you be. According to comments posted by other readers of Mr. Haselton's article, merchants are at least as responsible for the fraud that results from credit card number theft as the credit card companies' inability or unwillingness to address the issue. That's largely because merchants are frequently too ignorant of regulations and/or technology and/or the scope of the problem – or too cheap – to take the data protection steps prescribed by already-existing standards. Those would be the Payment Card Industry Data Security Standard, or PCI-DSS. Penalties for non-compliance can include huge fines and the inability to process credit card payments, but non-compliance obviously still exists.

Merchants suffer, too. Every time a fraudulent transaction succeeds, a consumer's liability may be limited to $50, but the merchant can lose the merchandise and its full purchase price (plus transaction fees) to the credit card issuer. Merchants argue darkly that this is the real reason why the credit card companies do little to nothing of substance to curtail the problem of unprotected credit card information.

(Clueless IT people share some of the blame here, too, at least according to some of those posting comments to Mr. Haselton's article. A strong precedent was set by the "cottage industry" that exploded around compliance with regulations such as Sarbanes-Oxley (SOX). Nonetheless, despite the obvious money to be made consulting with businesses about PCI-DSS compliance, there seems to be little awareness of or interest in providing such help among IT people.)

So there's more than enough blame to go around, and enough worthy recipients of it, where credit card information exposure and resulting fraud are concerned. And there are obvious lessons here, for companies that accept and issue credit cards, and for companies and individuals that use them.

1. Guard your credit card information (and/or that of your customers and/or business partners) as if it were cash. Lots of cash.
2. Demand documentation that your credit card information (and/or that of your customers and/or business partners) is being protected at every point in the value chain that involves you (or your customers and/or business partners).
3. Be aware of the regulations and industry guidelines intended to govern protection of sensitive information in your business and/or industry – and follow them. If you're in IT, make sure the appropriate businesspeople are involved and aware. If you're a businessperson, make sure IT is involved and aware.
4. Be transparent. It's not enough to say you're protecting sensitive information. You must be able to demonstrate that you are doing so effectively and consistently, to avoid the ire and suspicion of business partners, customers, prospects, regulators, and other stakeholders. Put shredders next to the desk of each credit card application or transaction processor if need be.

Effective and enforced business processes at any of several places along the history of every ultimately fraudulent credit card transaction would have likely killed that transaction long before its completion. Bad BPM costs money, directly and in damage to corporate perception and reputation. And who knows how much that really costs?

Posted by mdortch | Comments (1) | TrackBacks (0)

May 21, 2007
Collaborative Software Development: A Novel Path Toward Process-Enabled Applications?

As part of my "day job" as a Robert Frances Group (RFG) analyst, I had a very interesting conversation with the founders of a very interesting business. The people were Stuart Cohen, former CEO of the non-profit Open Source Development Labs (now part of the Linux Foundation), and Evan Bauer, former CTO at Credit Suisse First Boston (and RFG colleague of mine). The business: the Collaborative Software Initiative (CSI).

The goal is both evolutionary and almost subversively revolutionary. The CSI wants to broker connections among what it calls "like-minded IT leaders," and use the best elements of the open source development model to create business applications. The CSI believes this could reduce the cost of building proprietary applications by huge amounts – from, say, $1 to $2 million to as low as $50,000 for each company supporting collaborative development. A "customer core team" of a few companies would collaborate with CSI principals, who do the actual "heavy lifting" needed to get the software created. Each software project will have a broad audience beyond the core team, and each will be fully supported by CSI and its partners, as released software and/or as software as a service, à la Salesforce.com, Inc.

What I like most about CSI, though, is the ability to bring collective experience, knowledge, proven practices and processes, and perhaps even wisdom to collaboratively developed applications. After all, if CSI can draw top-tier enterprises together, the people from those enterprises should be repositories of some pretty good practices and processes. And if there's anybody who can facilitate translation of those into agile and adept applications, it's Evan, Stuart, and their partners. By the way, on the vendor side, those partners currently include Hewlett-Packard Co. (HP), IBM Corp., Intel Corp., and Novell Inc. – testament to the strength of the ideas and people behind CSI, methinks.

Past efforts at collaborative building of enterprise solutions have been fraught with challenges. I believe this is largely because many such efforts have focused on developers or vendor channel partners, to the sidelining or exclusion of the enterprises that want and need the solutions. By focusing on an alternative to the traditional methods of building business-specific applications, the CSI should be able to avoid those earlier drawbacks. After all, users pursuing solutions to common problems may be easier to coordinate than vendors and resellers seeking larger markets in which to compete while allegedly cooperating.

The CSI has not yet publicly announced any applications or enterprise customers, but that should be coming soon. Meanwhile, if you work at an enterprise that might benefit from an alternative to expensive and slow proprietary internal application development, you should definitely check out the CSI – and please let me know what you think. I think it's an idea that could go from "What the heck?" to "What took us so long?" pretty quickly. We'll see…

Posted by mdortch | Comments (0) | TrackBacks (0)

May 17, 2007
Oracle Gets Agile with Product-Focused BPM

So – as reported in eWeek and linked to by ebizQ, Oracle Corp. is buying Agile Software Corp. Oracle and some of the reporting of the news cast it as yet another Oracle acquisition, intended to make the company Master of the Enterprise Applications Universe and/or to continue an Ahab-like fixation on application market leader SAP AG.

I prefer to see it another way – although my view may end up no less contentious than those above. I see this as Oracle moving closer to and more deeply into solutions that embody business processes for select, vertical markets. After all, product lifecycle management or PLM, Agile's primary market focus, is simply a focused set of repeatable, coordinated business policies, practices…and processes. In this case, instead of focusing on a particular vertical market, as Microsoft Corp. appeared to do with BPM in health care, Oracle's latest move is focused on a particular subset of more horizontal BPM – PLM. Lots of companies design and manufacture products, across multiple industry segments. But the underlying processes can overlap greatly across those segments. Hence the PLM market, and Oracle's interest in it.

For Oracle, the sustainable business benefit of the deal is more opportunities to create more leverage of the corporate information repositories overseen by Oracle database management software. This will happen whether or not Oracle sells one more bit of application software. For enterprises using Oracle database management solutions, the deal promises greater integration and interoperability between database management and PLM-focused BPM efforts, processes, and solutions. (This is especially true if all of those solutions come from Oracle, but if it is only true then, Oracle and its customers both lose.)

BPM comes in a variety of guises, including what I've referred to here previously as "business knowledge management" (BKM). BPM is even tightly coupled with business intelligence (BI), which relies on managed processes of its own and informs others. PLM, when it's done right, not only brings consistency and greater manageability to product development efforts. PLM can also be implemented in ways that support and are closely aligned with other BPM efforts across an enterprise and its business partners. This can make better use of the information within a bunch of different databases.

So that's why Oracle's interested in Agile, and in PLM, at least by my lights. But enough of what I think, at least for now – what do you think?

Posted by mdortch | Comments (0) | TrackBacks (0)

May 14, 2007
Red Hat's New Exchange: More Process-Enabled Business Applications?

If you've read almost any of my previous posts here, you probably know how I think BPM works best. I think BPM – and related functions, including business analytics, intelligence, and performance management – all need to be pervasive and invisible to deliver maximum business value. And I also think one way to make BPM and related functions pervasive and invisible is to embed them into the applications users use to do their jobs every day.

As you may have also read here previously, I believe the more business applications that are created by or in concert with business practitioners, the more likely those applications are to reflect and embed good processes and effective workflows. Who would know these things better – experienced practitioners or professional software developers? My vote goes with the experienced practitioners. I think it's easier to put tools in their hands for building and orchestrating applications than it is to teach good business practices to developers.

So I'm a big fan of two emerging trends – development tools and environments that are straightforward enough for the more business-minded than technologically savvy to use effectively, and online application exchanges. The former encourage experienced practitioners to build and influence applications. The latter encourage entrepreneurial developers of specialized applications to build them, because they don't have to find Windows-sized markets to justify the effort (and the marketing and support costs associated with traditional "bits-on-disks" software).

In this regard, I'm optimistic about two recent developments. Sun Microsystems, Inc. has just released JavaFX, development tools intended to ease and speed development of modern, functionally rich Java-based applications. Now, I share some of the concerns about JavaFX vs. Adobe Systems, Inc.'s Flex expressed by Tony Baer's "Report from JavaOne" here at ebizQ. Nonetheless, I can't help but believe that Java's broad and deep ecosystem of supporters will give JavaFX a significant market presence alongside Flex (and to the likely detriment of Microsoft Corp.'s alternative, Silverlight), if JavaFX delivers on its promise.

But that's not the most interesting BPM-related trend on my mind today. That would be the rise of online application exchanges. The latest of these I find interesting is Red Hat, Inc.'s Red Hat Exchange (RHX). This service combines applications developed by others with Red Hat's Enterprise Linux and/or JBoss middleware, into a single subscription agreement that consolidates acquisition, billing, delivery, and support. Red Hat plans to provide single-source support through unspecified cooperation with its application partners, and via select Red Hat resellers as well. Initial partners include providers of business software solutions for business intelligence (BI), collaboration, communications, and management of enterprise content, customer relationships, databases, and IT infrastructures, among other functions.

If you look at RHX in the context of the exchanges and supporting services already up and running from Salesforce.com and being developed by WebEx, discussed here previously, you'll see expanding sources of growing numbers and types of business applications. Some of these are designed for specific businesses, by and/or in concert with experienced practitioners. These are applications very likely to help the businesses that use them to implement and manage effective processes more consistently and easily – and more are coming…

Posted by mdortch | Comments (0) | TrackBacks (0)

May 09, 2007
More (and/or Less) About Business Process Profiles (BPPs)

As you may have already read here, I believe the creation and maintenance of BPPs could be a critically valuable and instructive step towards effective, human-centric BPM and business knowledge management (BKM). Several of you have e-mailed your general agreement. However, more than a few of you have expressed curiosity, if not confusion, over what information belongs in a BPP, and how best to capture, create, and organize that information.

I'm about to utter words that industry analysts, consultants, and pundits have avoided, and users and vendors have suspected and frequently longed to hear, for decades. Those words are "I don't know."

Or, to be more precise, "I'm not sure. It depends." (Ahhh – comfortable territory once more.)

To elaborate a bit, below is a list of basic elements that belong in any BPP that's going to provide any significant business value. These are not necessarily listed in any particular order of importance.

• Name of Process
• Owner(s)
• Key Contributors and Affected/Supported Constituencies (including specific people, groups, and lines of business, in order of importance or criticality where possible)
• Supported and Supporting Business and IT Activities, Processes, and Services
• Required and Affected Intellectual Property (IP) Resources (including access information and restrictions)
• Relevant Compliance, Governance, and Risk Considerations (in order of importance or criticality where possible)
• Relevant Effectiveness Metrics (as determined by relevant IT and business decision-makers)
• Recommended/Required Assessment Method(s) and Frequency/Frequencies
• Historical Performance Assessment Efforts and Results

I stand by the above list of BPP element recommendations. However, I also assert that it is beyond my knowledge, and my ability to deliver value to those who ask, for me to go much beyond those recommendations.

That's because while many businesses have processes in common, they often express those processes using different taxonomies and vocabularies. For any BPM-related initiative to deliver maximum value, it has got to be integrated and harmonized with how the business does business now. And this goes as far as the words used to define and document processes and their interconnections with other elements of the business and IT infrastructures.

One company's "customer" is another's "client." One company's "sale" is another's "order." One company's "shipment" is another's "fulfillment." Multiply these differences too many times, and they make clear communication and consensus impossible. And that makes success with BPM and/or BKM impossible.

At many enterprises, the first successful steps toward creating useful BPPs will be in achieving consensus regarding the very terms and rules used to define and describe the processes to be managed. And the processes used to accomplish these tasks must themselves be submitted to the same scrutiny as other processes, to maximize consistency, repeatability, and scalability.

And of course, there needs to be agreement about how all of this is to be captured and stored, and how access to it is managed, to maximize that value of that information. And the processes used to make those determinations should themselves be captured and documented, just in case anyone might want to use them again, or refine them.

[This is now officially one of those times where you who work at larger enterprises can freely envy your counterparts at small and mid-sized businesses. Those smaller companies may have fewer resources to throw at such problems, but I bet their people have to endure far fewer meetings to make decisions.]

If you have or can find recent examples of tools used to profile or describe other business or IT infrastructure elements at your company, by all means, try to adapt these to your BPP-building purposes. However, I'd be skeptical of any purported template or format that promised much more than greater detail focused on areas such as those I have outlined here previously. Remember, your enterprise's goals and processes are unique – just like every other enterprise's.

Reactions, suggestions, or other tangentially related thoughts? Please share them, by posting comments here or e-mailing me. Let's see where this goes...

Posted by mdortch | Comments (0) | TrackBacks (0)

May 01, 2007
An Oracle Perspective: Does BPM Begin at the Database?

Oracle Corp. has made several recent announcements I think are of interest to anyone considering or pursuing BPM, business analytics (BA), business intelligence (BI), and/or related initiatives. These announcements should be of even more interest to anyone pursuing or considering such initiatives at an enterprise using or considering any Oracle solutions, including those it has acquired during the past few months and years. (The company is one of the only leading IT vendors of which I am aware that devotes a dedicated section of its Web sites to so-called "Strategic Acquisitions.")

As reported by ebizQ here, Oracle recently announced an ambitious road map focused on enterprise content/intellectual property (IP) management. As a significant step down the road described by said map, Oracle announced just yesterday Oracle Universal Content Management 10g Release 3, "a feature-rich, hot-pluggable ECM platform that helps organizations effectively capture, store, manage, find, publish and retain unstructured content, while easily fitting into heterogeneous infrastructures," according to Oracle. Since most of that content and IP resides in corporate databases, many if not most of which are overseen by Oracle software, this focus makes sense for Oracle, and should make sense for a number of Oracle customers as well. (The company bought content management solution provider Stellent last year; yesterday's announcement is its first major ECM product release since that acquisition.)

Separately, Oracle also announced the general availability of its Siebel CRM On Demand Integration Pack for Oracle E-Business Suite. This unwieldy name describes a solution that integrates Siebel CRM On Demand, Oracle's subscription-based, software-as-a-service (SaaS) CRM solution, with the back-office Oracle E-Business Suite. (At $30,000 per processor, the solution may not displace many Salesforce.com deployments, but should deliver value to enterprises seeking to extend the value of their incumbent Siebel CRM On Demand and/or Oracle E-Business Suite implementations.)

This announcement follows by five days the debut of Oracle Financial Services Profitability Analytics. This is effectively a pre-built integration of Oracle Business Intelligence Suite Enterprise Edition 10g Release 3 with Oracle Financial Services Applications (OFSA). The result is a business intelligence (BI) application "that delivers actionable insight to employees, helping them improve customer service and drive new levels of profitability [while helping] organizations reduce total IT cost and complexity." A tall order, but one that eliminates the need for enterprises to build their own integrations between the two offerings, according to Oracle.

And both of these announcements follow and build upon the Oracle Application and Integration Architecture the company announced in mid-April. The goal of that initiative is to ease and speed integrations of Oracle and non-Oracle solutions, via a common object model and a platform compliant with the Business Process Execution Language (BPEL), a widely used standard for describing executable business processes.

What's it all mean? Well, for companies reliant upon Oracle technologies, especially Oracle Fusion middleware, these announcements are good news for any process-focused initiatives under way or under consideration. Whether you and your enterprise are starting with a focus on application integration, CRM, or ECM, Oracle appears to have a path laid out that links your initiative to its databases via process-enabled, standards-compliant integration techniques. At least in theory. Oracle has its critics and detractors, even among its customers. But no one can say the company doesn't have strategies and plans to add value to (and generate additional revenues from) investments in its database solutions. Got opinions about Oracle and its strategies for support of BPM, BI, and related initiatives? Please share them, and I'll share and comment upon the most interesting and provocative ones I receive.

Posted by mdortch | Comments (0) | TrackBacks (0)
