BFM2013_1_09_Knowledge and embedded security

Once the knowledge production is structured, it becomes easier to define a knowledge control/security policy, by assigning a different level of access and responsibility to different organizational units.

A positive side-effect of this definition is: identifying the “knowledge boundaries” for each organizational unit limits the need for cross-functional meetings to those where the subject is new or clearly spans across “knowledge boundaries”.

As each item is classified while being defined, it becomes possible to delegate without losing control: this will reduce the number of resources needed to cope with a larger number of projects, using external resources only when and for as long as they are really needed, and without any loss of knowledge.

As described above, adopting a sound Knowledge Management policy based on Knowledge Retention makes investment in knowledge and knowledge costing possible.

Why does the title of this issue link “knowledge retention” to “embedded security”?

Knowing which items of your knowledge thesaurus are “core” and should be maintained inside your organization ensures that you can improve your business continuity capabilities, even when delegating one or more processes to third parties.

What is “embedded security”? Security management is quite often considered an additional set of processes, almost an afterthought.

But this externalisation of security implies that you try to build up walls (virtual or real), without actually involving those who produce the knowledge and therefore should know its operational sensitivity.

It is true that those above them know how, within the “formal organization”, that knowledge impacts on other areas of business: but even if those managers are promoted from the rank-and-file, eventually they will lose knowledge of the current, real, “informal organization”, and its informal communication flows (more appropriately, “back channels”).

Security (both physical and logical) does not come cheaply, and 100% security is simply impossible.

Our concept of “embedded security” is quite simple: instead of adding security after your processes, try to focus on identifying who is responsible for each specific knowledge subset, and involve them in the definition of the related security profile, with the support of your security experts or “internal audit”.

Maybe you will discover that some of the security can be “embedded” in the actual processes involved in producing the knowledge, minimizing your security overhead.

Knowledge-based security profiling increases the accountability of knowledge producers, while ensuring compliance with your own internal policies.

Further additional layers of security would just (expensively) increase the perceived security, while impeding the knowledge distribution that is needed to actually generate value, and creating a false sense of security in knowledge producers.

BFM2013_1_10_Guidelines for action

All the basic items now clarified, how long would it take to achieve these results?

It depends on your expectations, and how you manage them.

As noted above, a “Big Bang” approach is possible if you focus on technology, but then maintaining the knowledge will be more expensive, as the producers will need constant help both to trace back and update the “thesaurised” knowledge.

In any change management activity, you need to change the behaviour of knowledge producers as a whole.

A simple presentation is not enough to produce the change: you also need to reinforce the message with consistent, individual actions.

We suggest a staged approach, using the results from the parameter-definition activities shown above, to build up a schedule of intervention that could produce the first results in a few months.

Lowering the expectations (better, managing them) implies identifying which organizational units could produce results faster.

Then, a “viral” model could be used to both improve your knowledge retention policy and spread the activity to other organizational units.

Whenever you want to “evangelise” on something new, identify a first structure with a high chance of success.

Once successful, this structure should “spread the message” to others, reinforcing the message: usually, the growth is not simply linear.

How do you operate? Realistically, identify a homogeneous area to “tune” your approach, and identify the actual “stakeholders” involved in knowledge management processes: production, collection, distribution, and maintenance.

This approach allows you to find out whether there are any further organizational units that should be involved, while negotiating both a process and the associated roles; e.g. organizational units that have already been assigned similar tasks, or that defined their own knowledge retention policies that are worth considering “best practices”.

Just remember: this approach has to be tailored to both your own corporate culture and your aims.

As an example: often, while taking over or merging units, or defining a joint-venture, “promoting” processes already adopted by some units prior to this organizational and cultural change could actually increase resistance to change.

Finally, no knowledge retention policy should allow “loopholes”, e.g. using external resources to bypass standards, using as an excuse that they follow their own rules.

The message to both internal and external resources is quite simple: you delegate the execution of activities, not responsibility, and therefore any organizational unit using external resources should “price” the cost of converting the externally-generated knowledge in order to make it comply with the internal rules, and obtain something whose lifecycle can be managed internally.

Quite often, these additional costs would reduce or remove the economic viability of externalisation, at least for recurring activities.

BFM2013_1_11_Timeframe for delivery

A first project could usually take one to two months to assess the parameters and give an overview, using brainstorming sessions to identify the targets and the first organizational units to apply the process to.

The collection and first structuring, with the building of a reference catalogue, would probably take another four months.

Unless you already have a knowledge retention policy in place, the cultural change management usually would require another six months, with oversight from either the first organizational unit carrying out all the activities, a new structure, external resources, or a team composed of a mix of resources from the three.

Again, staffing choices have to be tailored to your own current and proposed environment.

Thereafter, a “viral spreading” approach (like the one used in Business Intelligence and similar activities) is suggested to deploy the process across the organization.

As for the project team size: the initial team should be as small as possible, while a single resource should be responsible for the first catalogue building, to ensure consistency.

Once the first phase and second phase of the first project have been carried out, and the working rules have been defined, the team could be expanded to activate parallel projects.

Anyway, consider these first phases as part of a long-term cultural and organizational change programme, if you want to produce self-sustainable results.


In conclusion, knowledge retention is not rocket science, but the benefits it can deliver are quite sensible.

Moreover, you can do it yourself.

With different levels of detail, this approach has been applied time and again, both internally and for customers across Europe.

As usual, use the information at your own risk and adapt anything you read to your own environment.

While we had consistent success in applying this approach, we cannot guarantee that it will work for your organization.

BFM2013_2_00_Introduction – Strategic outsourcing

This issue was focused on methods and solutions to manage outsourcing choices, while retaining the capability to keep the evolution of business processes on track.

Outsourcing and BPO (Business Process Outsourcing) are often considered mere economic or technical choices.

Instead, a wrong outsourcing decision could negatively affect your organization’s ability not only to carry out business-as-usual activities, but also to evolve.

As discussed in the previous issue, if you don’t know what is really “core knowledge” of your business, and the associated formal and informal organization, outsourcing might not be the best choice, unless it is a mere output-oriented activity.

BFM2013_2_01_Outsourcing as a magic wand

Since the late 1980s, a constant drive to downsize, rightsize, slice-and-dice businesses pushed many companies toward considering “externalisation of non-core activities” as a routine affair.

Outsourcing became a magic wand to convert fixed costs into variable ones, while improving the level of services received vs. what was previously delivered by internal resources.

But outsourcing is a business process to achieve change, and like any other process it requires a clear definition and understanding of your current position before you can introduce any change.

While introducing change inside your own company without sufficient knowledge could be “fixed” later on, outsourcing is usually supported by water-tight legal writs (this usually wasn’t the case with early 1990s contracts).

The previous issue described how every company works on its own eCI (embedded Corporate Identity), i.e. what is the accepted behaviour within a company, as expressed by processes, organisation, etc.

As the Cheshire Cat in “Alice in Wonderland” said: you need to know where you are heading to before you can decide which way is the right one to go.

Once you know where you are, you can define the destination, and start thinking about the “how”.

Outsourcing is more than just a solution to the “how”, and unless you are able to identify and communicate effectively the current status of what you outsource, all that you obtain is just a long-term restructuring of costs.

Some companies simply outsource out of despair, seeing outsourcing as an easy way out of a history of mismanagement and spiralling costs, while others simply are unable to find the human resources they need on the market.

As will be discussed later, defining the priorities is obviously a bonus when short-listing outsourcing suppliers, and building the right list of priorities requires a clear understanding of the purpose of the outsourcing: what are the issues that should be solved by outsourcing?

Actually, the way most outsourcing contracts are built, if you do not document correctly the current status, you can expect a short-term decrease in costs, to be more than compensated by unexpected costs whenever you and your supplier find some “extras”.

“Strategic Outsourcing” requires a contract built to ensure the economic viability of the outsourcing activities, as explained in the next section.

BFM2013_2_02_What is outsourcing

Over the years, as the “outsourcing” concept (including the use of software solutions covering different vertical processes, e.g. ERP or CRM) was considered quite appealing and easy to explain, the meaning of the word has been bent and shaped in many ways, by both suppliers and customers.

Some activities often called “outsourcing”:

facilities management
the delivery of a service from a supplier, usually using a mix of your own and their resources, and with a high degree of control on the results, the process to achieve them, and the resources required; the main difference vs. typical body-rental agreements is that a common management team is designed, with a set of service level targets agreed to
joint venture
the delivery of services and products using resources from both companies, but under the management control of a new structure; the revenue is usually generated by a short-term transfer of the existing customer’s budget, eventually to be offset by the delivery of the services to third parties; there are two main risks: 1. under-documented existing level of services; 2. constant struggles between partners over business priorities
shared services
usually it is a hybrid, but under the control of the customer, with neither external management nor market; the risk is that of a company internal spin-off, with all the disadvantages of a joint-venture but without the same structural independence
the focus is on the outputs, with a clear definition of the inputs, but with a general framework for the service level agreement (SLA) and any additional activities.

All these approaches contain the same risk: transferring a vertical process usually results in loss of knowledge, as operational knowledge ceases to be thesaurised inside the customer organisation.

Obviously, sometimes this is an intended consequence, e.g. for companies that want to expand into new markets they have no operational knowledge of, like cash-based businesses (retailers, insurance companies, etc) entering the retail banking industry to convert their own cash-flow into an additional revenue stream.

As described in the previous issue, this risk can be easily managed by adopting a thesaurisation process that is more common sense than rocket science, i.e. by identifying “knowledge snippets”.

What you outsource is the production of a set of knowledge snippets whose “how” (i.e. the production method) you do not need to keep inside the company.

More on these aspects will be hinted at in the “Strategy and outsourcing” section, and in the next issue of BFM (focused on “Business Continuity Governance”).

BFM2013_2_03_Controlling the process

Outsourcing is quite often considered a financial decision (converting a fixed cost and the related investments and maintenance into variable costs), but quite often the decision-making process does not subject the decision to the same level of scrutiny as a financing decision.

Knowing the content of the outsourced services and processes is required not only to ensure a successful outsourcing, but also to avoid signing a contract that could result in substantial financial penalties… to obtain the same or a lower level of services!

“Outsourcing” comes in many forms and shapes, and my favourite example is what happened when, in the UK, tax offices were outsourced through a “leaseback”.

It is still a popular idea: sell your buildings, get the tax revenue, pay a fee to rent them back.

The idea? As a State, you get immediate cash, plus taxable income from what you pay to the new owner, while cutting down the costs by removing the need to carry out maintenance and “manage” buildings.

Nice idea, but… the company was revealed to be based offshore (goodbye taxation), and eventually said that it needed more income to cover the costs, or otherwise those buildings would be sold.

Can you imagine how it ended?

When outsourcing services that are delivered without technology, customers analyse all the details, sometimes up to a full due diligence.

Which details? How many people are involved, how many events, what are the qualifications of the people involved, the time and materials required, processes, etc.

Usually the quantitative analysis is less well developed when technology is involved, e.g. almost no company checks if every software component or database is properly documented, assuming that if it is working, everything needed to make it work is obviously there.

Controlling the process of outsourcing implies:

  • being able to transfer knowledge to the new organisation
  • identifying why you are outsourcing the service.

Cutting costs is the classical motivation for outsourcing, but “cutting costs” has different dimensions:

  • are you planning to reduce existing costs?
  • do you want to avoid required investments or regulatory hurdles implied in keeping the service in-house?
  • does the company need to expand, but you do not see how you could manage the expansion?
  • etc, etc.

Outsourcing requires a clear definition of the boundaries of the contract, as you can outsource the execution of activities, but you cannot outsource the responsibility for either the activity or the definition of its boundaries.

As previously hinted, some companies outsource complete processes that are not relevant to their own core business, keeping control only of core processes and communication with the outsourced ones.

These companies retain in house the knowledge required to oversee the outsourcing supplier(s), to the degree of detail required to ensure that the SLAs (Service Level Agreements) are respected and that the processes not outsourced are still working properly.

Unfortunately, most companies usually carry out different rounds of outsourcing, constantly enlarging the boundaries of the outsourced activities, but without updating accordingly the knowledge required to retain control.

Retaining the capability to dialogue with the outsourcing supplier is useful also when the customer wants to be able to manage the evolution of the SLAs according to business needs.

Therefore, selecting the right outsourcing supplier requires a clear understanding of what are the real capabilities of your own company to retain the knowledge required to manage the relationship.

Outsourcing suppliers that originate from the same market as their customers (usually as a shared supplier between customers) are able to fill the void left by the loss of knowledge inside the customers, at a price: it becomes like any other utility, and you risk losing influence on the content (and degrees of freedom) of the services delivered.

While apparently a larger, generalist outsourcing supplier could seem to be the best choice, in our experience understanding the mix of skills available inside the outsourcing supplier is the major factor enabling a successful outsourcing.

The most critical requirement is: the supplier must have internal resources that understand your own business, to deliver “backbone” services; otherwise, the supplier will outsource to a third party outside your own control.

BFM2013_2_04_Framing vs. “frameworking”

Sometimes the financial analysis of outsourcing activities is stretched too far, forgetting that any outsourcing supplier in the end needs to deliver services: a case of over-negotiation.

Any failure in delivering the agreed level of service will impact directly on the public perception of your own company, maybe affecting your business.

“Beauty contests” between outsourcing suppliers, where customers ask them to underbid each other, are dangerous if the customer lacks the required in-house knowledge of the activities they are trying to outsource.

Usually, the outsourcing supplier that “bites the bullet” either is planning to gain in the long term, or quite simply lacks the knowledge to understand the real costs of the outsourcing contract.

If your outsourcing supplier lacks the resources required to understand the evolution of your business and proactively support your business, probably either you or your supplier will use third party resources to fill a temporary (?) void, usually with unpredictable impact on quality.

A contract is the typical “framing device”- but is having a contract enough?

Financial penalties are not going to recover any business lost due to the failure of an outsourcing supplier that is unable to deliver the service agreed.

Contract definition is usually quite complex, but if the “technical” annexes are properly detailed, this is usually a good sign that one of the following three events is happening:

“the good”
both you and your supplier understand the requirements, and the contract allows the delivery of the services you need now, while covering also the management of possible evolutions; yes, this is a “win-win”
“the ugly”
your supplier understands the contract better than you do; probably, you will end up paying more than you expected, also to obtain the services that you assumed to be included
“the bad”
you understand the contract, while the supplier does not; if you are lucky, the net result is that your supplier will deliver services at below the market price; if you are not so lucky, this will have an impact on the long-term viability of the contract and probably a negative impact on the relationship with other outsourcing suppliers, as well as maybe affecting your business.

If a contract is no protection, another device that is becoming more and more widespread is, of course, an insurance policy. But what do you get from insurance?

An insurance policy is built around an assessment of the risk to determine the premium to pay the insurer, so that if any of the negative events covered happen, the insurer pays the agreed amount.

With this (limited) definition, our approach is quite clear: if a set of penalties embedded in a contract is no safeguard, why should insurance be any different?

The issue is not one of reality, but of perception: unless an insurance company invests in some companies that are able to actually “supply” the services the insurer covers, the business risk is not reduced.

As usual, insurance providers spread across the system the financial risk linked to the policy using re-insurance.

Therefore, while obviously contracts and insurance policies could reduce the financial burden due to the failure of the outsourcing supplier to deliver the service agreed to, we suggest focusing your negotiation on the actual definition of the SLAs.

Reason? If you halt your business due to a continued failure from your outsourcing supplier, no matter how much you are paid by the insurance company, your business is gone.

BFM2013_2_05_The content of outsourcing

In our experience, if you decide to outsource the execution of a service, then the actual details of the execution should rest with the outsourcing supplier.

Defining the results is certainly the easiest way, but it is not so easy to implement: do you really know all the “outputs” produced by your own processes?

By “outputs” we mean not only results from IT-based processes, but also results produced by other processes, including items such as the number of rooms cleaned, phone calls answered per minute, etc.

If you define the boundaries of your outsourcing contracts and SLAs around outputs, it becomes easier to quantify the level of service and negotiate the price of the contract (i.e. by number of incidents or “time slots required” to execute a process).

And, of course, the price of any additional services that may be required at a later stage.

Some companies outsource only whole processes, A-to-Z, top-to-bottom: if your outsourcing supplier understands your business, probably this approach is less resource-intensive (for you) than the output-based approach we suggest.

However you build the framework for your outsourcing contract, it is important that you thoroughly analyse your business needs.

When you first transfer a service to an outsourcing supplier, probably you will rely on partially structured and organized information to build the framework of the contract.

Some companies instead rely on the outsourcing supplier to build the framework.

In our experience, this is the worst choice, as neither you nor your supplier will really have the knowledge required to manage the outsourcing contract.

Our approach is to carry out a “due diligence”: both the prospective supplier and the customer document the framework, to confirm that what the customer perceives is what is assessed by the supplier.

Usually, such an exercise is quite expensive, and progressively suppliers started steering away from prospective customers that have a history of “serial proposals”, i.e. requiring new proposals whenever an assessment of internal processes is required, but always ending up giving the business to existing suppliers, or delivering with internal resources.

A common approach is to shortlist prospective suppliers on a limited set of parameters, and then pay the shortlisted prospective suppliers a “fee” to carry out the detailed assessment.

Sometimes, the cost of such an assessment is credited by the supplier if awarded the outsourcing contract.