Working with that CEO, I developed a model called the ACL Life Cycle. Understanding and using the ACL Life Cycle has proven enormously beneficial to clients depending on an M&A strategy for continued growth.
The ACL Life Cycle
The ACL Life Cycle describes the maturation process of companies who grow substantially through acquisitions and mergers. Using the ACL model, we can clearly identify the company's current position. Knowing that position, and then looking forward at the company's financial objectives through the lens of their business strategies, the specific actions that are needed become clear. Those actions can then be formed into an executable plan with associated performance measures, and managed through completion to bring the overall enterprise to heightened levels of financial performance. It is important for acquisition-oriented executives to understand the major phases and characteristics of the ACL Life Cycle.
Businesses who have survived one or more acquisitions and/or mergers are usually left with some degree of disintegration among their processes and systems. A company's success in reaching the financial objectives of the merger or acquisition is directly correlated with the degree to which that disintegration has been replaced by a set of business processes and information systems that are common enough to generate enterprise-wide leverage. Implicit in that commonality is enterprise-level direction and guidance, manifested in company-wide business strategies and performance measures that align all of the combined business units. These businesses move, in this post-acquisition or post-merger environment, from an acquisition-based operating model to one characterized by shared services and a general commonization, to a stage where the enterprise "whole" really is able to become something greater than the sum of its business unit "parts". It is more than the typical cost-reduction synergy anticipated in most of these transactions; it is a new platform for innovation, and an even higher level of innovation-based leverage.
Companies who experience substantive growth as a result of business acquisitions typically follow the ACL life cycle. ACL in this context stands for: Acquisition, Commonization, and Leverage. Many companies never leave the first stage of this maturity scale, and still more remain at the second stage. The most successful companies are usually those who recognize the importance of moving through all three stages, and consistently implement a structured process for doing so.
All companies experience pressures that push them toward decentralized operations, including idiosyncrasies of specific market niches served, the uniquenesses of isolated business processes, unusual needs of specific customer populations, and natural organizational entropy. At the same time, most of the companies that are successful in achieving the financial performance objectives established for the newly merged enterprise manage to overcome those challenges, electing to pursue the advantages of leverage, including:
broad synergistic brand recognition, enabling cross-selling, bundling of products and services, and improving revenue
interchangeability of business process resources, enabling the company to reduce its asset base
commonality and scalability in equipment / skills / facilities, facilitating innovation and growth into additional markets
higher utilization of business assets, reducing unit cost
lower levels of redundancy, resulting in reduced operating costs
These companies also typically find that maintaining compliance with financial reporting standards such as Sarbanes-Oxley requirements are enhanced as a result of strengthened internal controls.
Some companies make a deliberate decision to remain "holding companies", which simply buy and sell diverse businesses that have only marginal relationships with one another. These conglomerates prefer to manage the portfolio through buying and selling components, and allowing the leadership teams at the individual companies to manage ongoing operations from strategy through execution. Companies that benefit most from understanding the three stages of the ACL Life Cycle are those companies who have decided to focus on a single core industry - Aerospace & Defense, Automotive, Chemicals and Polymers, Textiles, Electronics, Telecommunications, Consumer Products, Medical Equipment producers, Healthcare providers, and Financial Services providers are all good candidates.
The Acquisition Stage of the ACL Life Cycle
Companies in the Acquisition Stageof their life cycles are usually focused on revenue growth, and capturing market share. They are characterized by high levels of autonomy in management, in the reporting of site-level data to the corporate parent, and in the design of their business processes and systems. Companies who remain in this stage for long periods of time following acquisitions usually act as holding companies, with the corporation allowing individual divisions or sites to operate almost as independent companies with their own P&L, strategic plans, and market-facing branding. Often, companies in the Acquisition stage lack a common vision of the future of the overall business, and tend to operate at cross-purposes among the operating units. Manufacturing companies in the acquisition stage are usually characterized by redundancies in raw materials, equipment, staffing, and other business resources. Because manufacturing companies are relatively material-intense, a great deal of cost can be tied up in raw materials, work-in-process, and finished goods. Since acquisition stage companies have so little visibility between business units, there is little opportunity for them to reallocate these assets in order to use them effectively. As a result, the most costly resources remain the most underutilized. In addition, acquisition-stage companies have not centralized the management of even commodity-level business processes, such as finance, human resources, and information technology. This lack of centralization leaves additional inefficiencies in place around accounting staff, employee benefits provider subscriptions, business software applications, data centers, and computing equipment.
Telecommunications companies in the acquisition stage also have unrealized opportunities for greater leverage from their business assets, but these more often take the form of redundancies in network equipment, network coverage, retail outlets, partner agreements related to the sale of their products, and interconnection agreements with other carriers. In addition, acquisition stage telecom companies often have a substantial amount of unrealized leverage in the lack of integration among the data bases and information of their various divisions that could enable shared service operations for commodity-type processes such as billing and cross-selling of products and services. Like manufacturing companies, telecom companies in the acquisition stage also typically have unexploited opportunities around the consolidation of data centers and related equipment and staffing.
Healthcare providers in the acquisition stage usually find opportunities in different areas of their businesses, because of the differing cost structure of their operations. The bulk of their costs and their opportunities while in the acquisition stage of maturity in the ACL Life Cycle are related to employee salaries & benefits, and to medical supplies and drugs. It is less common for these businesses to be able to effectively share inventories and equipment, since the nature of their business is rooted in community health care that requires local service provision. The opportunities that do exist, which are typically not exploited well in acquisition stage health care companies, are related to centralizing commodity type business processes such as finance, human resources, and information systems, and leveraging required service and supply procurement across the enterprise.
Financial Services providers, such as banks, brokerages, credit unions, financial planning companies and tax & audit services exhibit yet another cost profile, with the largest elements typically including personnel and occupancy costs. In these businesses, like health care provision, being where the customers are is critical. The companies' ability to understand the changing demographics and match up their branches as well as their skills to the targeted customer base is often a differentiator between the companies that succeed and those that fail. Financial services providers who are still in the acquisition stage of maturity in the ACL Life Cycle often do not have the commonality in fundamental business processes and systems to readily reconfigure their operations to meet the changing needs of their marketplace. Their acquisitions or mergers have enabled them to grow horizontally, typically into adjacent markets. However, lacking an adequate foundation of commonality in processes and systems, there is substantial money left on the proverbial table as a result of ineffective resource deployment, and delays in the reporting of operational performance data that would enable the company to be more responsive. These companies also fail, in their acquisition stage, to take advantage of their larger purchasing power to gain leverage around purchased services spanning items as diverse as employee health care and branch-level office supplies.
The Commonization Stage of the ACL Life Cycle
Companies in the Commonization Stage of their life cycles have usually awakened to the value of focusing on Return on Net Assets (RONA) and Return on Invested Capital (ROIC). In order to begin to capture improvements in these areas, companies in the Commonization Stage often turn to shared service models of operations for selected business processes and systems. Strategies and performance measures begin to crystallize around common themes that span multiple operating units or divisions. Among the areas of focus for a shared service model in this stage are Finance (A/R, A/P, General Ledger, and Financial Reporting), Human Resources (Payroll, Benefits, and Employment Records), and Information Technology (Computer Hardware, Network Administration, and selected Software Applications Management). Some companies in the Commonization Stage also move Procurement and other aspects of Materials Management to a shared service model, enabling the corporation to more effectively leverage its broadest possible purchasing power.
Manufacturing companies in the commonization stage of maturity typically have shared services in place for commodity types of business processes such as finance, human resources, and information systems management. Toward the end of the commonization phase, centralization of work deployment and capacity utilization as well as process quality emerge as companies begin to deploy common processes and systems in customer requirements management, enterprise requirements planning, manufacturing execution systems, and distribution management systems.
Telecommunications companies in the commonization stage of maturity also typically have shared services in place for commodity types of business processes such as finance, human resources, and information systems management. As they advance in maturity through this stage, telecoms also become aware of the available leverage in centralizing the management of some of their most valuable assets. However, unlike the manufacturer's raw material focus, for telecommunications operations those elements are things like spectrum licenses, network equipment, connection agreements, partner agreements, distribution centers, and retail outlets. Centralizing the management of those assets to identify overlaps and redundancies enables telecoms to emerge from the commonization stage with much more effectively leveraged business assets, providing broader market coverage with a lower total asset base and generating much higher earnings on that consolidated foundation.
Healthcare companies in the commonization phase of maturity find substantial benefit in the commonization and centralization of their commodity type processes and systems. This is primarily because of the impact on cash flow and earnings when the employee base is reduced through shared services, and employee benefits and supplies are both leveraged in terms of the broader purchasing power of the company following a business acquisition of significant size. However, there is also an especially rich opportunity available to healthcare companies in the commonization stage that stems form the leverage available related to insurance coverage - not for the employees directly, but covering the potential liability of the company itself. This category of cost is typically about the third largest slice of the pie, and significant reductions there can translate quickly to a meaningful earnings impact.
Financial services providers in the commonization stage of the ACL Life Cycle, like healthcare providers, often find substantial benefit in the commonization and centralization of their commodity type processes and systems. With roughly half of their cost of operations wrapped up in employee salaries and benefits, there is an opportunity for meaningful impact on cash flow and earnings when the employee base is reduced through shared services, and employee benefits and supplies are both leveraged in terms of the broader purchasing power of the company following a business acquisition or merger. The next significant area for financial service providers in the commonization stage is the capability for rapid reconfiguration of the business based on enterprise-wide visibility of operational data and market intelligence.
The Leverage Stage of the ACL Life Cycle
Companies in the Leverage Stage of their life cycles are usually embarked on a fierce drive toward adding real value. They are relentless in their efforts to fully utilize the assets of the entire corporation, driving out redundancy and its associated costs. They are then able to pivot on the fulcrum of those more agile processes and systems to implement innovations that foster organic growth resulting in greater market share, greater revenue, and improved earnings for their shareholders. Leverage Stage companies also establish a structured and repetitive process of assimilating new businesses, gathering and incorporating market intelligence into company-wide strategies, and innovating on the basis of these new combinations to capture additional market segments. These companies are characterized by coordination and centralization of major business functions such as the planning and allocation of R&D, production work, inventories, raw material purchases, personnel, and factories & equipment. They centrally manage a broad spectrum of common business processes and systems, including customer requirements management, product data management, enterprise requirements planning, manufacturing execution systems, and logistics management. They are constantly changing, evaluating and configuring business assets to meet future market needs, acquiring and developing new businesses, and shedding assets that no longer fit their evolving model.
Manufacturing companies in the leverage stage of maturity typically have shared services in place for most of the critical business processes of their company, having reached beyond the commodity level processes and into those which deliver the most value to their customers. Examples include sales & marketing, order entry & customer service, capacity planning and management, production scheduling and shop floor control, and distribution requirements planning. As they move through the leverage stage of the ACL Life Cycle, some of these companies leverage the commonality of their processes and systems to produce innovative new products and services, identify additional market opportunities, and develop industry-changing relationships that reach through their supply chains.
Telecommunications companies in the leverage stage of maturity also have shared services in place for most of the critical business processes of their company, including the seamless provisioning (often called "flow-through provisioning" by industry insiders) of all telephonic services to customers stemming from a single telephone conversation responding to an individual inquiry about a service. This type of capability is only enabled when all of the information from what have historically been disparate data bases is available in an intelligent form through excellent systems integration, based on exceptional levels of commonality and strength in enterprise-wide business processes.
Healthcare companies in the leverage stage of maturity have typically discovered and implemented leverage-based improvements in their major cost structure elements as a result of enterprise-wide information visibility flowing from systems integration and centralized management of critical business processes. Health care companies generally also have uniquely challenging business conditions related to three other areas where leverage level operations can be a powerful tool.
Most health care organizations are spending a substantial amount of money in this regard, with training and documentation of company polices and safety-related practices requiring an increasing amount of company attention. The integration of systems and commonization of processes in a leverage stage health care company offers opportunities to more quickly incorporate internal best practices, externally imposed business requirements, and feedback about lessons learned across the entire health care organization regardless of geographic dispersion. Commonization and centralized management here can result in substantially lower cost, and more importantly, substantially higher and more uniform levels of employee safety.
The integration of customer data, and effectively interfacing a common set of enterprise-wide processes and systems with outside service providers such health maintenance organizations and insurance carriers, substantially reduces the amount of bad debt in leverage level health care companies.
This area is tricky because of legislation related to patient privacy and guidelines recently established for the maintenance and communication of patient medical information. However, one of the fundamental challenges faced by health care providers is the absence of available medical history, particularly when a patient is admitted to an emergency room or urgent care facility. When critical business processes and information systems for the management of this information are brought to an effective level of commonality, the rapid dissemination of the needed information can be greatly improved, while patients' expectations around the privacy of their information are still met.
Financial services companies in the leverage stage of maturity, like health care companies in some ways, must balance the needs of differing local customer geographies against the advantages of centralized management in critical business processes and systems. There is real value in allowing some latitude to local branch officers and customer-facing staff such as loan officers to accommodate the unique circumstances involved in specific cases. However, these companies often find that a significant advantage of the leverage provided by enterprise-wide commonization of processes and systems is the ability to see the nuances of differing markets at a corporate level, and recognize broader trends among those different markets more quickly and clearly than they could before. This improved visibility, in turn, enables management to reconfigure their service offerings, redeploy resources such as sales dollars, and organize sales campaigns for those specific markets more quickly than they could previously.
The best of these companies, regardless of what industry they occupy, utilize their common platform of processes, systems, and information to understand the needs of their customers in unique ways, and fluidly translate those needs into the features of their products and services. The enterprise-wide leverage they achieved as a result of carefully and skillfully handling the post-merger or post-acquisition integration of processes, systems, and data provided the platform from which innovation launched them to new levels of performance. Examples could as easily be provided for companies in pharmaceuticals, retail operations, or the food & beverage industry.
Maturity Scale for IT Data Management
This following blog post has turned into more than just a post. It’s more of a paper. In any case, in the post I am trying to capture a number of concepts that are defining the IT data management market.
When I am talking about IT data management, I am talking about the over-arching market that covers anything from log management to security information management and security event management.
Any company or IT department/operations can be placed along the maturity scale (see Figure 1). The further on the right, the more mature the operations with regards to IT data management. A company generally moves along the scale. A movement to the right does not just involve the purchase of new solutions or tools, but also needs to come with a new set of processes. Products are often necessary but are not a must.
The further one moves to the right, the fewer companies or IT operations can be found operating at that scale. Also note that the products that companies use are called log management tools for the ones located on the left side of the scale. In the middle, it is the security information and event management (SIEM) products that are being used, and on the right side, companies have to look at either in-house tools, scripts, or in some cases commercial tools in markets other than the security market. Some SIEM tools are offering basic advanced analytics capabilities, but they are very rudimentary. The reason why there are no security specific tools and products on the right side becomes clear when we understand a bit better what the scale encodes.
The Maturity Scale
Download Maturity Scales Test for Public Servants (CPNS) Test
Let us have a quick look at each of the stages on the scale. (Skip over this if you are interested in the conclusions and not the details of the scale.)
* Do nothing: I didn’t even explicitly place this stage on the scale. However, there are a great many companies out there that do exactly this. They don’t collect data at all.
* Collecting logs: At this stage of the scale, companies are collecting some data from a few data sources for retention purposes. Sometimes compliance is the driver for this. You will mostly find things like authentication logs or maybe message logs (such as email transaction logs or proxy logs). The number of different data sources is generally very small. In addition, you mostly find log files here. No more specific IT data, such as multi-line applications logs or configurations.
* Forensics / Troubleshooting: While companies in the previous stage simply collect logs for retention purposes, companies in this stage actually make use of the data. In the security arena they are conducting forensic investigations after something suspicious was noticed or a breach was reported. In IT operations, the use-case is troubleshooting. Take email logs, for example. A user wants to know why he did not receive a specific email. Was it eaten by the SPAM filter or is something else wrong?
* Save searches: I don’t have a better name for this. In the simplest case, someone saves the search expression used with a grep command. In other cases, where a log management solution is used, users are saving their searches. At this stage, analysts can re-use their searches at a later point in time to find the same type of problems again, without having to reconstruct the searches every single time.
* Share searches: If a search is good for one analyst, it might be good for another one as well. Analysts at some point start sharing their ways of identifying a certain threat or analyze a specific IT problem. This greatly improves productivity.
* Reporting: Analysts need reports. They need reports to communicate findings to management. Sometimes they need reports to communicate among each other or to communicate with other teams. Generally, the reporting capabilities of log management solutions are fairly limited. They are extended in the SEM products.
* Alerting: This capability lives in somewhat of a gray-zone. Some log management solutions provide basic alerting, but generally, you will find this capability in a SEM. Alerting is used to automate some of the manual trouble-shooting that is done among companies on the left side of the scale. Instead of waiting for a user to complain that there is something wrong with his machine and then looking through the log files, analysts are setting up alerts that will notify them as soon as there are known signs of failures showing up. Things like monitoring free disk space are use-cases that are automated at this point. This can safe a lot of manual labor and help drive IT towards a more automated and pro-active discipline.
* Collecting more logs and IT data: More data means more insight, more visibility, broader coverage, and more uses. For some use-cases we now need new data sources. In some cases it’s the more exotic logs, such as multi-line application logs, instant messenger logs, or physical access logs. In addition more IT data is needed: configuration files, host status information, such as open ports or running processes, ticketing information, etc. These new data sources enable a new and broader set of use-cases, such as change validation.
* Correlation: The manual analysis of all of these new data sources can get very expensive and too resource intense. This is where SEM solutions can help automate a lot of the analysis. Uses like correlating trouble tickets with file changes, or correlating IDS data with operating system logs (Note that I didn’t say IDS and firewall logs!) There is much much more to correlation, but that’s for another blog post.
Note the big gap between the last step and this one. It takes a lot for an organization to cross this chasm. Also note that the individual mile-stones on the right side are drawn fairly close to each other. In reality, think of this as a log scale. These mile-stones can be very very far apart. The distance here is not telling anymore.
* Visual analysis: It is not very efficient to read through thousands of log messages and figure out trends or patterns, or even understand what the log entries are communicating. Visual analysis takes the textual information and packages them in an image that conveys the contents of the logs. For more information on the topic of security visualization see Applied Security Visualization.
* Pattern detection: One could view this as advanced correlation. One wants to know about patterns. Is it normal that when the DNS server is doing a zone transfer that you will also find a number of IDS alerts along with some firewall log entries? If a user browses the Web, what is the pattern of log files that are normally seen? Patter detection is the first step towards understanding an IT environment. The next step is to then figure out when something is an outlier and not part of a normal pattern. Note that this is not as simple as it sounds. There are various levels of maturity needed before this can happen. Just because something is different does not mean that it’s a “bad” anomaly or an outlier. Pattern detection engines need a lot of care and training.
* Interactive visualization: Earlier we talked about simple, static visualization to better understand our IT data. The next step in the application of visualization is interactive visualization. This type of visualization follows the principle of: “overview first, zoom and filter, then details on demand.” This type of visualization along with dynamic queries (the next step) is incredibly important for advanced analysis of IT data.
* Dynamic queries: The next step beyond interactive, single-view visualizations are multiple views of the same data. All of the views are linked together. If you select a property in one graph, the selection propagates to the others. This is also called dynamic queries. This is the gist of fast and efficient analysis of your IT data.
* Anomaly detection: Various products are trying to implement anomaly detection algorithms in order to find outliers, or anomalous behavior in the IT environment. There are many approaches that people are trying to apply. So far, however, none of them had broad success. Anomaly detection as it is known today is best understood for closed use-cases. For example, NBADs are using anomaly detection algorithms to flag interesting findings in network flows. As of today, nobody has successfully applied anomaly detection across heterogeneous data sources.
* Sharing views, patterns, and outliers: The last step on my maturity scale is the sharing of advanced analytic findings. If I know that certain versions of the Bind DNS server tend to trigger a specific set of Snort IDS alerts, it is something that others should know as well. Why not share it? Unfortunately, there are no products that allow us to share this knowledge.
While reading the maturity scale, note the gaps between the different stages. They signify how quickly after the previous step a new step sets in. If you were to look at the scale from a time-perspective, you would start an IT data management project on the left side and slowly move towards the right. Again, the gaps are fairly indicative of the relative time such a project would consume.
The ACL Life Cycle
The ACL Life Cycle describes the maturation process of companies who grow substantially through acquisitions and mergers. Using the ACL model, we can clearly identify the company's current position. Knowing that position, and then looking forward at the company's financial objectives through the lens of their business strategies, the specific actions that are needed become clear. Those actions can then be formed into an executable plan with associated performance measures, and managed through completion to bring the overall enterprise to heightened levels of financial performance. It is important for acquisition-oriented executives to understand the major phases and characteristics of the ACL Life Cycle.
Businesses who have survived one or more acquisitions and/or mergers are usually left with some degree of disintegration among their processes and systems. A company's success in reaching the financial objectives of the merger or acquisition is directly correlated with the degree to which that disintegration has been replaced by a set of business processes and information systems that are common enough to generate enterprise-wide leverage. Implicit in that commonality is enterprise-level direction and guidance, manifested in company-wide business strategies and performance measures that align all of the combined business units. These businesses move, in this post-acquisition or post-merger environment, from an acquisition-based operating model to one characterized by shared services and a general commonization, to a stage where the enterprise "whole" really is able to become something greater than the sum of its business unit "parts". It is more than the typical cost-reduction synergy anticipated in most of these transactions; it is a new platform for innovation, and an even higher level of innovation-based leverage.
Companies who experience substantive growth as a result of business acquisitions typically follow the ACL life cycle. ACL in this context stands for: Acquisition, Commonization, and Leverage. Many companies never leave the first stage of this maturity scale, and still more remain at the second stage. The most successful companies are usually those who recognize the importance of moving through all three stages, and consistently implement a structured process for doing so.
All companies experience pressures that push them toward decentralized operations, including idiosyncrasies of specific market niches served, the uniquenesses of isolated business processes, unusual needs of specific customer populations, and natural organizational entropy. At the same time, most of the companies that are successful in achieving the financial performance objectives established for the newly merged enterprise manage to overcome those challenges, electing to pursue the advantages of leverage, including:
broad synergistic brand recognition, enabling cross-selling, bundling of products and services, and improving revenue
interchangeability of business process resources, enabling the company to reduce its asset base
commonality and scalability in equipment / skills / facilities, facilitating innovation and growth into additional markets
higher utilization of business assets, reducing unit cost
lower levels of redundancy, resulting in reduced operating costs
These companies also typically find that maintaining compliance with financial reporting standards such as Sarbanes-Oxley requirements are enhanced as a result of strengthened internal controls.
Some companies make a deliberate decision to remain "holding companies", which simply buy and sell diverse businesses that have only marginal relationships with one another. These conglomerates prefer to manage the portfolio through buying and selling components, and allowing the leadership teams at the individual companies to manage ongoing operations from strategy through execution. Companies that benefit most from understanding the three stages of the ACL Life Cycle are those companies who have decided to focus on a single core industry - Aerospace & Defense, Automotive, Chemicals and Polymers, Textiles, Electronics, Telecommunications, Consumer Products, Medical Equipment producers, Healthcare providers, and Financial Services providers are all good candidates.
The Acquisition Stage of the ACL Life Cycle
Companies in the Acquisition Stageof their life cycles are usually focused on revenue growth, and capturing market share. They are characterized by high levels of autonomy in management, in the reporting of site-level data to the corporate parent, and in the design of their business processes and systems. Companies who remain in this stage for long periods of time following acquisitions usually act as holding companies, with the corporation allowing individual divisions or sites to operate almost as independent companies with their own P&L, strategic plans, and market-facing branding. Often, companies in the Acquisition stage lack a common vision of the future of the overall business, and tend to operate at cross-purposes among the operating units. Manufacturing companies in the acquisition stage are usually characterized by redundancies in raw materials, equipment, staffing, and other business resources. Because manufacturing companies are relatively material-intense, a great deal of cost can be tied up in raw materials, work-in-process, and finished goods. Since acquisition stage companies have so little visibility between business units, there is little opportunity for them to reallocate these assets in order to use them effectively. As a result, the most costly resources remain the most underutilized. In addition, acquisition-stage companies have not centralized the management of even commodity-level business processes, such as finance, human resources, and information technology. This lack of centralization leaves additional inefficiencies in place around accounting staff, employee benefits provider subscriptions, business software applications, data centers, and computing equipment.
Telecommunications companies in the acquisition stage also have unrealized opportunities for greater leverage from their business assets, but these more often take the form of redundancies in network equipment, network coverage, retail outlets, partner agreements related to the sale of their products, and interconnection agreements with other carriers. In addition, acquisition stage telecom companies often have a substantial amount of unrealized leverage in the lack of integration among the data bases and information of their various divisions that could enable shared service operations for commodity-type processes such as billing and cross-selling of products and services. Like manufacturing companies, telecom companies in the acquisition stage also typically have unexploited opportunities around the consolidation of data centers and related equipment and staffing.
Healthcare providers in the acquisition stage usually find opportunities in different areas of their businesses, because of the differing cost structure of their operations. The bulk of their costs and their opportunities while in the acquisition stage of maturity in the ACL Life Cycle are related to employee salaries & benefits, and to medical supplies and drugs. It is less common for these businesses to be able to effectively share inventories and equipment, since the nature of their business is rooted in community health care that requires local service provision. The opportunities that do exist, which are typically not exploited well in acquisition stage health care companies, are related to centralizing commodity type business processes such as finance, human resources, and information systems, and leveraging required service and supply procurement across the enterprise.
Financial Services providers, such as banks, brokerages, credit unions, financial planning companies and tax & audit services exhibit yet another cost profile, with the largest elements typically including personnel and occupancy costs. In these businesses, like health care provision, being where the customers are is critical. The companies' ability to understand the changing demographics and match up their branches as well as their skills to the targeted customer base is often a differentiator between the companies that succeed and those that fail. Financial services providers who are still in the acquisition stage of maturity in the ACL Life Cycle often do not have the commonality in fundamental business processes and systems to readily reconfigure their operations to meet the changing needs of their marketplace. Their acquisitions or mergers have enabled them to grow horizontally, typically into adjacent markets. However, lacking an adequate foundation of commonality in processes and systems, there is substantial money left on the proverbial table as a result of ineffective resource deployment, and delays in the reporting of operational performance data that would enable the company to be more responsive. These companies also fail, in their acquisition stage, to take advantage of their larger purchasing power to gain leverage around purchased services spanning items as diverse as employee health care and branch-level office supplies.
The Commonization Stage of the ACL Life Cycle
Companies in the Commonization Stage of their life cycles have usually awakened to the value of focusing on Return on Net Assets (RONA) and Return on Invested Capital (ROIC). In order to begin to capture improvements in these areas, companies in the Commonization Stage often turn to shared service models of operations for selected business processes and systems. Strategies and performance measures begin to crystallize around common themes that span multiple operating units or divisions. Among the areas of focus for a shared service model in this stage are Finance (A/R, A/P, General Ledger, and Financial Reporting), Human Resources (Payroll, Benefits, and Employment Records), and Information Technology (Computer Hardware, Network Administration, and selected Software Applications Management). Some companies in the Commonization Stage also move Procurement and other aspects of Materials Management to a shared service model, enabling the corporation to more effectively leverage its broadest possible purchasing power.
Manufacturing companies in the commonization stage of maturity typically have shared services in place for commodity types of business processes such as finance, human resources, and information systems management. Toward the end of the commonization phase, centralization of work deployment and capacity utilization as well as process quality emerge as companies begin to deploy common processes and systems in customer requirements management, enterprise requirements planning, manufacturing execution systems, and distribution management systems.
Telecommunications companies in the commonization stage of maturity also typically have shared services in place for commodity types of business processes such as finance, human resources, and information systems management. As they advance in maturity through this stage, telecoms also become aware of the available leverage in centralizing the management of some of their most valuable assets. However, unlike the manufacturer's raw material focus, for telecommunications operations those elements are things like spectrum licenses, network equipment, connection agreements, partner agreements, distribution centers, and retail outlets. Centralizing the management of those assets to identify overlaps and redundancies enables telecoms to emerge from the commonization stage with much more effectively leveraged business assets, providing broader market coverage with a lower total asset base and generating much higher earnings on that consolidated foundation.
Healthcare companies in the commonization phase of maturity find substantial benefit in the commonization and centralization of their commodity type processes and systems. This is primarily because of the impact on cash flow and earnings when the employee base is reduced through shared services, and employee benefits and supplies are both leveraged in terms of the broader purchasing power of the company following a business acquisition of significant size. However, there is also an especially rich opportunity available to healthcare companies in the commonization stage that stems form the leverage available related to insurance coverage - not for the employees directly, but covering the potential liability of the company itself. This category of cost is typically about the third largest slice of the pie, and significant reductions there can translate quickly to a meaningful earnings impact.
Financial services providers in the commonization stage of the ACL Life Cycle, like healthcare providers, often find substantial benefit in the commonization and centralization of their commodity type processes and systems. With roughly half of their cost of operations wrapped up in employee salaries and benefits, there is an opportunity for meaningful impact on cash flow and earnings when the employee base is reduced through shared services, and employee benefits and supplies are both leveraged in terms of the broader purchasing power of the company following a business acquisition or merger. The next significant area for financial service providers in the commonization stage is the capability for rapid reconfiguration of the business based on enterprise-wide visibility of operational data and market intelligence.
The Leverage Stage of the ACL Life Cycle
Companies in the Leverage Stage of their life cycles are usually embarked on a fierce drive toward adding real value. They are relentless in their efforts to fully utilize the assets of the entire corporation, driving out redundancy and its associated costs. They are then able to pivot on the fulcrum of those more agile processes and systems to implement innovations that foster organic growth resulting in greater market share, greater revenue, and improved earnings for their shareholders. Leverage Stage companies also establish a structured and repetitive process of assimilating new businesses, gathering and incorporating market intelligence into company-wide strategies, and innovating on the basis of these new combinations to capture additional market segments. These companies are characterized by coordination and centralization of major business functions such as the planning and allocation of R&D, production work, inventories, raw material purchases, personnel, and factories & equipment. They centrally manage a broad spectrum of common business processes and systems, including customer requirements management, product data management, enterprise requirements planning, manufacturing execution systems, and logistics management. They are constantly changing, evaluating and configuring business assets to meet future market needs, acquiring and developing new businesses, and shedding assets that no longer fit their evolving model.
Manufacturing companies in the leverage stage of maturity typically have shared services in place for most of the critical business processes of their company, having reached beyond the commodity level processes and into those which deliver the most value to their customers. Examples include sales & marketing, order entry & customer service, capacity planning and management, production scheduling and shop floor control, and distribution requirements planning. As they move through the leverage stage of the ACL Life Cycle, some of these companies leverage the commonality of their processes and systems to produce innovative new products and services, identify additional market opportunities, and develop industry-changing relationships that reach through their supply chains.
Telecommunications companies in the leverage stage of maturity also have shared services in place for most of the critical business processes of their company, including the seamless provisioning (often called "flow-through provisioning" by industry insiders) of all telephonic services to customers stemming from a single telephone conversation responding to an individual inquiry about a service. This type of capability is only enabled when all of the information from what have historically been disparate data bases is available in an intelligent form through excellent systems integration, based on exceptional levels of commonality and strength in enterprise-wide business processes.
Healthcare companies in the leverage stage of maturity have typically discovered and implemented leverage-based improvements in their major cost structure elements as a result of enterprise-wide information visibility flowing from systems integration and centralized management of critical business processes. Health care companies generally also have uniquely challenging business conditions related to three other areas where leverage level operations can be a powerful tool.
Most health care organizations are spending a substantial amount of money in this regard, with training and documentation of company polices and safety-related practices requiring an increasing amount of company attention. The integration of systems and commonization of processes in a leverage stage health care company offers opportunities to more quickly incorporate internal best practices, externally imposed business requirements, and feedback about lessons learned across the entire health care organization regardless of geographic dispersion. Commonization and centralized management here can result in substantially lower cost, and more importantly, substantially higher and more uniform levels of employee safety.
The integration of customer data, and effectively interfacing a common set of enterprise-wide processes and systems with outside service providers such health maintenance organizations and insurance carriers, substantially reduces the amount of bad debt in leverage level health care companies.
This area is tricky because of legislation related to patient privacy and guidelines recently established for the maintenance and communication of patient medical information. However, one of the fundamental challenges faced by health care providers is the absence of available medical history, particularly when a patient is admitted to an emergency room or urgent care facility. When critical business processes and information systems for the management of this information are brought to an effective level of commonality, the rapid dissemination of the needed information can be greatly improved, while patients' expectations around the privacy of their information are still met.
Financial services companies in the leverage stage of maturity, like health care companies in some ways, must balance the needs of differing local customer geographies against the advantages of centralized management in critical business processes and systems. There is real value in allowing some latitude to local branch officers and customer-facing staff such as loan officers to accommodate the unique circumstances involved in specific cases. However, these companies often find that a significant advantage of the leverage provided by enterprise-wide commonization of processes and systems is the ability to see the nuances of differing markets at a corporate level, and recognize broader trends among those different markets more quickly and clearly than they could before. This improved visibility, in turn, enables management to reconfigure their service offerings, redeploy resources such as sales dollars, and organize sales campaigns for those specific markets more quickly than they could previously.
The best of these companies, regardless of what industry they occupy, utilize their common platform of processes, systems, and information to understand the needs of their customers in unique ways, and fluidly translate those needs into the features of their products and services. The enterprise-wide leverage they achieved as a result of carefully and skillfully handling the post-merger or post-acquisition integration of processes, systems, and data provided the platform from which innovation launched them to new levels of performance. Examples could as easily be provided for companies in pharmaceuticals, retail operations, or the food & beverage industry.
Maturity Scale for IT Data Management
This following blog post has turned into more than just a post. It’s more of a paper. In any case, in the post I am trying to capture a number of concepts that are defining the IT data management market.
When I am talking about IT data management, I am talking about the over-arching market that covers anything from log management to security information management and security event management.
Any company or IT department/operations can be placed along the maturity scale (see Figure 1). The further on the right, the more mature the operations with regards to IT data management. A company generally moves along the scale. A movement to the right does not just involve the purchase of new solutions or tools, but also needs to come with a new set of processes. Products are often necessary but are not a must.
The further one moves to the right, the fewer companies or IT operations can be found operating at that scale. Also note that the products that companies use are called log management tools for the ones located on the left side of the scale. In the middle, it is the security information and event management (SIEM) products that are being used, and on the right side, companies have to look at either in-house tools, scripts, or in some cases commercial tools in markets other than the security market. Some SIEM tools are offering basic advanced analytics capabilities, but they are very rudimentary. The reason why there are no security specific tools and products on the right side becomes clear when we understand a bit better what the scale encodes.
The Maturity Scale
Download Maturity Scales Test for Public Servants (CPNS) Test
Let us have a quick look at each of the stages on the scale. (Skip over this if you are interested in the conclusions and not the details of the scale.)
* Do nothing: I didn’t even explicitly place this stage on the scale. However, there are a great many companies out there that do exactly this. They don’t collect data at all.
* Collecting logs: At this stage of the scale, companies are collecting some data from a few data sources for retention purposes. Sometimes compliance is the driver for this. You will mostly find things like authentication logs or maybe message logs (such as email transaction logs or proxy logs). The number of different data sources is generally very small. In addition, you mostly find log files here. No more specific IT data, such as multi-line applications logs or configurations.
* Forensics / Troubleshooting: While companies in the previous stage simply collect logs for retention purposes, companies in this stage actually make use of the data. In the security arena they are conducting forensic investigations after something suspicious was noticed or a breach was reported. In IT operations, the use-case is troubleshooting. Take email logs, for example. A user wants to know why he did not receive a specific email. Was it eaten by the SPAM filter or is something else wrong?
* Save searches: I don’t have a better name for this. In the simplest case, someone saves the search expression used with a grep command. In other cases, where a log management solution is used, users are saving their searches. At this stage, analysts can re-use their searches at a later point in time to find the same type of problems again, without having to reconstruct the searches every single time.
* Share searches: If a search is good for one analyst, it might be good for another one as well. Analysts at some point start sharing their ways of identifying a certain threat or analyze a specific IT problem. This greatly improves productivity.
* Reporting: Analysts need reports. They need reports to communicate findings to management. Sometimes they need reports to communicate among each other or to communicate with other teams. Generally, the reporting capabilities of log management solutions are fairly limited. They are extended in the SEM products.
* Alerting: This capability lives in somewhat of a gray-zone. Some log management solutions provide basic alerting, but generally, you will find this capability in a SEM. Alerting is used to automate some of the manual trouble-shooting that is done among companies on the left side of the scale. Instead of waiting for a user to complain that there is something wrong with his machine and then looking through the log files, analysts are setting up alerts that will notify them as soon as there are known signs of failures showing up. Things like monitoring free disk space are use-cases that are automated at this point. This can safe a lot of manual labor and help drive IT towards a more automated and pro-active discipline.
* Collecting more logs and IT data: More data means more insight, more visibility, broader coverage, and more uses. For some use-cases we now need new data sources. In some cases it’s the more exotic logs, such as multi-line application logs, instant messenger logs, or physical access logs. In addition more IT data is needed: configuration files, host status information, such as open ports or running processes, ticketing information, etc. These new data sources enable a new and broader set of use-cases, such as change validation.
* Correlation: The manual analysis of all of these new data sources can get very expensive and too resource intense. This is where SEM solutions can help automate a lot of the analysis. Uses like correlating trouble tickets with file changes, or correlating IDS data with operating system logs (Note that I didn’t say IDS and firewall logs!) There is much much more to correlation, but that’s for another blog post.
Note the big gap between the last step and this one. It takes a lot for an organization to cross this chasm. Also note that the individual mile-stones on the right side are drawn fairly close to each other. In reality, think of this as a log scale. These mile-stones can be very very far apart. The distance here is not telling anymore.
* Visual analysis: It is not very efficient to read through thousands of log messages and figure out trends or patterns, or even understand what the log entries are communicating. Visual analysis takes the textual information and packages them in an image that conveys the contents of the logs. For more information on the topic of security visualization see Applied Security Visualization.
* Pattern detection: One could view this as advanced correlation. One wants to know about patterns. Is it normal that when the DNS server is doing a zone transfer that you will also find a number of IDS alerts along with some firewall log entries? If a user browses the Web, what is the pattern of log files that are normally seen? Patter detection is the first step towards understanding an IT environment. The next step is to then figure out when something is an outlier and not part of a normal pattern. Note that this is not as simple as it sounds. There are various levels of maturity needed before this can happen. Just because something is different does not mean that it’s a “bad” anomaly or an outlier. Pattern detection engines need a lot of care and training.
* Interactive visualization: Earlier we talked about simple, static visualization to better understand our IT data. The next step in the application of visualization is interactive visualization. This type of visualization follows the principle of: “overview first, zoom and filter, then details on demand.” This type of visualization along with dynamic queries (the next step) is incredibly important for advanced analysis of IT data.
* Dynamic queries: The next step beyond interactive, single-view visualizations are multiple views of the same data. All of the views are linked together. If you select a property in one graph, the selection propagates to the others. This is also called dynamic queries. This is the gist of fast and efficient analysis of your IT data.
* Anomaly detection: Various products are trying to implement anomaly detection algorithms in order to find outliers, or anomalous behavior in the IT environment. There are many approaches that people are trying to apply. So far, however, none of them had broad success. Anomaly detection as it is known today is best understood for closed use-cases. For example, NBADs are using anomaly detection algorithms to flag interesting findings in network flows. As of today, nobody has successfully applied anomaly detection across heterogeneous data sources.
* Sharing views, patterns, and outliers: The last step on my maturity scale is the sharing of advanced analytic findings. If I know that certain versions of the Bind DNS server tend to trigger a specific set of Snort IDS alerts, it is something that others should know as well. Why not share it? Unfortunately, there are no products that allow us to share this knowledge.
While reading the maturity scale, note the gaps between the different stages. They signify how quickly after the previous step a new step sets in. If you were to look at the scale from a time-perspective, you would start an IT data management project on the left side and slowly move towards the right. Again, the gaps are fairly indicative of the relative time such a project would consume.
No comments:
Post a Comment