Download (direct link):
Cost is a key class of application attributes that must be tracked. Common cost attributes include:
Ongoing costs: The expense required to keep an application running. These costs typically include:
Operations: Data center costs associated with running an application, such as personnel, systems management tools, facility costs (e.g., power), and process refinement.
Maintenance: Maintenance fees paid to the application software vendor as well as maintenance fees associated with underlying components such as databases, operating systems, servers, and storage.
Licensing: Costs associated with purchasing the application and periodically upgrading licenses as appropriate. These costs should also include any underlying infrastructure licenses (e.g., database licenses) that the application requires.
Depreciation: Some application project costs are capitalized, and their depreciation should be taken into account as part of the costs of the application. Financial Accounting Standards Board updatesFASB 1134include capitalizing some or all of the costs to retire an asset.
Fixed versus variable costs: A useful way to analyze costs to highlight for business executives which costs vary (and why) versus which costs remain fixed.
Direct versus indirect costs: Some progressive companies recognize there are many indirect costs associated with an application, such as the revenue and productivity impacts of downtime. It is not worth calculating all these financials for most companies, but companies that need to be very complete may need to do this.
Costs to change/upgrade the application: As upgrade requirements become better understood and scoped, these costs should be included in the overall cost of the application.
Replacement costs: In some cases, it is important to know what it would cost to replace a system so that ongoing costs can be properly compared to replacement costs and effective decisions can be made.
Regarding the risk profile, business and IT executives are becoming increasingly aware of risk and are focusing on risk management. Applications exhibit
IT ASSET PORTFOLIO
many different kinds of risk, which should be identified, categorized, assessed, mitigated, and monitored. Primary application risk-related attributes include:
Security: Applications vary widely in their security capabilities, which should be tracked as part of the overall portfolio. This attribute can be as basic as three levels: very secure, secure, and not secure. Companies with significant security concerns are much more sophisticated not only about application security but also about an overall information security program.
Business continuity: Applications should be categorized from a business continuity priority-setting perspective. Ideally, a simple table showing applications that will be restored first versus later can be compared to the overall application portfolio diagram to ensure that proper priorities and expectations have been set. As with security, business continuity represents an entire set of disciplines and an overall program. Applications play a key role in business continuity planning but are only part of the picture.
Vendor viability: The viability of the software vendor that created the application and any professional services firms that may be needed to maintain the application is of concern. In addition, some software packages are tightly tied to specific operating systems, databases, and hardware. The vendors of these underlying products must also be tracked from a business viability perspective.
Regulatory compliance: Many application changes are driven by the need to keep up with regulators (e.g., FDA, FERC, FAA). The level of regulatory compliance is an important attribute to track for applications and information subject to regulations such as the privacy laws and guidelines of various countries.
Technical condition: The technical condition attributes discussed previously feed into the risk analysis, since poor technical condition increases the risk of the application failing.
IT human resources: Focuses on the fact that most organizations have a very small group of people who understand a particular business process well and understand how a particular application automates that process. As applications age, so do the people with these skill sets, creating a long-term risk that nobody will be around to support an aging application.
Project/program: As applications require modifications, projects and programs are developed that carry their own risks of failure, running overbudget, missing deadlines, and possibly introducing defects into the operational ecosystem.
Privacy: The increasing focus on privacy will likely drive many companies to raise this attribute out of the regulatory compliance bucket and make it a stand-alone attribute that is tracked.
166 CHAPTER 4 IT PORTFOLIOS AND THEIR CONTENT IN CONTEXT