CMP Technology Custom Publishing
Smart Enterprise Magazine: Technology Insights and Perspectives for CIOs
Reducing IT Complexity
CIOs are embracing new strategies to simplify their environments.

By Bob Violino
Winter 2007

Today’s IT infrastructures, systems and applications—as well as the business operations they support—are more complex than ever. The fallout from this growing complexity can be damaging to an enterprise: more system downtime, higher costs, inferior customer service. “Complexity is an enormous problem,” says Robert Autor, executive vice president and CIO of SLM Corp., better known as Sallie Mae. “It’s made more complex not only by the legacy in the proliferation of new technologies, but also by the mergers and acquisitions that many companies go through over time. The risk is that you won’t have a coherent architectural strategy – and even if you do try to maintain a strategy, it’s often disrupted by outside business deals.”

Fortunately, there are strategies a CIO can embrace — involving both technology and processes — to bring IT complexity under control.

To help gauge the level of complexity today, consider these points:

  • The median number of applications supported at enterprises rose from 50 to 61 during the past two years, according to the Help Desk Institute.
  • More than half of 347 companies surveyed by Forrester Research in 2005 used at least three database vendors for major business applications, and just over 10 percent used more than five.
  • Nearly three-quarters of 226 IT and C-level executives surveyed by the BPM Forum in 2004 said their companies have no process for retiring outmoded software. Fewer than half said they conduct regular software audits to determine how much software is on the network.
  • Seventy percent of those surveyed by BPM Forum said their companies have redundant, deficient or obsolete applications.

“Evidence of increasing complexity abounds,” says Richard Ptak, principal analyst and co-founder of Ptak, Noel & Assoc., an IT research firm in Amherst, N.H. “Business applications and services are increasingly dependent on the operation of other distributed, remote applications.” The IT infrastructure that supports business operations, he says, is “more distributed, more integrated, more dynamic and more complex than ever.”

In the past, applications and architectures remained relatively stable over time. Ptak adds: “Stability meant secure and controlled access and operating environments; predictable, managed work loads; stable configurations; and some amount of time between application changes and updates that could be absorbed and accommodated over time.” Today, he says, all this has changed, both dramatically and rapidly.

Many organizations have applications built across virtually every genre of technology, according to Phil Murphy, a principal analyst at Forrester Research. They often have a greater number of redundant applications than they realize. For example, Murphy cites a banking-industry client that had 18 different travel and expense systems in the organization and its subsidiaries. “That one function should be one system,” Murphy says. “This is more common than most folks realize.”

Complexity is also becoming, well, more complex than it was in the past, says Dennis Drogseth, vice president of Enterprise Management Associates (EMA), a Boulder, Colo., research and analysis firm specializing in the management of technology. “Even in the good old mainframe days there were issues of complexity,” Drogseth says. “But as we’ve gone from mainframes to client/server to IP convergence and Web services, there have been growing levels of sophistication in terms of Web applications and business dependencies on IT services.”

Distributed computing has led to countless desktop and laptop computers, servers, networks and other IT assets, Drogseth says. Complicating matters further are moves toward newer technologies such as virtualization, Voice over IP telephony, wireless communications, and the growing size and complexity of the IT organization itself.

Alan Nugent, CTO of CA, says IT complexity is “absolutely on the rise,” in large part due to technological innovations that have emerged recently. “Wireless personal devices and mobility are driving complexity even higher,” he says.

On the operations side, increased complexity comes from ever-growing supply chains that require tighter integration among business partners; globalization; and in particular the frequent mergers and acquisitions that bring together disparate cultures, processes and systems. “If you take any two companies, the chances that both are using similar processes to manage their environment are pretty slim,” Nugent says. So in a merger of two such enterprises, “you’ve taken two messes and are now trying to pull them together. With mergers, there’s always an emphasis on how the businesses align, but generally not an effort [toward] technology integration.”

Outsourcing is another factor that can contribute to complexity, whether for IT or other business processes. While outsourcing can reduce complexity for IT management by offloading tasks, it can also add to the problem by introducing concerns, such as how to manage and evaluate service providers.

Complexity is taking a toll on enterprises in a number of ways. One major impact is system and application downtime. As much as 80 percent of system downtime is believed to be caused by improper management of IT changes. “Complexity contributes to a different kind of investment profile than most CIOs would like,” Nugent says. He estimates that somewhere between 70 percent and 90 percent of the average IT budget is spent keeping the lights on. “That means [companies] have far less to spend on innovative products and services that could help streamline business processes,” Nugent adds. That trend is growing. A 2006 Forrester survey of North American and European enterprise IT budgets and spending found that companies now devote 80 percent of their overall IT spending to maintenance and ongoing operations, up from 73 percent in 2004.

Only 20 percent of spending in 2006 will go toward new investments, the Forrester survey found.

Another negative impact of complexity: IT departments do a poorer job of predicting and tracking fast-changing business requirements. That’s because the more complex the technology environment, the more likely an organization is to create poor-quality data. “When you make changes in a complex environment, it’s very [difficult] to test the full extent and quality of the change,” says Kathy Harris, an analyst at Gartner Inc. “You’re more likely to interject errors into what you’re doing.”

Security Complications
There are security implications to complexity, too. Growing complexities not only impair IT’s ability to track change, but can also introduce new and often-unforeseen security threats. “A lot of security problems come from configuration errors,” Drogseth of EMA says. More sophisticated and widespread IT systems have led to two basic security concerns, according to CA’s Nugent. One, protecting the enterprise environment from the various threats that have emerged in recent years, such as spyware, malware and phishing. And two, ensuring that all users have the appropriate authority to access information.

The more systems there are to manage, the more difficult it is to control access to applications, maintain lists of authorized users and shut down access to former employees. “I know of employees who, for time periods ranging from two days to more than a month after leaving a job, were able to access their company accounts and use the corporate [network],” Ptak says.

One big cost of complexity is the need for more people with specific skills. “The way many companies address the rampant proliferation of IT is by throwing more bodies at it,” says Nugent of CA. “There are a couple of reasons for doing this. One is that environments are so distributed and diverse, and there’s not a single set of tools that help IT organizations manage through all of that mess. A second reason is that the tools that do exist don’t have the intelligence to be able to make some decisions, so there needs to be people in the loop.”

Strategies for Reducing IT Complexity

So what’s the solution for too much complexity? Experts advise that CIOs forget about trying to eliminate complexity altogether. That’s unrealistic, given today’s business environment. Rather, CIOs should strive for control.

Enterprises can do several things to bring complex IT infrastructure, systems and business operations under greater control. One strategy: Use technology to tame technology.

Vendors are developing software products, including IT portfolio management tools, which provide dashboard views of many facets of IT. These tools enable enterprises to gain greater visibility into their IT infrastructure, applications and business processes. For example, CA has developed an integrated set of offerings that manage and secure the IT environment, including storage, networks, systems, applications, platforms, services and users. These solutions integrate via a common platform and constitute a vision CA calls Enterprise IT Management (EITM).

“It’s no longer sufficient to manage by asset class,” Nugent says. “The industry grew up with network management vendors and tools, systems management vendors and tools, and database management vendors and tools. But without a suite of tools for infrastructure management, it’s almost impossible to present to the business a set of assets that can be tied directly to a set of services or applications.”

By using an integrated IT management suite, Nugent says, enterprises can know exactly how much they’re spending to conduct a particular business transaction — and what the cost will be to a business if an application is unavailable. “Each of the asset classes spins off [data] about whether they’re healthy, or how they’re performing,” he explains, adding, “While all that’s interesting, it’s the synthesis of all those events that’s important at higher levels [of the organization].”

Also, Nugent adds, enterprises will likely need to implement similar technologies from other vendors. “We’re not approaching this as a rip-and-replace with the entire CA portfolio,” he says. “Instead, it’s very much ‘eat as much or as little as you want.’”

Another strategy: develop a strong IT governance program. This includes creating a program for evaluating and tracking technology investments, developing enterprise-wide policies that address repeatable technology solutions, and introducing disciplined operational structures into the IT organization.

Manpower Inc., an employment services firm in Milwaukee, Wis., is using governance as a way to slow down what Richard Davidson calls “the natural evolution of things in the world, which is from order to chaos. Rarely does innovation in the IT space lead to less complexity.” Davidson, Manpower’s senior vice president and global CIO, adds, “Governance is a ‘speed bump’ on the journey toward chaos, as it gives us a way to manage this complexity.” While Manpower uses standardized technology throughout its global operation, it has also implemented a common way of doing things, including how projects are managed. The company has also initiated a program to carefully manage IT investments to thwart runaway spending. CA Clarity™, a comprehensive project and portfolio management solution, provides the foundation for Manpower’s IT governance process.

A good measure of Manpower’s success in controlling complexity is the percentage of IT spending devoted to maintenance, Davidson says. The company now spends 68 percent of its IT budget on maintenance, compared with 78 percent before it implemented a governance process. Manpower now aims to bring the maintenance number even lower.

Governance often involves the adoption of standards and frameworks based on best practices. One of the fast-growing models is the IT Infrastructure Library (ITIL®). Among the practices ITIL calls for is the implementation of a configuration management database (CMDB) that contains details of an enterprise’s elements that are used to provision and manage IT services.

A CMDB consists of tasks including the specification and identification of all IT components. “One of the trends that’s affecting the industry in a profound way—and addressing the challenge of complexity—is the move to a configuration management database,” Drogseth of EMA says. A CMDB, he adds, is a “dynamic documentation of reality: infrastructure, services, devices, owners, assets. It’s what is needed to integrate disparate platforms.”

Indeed, an EMA study on CMDB adoption, conducted in June 2006, found the technology has achieved a phenomenal level of attention among IT managers. As recently as 2004, few IT managers knew about CMDB, the study found, but as of the second quarter of 2006, awareness levels exceeded those for ITIL itself, at least within the United States. EMA’s survey of 154 organizations worldwide found 45 percent had either implemented a CMDB project or planned to. Another 23 percent had no specific plans, but were interested. But awareness of CMDBs is just a start, Drogseth says. Next, vendors will need to create the architecture for integrating products, he adds. CIOs will need to figure out the best ways to implement CMDBs so that they benefit the entire organization and help IT get beyond the siloed, standalone management tools currently prevalent in many enterprises.

Another popular framework, and one that can be used in conjunction with ITIL, is Control Objectives for Information and Related Technology (COBIT). This is an IT governance model and supporting toolset designed to help managers gain better control of IT and information security environments and business risks (see sidebar below).

How COBIT Helps CIOs Gain Control
For many organizations, managing complexity means adopting established frameworks and best practices. One popular model is Control Objectives for Information and Related Technology. Better known by its acronym, COBIT, the model is an IT-governance framework and supporting toolset designed to help managers gain control of their IT and information security environments and business risks.

COBIT was developed jointly in 1996 by the Information Systems Audit and Control Association and the IT Governance Institute (ITGI). Since then, it has been steadily gaining acceptance as a best-practices guideline for controlling data, systems and related risks throughout organizations. COBIT has become especially attractive as businesses strive to comply with Sarbanes-Oxley and other government regulations.

COBIT supports IT governance by providing a framework to ensure that IT is both aligned with the business and maximizing benefits; that technology resources are used responsibly; and that IT risks are managed appropriately. Among the potential benefits of a COBIT implementation: better alignment based on a business focus, clearer ownership and accountability of IT. Another potential benefit is a shared understanding of IT projects among all the project stakeholders, whether on the business or technology sides.

To help keep IT operations in sync with the goals of improving efficiency and security and minimizing risks, COBIT features 34 high-level control objectives and 318 detailed objectives.

This structure, along with COBIT’s business-oriented approach, provides an end-to-end “view” of IT designed to help organizations get the most from IT investments.

The latest release of COBIT, Version 4.0, was published last year by ITGI. This release emphasizes regulatory compliance, helps organizations increase the value attained from IT, enables alignment and simplifies implementation of the framework.

While this latest version doesn’t invalidate completed work based on earlier versions, it can be used to enhance work already done based on those earlier versions, ITGI notes.

Early reports on version 4.0 are favorable. Research firm Gartner published an analysis on COBIT 4.0 in December 2005, in which it called the new release a “significant improvement.” The update makes COBIT more relevant, fills some gaps and adds clarity, Gartner says.

Gartner also recommends that enterprises use the framework to “challenge their established IT governance procedures and to improve the controls they have in place.” Enterprises that want continuity and consistency in assessment may need to run a COBIT third edition and a COBIT 4.0 assessment in parallel for a couple of years, the firm adds.

Another report card, this one from Forrester Research in April 2006, calls COBIT 4.0 the foundation for a strong IT governance framework, adding, “clients in the midst of building or strengthening their IT governance should adopt in whole or in part the substance of COBIT 4.0.”

B.V.

Gaining Control
Sallie Mae, the Reston, Va., provider of student loans, relies on both ITIL and technology from CA to help rein in complexity. The firm—whose IT infrastructure includes three mainframes, 12,000 PCs and 1,600 servers — turned to the Service Support processes of ITIL, including Incident Management, Problem Management and Change Management, to streamline processes. “We’re dealing with complexity at many different levels,” CIO Autor says.

Sallie Mae has undertaken a long list of complexity-beating projects, including:

  • Application portfolio analysis and the retiring of redundant or overlapping applications.
  • Rearchitecting some applications, either to bring them into more current technology or to simply “rustproof” them by improving their structure, documentation and, ultimately, maintainability and flexibility.
  • Retiring older technologies on both the application and infrastructure side. “Simplifying and standardizing the environment is key,” Autor explains.
  • Resetting the enterprise architecture and evolving it toward a more standard enterprise architecture over time, at the data, application, process and infrastructure levels.
  • Building a common middleware layer to bridge systems.
  • Implementing an IT service management structure using ITIL.

Mergers and acquisitions are another source of IT complexity for Autor. Six years ago Sallie Mae acquired USA Group, a company that was roughly as big as Sallie Mae.

Partly as a result of the acquisition, Sallie Mae’s payroll has grown to 12,000 employees, up from just 3,000 employees in 2000. “Not only do you have to deal with the legacy you have yourself, but now there’s always a new set of legacy technologies to deal with,” Autor says. “They’re not consistent technologies. They’re not things you would ever want to rewrite; they’re far too expensive and important. So we’ve had to work that through over time.”

Sallie Mae has automated several ITIL Service Support processes using CA offerings, including Unicenter® Service Desk, which helped Sallie Mae deliver a higher level of service. In the first few weeks of use, Sallie Mae decreased the length of help desk calls by 40 percent and sharply improved its first-call resolution rate. Adoption of ITIL has also given Sallie Mae greater visibility into its IT environment, improved efficiencies and minimized disruptions to the business, says Jo Lee Hayes, vice president of enterprise technologies. Adds CIO Autor: “CA is a very good partner.”

CA’s software has also helped Sallie Mae improve and automate its Change Management process. Prior to the ITIL implementation, communication between what Hayes calls “IT management silos” sometimes resulted in a disconnect between the application development group and the infrastructure and operations group. Sallie Mae had hundreds of disparate processes and systems used by its application development teams. “Now there’s a single process for every application development team,” Hayes says.

Another company, Rio Grande do Sul State Data Processing Co. (known locally as Procergs), is combining technology, frameworks such as ITIL, and governance to achieve greater control. Procergs, an IT services company run by the state of Rio Grande do Sul, Brazil, has built an increasingly complex IT environment to serve the demands of government and business, says Roni Marques Correa, Procergs’ technology director.

The company is investing in tools to monitor and control its IT infrastructure, Marques Correa says. “IT governance, setting practices and tools to improve IT transparency concerning business, is the goal of senior management,” he adds. “We work with a standard framework that sets the technologies and their scope of use in areas [such] as monitoring solutions, databases, development architecture, hardware platforms, network protocols, etc.” As a result, Procergs is able to better manage its environment of more than 500 servers, 350 applications and an enterprise network.

In fact, the company operates with the same size IT staff it had several years ago, when its infrastructure inventory was far smaller.

Educating business users about the value of technology is also important. Mystic Lake Casino Hotel in Prior Lake, Minn., provides education to line-of-business managers through a series of IT courses. “In these courses, we teach the supervisors and VPs about things such as critical business systems by business division, how those systems are interfaced, and what all that should mean to them as managers,” says Jean Ritala, the organization’s president. “It’s our way to teach about complexity.”

A CIO by Any Other Name...
The last thing an organization trying to reduce complexity needs is more job titles, right? Wrong. In fact, some CIOs are adding new roles within the IT department to help them better control their technology and improve their IT processes.

Here's a sampling of IT titles that have emerged recently:
  • Chief information security officer (CISO)
  • Chief innovation officer
  • VP of IT compliance
  • VP of e-Business
  • Customer relationship manager
  • VP of IT governance
  • Business/IT relationship manager
  • IT change manager
  • IT infrastructure manager

Creating new roles “doesn’t help reduce the complexity, but it does help to manage complexity better,” says Norlynn Nelson, content manager of the IT Infrastructure Management Association (ITIM), a new membership association for senior-level IT professionals.

Some of these new full-time positions have been spurred by emerging IT and business frameworks. Others have been driven by the need for regulatory compliance. Still others, by growing demand for particular services or expertise. Coldwater Creek Inc., a Sandpoint, Idaho, retailer of women’s apparel, jewelry and accessories, has created several IT positions in the past two years, including director of IT distribution and logistics, director of technology security and manager of IT service management. Before full-time people were assigned to these roles, “there was a great deal of ambiguity” about how to handle issues such as regulatory compliance and software licensing, says Michael Carper, the company’s divisional vice president of technology operations.

Mystic Lake Casino Hotel in Prior Lake, Minn., has also added several new IT roles as a way to control complexity. These positions include infrastructure manager, IT compliance coordinator, business relationship manager and risk manager.

New subspecialties such as these can help senior IT executives gain better control of disciplines such as security, compliance and IT finance, Nelson of ITIM says. It’s an especially good move, he says, when the CIO or other senior IT executives lack skills and experience in specialty areas, such as finance. “We now have all these buckets within the IT organization,” he adds. If he and others are right, giving those buckets a name is the best way to manage them.

B.V.

Also, CIOs must work with other senior-level executives in the business to try to improve processes and control complexity. “Anytime you set out to make a change this significant—and for most companies it would involve significant time and effort to clean up complexity — you [need] all these people engaged,” says Harris of Gartner.

What do these efforts to control complexity gain for an organization? “The end result is an environment that is not risk-free, but has a greatly reduced risk profile,” says CA’s Nugent.

“They’ll have a very efficient operation, and a world-class IT shop that invests in areas that improve the overall business.”

Bob Violino is a freelance writer in Massapequa Park, N.Y. He covers a variety of business and technology topics.

ITIL®  is a Registered Trademark of the UK Office of Government Commerce.  
