Courion Corporation

Part 2 - Creating Budget Where None Exists

  
 

LINK TO PART 1 - Creating Budget Where None Exists 

Last week I introduced "Company X", a Courion customer that is delivering improved risk management and security via automated access compliance and attestation, and automated provisioning for over 100 applications - without spending a single budget dollar. I discussed "understanding the multiple budgets of your organization" as Part 1 of a 4-part process for achieving this. And now... for the rest of the story.

2. Understand Operations via Activity-based Costing

There is, of course, more to the story of Customer X.  Spending over $1 million with a vendor would surely result in an Expense Budget Impact of over $20,000 in 2009 and $0 in 2010, wouldn't it?  The next thing that Customer X did was evaluate its operations to determine what level of savings was attainable via this project's automation of manual provisioning and attestation processes.

In the first phase of automating provisioning and access compliance, Customer X knew that the organization was spending over 50 person-years manually adding, changing, and deleting accounts across the first 100 applications that they addressed. They automated the provisioning and access verification for those applications, eliminated the admin staff positions, and booked the savings.

As Company X moved on to begin addressing the other 700 applications used by the organization, they did not have firm figures regarding the cost of administration and verification.   So they did what I would advise every organization to do:  they executed a thorough activity-based costing effort. 

    • Document the flow of the work - starting at the business action that drove the provisioning or compliance activity (hiring, promoting, introducing a new application service, SAS70 audit, semi-annual SOX attestation, etc.)
    • Identify all activities - who is responsible for them, how much staff time is required to execute them, how much time elapses from start to finish of the activity
    • Cost the activities - spread staff members' fully-burdened cost across all of the activities that they are responsible for executing

And once they understood the costs and cost drivers, they took a deeper dive into the company's accounting policies.

3. Understand their Accounting Policies

Disclaimer:  Accounting was my least favorite subject at business school.  Accounting rules seek to provide a comprehensive, accurate view of organizations' financial health, but there are times at which accounting rules drive behavior that is inconsistent with these goals.  I have always found that difficult to accept, but as I repeatedly tell my children:  "just because it doesn't make sense to you doesn't mean that you can ignore it!"

One of your first actions should be to sit down with your finance team, or the finance professionals in your IT organization - and learn about the rules.

What are the rules regarding amortization of capital expenses? What is the definition of useful life for software (at least software that works!), and is there a maximum useful life? (For the record, Courion customers have illustrated that the useful life of Provisioning Software (at least software that works!) is at least 10 years.) Note that you will probably have a maximum. Some other areas of focus:

    • Software capitalization policies.  Software costs not only can be amortized, but they typically are not applied to your IT Operating Budget until the software is implemented.  In the case of Customer X, Courion has been delivering 50 Connectors over the course of 9 months.  The amortized license and maintenance cost of each connector does not show up on the IT Operating (Expense) Budget report until it is implemented.
    • Services capitalization policies.  You may be able to capitalize services consulting expenditures.  Ironically for those of us in the techie world, this is a situation in which words really do matter!  Services such as design, configuration, testing and installation may be eligible for capitalization.  But be careful with your terms, because services such as consulting, project management, data conversion and overhead are typically not eligible.
    • Vendor contract options.  Talk to your vendor about providing a term or subscription contract if your organization's policy for "maximum" useful life of software is very short (18-24 months).

4. Step up to the plate - Extract the costs

Now comes the hard part - when you put the budgeting information, Activity-based Costing and Accounting Policies together to create a plan. In order to "make budget" where none exists, you have to be willing to extract the costs that you have identified via the Activity-based Costing. And you and your vendor partner will have to commit to achieving concrete objectives within agreed-upon timeframes - so that you can book savings when you need to in order to not use budget dollars.

In the case of Customer X, they eliminated sufficient manual administrative work by automating the provisioning and attestation process for an additional 100 applications to reduce staff to pay for the entire project.  And while the manual work was most time intensive for applications that were not "Key Financial Applications", by bundling the work for those with Key Financial Applications, Company X was able to significantly improve controls around these key applications and improve their management of risk (and audit position).

So there you have it.  Four simple steps to self-funding IAM initiatives:

  1. Understand the budgets
  2. Perform activity-based costing
  3. Understand your organization's accounting policies
  4. Make the hard decisions and extract the cost

If a CISO follows this approach, he or she will drive considerable value to their organization by reducing risk and streamlining operations.  But more important even than delivering the value of this sort of self-funded initiative, the CISO will also transition from insurance salesman to business enabler.
