The Twenty Percent Rule

By Jeffrey Morgan

About twenty percent of people are really good or pretty good at what they do. The other eighty percent are mediocre to poor. This rule unfortunately works across all professions – doctors, attorneys, bartenders, auto mechanics, IT people, grocery store clerks, etc. When I need a professional, especially a doctor or lawyer, I try to choose from those in the twenty percent. I really learned this lesson the hard way during my divorce. I only got the right attorney on the fifth try.

If you are a manager or supervisor, you are stuck with this reality.

What puts people in the top 20% or the bottom 80%? Talent, intelligence and aptitude are all part of the equation, but these factors only partially account for great work output. Work ethic and attitude are the factors that really matter.

My parents and many teachers tried to teach me about work ethic in my youth but I didn’t really learn the lesson until I was in the army. Almost thirty years later I still remember my moment of work ethic epiphany. My platoon members and I were all in our Quonset hut at Camp Red Cloud in the Republic of Korea cleaning weapons and I clearly remember Sergeant C talking about work ethic. Always do the best job you can do regardless of whether it is cleaning weapons, cleaning the latrines or performing your mission in the field.

This was only a few days after he went on an epic rampage. He had been away for a few days and when he came back and took a look around, there were a few problems. Someone had left a broom out in the motor pool and someone from another platoon had borrowed a tire from one of our Hummers. There were a couple of other minor infractions. This triggered a screaming virtuoso performance in denigration and excoriation, the most impressively profanity-filled reaming I have ever received. We all walked away from the 30-minute (it seemed like hours) reaming thoroughly demoralized and totally ashamed. But it made us all better people. It was a lesson that has shaped my life ever since.

Sergeant C was trying to drag us all into the 20% and wouldn’t tolerate anyone in his platoon being part of the 80%. In the current climate of PC and positive reinforcement, Sergeant C’s management style probably wouldn’t be tolerated but it was certainly effective. Giving out gold stars for shoddy performance does no one any good.

If you are a manager, you are stuck with your own staff of 20% vs. 80%, but you can certainly influence those in the 80% to perform better. If Sergeant C could do it, so can you. Have a comment? Need help in improving the quality of output in your organization? Send me an e-mail at

Copyright © Jeffrey Morgan 2016


Introduction to Enterprise Procurement Projects – Part 3 – The Business Process Assessment

By Jeffrey Morgan

What is a Business Process Assessment?

Now that you have established preliminary Goals, Objectives and Criteria for Success for your enterprise project, it is essential to conduct a Business Process Assessment to identify the actual business practices in your organization. When I refer to a Business Process Assessment, I am talking about a comprehensive, objective, and assumption-free evaluation of all the activities, processes, procedures and personnel involved in the production of a specific product such as a payroll run, an accounts payable run, or an AR billing cycle, to name just a few.

An Example

Let’s use payroll as an example. An appropriate assessment might begin with a new pay period and should include the examination of all the tasks, steps, people, processes, procedures and paperwork involved in payroll production. How do departments report time to the payroll office? Is it paper based or automated? How much does it cost your organization to produce a payroll check? How many people are involved? How is the payroll produced? Is all the work done in a single system? Are there spreadsheets and exceptions involved? What reports are produced monthly, quarterly, annually? Are there bottlenecks? Excessive mistakes? Recurring problems? Regulatory compliance issues? Problem departments? Problem people?

Do you really know what your processes are?

You might think you already know all this and you feel you have a solid understanding of how all your departments conduct business. It is often the case at this stage that executives and managers explain to me what they truly believe to be their business practices and processes. These descriptions are frequently completely wrong.

It is difficult to evaluate new systems if you don’t truly understand your current systems. With systems and staff members that have been running unchallenged and unchanged for decades, staff members, supervisors and managers often perform tasks without questioning the underlying processes. A thorough Business Process Assessment identifies and documents all these processes and establishes a baseline for your current business performance.

Getting Started

Surveys, either paper-based or electronic, are a good tool with which to begin, but they are no substitute for direct observation and interviewing staff in each department. One possible approach to conducting a system-wide assessment is to disseminate surveys first and then conduct department-level interviews as the next step.

The final product of the Business Process Assessment should be a detailed report describing current, identified practices, processes and problems. This report should also include suggestions and recommendations for improving the processes going forward.

You may find it difficult to perform an accurate assessment using internal staff. Regardless of how well-intentioned, smart and motivated they are, organizational culture, biases, and assumptions are likely to be an obstacle and the objectivity may suffer. If you would like to discuss any aspects of your Business Process Assessment, or any other part of your enterprise project, send me an e-mail at

Copyright © Jeffrey Morgan 2016



HIPAA Security Rule Compliance in Municipal Organizations

By Jeffrey Morgan

I am always astonished by the number of organizations I encounter that are not in compliance with the HIPAA Security Rule (45 CFR Parts 160, 162 and 164). If you are running a County government, for instance, there is a high probability that one or more of your departments are covered entities and have an obligation to comply with this regulation. Human Resources, Public Health, Mental Health, Social Services, the County Jail, the County Home, Probation, Courts, and Child and Adult Protective Services may all be covered entities and may process, store, transmit and manage Protected Health Information (PHI). While many covered entities have complied with the Privacy Rule, my observation has been that many covered entities are not in compliance with the Security Rule. Is your organization in compliance?

Covered Entities

According to the Department of Health and Human Services (HHS), a covered entity is one of the following:

  1. A Health Care Provider
    1. Doctors
    2. Clinics
    3. Psychologists
    4. Dentists
    5. Chiropractors
    6. Nursing Homes
    7. Pharmacies
  2. A Health Plan
    1. Health Insurance Companies
    2. HMO’s
    3. Company Health Plans
    4. Government Programs that pay for health care such as Medicare, Medicaid, and Military and Veterans health care programs.
  3. A Health Care Clearinghouse

In the list above, I have highlighted entities that are likely to exist in a municipal government operation. Do you have covered entities in your organization? If so, are you in compliance with both the Privacy and Security Rules? You can view HIPAA as an onerous compliance issue, or you can view it as an opportunity to address critical security issues in your organization. Regardless of how you feel about it, it is federal law and there may be severe consequences and penalties for failure to comply.

A Brief History

The HIPAA Security Rule was adopted in 1996 and the Final Rule was published in 2003. Compliance for most covered entities was required in 2005. After more than 30 years of dealing with organizational security and Information Security Policies for government entities, I have come to the conclusion that the best way to handle HIPAA is to bring the entire organization up to the HIPAA Security Rule standards. Why would I suggest this?

A Solid Foundation

The HIPAA Security Rule provides a pretty good foundation and framework for an Information Security Policy even if you are not a covered entity. There are more than 3000 County governments in the United States and more than 19,000 municipal entities. Many of them don’t have any type of Comprehensive Information Security Policy. Even if you are not managing a covered entity, you should have a solid Information Security Policy. You may not be protecting PHI, but you have plenty of other information that should be protected. In my opinion, the lack of a security policy in an organization responsible for collecting, storing, and managing large amounts of sometimes sensitive public information constitutes organizational malpractice. If you get sued for a catastrophic breach, the courts are likely to agree with this assessment.

Roles and Responsibilities

Who should be responsible for HIPAA Security Rule Compliance or Information Security Compliance in your organization? There is no easy answer to this question, but as the Executive responsible for the organization as a whole, compliance is ultimately your responsibility. At another level, Information Security is everyone’s responsibility. The law has been on the books for 20 years and compliance has been required for the last 11 years. “I didn’t know” is no longer an acceptable response. But maybe you really didn’t know? You have a lot on your plate, but now is the time to fix it.

I will provide you with one possible high-level look at how responsibilities might be distributed. First, someone in your organization should fill the role of an Information Security Officer. Depending on the size of your organization, this may only need to be a part-time role. Nevertheless, you need a go-to person for problems, policies, issues, and questions about Information Security. Because of conflicts of interest, this role should never be delegated (in my opinion) to a person on the Information Technology staff. Attorneys, or staff members with backgrounds in law enforcement, security, regulatory compliance or investigation, are often good choices for this role.

Privacy Rule issues should probably be handled by individual departments based on their exposure, but there should be some organization-wide privacy policies as well. The HIPAA Security Rule covers physical security, technical and electronic security, and administrative security issues, so those roles will be filled by different, applicable departments or subject matter experts. For instance, compliance with the physical security components may be addressed by someone in your Facilities department.

As far as technical safeguards and full compliance with the Security Rule are concerned, that is a discussion for another article.

Sample Compliance Matrix

In the table below, I have included a sample compliance matrix. If you are a covered entity, or have departments that are covered entities, your Information Security Policy should contain, at a minimum, these elements. Take a look at your policy and see if it measures up.

HIPAA Security Rule Compliance Matrix
(R/A: Required or Addressable implementation specification)

CFR Section     R/A  Reference         Standard / Implementation Specification
                R    III.5               Risk Analysis
                R    III.6               Risk Management
                R    III.1               Sanction Policy
                R    III.7               Information System Activity Review
164.308(a)(2)   R    III.8             Assigned Security Responsibility
164.308(a)(3)                          Workforce Security
                A    III.9.A             Authorization and/or Supervision
                     III.9.B             Workforce Clearance Procedure
                A    III.9.C             Termination Procedures
164.308(a)(4)   R                      Information Access Management
                NA   NA                  Isolating Health Care Clearinghouse Function
                A    III.10              Access Authorization
                A    III.10              Access Establishment and Modification
164.308(a)(5)   A    III.11.A          Security Awareness and Training
                A    III.11.B            Security Reminders
                A    III.11.C            Protection from Malicious Software
                A    III.11.D            Log-in Monitoring
                A    III.11.E            Password Management
164.308(a)(6)                          Security Incident Procedures
                R    III.12              Response and Reporting
164.308(a)(7)   R    III.13            Contingency Plan
                R    III.13.A            Data Backup Plan
                R    III.13.D            Disaster Recovery Plan
                R    III.13.D            Emergency Mode Operation Plan
                A    III.13.F            Testing and Revision Procedure
                A    III.13.G            Applications and Data Criticality Analysis
164.308(a)(8)   R    III.14            Evaluation
164.308(b)(1)        III.15            Business Associate Contracts and Other Arrangements
                R    III.15              Written Contract or Other Arrangement

Physical Safeguards
164.310(a)(1)   A    IV.1              Facility Access Controls
                A    III.13.D            Contingency Operations
                A    IV.1.B              Facility Security Plan
                A    IV.1.B              Access Control and Validation Procedures
                A    IV.1.C              Maintenance Records
164.310(b)      R    IV.2              Workstation Use
164.310(c)      R    IV.3              Workstation Security
164.310(d)(1)   R    IV.4              Device and Media Controls
                R    IV.4.B              Disposal
                R    IV.4.C              Media Re-use
                A    IV.4.A, IV.4.B      Accountability
                A    IV.4.D              Data Backup and Storage

Technical Safeguards (see § 164.312)
164.312(a)(1)   R    V                 Access Control
                R    V.1.A               Unique User Identification
                R    III.18.A, V.1.B     Emergency Access Procedure
                A    IV.3                Automatic Logoff
                A    V.1.D               Encryption and Decryption
164.312(b)      R    V.2.A             Audit Controls
164.312(c)(1)                          Integrity
                A    V.2.B               Mechanism to Authenticate Electronic Protected Health Information
164.312(d)      R    V.2.B             Person or Entity Authentication
164.312(e)(1)   A    V.3.A             Transmission Security
                A    V.2.B               Integrity Controls
                A    V.5.B               Encryption
                R    VI                  Breach Notification

If you would like to discuss Information Security or HIPAA Security Rule compliance in your organization, e-mail me at I would be happy to discuss your specific case.

Copyright © Jeffrey Morgan 2016






Solutions in Search of a Problem

By Jeffrey Morgan

The Problem

Here is a scenario I frequently encounter in organizations. An executive identifies a problem which he or she believes to be an Information Technology problem and delegates the problem to the IT Director to solve. For instance, one real-world example I have seen many times is where an executive tells the IT Director, “We have a communication problem. We need better communications. How can you fix it?” A slightly different manifestation is where the IT Director approaches the executive management, unsolicited, and proposes a solution that will improve organizational communications. For the sake of argument, let’s forget about how this is begging the question.

The Wrong Approach

The IT Director proposes that the organization implement NoPoint to improve communications. Maybe the IT Director digs up some vendor-written white paper that shows amazing ROI and low TCO. The executive signs off on the project and the organization begins a five- or six-figure project to implement NoPoint. Never mind that the users didn’t ask for it; the new system will solve all communication problems. Never mind that no measurable, demonstrable goals and objectives have been established. Plus, all civilized, up-to-date organizations use NoPoint. The IT Manager will force yet another piece of software with a dubious record for solving business problems on the staff.

Some IT Directors are excellent at solving business problems. Unfortunately, many other IT Directors aren’t equipped to identify root causes and propose appropriate solutions. If all you have is a hammer, every problem looks like a nail. If you came up through the ranks in IT, every problem looks like a tech problem that requires software to solve.

Sadly, this scenario is played out every day in the public and private sector. Massive amounts of money are spent implementing systems without any return on investment or demonstrable results.

A Better Way

The strong IT Director will use a different approach. One approach he or she might take would be to meet with other end users and managers in the organization in order to determine the root cause of the communication problem. Rather than assuming that software will solve the problem, he or she will solicit solutions from the end users and organizational management. In my experience using this approach, it is unlikely that the end users will recommend that NoPoint or any other software system be implemented as the primary solution. However, they might suggest it as a tool after the more pressing issues have been addressed. Rather, they are likely to identify organizational bottlenecks, perverse incentives, and other obstacles to quality communications. This process is also likely to identify specific individuals with poor communication skills. In this case, the strong IT Director will create a plan that includes leadership, training and end user buy-in, in addition to processes, policies and procedures that improve organizational communications.

An alternate scenario I have encountered is where an IT Director is under pressure to do something. The IT Department is delivering poor customer service and end users are ready to revolt. Rather than addressing the customer service problem, the IT Director, manager, or supervisor suggests a new (and expensive) project that will make the users happy. They think this approach will hide the poor customer service while the new system is under implementation.

How would your IT Director or manager approach these problems?

The unpleasant truth here is that no software will inherently solve business problems. Solving business problems requires leadership, training, policy, process and procedure.

If you have a communication problem you would like to discuss, or any other type of Business Process or Information Technology problem, send me an e-mail at

Copyright © Jeffrey Morgan 2015


Introduction to Enterprise Procurement Projects Part 2 – Establishing Goals and Objectives

By Jeffrey Morgan

Establishing Goals, Objectives, and Criteria for Success may be the most important component of your project. How will you determine whether or not the project is successful if you don’t clearly plan for and enumerate your goals? Your Enterprise Project may be an undertaking that requires several years from inception to completion. Management and staff have often lost sight of the original goals by the time they reach the finish line, so document and update goals clearly throughout the project.

We want the goals to be clear and measurable. Some popular goals include “improving efficiency” and “reducing operational costs.” These sound good but you must be more specific. What does improving efficiency mean to you? Do you plan to process more work with the same staff? Do you plan to eliminate FTE’s as part of the project? By attrition or not? Does this project represent a completely new undertaking or are you just re-engineering current processes?

There are many ways to approach the establishment of goals and objectives and I will discuss two possible methods here. Only one of these methods actually delivers consistent results. Before discussing these two methods, I first want to discuss the way some (many?) managers and organizations approach enterprise projects.

The Shotgun Approach

The most commonly used approach to Enterprise Projects I have observed in organizations is what I call the Shotgun Approach – shooting software and technology at a problem in the hope that the software will solve whatever business problems the organization is experiencing. In these cases, software is purchased without much thought and without any significant goal setting, analysis, change management, or input from end users and stakeholders. Sometimes, the goals are vague, such as “implement a new payroll system.” With the Shotgun Approach, the management often purchases a solution without consulting the staff and without studying and documenting the current business processes in order to understand the root cause of problems, errors, poor quality, and excessive costs. Sometimes these decisions are based on price or product reputation alone without consideration of other essential factors.

If you get lucky, the Shotgun Approach might create some improvements, but I have also seen it backfire completely. I worked for one organization where the management tried this approach to implementing a new payroll system and it turned out to be an utter disaster. This was a case where the management didn’t consult any appropriate and available resources about the wisdom of their plan. A few meetings with the appropriate stakeholders and Subject Matter Experts would have prevented a year-long, painful and expensive implementation that was ultimately scrapped. The six-figure loss to the organization was relatively inexpensive as far as failed software projects are concerned. However, the damage to morale and the management’s total loss of face were more damaging than the monetary loss.

Setting Specific Numeric Targets

Some managers would take an approach based on reaching specific targets such as: “20% reduction in FTE’s” or “a 10% reduction in operational costs.” These are laudable, measurable, and specific goals, so they seem on the surface to be what we want. While this type of approach has many merits, it is not optimal, and I will explain why.

If you are building a new system, or are replacing an old one, some aspects of the new system will be unknown and unknowable (W.E. Deming, Out of the Crisis). It is possible you have some methodology for calculating some of the business variables, like staffing or maybe you are creating arbitrary targets. An infamous piece of Federal legislation is currently taking the Arbitrary Target approach by creating the goal of a 25% reduction in Medicaid hospital admissions. Tens of billions of dollars will be spent pursuing this dubious target with no credible evidence that the proposed processes will work. The likely result of this program will be perverse incentives that exacerbate the current problem and will create new problems in the future.

In some cases, numeric targets are possible and desirable. For instance, if your organization has homegrown software supported by an in-house programming staff, the purchase of Commercial-off-the-Shelf (COTS) software may entirely eliminate the need for the programming staff. In this case, it would be reasonable to set a numeric target for the elimination of the staff members in question or they could alternately be reassigned to other critical organizational tasks. The unknowable portion of this example might be the resources required to support the new system, if any.

I am not implying that just because something is unknown that you shouldn’t make a plan – just write the plan in pencil. There are other knowable elements as well.

In one organization I worked with, the payroll department was spending two days per payroll period (over a period of decades!) making manual calculations in spreadsheets. They weren’t using their ERP fully because it was not performing the calculations correctly. Rather than insisting that the software vendor correct the problem, the staff permanently enshrined the workaround as part of their business process wasting at least 20% of an FTE. So, this is another case where a numeric target is knowable and therefore acceptable. Using a fully automated system with correct deduction tables and time and attendance entry at the department level, it might be realistic to expect a 30%+ increase in productivity surrounding payroll production.

In this case, another goal to strive for should be error-free payroll production. Redoing work as a result of mistakes is expensive. In order to achieve this goal, all of the processes must be examined carefully in order to identify the root cause of errors.

Other goals might include the elimination of duplicate data entry and spreadsheets by distributing time and attendance entry to individual departments if your system is currently centralized.

Improving Quality of Processes, Products or Services

In my experience, Enterprise or Departmental projects with the most successful outcomes have been those undertaken by management whose primary objective was improving quality. Generally, if you focus on improving quality, many problems like duplicate data entry and excessive personnel costs will automatically sort themselves out. Solutions for other problems will become apparent during this undertaking, especially if you are committed to a cycle of continuous improvement.

One of the best real-world examples I can think of as evidence for quality improvement as the primary objective is a manager I worked with a few years ago. She was completely committed to implementation of processes, policies, and procedures that improved the quality of services in her organization. New software was part of the equation and many of the processes, policies and procedures were built into the new software system. No specific numeric targets were set in advance, but there was a general understanding that the number of FTE’s for processing of data and transactions would go down. As a result, she realized a significant increase in revenue along with a 36% reduction in staff as well as a measurable increase in productivity. Focusing on quality works fantastically well.


When developing goals and objectives, focus first on Quality Improvement and use a cycle of continuous improvement. Let’s take a look at what your goals and objectives might look like using the examples previously discussed.

Objective: Improve the quality and efficiency of Payroll Production.


  1. Identify and correct processes and procedures that create errors and hinder productivity.
  2. Fully document best practices, processes and procedures going forward.
  3. Eliminate the use of Spreadsheets in payroll production.
  4. Achieve error free payroll runs.
  5. Distribute Time and Attendance entry to the department level.
  6. Improve the productivity of payroll staff by 30%.
  7. Eliminate or reassign programming staff involved with payroll production.

As you are following subsequent steps in the procurement process, the details of your goals and objectives are likely to change but the overarching objective of improving quality should remain the same. The process of discovery that you undertake next will reveal many details about your operations that you will want to change.

If you would like to discuss setting appropriate goals and objectives for your enterprise project, e-mail me at and I will be happy to discuss your specific case.

Copyright © Jeffrey Morgan 2015



Information Security Basics for Executives – The First Steps


By Jeffrey Morgan

Is your information secure?

Are your organization’s information assets absolutely secure? Do your staff and contractors assure you that everything is safe? How do they know? And how about all those paper files? Is confidential data appropriately labeled and stored in a secure, locked and monitored facility? How do you know? How would anyone even know if there was a breach?

The role of IT Staff

I have sat in meetings with IT Staff who have sworn up and down that the network is secure without any facts or data to support that assertion. What are your IT staff and contractors doing every day to ensure that your information is secure? And what about staff that maintain other types of physical instruments and records?

The role of vendors

I have also sat in many meetings with security vendors who have made outrageous and patently false statements, like “our product is HIPAA compliant.” (There is no such thing. The HIPAA Security Rule is a federal regulation that describes the framework for developing a security policy for certain types of information and organizations. HIPAA is purposely technology- and vendor-neutral.) Every security vendor wants you to believe that they are selling a magical product that will keep your organization secure from all the evils that result from being connected to the entire world through the Internet.

There are no magic products

The truth of the matter is that there are no products or services that will inherently ensure and maintain the confidentiality, integrity and availability (CIA) of your information. Information Security is about process, policy, procedure, and training rather than about installing products. A successful security program comes as a result of looking closely at both the macro view and the micro details and taking appropriate, thoughtful actions using a cycle of continuous improvement. Security products might be a part of your overall security strategy, but without sensible policies, procedures, and training the products themselves are unlikely to produce the desired, advertised result.

Do you have a Comprehensive Information Security Policy?

If you are larger than a Mom and Pop operation, you should have a Comprehensive Information Security Policy. If you are running a municipality or corporation with dozens or hundreds of employees, the lack of such a policy probably constitutes organizational malpractice or malfeasance at some level. Moreover, your policy shouldn’t be just a dusty book on the shelf – all your employees should have had training on and understand the policy.

You can wait for a catastrophic security event to wake your organization up, or you can take action now to prevent an embarrassing and costly revelation. For instance, if your organization is required to comply with HIPAA, the wake up call could come in the form of a multi-million dollar fine from HHS or civil litigation. Or you might end up paying ransom to buy back your data from data pirates. These risks are real and well documented.

How do I get started with a Security Policy?

There are many options for developing a comprehensive information security policy. You can purchase kits, buy books, hire consultants, etc. You can do it yourself, or contract it out, but the process will be largely the same either way. I will give you a 40,000 foot view and you can decide how to proceed. Other than time, the initial costs should not be high, but securing your information infrastructure will definitely have some impact on your budget, albeit less than the eventual cost of not addressing security. Even if this is a DIY project, outsourcing some aspects is probably appropriate unless you have staff members who have been extensively trained in information security domains and disciplines.

Make sure the right people are at the table!

This is NOT an Information Technology project. It is a critical enterprise business, policy and security project, so you want to make sure you have the appropriate stakeholders at the table. Establish a multi-disciplinary committee to participate in the process. Managers and Department Heads from different departments may provide illuminating perspectives and the group must also include rank and file members of your staff who actually do the work (AKA the minions). Staff members with security and military backgrounds may have much to contribute. People who may have had experience in highly regulated industries, such as Pharmaceutical, Insurance, Medical, Public and Mental Health, and Law Enforcement may also have much to contribute to the process. HR and Legal must be at the table. I am certain that your organization has untapped, expert resources, so find them and use them.

Inventory your Assets

Once your Information Security Committee is assembled, it's time to get to work. The first step is going to be a Risk Assessment. Since you have already established your Information Security Committee, begin the Risk Assessment process by cataloging and categorizing all your information resources. Information in this catalog may include paper files, network and computer files including backups, archival and historical records, microfilm, tax records, specifications, etc. There are payroll records, health insurance records, possibly protected medical information, HR information, meeting records, AR and AP records. All of these records may contain information protected by local, state or federal statute. There may be proprietary information related to manufacturing or other information such as videos, films, sound recordings that you may want or need to protect in some way. Use an interrogative process to identify, catalog, and categorize all this information. The output of this process should be a detailed document that clearly identifies all of these assets.

It may be appropriate to contract a qualified consultant for the Risk Assessment process. Why? Regardless of how intelligent and qualified the members of your staff are, they are probably immersed in your organizational culture. They may have biases and make assumptions because “we have always done it this way.” Outsiders may be able to see past the assumptions and biases that your staff members can’t.

Once you have completed this process, you will almost certainly have found information that you didn’t even know you had. If you found sensitive information without any plan for protecting it, you might have trouble sleeping until your committee comes up with a plan.

Once you know what types of information you are responsible for, ask yourself and the Subject Matter Experts on your committee what statutes apply. There are at least a handful of regulations that always apply, and there may be dozens of regulations dealing with information-specific data you have to consider. You probably also found information not protected by statute that needs to be addressed. Do your current policies cover all the information in your catalog? In a subsequent article, I will continue with the next steps for securing your information.

The thinking of your staff will not change overnight.

If you have a large catalog of unprotected, sensitive information, changing the thinking of your staff toward privacy and security may take a while – months or years. Also, this is a perfect time to do a Business Process Review of your information collection operations. Maybe your forms are decades old and no longer reflect current practices. For instance, do you really need to collect social security numbers from the public? If you are collecting this information, are you handing out a Privacy Policy when you ask for information? Are the people providing information truly giving informed consent?

If you want to discuss Information Security in your organization, send me an e-mail at

Copyright © Jeffrey Morgan 2015


Business Santa Claus

By Jeffrey Morgan

It is fun to pretend there is a Santa Claus when your children are young. Even the most curmudgeonly person can get a warm feeling from the jubilant innocence and wonder shining out of those big eyes at the thought of Santa Claus.

I have observed many adults who believe in Santa too. I am always amazed by the hard-nosed, otherwise intelligent business people who still believe in free stuff. Business Santa is even more amazing because he brings free stuff all year long! He might pop in with free e-mail, free websites, free software, and free consulting services at any time. And free stuff is always the best stuff in some people’s minds.

Free is usually the most expensive product or service you can buy, or at least that has been my observation over the last twenty-two years. If you are getting a product or service for free, you are the product that is being marketed, packaged and sold. Moreover, while the product or service might be free, implementation and support are not. And you might have to redo all that work again if the free product doesn’t work out.

So, beware of free stuff. If you do take advantage of free products or services, make sure you read and understand the license agreement thoroughly and make sure you understand what the Total Cost of Ownership (TCO) is. It is not likely to be free, but sometimes it is hard to figure out what the catch is. What is the motivation to give you something free?

I don’t want to confuse free software with Open Source software. That is a different animal completely, though it comes with its own hidden costs; we will talk about that in another post.

As always, if you need help evaluating the cost of free products, send me an e-mail at I’m not free, but I might help you save some money. And don’t forget to leave cookies and eggnog for Santa.

Copyright © Jeffrey Morgan 2015


Improving IT Customer Service with Service Level Agreements (SLA)

By Jeffrey Morgan

Does your IT Staff deliver amazing customer service? Do your staff members love your Information Technology Department? If they had a choice, would they choose the in-house staff or would they rather call a contractor? Does your IT Director produce monthly reports on staff productivity and proudly share these reports with your management team? And what exactly does your IT staff do all day anyway?

Maybe you have managers and staff who think that IT services are free because they are included in the budget and the staff is already on salary. Nothing could be further from the truth. IT services are expensive and in-house IT services are often more expensive than comparable contracted services.

In a 21st century Information Technology operation, superb customer service should be the cornerstone of the operation. To put it simply, there is no longer a place in the industry for IT management and staff who don’t deliver stellar customer service. Before we discuss methods for improving the customer service of your IT organization, we first have to figure out exactly what they should be doing. The root cause of many IT Customer Service problems is a misunderstanding of their business role and a lack of alignment of their mission with executive and organizational goals. Do they have a clear, specific mission statement? Do they understand your business objectives and what they should be doing to help you achieve your business goals?

No business operation can be all things to all people unless you have an unlimited budget. Since real budgets are limited, the focus and mission of your IT Department should be limited as well.

Establish Business Goals

As an Executive, it is your job to define the mission of Information Technology. You don’t need technical skills or knowledge to define their business objectives, but you do need to think carefully about your goals and objectives and document them thoroughly. Left to their own devices, IT staff will probably keep themselves busy with cool technical things that add no value to your business operations. Let’s get them focused on adding value to your business using a Service Level Agreement (SLA).

Following is a high level, executive overview for developing an internal SLA. This is by no means exhaustive but should provide you the general idea of how to get started.

Define the Vision and Mission.

Make it clear, meaningful, short, and tailored to your organizational requirements. The mission statements for a large corporate IT department, a County Government, and a K-12 school district may all be different, but great customer service should be a common theme with all three.

Memorialize the Mission in a Service Level Agreement (SLA).

A Service Level Agreement (SLA) is a document that defines the 6 W’s and a couple of other things:

  1. What services will be provided?
  2. Who will provide them and for whom are they provided?
  3. When will the services be available?
  4. How much will the services cost?
  5. Why should services be provided?
  6. Where will the services be provided?
  7. Escalation Procedures.
  8. Problem Levels

Let’s take a look at these items in greater detail.

What services will be provided?

Every service you decide to provide should have a solid business case for being included and should have a cost/benefit/value justification. Are you running a help desk? Do your staff members repair hardware? (Let’s hope not!) Do you want your IT staff to support specific software products? Are they supporting an e-mail and phone system?

Make a list of the services your staff should routinely provide. You may even want to specify what services aren’t provided. For instance, custom software development and hardware repair are a couple of services that are difficult to justify unless you have special circumstances (I will discuss this in a separate post). You should also specify a procedure for contracting these and other special services should they be required.

Who will provide the services?

Which staff members will provide the services? Will contractors and vendors provide some services? This is good information for your customers to have.

For whom will the services be provided? Just to your direct staff? Contractors and vendors? Do you have divisions or other sub-organizations or partners that piggyback off your system?

When are the services available?

Are you providing services 24x7? Eight to Five on business days? What about off-hours emergencies? How quickly will your staff respond to different categories of requests? For instance, if an application is down, what is the maximum amount of time that should pass before a staff member starts working on it?

How much will the services cost?

Does your IT department work on a charge-back basis? Who pays for calls from external vendors? How do you calculate the hourly rate for your in-house staff?

Why will the service be provided?

Why are you providing this service? Your customers (end users) should understand why some services are provided and not others.

The SLA for your IT Staff should be compared with your various vendor SLAs to ensure there is no duplication of effort. An SLA is included in your contract with every vendor, right?

Escalation and Problem Definitions

Your SLA document should define different levels of problems and an appropriate response time for your staff and contractors. For instance, is an end user inconvenienced? Is an application for an entire department down? In the case of the former, you might define a day, week or month to resolve the problem – this depends on your specific business, goals and objectives. If a critical application is down, you might want to require the staff to drop everything and begin working on the problem immediately.

Use Management tools and techniques to control the output and services.

An SLA will not magically improve customer service, but it is a first line tool that will help set baseline expectations for IT Staff and their customers. When used in conjunction with a Professional Services Automation (PSA) system, Quarterly Goals and Objectives, and honest annual performance reviews, the SLA can help you make a positive change in the IT staff’s delivery of customer service that meets your business objectives. And remember, management is 10% telling people what to do and 90% making sure they do it.

In subsequent articles, I will discuss Information Technology’s mission in more detail and we will examine some additional business scenarios and options for achieving your business objectives.

If your IT Staff isn’t delivering great customer service, or if you need assistance with the development of a custom SLA for your business, e-mail me at and I will be glad to discuss your specific business case.

Copyright © Jeffrey Morgan 2015


Reduce the Cost of your operations by improving Quality: William Edwards Deming and Quality Management in a Public Sector Organization

By Jeffrey Morgan

If you improve the quality of your product or service, productivity is automatically increased and costs go down.

I first learned about W.E. Deming while I was in graduate school and also working in the Product Engineering department of a Fortune 500 company. At the time, the company was implementing Total Quality Management (TQM) and I was really impressed by the scope of changes the company was employing in order to improve its product quality.

Deming’s approach to quality and productivity is widely used in manufacturing, but not so well recognized in the Public Sector where I do a lot of my work. However, applying Deming’s concepts and methods to Public Sector organizations can create a profound improvement in the quality of that service while automatically improving productivity and lowering costs.

Combine with a Business Process Assessment

Any time you are working on a business project such as procurement of a new software product, a perfect opportunity to review and streamline all your business processes presents itself. In fact, this may be the only opportunity you have to make improvements in the delivery and efficiency of services for the next decade or two if your organization functions like many in the Public Sector do. There is no software product that will magically improve your business processes – you must analyze the business processes and build your new, improved processes into your new system.

A business process assessment in advance of your upcoming software acquisition can identify the bottlenecks in your business processes that create inefficiencies in your operations. I can provide a few of the many examples that I have encountered with my clients. In one organization, I found a 10-step process for recording revenue that resulted in a 3 month delay in that revenue being booked. This process should have consisted of a single step with instant booking of the revenue. While doing a business process review in another organization, my client identified a 17-step process that resulted in a lengthy delay in booking revenue and sometimes in the total loss of that revenue. Again, that process should have consisted of a single step.

Bureaucratic Obstacles

Is your organization plagued with bureaucratic processes like those mentioned above? No one knows why the process is that way and no one can remember when it started, but “We’ve just always done it that way.” This is the reason why I do a bottom-up business process assessment. There is no way to capture these processes unless you interview and observe the people who actually do the work. The gulf between Minion and Management is vast and Management often has no idea of what the exact processes are in various departments and functions of a large organization.

Once you identify all of these process bottlenecks, you will want to make sure you build the new, more logical and efficient process into your new software system. Unfortunately, many organizations do what a colleague of mine describes as “recreating all the dysfunctional processes in the new system.” If you are going to take that approach, why bother with a new system?

If you want to read more about improving quality and productivity while lowering costs, try Out of the Crisis by William Edwards Deming (1982, Massachusetts Institute of Technology, Center for Advanced Educational Services, Cambridge, Massachusetts). If you want to discuss methods for increasing the quality of your services, e-mail me at

Copyright © Jeffrey Morgan 2015


Essential Contract Documents: Statements of Work (SOW)

By Jeffrey Morgan

I have been experiencing a frustrating time during the last several weeks dealing with a couple of vendors who don’t want to provide a Statement of Work (SOW) along with the other contract documents in order to finalize the deals. They keep coming back with something that is less than what I asked for and something that is not in the client’s best interest. Essentially, they are asking for the contract to be signed on a handshake deal promising that they will do everything necessary to get the projects done without putting specific details in writing. Sound familiar?

Some vendors are willing to comply with the spirit of a contract and will go out of their way to make you happy, and others will barely comply with the letter of the contract. If you haven’t dealt with the vendor before, getting the Statement of Work right is essential. Even if you have worked with the vendor before and have a great relationship, spelling out the project details and expectations is a good idea.

A Statement of Work (SOW) is an essential component of a contract. The SOW needs to define the 6 W’s:

  • Who
  • What
  • When
  • Where
  • Why
  • How Much

Although it is possible to use the original Proposal and Statement of Work from the RFP response as the SOW, sometimes the goals, objectives and the Scope of Work have changed significantly since the publication of the original RFP. In that case, an SOW that agrees with all the contract documents is required. The contract must define which document takes precedence in case there is a discrepancy. In a perfect world, there shouldn’t be any discrepancies. However, in Statements of Work that may run hundreds of pages, it is a possibility.

In both the RFP and in the SOW, I like to see the information in a tabular format so you can use those documents as a checklist during project implementation. There is a high probability that the Project Manager for implementation will not have been involved in the procurement process and subsequent negotiations, so having all the deliverables and expectations in a clear format for the Project Manager is important.

The SOW should define how payments are tied to formal acceptance of specific deliverables and milestones. In the specific cases I am dealing with at the moment, I am looking for specifications of onsite vs. offsite work with a specific schedule of when they will be onsite, for how long, who they will interact with, and what they will achieve during those visits.

There are many resources available for writing a solid Statement of Work. GSA has a resource at and the Canadian Government has published a resource here at:

If you have questions about SOW development or need help putting one together e-mail me at

Copyright © Jeffrey Morgan 2015
