Saturday, August 05, 2006

Cornell Project Management Methodology - a good way to get going

I have been a great fan of quality and process platforms all along and over the past 25 years, I was involved in engineering / project management methodologies such as SSADM, SEI CMM, ISO & PMI. The disciplines grew in response to two distinct challenges faced by the IT community. One was managing the technology better and the other was managing the technology project better. Pioneers like Ed Yourdon empowered people to look at software development as a scientific process and took it from the realm of pure art to (at least some) science and the software process methodologies empowered people to see that projects can actually be planned and are not totally an ‘act of God’. Even by mid-80s, too much software was already circling the globe and folks on the inside were already feeling the pain of bloated software and were looking for help and the situation now is of course significantly more acute.

COBIT, ITIL and 17799 (or NIST for federal organizations) took the tool-set to a new level in that they established best-practice frameworks to guide projects as well as programs, or development as well as operations. With the regulatory compliance reverberating through the corporate world, other frameworks such as COSO have now entered the mix and have performed a very valuable service by taking (mostly) IT projects mainstream within the organizations.

While each of these has performed a valuable role in providing the community with tools to optimize their project planning and execution process, the community’s acceptance of these tools has been painfully slow. I think most organizations and people have outgrown the stage of ‘we don’t need all these fancy tools’ and want to implement methodologies that will enable them to manage their IT better. However, putting them to actual use has been very difficult. These methodologies, in some ways, overlook the natural and basic process of how people absorb and utilize things. People would typically like to start with a small, low-impact project to get a feel and once sure of the implications and results, they would make the investments to apply them organization-wide. Most of the tools are not suited for this approach. You have to invest a lot of time and effort to create the minimum platform before you can get going and the effort feels disproportionate to the experiment you want to conduct. Obviously, this is misleading - if people do implement it with rigor and commitment, they will see the benefits but a lot of organizations do not have the resources or patience to go through this and end up dropping the initiative and sliding back to ‘wild west’ ways of doing things that some people did not want to give up to begin with.

I recently came across Cornell University’s Project Management Methodology (CPMM). Cornell IT created this custom version of project management to meet their specific internal needs and goals and acknowledges it to be based on PMI BoK. I see several merits in this version from a practical adoption perspective. First, it is a simplified implementation (though certainly not simplistic). Anyone who has done projects for a few years would be able to implement it easily. Secondly, the WBS model is at a level where you don’t have to cross-reference things at a granular level. This gives tremendous flexibility to choose the level of detail you wish to have in your implementation without getting bogged down. Thirdly, it uses very little tech-heavy language or notations and you can involve all the stakeholders in the project, which gives a real productivity boost as all people talk from the same document. Most templates are in Word and Excel rather than .mpps and .vsds that only programmers know how to load and read. Then there are some powerful guiding principles like SMART, a visual map of the five-phase process, document templates and constant connection to business case and all stakeholders to ensure that the project is not ‘hijacked’ by a dominant stakeholder (U-know-who). And finally, it seems ready to use irrespective of the size of your project. That will be a big plus for organizations starting out on an exploratory journey.

If you have not seen it already, take a look (projectmanagement.cornell.edu). If you are seeking ways to introduce project discipline in your organization without being too expensive or disruptive, you might get some good ideas. If simplifying the project management process and unifying all your stakeholders are your goals, you might be in for some pleasant surprises at how much CPMM will deliver.

Buck Kulkarni

Tuesday, August 01, 2006

GRC and the business manager

All corporations are doing something about compliance and some are doing more than others. While some are putting in the minimal work that they think they can get away with, others see this to be far more fundamental to the long-term success and profitability of their business and are investing aggressively.

Most companies started their compliance effort with specific Sarbanes-Oxley (SOX) compliance requirements or specific weaknesses identified in their operations by auditors. This resulted in many of them ‘passing’ their first yearly audits and they felt they had their arms around compliance.

But it was not to be. Compliance proved to be an equally, or even more, elusive goal in the next year and the realization dawned on many companies that they had created compliance silos that were very rigid, expensive and difficult to maintain.

Over the last 2-3 years, different players within a corporate entity understood what was at stake and how they need to engage in the rather difficult and sometimes nebulous process of achieving compliance. The Board members understood what was at stake. The CEO and CFO understood the serious repercussions on their life and career. Audit and risk management folks knew a lot about it already and were happy to see that their agenda was now getting the attention they always knew it deserved. IT and infrastructure started with an ambivalent attitude ‘tell us what you want and we will fix it’ rather than getting pro-actively engaged. Some of them learned and got on board and some others did not and got run over by risk, security and compliance folks.

But one key stakeholder that has still not shown up in strength is the business manager. An executive running a region or a line of business or a product or a combination is still rather removed from the nuts-and-bolts of compliance. It is a bit unnerving to watch this unfold in company after company you work with.

The reasons are many, some obvious and some not so obvious. The simpler ones are that business managers are too busy with critical operations (or making money for the company), they are not legal and accounting savvy, they are not IT savvy etc. But the real reason you learn after speaking with many business managers is that they don’t think it is their job. Business managers are the ‘line managers’ so to speak and compliance, just like accounting, HR, security, facilities, is a ‘staff function’. It is part of the eco-system that the company is supposed to provide to the business manager to run the business.

While not totally wrong, it is increasingly anachronistic in the modern business model. Just as a business manager has to involve herself in HR to ensure her people are happy and productive, has to involve herself in accounting to understand the profit, loss, commissions, incentives, market shares of her business operation, she has to now understand the compliance situation to conduct her business in a safe, uninterrupted and credible manner.

But the business managers need some help. If all they can hear is firewall and IDS protection, COSO framework and material weaknesses, it is difficult for them to get focused on compliance. However, if we tell them that 45% of their customers may have difficulty conducting business on our website if we do not do this (or that), they immediately get engaged and in fact, push compliance far more than many other stakeholders.

I recall some aggressive banks had lists of competitors and their important customers that they would target should a bank fail due to Y2K problems. While we did hear about it actually happening, it is a good pointer of where compliance is headed. Very soon, it is going to be a competitive differentiator and nobody needs to worry about it more than the business manager.

Buck Kulkarni