Whitepaper: APO, ITMI, Archer

Whitepaper – APO, ITMI, Archer 01/17/2011

Whitepaper – APO, ITMI, Archer

By Peter Lechner

This whitepaper describes Computer Aid Inc.’s (CAI) products Automated Project Office (APO), IT Management Insight (ITMI) and EMC’s Security Division (RSA) Archer eGRC Solutions. The objective is to provide the reader with an understanding of their key components, key benefits, strengths and weaknesses.

Page 1This document is the exclusive property of Computer Aid, Inc. (CAI) It contains proprietary information and may not be disclosed to others for any purpose without written permission from CAI


Table of ContentsI. Executive Summary Page 3

II. APO, ITMI, Archer at a Glance Page 5

III. Key Components Page 9

a. APO Page 9

i. Scope Management Page 9

ii. Quality Page 9

iii. Integration Page 10

iv. Human Resource Management Page 10

v. Communications Page 10

vi. Risk Management Page 11

vii. Procurement Page 11

viii. Methodology Page 12

b. ITMI

i. Metrics Page 12

ii. Dashboard Objects Page 12

iii. Data Elements Page 12

iv. Data Collection Page 13

c. Archer Page 13

i. Audit Management Page 13

ii. Policy Management Page 13

iii. Risk Management Page 13

iv. Compliance Management Page 13

v. Enterprise Management Page 13

vi. Incident Management Page 13

vii. Vendor Management Page 13

viii. Threat Management Page 14

ix. Business Continuity Management Page 14

IV. Pricing, Deployment, Support Page 14

a. APO Page 14

b. ITMI Page 14

c. Archer Page 14

V. Summary Page 14



I. Executive Summary

The Information Technology (IT) industry is very quick to label a product as a

complete Project Management Office (PMO) support tool. It’s important to first define

what a PMO is. Thomas Clark, founder of Project Success, Inc. (PSI), describes a PMO

as a staff function that builds, maintains, and improves the project management policies

and procedures in the organization. A PMO supports project managers and their teams in

the effective application of sound project management principles and techniques to

achieve project success. PMO’s often perform tasks that are normally the responsibility

of other functional groups, such as procurement, quality assurance, legal, human

resources and financial departments. The bottom line is that a PMO’s mission is to

ensure that projects succeed every time.

EMC’s Security Division (RSA) Archer eGRC Solutions provide the frameworks,

and the services to help enterprises identify and manage different forms of risk through

an automated PMO. Its emphasis is specifically on:

Enterprise Governance

Risk Management

Compliance

Archer provides flexible, powerful tools for managing content, streamlining workflow,

monitoring controls, and measuring and reporting compliance. It can be implemented via

Software as a Service (SaaS) or installed directly at the client site at no additional cost. It

is priced competitively and is very customizable. Archer's SmartSuite Framework

delivers out-of-the-box solutions. It also provides wizards and intuitive administrative

pages that enable clients to model and automate their unique business processes.

Computer Aid Inc.’s (CAI) Automated Project Office (APO) is a PMO tool that

enables the PMO to manage aspects of projects not addressed by any other application.

APO’s concentration is on:

Best Practices

Leveraged Knowledge

Proper Governance

Quality Assurance



Risk Management

Total Visibility

APO is an intellectual system that was designed by industry experts and collegiate

educators. APO starts with questionnaire responses and data fed from these answers to

provide insight into a project’s health. APO has the flexibility to be configured without

programming. APO’s dashboards allow you to manage scope, quality, integration,

human resources, communications, risk, procurement and methodology. Implemented

via Software as a Service (SaaS), APO can be deployed in five business days and costs

approximately ½ a FTE. APO is customizable with other data sources like Microsoft

Project. APO is built on the Advanced Management Insight (AMI) development

platform. AMI is extremely customizable. It allows a customer to create their own

solution.

CAI’s IT Management Insight (ITMI) will focus on all aspects of an IT

organization. Its goal is to improve the effectiveness of IT management. ITMI will

include 20+ integrated ‘applications,’ including APO and project portfolio management.

Additional ITMI applications include: Executive Information System, Issues

Management, Unit and Individual Performance Assessments, Voice of the Customer,

Process Assurance, Cost Benefit Analysis, Capacity Planning and Operations Support

Assessment. The key structural components of ITMI are: metrics, dashboard objects,

data elements and data collection. ITMI defines IT as a collection of domains. Each

domain is broken down into a series of activities. Activities are monitored and measured

by a number of data feeds, assessments and plug-in tools. ITMI will cost less than $1.00

per project per day. ITMI will also be built on CAI’s AMI development platform

allowing it to be very customizable.

Archer and APO are definitely similar products. Especially when focusing on risk

management. Both use targeted questionnaires that are automatically sent out to pre-

defined project stakeholders. APO is only one application within ITMI. The APO

application within ITMI is also similar to Archer. However, there are some applications

within ITMI that aren’t included in any of the Archer solutions. For example: Proposal

Submission, Proposal Validation, Portfolio Balancing and Project Monitoring. The

power behind APO and ITMI is the flexibility of its Advanced Management Insight



(AMI) platform. It allows a customer to tailor their own solution specific to their

business need.

Archer’s pricing is very similar to APO’s. It is apx. 50K-100K a year with a three year

contract. APO’s is 60K a year with a two year contract. Archer allows unlimited users

the capability to view its dashboard reporting. While APO allows 10 named users the

capability to view its dashboard reporting. More are allowed but at an additional cost.

EMC recently purchased Archer and while Gartner states that Archer is a total

risk management solution it also warns that EMC will be challenged to maintain the

independence of the Archer product line because it integrates data from many third

parties. Gartner went on to say that Archer could be challenged to have successful

feature releases because they have acquired too many other products along the way.

This whitepaper will describe and compare the scope and functionality of CAI’s

APO, Clarity and ITMI. It’s a non-competitive market place given the robust PMO

audience.

II. APO, ITMI, Archer at a Glance

a. APO

i. To address the needs of the IT organization specifically application

development, Computer Aid Inc. (CAI) developed the Automated Project

Office (APO) tool. It is implemented as an ‘application’ which is powered

by Automated Management Insight (AMI). The tool offers a unique,

practical solution for managing scope, quality, integration, human

resources, communications, risk, procurement and methodology. These

categories can be displayed in either a data grid or a graphical output

specific to each category.

ii. The core of APO starts with questionnaire responses and data fed from

these answers to provide insight into a project’s health and potential risks.

It is a ‘control room’ that measures health of your project providing early

warning. The question sets were designed around several years of

experience with insight from collegiate educators and industry experts.

They incorporate existing or company-specific practices and processes.



APO has been assembled with the summation of numerous key features

into a unique tool.

iii. APO alerts you to issues before they become catastrophic problems,

giving you the time you need to address them.

iv. APO provides at-a-glance project health and status, letting you focus your

attention where it's needed the most.

v. APO allows you to identify where project costs can be saved, quality

improved, and customer satisfaction boosted.

b. ITMI

i. IT Management Insight (ITMI) is currently in the conceptual stage. It is

really an extension of APO to be used across all aspects of IT

Management.

ii. The ITMI Architecture is based on five domains organized into two

interlocking process loops; one for Service Delivery and one for Process

Improvement.



iii. The two loops above can also be depicted individually as wheels where

each domain is represented by a 1/3 wedge of the wheel. This is shown

below.

iv. Each domain, Project Portfolio Management being an example, is broken

down into a series of Activities (light blue) and these in turn are supported

by a number of data feeds (brown), assessments (green) and plug-in tools

(orange) which provide the substance to those activities.

c. Archure

i. EMC’s Security Division (RSA) Archer eGRC Solutions provides nine

core solutions that are fully integrated and designed to facilitate the



automation and administration of enterprise risk and compliance

management processes. While each of these solutions can be deployed

independently to address specific business requirements, implementing

them together forms a powerful, cohesive system. They are as follows:

Audit Management, Policy Management, Risk Management, Compliance

Management, Enterprise Management, Incident Management, Vendor

Management, Threat Management and Business Continuity Management.

ii. Archure provides customizable services to help enterprises identify and

manage different forms of risk. Allowing for fast access to specific

information so an informed decision can be made. In addition to IT Risk,

its services allow the entire organization to manage all forms of risk.

Their primary focus is on Governance, Risk and Compliance (GRC).

Archure promises visibility and communications across the entire

enterprise.

iii. Archer empowers organizations to automate and manage these processes

through a set of comprehensive, integrated solutions. The main solution is

the creation and delivery of targeted risk assessments to determine an

existing compliance level. It identifies areas of inherent risk. A central risk

repository with project management capabilities, key risk indicators and

loss events allow for this to be made possible.

iv. The question sets were created over years of industry experience. Unique

question sets can also be created.

v. Archer maps policies and control standards to the authoritative sources

that govern your enterprise.

vi. The reports can be filtered in almost any way. A few examples are: risk

rating, date range and business unit.



III. Key Components

a. APO

i. Scope Management

The knowledge area of Scope Management includes the processes

required to ensure that the project includes all the work, and only the work

required to complete the project successfully. It is primarily concerned

with controlling what is and what is not in the scope. APO allows you to

manage scope by monitoring the project’s scope stability and scope

adherence. This is viewed on the APO Score Card Dashboard.

ii. Quality

The high-level views of the performance of the projects within a portfolio

as well as indicators of potential quality problems can be easily reviewed

and leveraged. The drill-down capability of the portfolio management

components allows the manager to distinguish the source of a given

problem and where potential quality problems may reside. This provides

the project manager with an ‘early warning’ of potential problems and at

the same time gives them a method to investigate issues with the proper

level of detail. If quality is slipping the Service Level Agreement (SLA)

will not be met. This is monitored on the APO Dashboard Score Card by



showing whether or not the SLA’s are being me. Quality is also

monitored on the Quality Assurance Graphs showing requirement

adherence, test case success and defects logged.

iii. Integration

Incorporated in the APO is a repository of project data. As projects are

created their attributes provide information for classification and best

practices advice. This classification and advice is based on data that is

collected from the questionnaires. The project integration management

knowledge area ensures that all project components are coordinated.

Areas that are crucial for project completion are most critical. On the

APO Dashboard Score Card this includes Lost Time and Turn Over.

iv. Human Resource Management

Human resource management includes the processes required to

coordinate the human resources on a project. Such processes include

those needed to plan, obtain, orient, assign and release staff over the life of

the project. This is monitored on the APO Dashboard Score Card by

showing turn over, staff capability and morale. This is drilled down even

further via the Staffing View. Items such as task accomplishments,

whether or not the tasks are understood and morale KPI over time are all

monitored. APO allows changes to be made once these items become a

problem.

v. Communications

Each person on the project will be answering the same questions

dependent on their role and the phase of the project. This ensures that

everyone understands what is being asked of them. Communications are

thus clear and consistent. The project stakeholders are selected to answer

these specific question sets via APO. Careful communication planning

and setting the right expectations with all the project stakeholders is

extremely important. Many times today ‘management by walk around’

can no longer occur. Communication can no longer occur face to face.

APO allows ‘management by walk around’ to occur on a consistent basis.



vi. Risk Management

One of the problems with the risks associated with developing and

maintaining applications is that they are often not recognized until they are

realized. Or, if they are recognized early, they are often left to chance.

The APO takes steps to fix this. By providing a base set of intuitive

questionnaires, the APO helps project managers to recognize potential

risks early. The questions are in a simple multiple choice format that

addresses potential risks in conjunction with the current phase of the

SDLC. The answers are weighted, and through a series of thresholds the

APO identifies the areas of the project that are of concern for the well-

being of the project as a whole. In addition, APO provides the user a

series of assessments. The warnings, which are displayed in a simple

‘stop-light’ format, draw attention to problem areas. Customizable

questions can be added to the initial set with weights assigned to highlight

the most critical risks. The question sets apply to all projects of a common

type.

The APO also provides the ability to perform risk analysis from the

viewpoint of different personnel associated with the project. Besides the

primary set of questions that is directed towards the project manager, there

is also the ability to tailor additional question sets for other project

members, such as a quality assurance manager or business owner.

Risk is monitored on the APO Score Card.

vii. Procurement

Project Procurement Management is part of the project management

process in which products or services are acquired or purchased from

outside the existing associate base of which would work on the project in

order to complete the task or project. Physical assets, delivery issues,

contractual situations, vendor management can all be monitored as long as

the question set within APO is modified.



viii. Methodology

A project methodology tells you what you have to do, to manage your

projects from start to finish. For example: did you create a project plan?

What has been the time spent? How many resources are being used and

are they right for that particular project? APO drives adherence to the

methodology that has been set within an organization.

b. ITMI

i. Metrics

Metrics are one of the structural components of ITMI. They are reported

by calculating Risk Scores from assessment results which compute a

defined Risk Score. This includes: A Risk Score for each of the

predefined risk categories; An overall risk score—which is the weighted

sum of the category risks; An Opportunity Score for each of the

predefined opportunity categories; An overall Opportunity Score for the

project—which is the weighted sum of the category opportunities.

ii. Dashboard Objects

Dashboard Objects are a Risk/Reward comparator that plots the inherent

riskiness of projects against their projected benefit. It is another structural

component of ITMI. The size of the data point is indicative of the

financial cost of the project. Charts depicting the distribution of

dispositions for proposals that can be grouped by business unit or other

category variable

iii. Data Elements

Data Elements are generic risk data that is collected almost exclusively

through assessment questionnaires. Project sponsors, PMO and senior

project staff are posed a series of questions that—in aggregate—assess

various categories of risk. Risks are typically not identified until the

project is approved and is in flight. However, any that do happen to be

identified prior to the project starting are logged and added to the risk

profile for the project.



iv. Data Collection

Data Collection is the final structural component of ITMI. It is defined by

project scoring data to be collected via a questionnaire distributed to

assessors who have reviewed the proposal documentation. If there is a

financial justification for the project, that data will typically come from

external sources. It could be collected via a questionnaire if-and only if-

questionnaire data can be used to populate profile fields. If not a web

services call will be required

b. Archer

i. Audit Management

Measures the complete audit lifecycle by enabling governance of ongoing

audit-related activities.

ii. Policy Management

An infrastructure for creating policies and control standards, and mapping

them to corporate objectives, regulations, industry guidelines, and best

practices.

iii. Risk Management

Identifies risks against corporate objectives, evaluate the likelihood and

impact of those risks, and relate them to mitigating controls.

iv. Compliance Management

Enables an organization to automate and manage compliance initiatives.

v. Enterprise Management

Provides a central repository of information on business hierarchy and

enterprise infrastructure.

vi. Incident Management

Provides a case management solution for reporting cyber and physical

incidents, and categorizing them and determining the appropriate response

procedures.

vii. Vendor Management

Facilitates risk-based vendor selection, relationship management, and

ongoing compliance monitoring.



viii. Threat Management

Provides a centralized repository of threat data, reporting of activities

related to threat remediation, and threat management process.

ix. Business Continuity Management.

Provides a centralized, automated approach to business continuity and

disaster recovery planning.

IV. Pricing, Deployment, Support

a. APO

i. $5,000 a month for 1st 10 named users with a 2 year commitment

ii. $2,000 for 2nd 10 named users

iii. $1,000 for each 10 named users there after

iv. Saas (software-as-a-service), standalone installation also available at an

additional cost

v. 5 days or less install

vi. Unlimited Assessment takers in or out of your organization

vii. Robust training & support included

b. ITMI

i. TBD

c. Archer

i. $50,000 - $100,000 per year with a 3 year commitment

ii. Saas (software-as-a-service) or standalone installation

iii. 3 week install

iv. Unlimited Assessment takers in or out of your organization

v. Unlimited users can view all reports at anytime

vi. Training & support included

V. Summary

a. APO is a robust, intellectual system that is very easy to use. The application itself

is fast and easy to implement, requiring minimal startup effort. It can be

customized if needed. APO provides the ability to have ‘project office’ reviews

of all projects. It provides a proactive and quantitative approach for identifying

and mitigating project risks before they are realized. It collects data and shows



metrics based on how pre-defined specific questions are answered. While ITMI

focuses on all aspects of an IT Project. It looks at very detailed metrics. ITMI is

projected to include 20+ unique ‘applications.’ Archer is very easy to use. It

allows you to build an efficient, collaborative enterprise governance, risk and

compliance (eGRC) program across IT, finance, operations and legal departments.

The solution enables users to tailor solutions to their specific requirements.

Archer is very flexible. It allows the customer to have a standard installation or to

pick and choose what makes sense for their organization. There is some overlap

between APO and ITMI with the Project Management Methodology. APO and

Archer are very similar especially when comparing APO to the ‘Risk

Management’ Component of Archer. Like APO there is some overlap between

Archer specifically its ‘Risk Management’ Component and ITMI. APO and ITMI

are implemented by CAI while Archer is implemented by EMC.
