By Tim Zullo, Director of Systems Integrator and Industry Advocate Programs, Deltek
Summary: Organizations should be constantly looking at risk to develop a rational for addressing business change. There are various methods for assessing and prioritizing risk and often businesses use a variety of methods to compare results. Here we explore one model Finance and IT may want to consider to help build a business case for the necessary systems investments to move the business forward.
Last week I happened upon a Harvard Business Review article titled "A 6-Part Tool for Ranking and Assessing Risk" that describes a tool called the CARVER system. Developed during World War II, CARVER was originally designed to support bomber pilots and assist them in identifying the most effective drop targets. Although it was developed nearly seventy-five years ago, CARVER is still useful today as it takes a methodical and logical approach to managing the types of decision points we face in business today. For example, it is still relevant for decision making related to risk management and cyber security. The model can assist organizations in prioritizing systems to modernize based on vulnerabilities to cyber threat or changes in business objectives.
According to the Harvard Business Review article, CARVER draws on both qualitative and quantitative data, and can be applied in almost any scenario where data is analyzed and discussed in an organized, logical way. As you can image, most critical decisions we make in business are approached—or should be approached—in this fashion. For instance, if you take into account the CARVER approach when developing your budget or strategic plan, it would allow you to articulate a rational for the conclusions you have drawn to improve your chances for gaining approval and building a stronger consensus with leadership to get investments you are proposing approved.
In an offensive positioning, employing the Carver matrix can help to identify targets (capabilities) that are vulnerable to competitive threats. For defensive purposes the Carver matrix can be applied to help indicate "High Risk" targets that require additional investment to prevent the degradation or loss of market share of said assets.
What does the acronym CARVER stand for?
- Criticality: How essential is an asset or critical system to your company’s overall ability to operate with business continuity? If a system were taken offline how disruptive would it be to your general business operations? How many people would it affect?
- Accessibility: How difficult would it be for an adversary to gain access and exploit vulnerabilities of an asset/capability/product to disrupt business activity? For example, if your company conducts e-commerce through your website that accounts for 40% of company sales and an adversary gained access to your site, could they damage your business and long-term ability to conduct business on your site?
- Recoverability: How quickly can you recover if something happened to a strategic asset? For example, if an asset was taken offline for an upgrade or a cyber-attack occurred, what would be your recovery time?
- Vulnerability: How well (or not) could the asset withstand an adversary’s attack or an adverse business shift, such as loss of key knowledge? For example, with a shortage of skills in key areas of your business, how would your company fare if they lost certain employees?
- Effect: How much of an impact would there be across your business if something happened to the asset? For example, what would the impact be if skills supporting this asset no longer existed in the organization due to lack of training or attrition?
- Recognizability: How likely is it that an adversary could recognize the asset as a valuable target or impact the value of the asset? In the latter instance, the adversary could potentially be internal business decisions that degrade the value gained from the asset. For example, what if decisions were made that resulted in lack of training, reliance on old versions of software (e.g., no funding for upgrades), or a reduction in force causing lost skills and knowledge?
How CARVER Works
Here’s an example of how the CARVER model works. Create a simple table, which consists of a list of vulnerable systems on the y-axis and "CARVER" across the x-axis, and then rank each target on the CARVER component on a value scale of 1 to 10, with 10 being the highest priority or value.
Applying the Carver Model to Cost Optimization
Cost Optimization is the continuous discipline of obtaining the best price and cost while maximizing business value with no impact or reduction in scope in service delivery. Cost optimization is not just about saving money. It is actually about making the most efficient use of resources - and that is not just money.
For instance, moving applications to the cloud and leveraging managed services can allow organizations to reduce staff or redeploy staff to services of higher value that strategically help the business. You could apply the CARVER model to focus in on systems to reduce risk and drive desired business outcomes. This can help the IT organization take a strategic approach to supporting and protecting the business.
When cost optimization and CARVER are combined it can have a significant impact on transforming an organization. Let’s take as an example an organization that currently has many manual processes that support its finance organization. This supporting system might be the correct system today, but over time knowledge can leave the organization and old, manual processes will increasingly reduce organizational efficiency. In addition, if the organization has not kept up with software patches and updates the system could be vulnerable from a security perspective and not maximizing its full capabilities. In this scenario, the IT organization has identified the finance system as a good target for cost optimization by moving it to the cloud. By examining the supporting systems, processes AND by applying the CARVER model the business can build a strong case to make the necessary investments in systems and training that will modernize how this critical department operates. These investments would reduce the number of IT resources required to manage the systems; maximize how the systems are being utilized; and reduce the cyber risk associated with legacy systems. This in turn could help to flatten IT spend and free up resources for the organization to focus on higher value activities in both finance and IT.
In summary, there is lot of discussion on the topic of cost optimization these days, given budget constraints and the drive to innovate. There is nothing new about this dilemma, but applying the CARVER model might build a better business case to drive the changes needed to gain the desired cost optimization outcomes organizations seek.
Ask your organization…
- Are you using the right system to support your business?
- Have you deployed the latest release to leverage the systems latest capabilities?
- Is your organization fully maximizing the value of the system?
- Does your team have the skills to get the value from the system your business needs?
- Have you conducted a SWOT or CARVER analysis of systems and processes suspected in need of improvement?
- Are you able to prioritize your business systems needs base on impact to the business?
Think about your organization and how you approach cost optimization for IT projects. Are you making decisions to cut cost with the idea to optimize business performance? When organizations take an extra step and overlay the CARVER model to cost optimization, it can result in decisions that deliver greater business value, reduce overall risk and increase the likelihood of success for transforming the organization.
Deltek is the leading global provider of enterprise software and information solutions for project-based businesses. For more information on Deltek solutions for your specific industry visit https://www.deltek.com/en/industries.
About the Author
As Director of Systems Integrator and Industry Advocate Programs, Tim is responsible for leading joint marketing and sales initiatives with Deltek’s strategic consulting and IT partners. Tim’s experience crosses multiple sectors and includes government contracting, aerospace and defense, industrial manufacturing and professional services industries.
A frequent speaker at industry events, Tim’s topic expertise includes cybersecurity, compliance management and supply chain risk management. Connect with Tim Zullo on LinkedIn.
- Customer Experience
- Customer Spotlight
- Data and Analytics
- Deltek Cares
- Deltek Insight
- Deltek News
- Deltek Project Nation Community
- Digital Transformation
- Diversity in the Workplace
- Executive Spotlight
- Financial Management
- Industry Analysis
- MVP Awards
- Organization and Culture
- Partner Spotlight
- Project Management
- Risk Management
- Small Business
- Team Deltek
- Transformational Trends
- User Experience
- User Experience Innovations