Monday, July 08, 2013

The Open Group July Conference Emphasizes Value of Placing Structure and Agility Around Enterprise Risk Reduction Efforts

Transcript of a BriefingsDirect podcast about how to achieve better risk management with better analysis of risk factors.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: The Open Group.

Dana Gardner: Hello, and welcome to a special BriefingsDirect Thought Leadership Interview series, coming to you in conjunction with The Open Group Conference on July 15, in Philadelphia. Registration to the conference remains open. Follow the conference on Twitter at #ogPHL.

I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator throughout these discussions on enterprise transformation in the finance, government, and healthcare sector.

We're here now with a panel of experts to explore new trends and solutions in the area of anticipating risk and how to better manage organizations with that knowledge. We'll learn how enterprises are better delivering risk assessment and, one hopes, defenses, in the current climate of challenging cybersecurity. And we'll see how predicting risks and potential losses accurately is an essential ingredient in enterprise transformation.

With that, please join me in welcoming our panel. We're here with Jack Freund, Information Security Risk Assessment Manager at TIAA-CREF. Jack has spent over 14 years in enterprise IT, is a visiting professor at DeVry University, and also chairs a Risk-Management Subcommittee for the ISACA. Welcome back, Jack.

Jack Freund: Glad to be here, Dana. Thanks for having me.

Gardner: We're also here with Jack Jones, Principal at CXOWARE, and he has more than nine years of experience as a Chief Information Security Officer (CISO). He is also an inventor of the FAIR risk analysis framework. Welcome, Jack.

Jack Jones: Thank you very much.

Gardner: We're also here with Jim Hietala, Vice President, Security, at The Open Group. Welcome, Jim. [Disclosure: The Open Group is a sponsor of BriefingsDirect podcasts.]

Jim Hietala: Thanks, Dana, good to be here.

Gardner: Let’s start with you, Jim. It’s been about six months since we spoke about these issues around risk assessment and understanding risk accurately, and it’s hard to imagine things getting any better in the last six months. There’s been a lot of news and interesting developments in the cyber-security landscape.

So has this heightened interest? What are The Open Group and others doing in this field of risk assessment and accuracy and determining what your losses might be and how that can be a useful tool?

Hietala: I would say it has. Certainly, in the cybersecurity world in the past six or nine months, we've seen more and more discussion of the threats that are out there. We’ve got nation-state types of threats that are very concerning, very serious, and that organizations have to consider.

With what’s happening, you've seen the US Administration and President Obama direct the National Institute of Standards and Technology (NIST) to develop a new cybersecurity framework. Certainly on the government side of things, there is an increased focus on what can we do to increase the level of cybersecurity throughout the country in critical infrastructure. So my short answer would be yes, there is more interest in coming up with ways to accurately measure and assess risk so that we can then deal with it.

Perception shift

Gardner: Jack Jones, do you also see a maturity going on, or are we just hearing more in the news and therefore there is a perception shift? How do you see things? How have things changed, in your perception, over the last six to nine months?

Jones: I continue to see growth and maturity, especially in areas of understanding the fundamental nature of risk and exploration of quantitative methods for it. A few years ago, that would have seemed unrealistic at best, and outlandish at worst in many people’s eyes. Now, they're beginning to recognize that it is not only pragmatic, but necessary in order to get a handle on much of what we have to do from a prioritization perspective.

Gardner: Jack Freund, are you seeing an elevation in the attention being paid to risk issues inside companies in larger organizations? Is this something that’s getting the attention of all the people it should?

Freund: We're entering a phase where there is going to be increased regulatory oversight over very nearly everything. When that happens, all eyes are going to turn to IT and IT risk management functions to answer the question of whether we're handling the right things. Without quantifying risk, you're going to have a very hard time saying to your board of directors that you're handling the right things the way a reasonable company should.

As those regulators start to see and compare among other companies, they'll find that these companies over here are doing risk quantification, and you're not. You're putting yourself at a competitive disadvantage by not being able to provide those same sorts of services.

Gardner: So you're saying that the market itself hasn’t been enough to drive this, and that regulation is required?

Freund: It’s probably a stronger driver than market forces at this point. The market is always going to be able to help push that to a more prominent role, but especially in information security. If you're not experiencing primary losses as a result of these sorts of things, then you have to look to economic externalities, which are largely put in play by regulatory forces here in the United States.

Jones: To support Jack’s statement that regulators are becoming more interested in this too, just in the last 60 days, I've spent time training people at two regulatory agencies on FAIR. So they're becoming more aware of these quantitative methods, and their level of interest is rising.

Gardner: Jack Jones, this is probably a good time for us to explain a little bit more about FAIR. For those listeners who might not be that familiar with it, please take a moment to give us the high-level overview of what FAIR is.

Jones: Sure, just a thumbnail sketch of it. It’s, first and foremost, a model for what risk is and how it works. It’s a decomposition of the factors that make up risk. If you can measure or estimate the value of those factors, you can derive risk quantitatively in dollars and cents.

Risk quantification

You see a lot of “risk quantification” based on ordinal scales -- 1, 2, 3, 4, 5 scales, that sort of thing. But that’s actually not quantitative. If you dig into it, there's no way you could defend a mathematical analysis based on those ordinal approaches. So FAIR is this model for risk that enables true quantitative analysis in a very pragmatic way.

Gardner: FAIR stands for a Factor Analysis of Information Risk. Is that correct?

Jones: That is correct.

Gardner: Jim Hietala, we also have in addition to a very interesting and dynamic cybersecurity landscape a major trend getting traction in big data, cloud computing, and mobile. There's lots going on in the IT world. Perhaps IT's very nature, the roles and responsibilities, are shifting. Is doing risk assessment and management becoming part and parcel of core competency of IT, and is that a fairly big departure from the past?

Hietala: As to the first question, it's having to become kind of a standard practice within IT. When you look at outsourcing your IT operations to a cloud-service provider, you have to consider the security risks in that environment. What do they look like and how do we measure them?

It's the same thing for things like mobile computing. You really have to look at the risks of folks carrying tablets and smart phones, and understand the risks associated with those same things for big data. For any of these large-scale changes to our IT infrastructure you’ve got to understand what it means from a security and risk standpoint.

Gardner: Jack Freund or Jack Jones, any thoughts about the changing role of IT as a service and service-level agreement brokering aspects of IT aligned with risk assessment?

Freund: I read an interesting article this morning around a school district that is doing something they call bring your own technology (BYOT). For anybody who has been involved in these sorts of efforts in the corporate world, that should sound very familiar. But I want to think culturally around this. When you have students wondering how to do these sorts of things and becoming accustomed to being able to bring current technology, oh my gosh. When they get to the corporate world and start to work, they're going to expect the same sorts of levels of service.

To answer your earlier question, absolutely. We have to find a way to embed risk assessment, which is really just a way to inform decision making and how we adapt all of these technological changes to increase market position and to make ourselves more competitive. That’s important.

Whether that’s an embedded function within IT or it’s an overarching function that exists across multiple business units, there are different models that work for different size companies and companies of different cultural types. But it has to be there. It’s absolutely critical.

Gardner: Jack Jones, how do you come down on this role of IT shifting in the risk assessment issues, something that’s their responsibility? Are they embracing that or maybe wishing it away?

Jones: It depends on whom you talk to. Some of them would certainly like to wish it away. I don't think IT’s role in this idea for risk assessment and such has really changed. What is changing is the level of visibility and interest within the organization, the business side of the organization, in the IT risk position.

Board-level interest

Previously, they were more or less tucked away in a dark corner. People just threw money at it and hoped bad things didn't happen. Now, you're getting a lot more board-level interest in IT risk, and with that visibility comes a responsibility, but also a certain amount of danger. If they’re doing it really badly, they're incredibly immature in how they approach risk.

They're going to look pretty foolish in front of the board. Unfortunately, I've seen that play out. It’s never pretty and it's never good news for the IT folks. They're realizing that they need to come up to speed a little bit from a risk perspective, so that they won't look the fools when they're in front of these executives.

They're used to seeing quantitative measures of opportunities and operational issues of risk of various natures. If IT comes to the table with a red, yellow, green chart, the board is left to wonder, first how to interpret that, and second, whether these guys really get it. I'm not sure the role has changed, but I think the responsibilities and level of expectations are changing.

Gardner: Part of what FAIR does in risk analysis in general is to identify potential losses and put some dollars on what potential downside there is. That provides IT with the tool, the ability, to rationalize investments that are needed. Are you seeing the knowledge of potential losses to be an incentive for spending on modernization?

Jones: Absolutely. One organization I worked with recently had certain deficiencies from the security perspective that they were aware of, but that were going to be very problematic to fix. They had identified technology and process solutions that they thought would take them a long way towards a better risk position. But it was a very expensive proposition, and they didn't have money in the IT or information security budget for it.

So, we did a current-state analysis using FAIR, how much loss exposure they had on an annualized basis. Then, we said, "If you plug this solution into place, given how it affects the frequency and magnitude of loss that you'd expect to experience, here's what your new annualized loss exposure would be." It turned out to be a multimillion dollar reduction in annualized loss exposure for a few hundred thousand dollars cost.

When they took that business case to management, it was a no-brainer, and management signed the check in a hurry. So they ended up being in a much better position.

If they had gone to executive management saying, "Well, we’ve got a high risk and if we buy this set of stuff we’ll have low or medium risk," it would've been a much less convincing and understandable business case for the executives. There's reason to expect that it would have been challenging to get that sort of funding given how tight their corporate budgets were and that sort of thing. So, yeah, it can be incredibly effective in those business cases.

Gardner: Correct me if I am wrong, but you have a book out since we last spoke. Jack, maybe you could tell us a bit about that and how that comes to bear on these issues?

Freund: Well, the book is currently being written. Jack Jones and I have entered into a contract with Elsevier and we're also going to be preparing the manuscript here over the summer and winter. Probably by second quarter next year, we'll have something that we can share with everybody. It's something that has been a long time coming. For Jack, I know he has wanted to write this for a long time.

Conversational book

We wanted to build a conversational book around how to assess risk using FAIR, and that's an important distinction from other books in the market today. You really want to dig into a lot of the mathematical stuff. I'm speaking personally here, but I wanted to build a book that gave people tools, gave practitioners the risk tools to be able to handle common challenges and common opposition to what they are doing every day, and just understand how to apply concepts in FAIR in a very tangible way.

Gardner: Very good. What about the conference itself. We're coming up very rapidly on The Open Group Conference. What should we expect in terms of some of your presentations and training activities?

Jones: I think it will be a good time. People would be pleased to have the quality of the presentations and some of the new information that they'll get to see and experience. As you said, we're offering FAIR training as a part of a conference. It's a two-day session with an opportunity afterwards to take the certification exam.

If history is any indication, people will go through the training. We get a lot of very positive remarks about a number of different things. One, they never imagined that risk could be interesting. They're also surprised that it's not, as one friend of mine calls it "rocket surgery." It's relatively straightforward and intuitive stuff. It's just that as a profession, we haven't had this framework for reference, as well as some of the methods that we apply to make it practical and defensible before.

So we've gotten great feedback in the past, and I think people will be pleasantly surprised at what they experienced.

Freund: One of the things I always say about FAIR training is it's a real red pill-blue pill moment -- in reference to the old Matrix movies. I took FAIR training several years ago with Jack. I always tease Jack that it's ruined me for other risk assessment methods. Once you learn how to do it right, it's very obvious which are the wrong methods and why you can't use them to assess risk and why it's problematic.

I'm joking. It's really great and valuable training, and now I use it every day. It really does open your eyes to the problems and the risk assessment portion of IT today, and gives very practical and actionable things to do in order to be able to fix that, and to provide value to your organization.

Gardner: Jim Hietala, the emphasis in terms of vertical industries at the conference is on finance, government and healthcare. They seem to be the right groups to be factoring more standardization and understanding of risk. Tell me how it comes together. Why is The Open Group looking at vertical industries at this time?

Hietala: Specific to risk, if I can talk about that for a second, the healthcare world, at least here in the US, has new security rules, and one of the first few requirements is to perform an annual risk assessment. So it's currently relevant to that industry.

Same with finance

It’s the same thing with finance. One of the regulations around financial organizations tells them that, in terms of information security, they need to do a risk assessment. In government, clearly there has been a lot of emphasis on understanding risk and mitigating it throughout various government sectors.

In terms of The Open Group and verticals, we've done lots of great work in the area of enterprise architecture, security, and all the areas for which we've done work. In terms of our conferences, we've evolved things over the last year or so to start to look at what are the things that are unique in verticals.

It started in the mining industry. We set up a mining metals and exploration forum that looked at IT and architecture issues related specifically to that sector. We started that work several years ago and now we're looking at other industries and starting to assess the unique things in healthcare, for example. We've got a one day workshop at Philadelphia on the Tuesday of the conference, looking at IT and transformation opportunities in the healthcare sector.

That's how we got to this point, and we'll see more of that from The Open Group in the future.

Gardner: Are there any updates that we should be aware of in terms of activities within The Open Group and other organizations working on standards, taxonomy, and definitions when it comes to risk?

Hietala: I'll take that and dive into that. We at The Open Group originally published a risk taxonomy standard based on FAIR four years ago. Over time, we've seen greater adoption by large companies and we've also seen the need to extend what we're doing there. So we're updating the risk taxonomy standard, and the new version of that should be published by the end of this summer.

We also saw within the industry, the need for a certification program for risk analysts, and so they'd be trained in quantitative risk assessment using FAIR. We're working on that program and we'll be talking more about it in Philadelphia. Follow the conference on Twitter at #ogPHL.

Along the way, as we were building the certification program, we realized that there was a missing piece in terms of the body of knowledge. So we created a second standard that is a companion to the taxonomy. That will be called the Risk Analysis Standard that looks more at some of the process issues and how to do risk analysis using FAIR. That standard will also be available by the end of the summer and, combined, those two standards will form the body of knowledge that we'll be testing against in the certification program when it goes live later this year.

Gardner: Jack Freund, it seems that between regulatory developments, the need for maturity in these enterprises, and the standardization that's being brought to bear by such groups as The Open Group, it's making this quite a bit more of the science and less of an art.

What does that bring to organizations in terms of a bottom-line effect? I wonder if there is a use case or even an example that you could mention and explain that would help people better understand what they get back when they go through these processes and they get this better maturity around risk?

Risk assessment

Freund: I'm not an attorney, but I have had a lot of lawyers tell me -- I think Jim had mentioned before in his vertical conversation -- that a lot of the regulations start with performing annual risk assessment and then choose controls based upon that. They're not very prescriptive that way.

One of the things that it drives in organizations is a sense of satisfaction that we've got things covered more than anything else. When you have your leadership in these organizations understanding that you're doing what a regular reasonable company would do to manage risk this way, you have fewer fire drills. Nobody likes to walk into work and have to deal with a hundred different things.

We're moving hard drives out of printers and fax machines, what are we doing around scanning and vulnerabilities, and all of those various things that every single day can inundate you with worry, as opposed to focusing on the things that matter.

I like a folksy saying that sort of sums things up pretty well -- a dime holding up a dollar. You have all these little bitty squabbly issues that get in the way of really focusing on reducing risk in your organization in meaningful ways and focusing on the things that matter.

Using approaches like FAIR, drives a lot of value into your organization, because you're freeing up mind share in your executives to focus on things that really matter.

Gardner: Jack Jones, a similar question, any examples that exemplify the virtues of doing the due diligence and having some of these systems and understanding in place?

Jones: I have an example to Jack Freund’s point about being able to focus and prioritize. One organization I was working with had identified a significant risk issue and they were considering three different options for risk mitigation that had been proposed. One was "best practice,” and the other two were less commonly considered for that particular issue.

An analysis showed with real clarity that option B, one of the not-best practice options, should reduce risk every bit as effectively as best practice, but had a whole lot lower cost. The organization then got to make an informed decision about whether they were going to be herd followers or whether they were going to be more cost-effective in risk management.

Unfortunately, there’s always danger in not following the herd. If something happens downstream, and you didn't follow best practice, you're often asked to explain why you didn't follow the herd.

That was part of the analysis too, but at the end of the day, management got to make a decision on how they wanted to behave. They chose to not follow best practice and be more cost-effective in using their money. When I asked them why they felt comfortable with that, they said, "Because we’re comfortable with the rigor in your analysis."

Best practice

To your question earlier about art-versus-science, first of all, in most organizations there would have been no question. They would have said, "We must follow best practice." They wouldn’t even examine the options, and management wouldn’t have had the opportunity to make that decision.

Furthermore, even if they had "examined" those options using a more subjective, artistic approach, somebody's wet finger in the air, management almost certainly would not have felt comfortable with a non-best practice approach. So, the more scientific, more rigorous, approach that something like FAIR provides, gives you all kinds of opportunity to make informed decisions and to feel more comfortable about those decisions.

Gardner: It really sounds as if there's a synergistic relationship between a lot of the big-data and analytics investments that are being made for a variety of reasons, and also this ability to bring more science and discipline to risk analysis.

How do those come together, Jack Jones? Are we seeing the dots being connected in these large organizations that they can take more of what they garner from big data and business intelligence (BI) and apply that to these risk assessment activities, is that happening yet?

Jones: It’s just beginning to. It’s very embryonic, and there are only probably a couple of organizations out there that I would argue are doing that with any sort of effectiveness. Imagine that -- they’re both using FAIR.

But when you think about BI or any sort of analytics, there are really two halves to the equation. One is data and the other is models. You can have all the data in the world, but if your models stink, then you can't be effective. And, of course, vice versa. If you’ve got a great model and zero data, then you've got challenges there as well.

Being able to combine the two, good data and effective models, puts you in much better place. As an industry, we aren’t there yet. We've got some really interesting things going on, and so there's a lot of potential there, but people have to leverage that data effectively and make sure they're using a model that makes sense.

There are some models out there that frankly are just so badly broken that all the data in the world isn’t going to help you. The models will grossly misinform you. So people have to be careful, because data is great, but if you’re applying it to a bad model, then you're in trouble.

Gardner: We are coming up near the end of our half hour. Jack Freund, for those organizations that are looking to get started, to get more mature, perhaps start leveraging some of their investments in areas like big data, in addition to attending The Open Group Conference or watching some of the plenary sessions online, what tips do you have for getting started? Are there some basic building blocks that should be in place or ways in which to get the ball rolling when it comes to a better risk analysis?

Freund: Strong personality matters in this. They have to have some sort of evangelist in the organization who cares enough about it to drive it through to completion. That’s a stake on the ground to say, "Here is where we're going to start, and here is the path that we are going to go on."

Strong commitment

When you start doing that sort of thing, even if leadership changes and other things happen, you have a strong commitment from the organization to keep moving forward on these sorts of things.

I spend a lot of my time integrating FAIR with other methodologies. One of the messaging points that I keep saying all the time is that what we are doing is implementing a discipline around how we choose our risk rankings. That’s one of the great things about FAIR. It's universally compatible with other assessment methodologies, programs, standards, and legislation that allows you to be consistent and precise around how you're connecting to everything else that your organization cares about.

Concerns around operational risk integration are important as well. But driving that through to completion in the organization has a lot to do with finding sponsorship and then just building a program to completion. But absent that high-level sponsorship, because FAIR allows you to build a discipline around how you choose rankings, you can also build it from the bottom up.

You can have these groups of people that are FAIR trained that can build risk analyses or either pick ranges -- 1, 2, 3, 4 or high, medium, low. But then when questioned, you have the ability to say, "We think this is a medium, because it met our frequency and magnitude criteria that we've been establishing using FAIR."

Different organizations culturally are going to have different ways to implement and to structure quantitative risk analysis. In the end it's an interesting and reasonable path to get to risk utopia.

Gardner: Jack Jones, any thoughts from your perspective on a good way to get started, maybe even through the lens of the verticals that The Open Group has targeted for this conference, finance, government and healthcare? Are there any specific important things to consider on the outset for your risk analysis journey from any of the three verticals?

Jones: A good place to start is with the materials that The Open Group has made available on the risk taxonomy and that soon to be published risk-analysis standard.

Another source that I recommend to everybody I talk to about other sorts of things is a book called How to Measure Anything by Douglas Hubbard. If someone is even the least bit interested in actually measuring risk in quantitative terms, they owe it to themselves to read that book. It puts into layman’s terms some very important concepts and approaches that are tremendously helpful. That's an important resource for people to consider too.

As far as within organizations, some organizations will have a relatively mature enterprise risk-management program at the corporate level, outside of IT. Unfortunately, it can be hit-and-miss, but there can be some very good resources in terms of people and processes that the organization has already adopted. But you have to be careful there too, because with some of those enterprise risk-management programs, even though they may have been in place for years, and thus, one would think over time and become mature, all they have done is dig a really deep ditch in terms of bad practices and misconceptions.

So it's worth having the conversation with those folks to gauge how clueful are they, but don't assume that just because they have been in place for a while and they have some specific title or something like that that they really understand risk at that level.

Gardner: Well, very good. I'm afraid we will have to leave it there. We've been talking with a panel of experts about the new trends and solutions in the area of anticipating risk and how to better manage organizations with that knowledge. We've seen how enterprises are better delivering risk assessments, or beginning to, as they are facing challenges in cyber-security as well as undergoing the larger undertaking of enterprise transformation.

This special BriefingsDirect discussion comes to you in conjunction with The Open Group Conference in July 2013 in Philadelphia. There's more information on The Open Group website about that conference for you to attend or to gather information from either in live streaming or there are often resources available to download after the conference. Follow the conference on Twitter at #ogPHL.

So with that thanks to our panel. We've been joined by Jack Freund, Information Security Risk Assessment Manager at TIAA-CREF. Thank you so much, Jack.

Freund: Thank you, Dana.

Gardner: And also Jack Jones, Principal at CXOWARE. Thank you, sir.

Jones: It's been my pleasure. Thanks.

Gardner: And then also lastly, Jim Hietala, Vice President, Security at The Open Group. Thank you, Jim.

Hietala: Thank you, Dana.

Gardner: And this is Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator through these thought leader interview series. Registration to the July 15 conference remains open to attend in person. I hope to see you there. We'll also be conducting some more BriefingsDirect podcasts from the conference, so watch for those in future posts. Thanks again for listening, and come back next time.


Transcript of a BriefingsDirect podcast about how to achieve better risk management with better analysis of risk factors. Copyright Interarbor Solutions, LLC, 2005-2013. All rights reserved.


Tuesday, July 02, 2013

Cloud Services Help SHI Redefine the Buyer-Seller Dynamic for Huge Efficiency Gains Worldwide

Transcript of a BriefingsDirect podcast on how the networked economy is improving business and sales for an IT provider and its customers.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: Ariba, an SAP Company.

Dana Gardner: Hello, and welcome to a special BriefingsDirect podcast series coming to you from the 2013 Ariba LIVE Conference in Washington, D.C.

We're here to explore the latest in collaborative commerce and to learn how innovative companies are tapping into the networked economy. We'll see how they are improving their business productivity and sales, along with building far-reaching relationships with new partners and customers.

I'm Dana Gardner, Principal Analyst at Interarbor Solutions, and I'll be your host throughout the series of Ariba-sponsored BriefingsDirect discussions.

Our next innovator interview focuses on SHI International, a global provider of IT products, procurement, and related services, with more than $4 billion in annual turnover. We'll learn how SHI teamed with Ariba, an SAP company, to streamline IT product discovery and purchasing processes for large agricultural machinery builder AGCO. [Disclosure: Ariba is a sponsor of BriefingsDirect podcasts.]

To hear how they did it, please join me in welcoming our guest. We're here with John D’Aquila, Applications Support Manager at SHI International Corp. in Somerset, New Jersey. Welcome, John.

John D’Aquila: Welcome, Dana.

Gardner: Good to have you with us. Tell me a little bit about the requirements for buying and selling in this era of "fast is better," "more data is inevitable." What’s different now about buying and selling IT products and services than, say, three or four years ago?

D'Aquila: One thing that has really changed is that IT asset management is a hot topic right now. Customers want to track their purchases much more efficiently than in the past, so they can know exactly how much they have at all times. They want to know if they're over-licensed, under-licensed on the software side, or as far as hardware goes, they want to make sure that they have enough hardware in stock, but don’t have too much. You don’t want to have whole closets and warehouses full of equipment.

Gardner: So it's just as we've heard in a lot of other vertical sectors -- fit for purpose, not too wasteful, just in time, not over-inventory, that sort of thing. You have to be very precise, and therefore, you need to have the data about what’s going on across your supply chain.

D'Aquila: Correct. That's where electronic commerce comes in, in IT asset management. I always say that it starts with a great PO, because we want to make sure that when we receive that purchase order, we have as much information that the customer is going to be looking for us to report on downstream.

Years later, if they come back to us and say, how many desktops did we purchase over the last three years and who are they for, the only way we could tell them who it was for is if they told us that information on the purchase order.

Streamlined solution

So the best way to get that is to have a streamlined solution that everyone is using when they're procuring their desktop PC, versus the situation where one PO came over handwritten, one PO came over via fax, and the level of information on each of those POs would be different.

Gardner: How are you doing in terms of getting people to get more digital, more electronic? Is IT a leader or a laggard, or is it all over the map, depending on the individual organization?

D'Aquila: At SHI, as part of every customer QBR or RFP demonstration, we definitely focus on the shi.com portal, which is a standalone website solution to provide them the ability to procure their products from a customized catalog solution.

Then we show them how we can leverage our check-out question process to collect the information, to make sure that every request and purchase order comes over with that same level of information. If a customer has a solution like Ariba, then we explain to them how we can work with that.

Gardner: This would be a good point, I suppose, to learn more about SHI. Tell us about your organization, how it came about, what you're doing, and why this whole notion of being ultra-efficient across your purchasing processes is essential to your business.

D'Aquila: SHI is a global provider of IT products and solutions. We're headquartered in Somerset, New Jersey, and as you mentioned before, we had over $4 billion in revenue last year. This year we expect to surpass $5 billion.

The number of employees has doubled in four years. So there is definitely an investment internally to enhance the backbone of SHI, which is the sales force and the operations departments.

One thing that I always like to talk about is that as I walk in in the morning -- and all employees walk in -- above the SHI logo it says "Innovative Solutions and World Class Support." This reminds every employee, as they walk in, that our customers are the reason we're successful, and the way we retain those customers is by providing those innovative solutions and world-class support.

Gardner: Tell me a bit more about how these low-touch orders are executed, and what Ariba’s role is? How are we getting people to be more efficient and more data driven when it comes to procuring their IT services and products?

Customer driven

D'Aquila: The whole Ariba process is typically driven by the customer. In the early stages of evaluating a solution, we can tell them, if they ask us which one have you worked with and what are the benefits of each, but typically the decision has already been made by the time they come to my team.

We'll explain to them our capabilities around that, and how we could seek benefits from little pieces of information on either the punch-out setup request or on the purchase order.

Gardner: Tell us a bit about this example so we can learn more about how a good way to do this unfolds. AGCO -- who are they, how did they become your customer, what are you doing with them, and how do they exemplify what should be going on here?

D'Aquila: AGCO has been a customer of SHI’s for many years. The spend was at some growth, but it was really a slow trend up. Eric Deese is the contractor who is working on the project of enabling Ariba throughout AGCO.

We had a conference call to discuss the requirements and his scheduling and understanding his expectations of what we were going to do. From there, we put the resources in place. We did some testing with Eric, a full test, from the purchase order to invoice, to make sure that everything worked properly. Then, I handed it over to Tammy Wagner, who is the Account Executive for AGCO.

One thing that we really like to focus on with customers is, rather than show them everything we could sell, we show what they actually need and want. So we've tailored a catalog around the requirements that Eric provided to make it easier for his users to find products.

Since we've gone live, the number of products purchased from SHI and the different product lines has tripled. So it's been a great success story.

Gardner: How are these trends around cloud, big data, and more process-driven efficiency goals translated into actual savings or efficiencies? Can we quantify it? Are there any metrics of success even for a company like AGCO? What did they gain when they did this better?

D'Aquila: One thing is that they control their spend. In speaking to Eric, he explained that the AGCO users were buying software from everywhere. Some people would buy a shrink-wrap copy of software, which is really not the right way to buy software. They would use their P-Cards, and then they would just do an expense report, so it wouldn't be captured properly within their cost centers and the internal accounting.

Now, he said, all the employees of AGCO are going into the Ariba application and procuring their software from SHI. So maverick spend has been controlled.

As far as the cloud, we're not doing anything today with AGCO in that space. SHI does have cloud solutions, backup-as-a-service solutions, and hopefully in the future we can build that out.

Single-point purchasing

Gardner: Can you prove back to them, when they do this with a single point for purchasing and when they have a standard operating procedure that everyone lines up behind? You must get more data in that regard than you can feed back to the customer to prove to them what they are saving. For example, the P-Card tax, that's not involved. How can you quantify this in dollar terms? Do you have a means to do that?

D'Aquila: We don't know exactly how much they've paid in the past. However, we can show Eric the spend with SHI and how it has grown. We work with you. Your overall spend has helped you secure better pricing with the manufacturers and with SHI, which in the long-term will turn over savings for AGCO.

Gardner: As IT organizations, in particular, are looking to move more towards an operations expenditure (OPEX) approach rather than the capital expenditure (CAPEX), they're looking for services, for leasing, and for outsourcing types of services. How is that impacting your business and how does that also impact the buying and selling process?

D'Aquila: There has definitely been a trend of more operational expense, versus capital. We notice that customers are no longer treating a desktop as a commodity. It's more of a rental. You're going to use it for a few years and it's no longer going to be expected to run the life of an employee.

So the catalog refresh cycles have changed, as far as the number of items in the catalog. There is definitely standardizing and making sure that everyone in the organization has the same type of product, so they can get better imaging and so forth.

There is also a trend toward bring your own device (BYOD) that has been coming our way. Organizations are telling their employees, here are your minimum specifications, you can buy any PC, but it's out of your own pocket. It's up to you to purchase it, but you can bring that to work, whether it's a mobile device or even a laptop.

Gardner: Are you starting to see any trends with BYOD where they would say, you can buy it, but why don't you buy it through these guys because they get a bulk rate? Is there a sort of a hybrid, where it's the corporation managing the buy, getting the benefits of the bulk sale, the organization around that, but having it be done through the end user, the employee, and then managed by them over time?

D'Aquila: When we're involved, that's the BYOD procedure that I see in place. The customer does pick a standard set of solutions and products and say, here is what you could choose from 20 items, and you should buy this from SHI, because we have secured deals through the manufacturer and through SHI to get discounted pricing. Of course, they can go to a retail shop on a weekend and maybe get one of the five that come in that are on sale, but typically that's not going to meet the specifications.

Although it is BYOD, they're still putting minimum specifications that really require a business-type tool. You are not going to get away with a retail laptop, desktop, or even the smaller mobile devices.

Gardner: John, we've been talking a lot about how the buyer from your organization is benefiting from an Ariba relationship. How about on your acquisition side, your supply chain? Is the Ariba Network coming into play on that side as well?

Net new customers

D'Aquila: We use Ariba as a seller, we have seen great benefit in growing customers, and that's really where we focus. We want to get net new customers and grow the catalogs and offerings to the existing customers.

Today, there may be a customer that only purchases software from SHI. We want to introduce them to the fact that although we were Software House International, we are SHI now, because we sell all products that are IT related -- hardware, services, and solutions.

Gardner: And because we are here at Ariba LIVE, what are you hearing that excites you? It may be the spot-buying information. Is that something that would be of interest to you?

D'Aquila: Yes. I've used Discovery in the past. I think there were a lot of empty requests we would respond to, and then they wouldn't be viewed. I'm expecting that with the Spot Buy, because it will come directly out of the SAP application and will be someone keying in a request and looking for the bids, we'll get better leads from the solution. I'm looking forward to seeing what comes of it.

Gardner: I am afraid we will have to leave it there. We've been talking about how SHI has teamed up with Ariba to streamline IT product purchasing processes, especially for a large agricultural company, AGCO.

Thank you so much to our guest, John D’Aquila, Applications Support Manager at SHI International. Thanks so much.

D'Aquila: Thank you, Dana.

Gardner: And thank you to our audience for joining this special podcast coming to you from the 2013 Ariba LIVE Conference in Washington D.C.

I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your host throughout the series of Ariba sponsored BriefingsDirect discussions. Thanks again for joining, and come back next time.


Transcript of a BriefingsDirect podcast on how the networked economy is improving business and sales for an IT provider and its customers. Copyright Interarbor Solutions, LLC, 2005-2013. All rights reserved.



Thursday, June 20, 2013

Millennium Pharmacy Takes SaaS Model to New Heights Via Policy-Driven Operations Management and Automation

Transcript of a BriefingsDirect podcast on how a major healthcare provider has used advanced IT management and operational efficiency processes and systems to keep applications up to date, compliant, performant, and protected.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: VMware.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you're listening to BriefingsDirect.

Today, we present a sponsored podcast discussion on how an online pharmaceutical services provider Millennium Pharmacy Systems, Inc. has implemented a variety of software-as-a-service (SaaS) applications and then managed them through a more automated and efficient operational approach.

We'll learn how Millennium Pharmacy has used advanced IT management and operational efficiency processes and systems to keep applications up to date, compliant, performant, and protected.

To hear more detail on how automation and operational efficiencies help them improve their business results and customer retention, please join me in welcoming Leon Ravenna, Vice President of IT and Operations and Information Security Officer at Millennium Pharmacy Systems, Inc., based in Cranberry Township, Pennsylvania. Welcome, Leon. [Disclosure: VMware is a sponsor of BriefingsDirect podcasts.]

Leon Ravenna: Good afternoon.

Gardner: We're glad you could join us. Tell us a little bit about your IT state. What was the situation in your organization that made it clear that the way you had been doing it in the past was not holding up and that some new level of optimization, organization automation, improvement was needed?

Ravenna: I'll be happy to. I've been here about 14 months. One of the things that we looked at doing, right when I came in, is taking both the data centers that we have -- one is owned and one is a co-located facility -- and eliminating a lot of the older hardware that we had.

We are now about 85 percent virtualized. Our primary datacenter is for our customer-facing application, a SaaS application, built on SQL/.Net and Silverlight, for about 250 nursing care facilities on the East Coast. This basically controls all of the medications that a patient would need. It does our medical reordering and passes that information in an entirely integrated fashion back to our in-house systems for billing and filling of prescriptions.

What we looked to doing first was consolidating, getting rid of the older hardware, and moving us to a much better state. One of the nice things about VMware is that it’s just rock solid. We're kind of weary of knocking on wood, but it’s rock solid for us. It gives us the ability to move applications on an as-needed basis. We can upgrade things on the fly. In one data center, we are currently on 5.1, and we're moving the other data center to 5.1.

On our SaaS application, I have 250 separate SQL databases on seven SQL servers, running in a VMware environment and that helps me dramatically cut my licensing cost for SQL server and helps to manage them in a high availability way.

Gardner: Leon, before we get more into what you do and why you have certain requirements, I'd like to get a bit more information about what was different before you went to high virtualization. Everybody talks about the efficiency in cost utilization, but what about the management? Is there something about the way you've done this that has allowed you to be 24x7 up and keeping the performance where it needs to be?

More efficient

Ravenna: We had a couple of older Dell blade chassis, and inevitably you would lose the power supply or a server, and I just don’t have that. From an operational standpoint, it just helps to be more efficient. It has the ability to turn new servers up faster. It’s not something that we do all the time, but it helps me be much more efficient. I have a fairly small staff, and my goal is to let them sleep at night.

By having more VMware in place, about 85 percent virtualized, it allows me to do that. If the server fails, the applications move to a different server. I have the ability to upgrade the servers on the fly. It allows me, from an operational standpoint, to be more secure in what we're doing.

And it helps me lower my cost, because I am not as worried about my HVAC. I have less equipment to worry about. I have less break-fix to worry about. All in all, it helps me be remarkably more efficient.

Gardner: Let’s learn a bit more about Millennium Pharmacy. You're in the healthcare field which of course has already got pretty stringent requirements in terms of compliance, regulations, cost, audit trails, and making sure that data is available. Tell us about what you do and then perhaps a bit about why your requirements are pretty dramatic.

Ravenna: As I said, we host a system for about 250 nursing-care facilities. As a patient, you don’t have much time with your nurse. The nurse is typically gathering your drugs. We have our own pharmacies that service those homes. We deliver, in a cellophane sealed package, your medications.

These packages say, "Mr. Smith, take this at dinner time." There's a barcode for every drug, and when the nurse gives them the drug, they use a wireless scanner to scan that barcode and it automatically reorders the next set of drugs. We give patients about a three- or four-day supply, as opposed to 45- or 90-day supply, which cuts the cost for the nursing care facility itself. Then, we manage all of that data back to our other systems, that manage the filling of new prescriptions and billing and then we deliver every day.

The healthcare space is fairly stringent, and getting more so with the new HIPAA regulations. New ones just came out on March 26 of this year, and the enforcement and penalties are much greater. There are some significant items that have changed, but really it’s the enforcement and penalties, things around encryption, and protecting customers' data.

We also have to protect confidential information and so we need to be very secure. We're working to implement the new HIPAA regulations so we can be even tighter in that space.

Gardner: This is all done through SaaS and cloud. There are no on-premises installations of your application. Is that right?

Ravenna: Only one facility of our 250 has their own system. They are large, and one of their requirements was to have their own, but we support the rest of them, approximately 250, all cloud based. They can get to it from their Internet connection.

All SaaS

Depending on what the customer needs, we may set up the entire environment for them, networks, wireless, scanners, and printers, or they get to us through their own equipment and internet connections. But yes, it's all SaaS. 

Gardner: We're talking about being highly mission critical, people getting their medicine. We're also talking about being highly efficient. What were some of the requirements in terms of the infrastructure, particularly as we look now towards managing so many different instances and the ability to be agile and fire up new versions of VMware and to get those apps up and running? What were some of your requirements just from a management perspective?

Ravenna: It had to be easy. I have three system engineers. I only have a couple of network engineers. We support, on the network side, approximately 250 VPN tunnels out to customers, and as you said, it's mission critical. If people don’t get their drugs, it’s a bad day. We take that mission very seriously, making sure those systems are up and running.

From an operational or management standpoint, we really need to be monitoring to know what’s happening and when. Having VMware in that mix gives us the ability to make things consistent, but it also helps to reduce our cost from a licensing standpoint and helps us manage them better, because we can see what’s happening at any given moment.

Gardner: So as a mid-market organization, you're resource constrained, you just don’t have a huge staff, and you need automation. You need to have the ability to manage things, perhaps remotely.

So it's this notion of total approach to management, rather than silos, rather than integration of different management approaches and products together. That just wouldn’t fly. What have you done? What have you experimented with, as you move towards this more complete notion of management, one-stop shop, one pane of glass type thing?

Ravenna: There are a couple of things that we've done. We're evaluating vCenter Operations Management Suite. One of the things that it has let us do is dramatically reduce the size of our virtual machines (VMs).

Typically, if you're moving from a physical environment, VMware is a lot more efficient and it’s really kind of surprising seeing some of the reports that come back from vCenter Operations Management that tell you, realistically, you are running this server with six gigabytes of memory, but you are only really using one.

It’s a little bit spooky to look at it and ask if we really want to go that far. In some cases we would say, "Yes, let’s go ahead and do that," and it’s been, for the most part, dead-on. We've looked at a couple of things where our gut didn't say it was the right thing, even though it probably was. There's still a little bit of that old-school mentality that says you need to get more resources, when in fact the server may not even need them.

It lets us be a lot more efficient with what we are doing. It lets us manage more efficiently, because I can put more databases or more servers on each VM host.

Move quickly

Gardner: So when you look at the total picture, you need to be agile and able to move your resources quickly. You have a small staff. You need to be compliant in the tough confines of the healthcare regulatory environment.

Where do you look to go next? Is there a higher vision that you develop? We hear about the software-defined datacenter, for example. We hear about cloud computing where you can actually mirror your entire data center from one location to another, maybe it’s for disaster recovery (DR), maybe it’s just for operational efficiency. Is that on your radar? Is that what you like to see?

Ravenna: Absolutely. I have an overriding philosophy, after doing this for the last 20-plus years. The simpler I can make it, the more I get to sleep. Sleep is a recurring theme and realistically, that means fewer calls during the night.

We're looking to move to vCloud Suite, in particular Site Recovery Manager (SRM), and using the vCenter Operations Management Suite to allow us to be more efficient. It just helps us work better and faster. Some of the key components will help me to be as efficient as possible. I may eventually need to build out virtual data centers, so the VMware vCloud Director helps me.

Those are some of the key things I'm looking for in the future. For me, having multiple data centers, the ability to have VMware SRM, is just a great thing. It’s getting ready to thunderstorm here, and having the ability to move my services to a different data center that’s about 35 miles away is key.

Gardner: It’s pretty interesting that the notion of a one-size-fits-all, plain vanilla, public cloud wouldn’t be attractive to you. What would you like to see and what have you heard from VMware that might lead you to believe that they would be in a position to offer such a cloud service?

Ravenna: I don’t know that VMware has that today, but it’s a trusted brand, and I'm very leery about putting my data just in a cloud with everybody else. It would have to be very specific to the healthcare space, because you end up signing a business associate agreement with me.

It would have to be what I would term carrier-class facilities that can prove they are in the healthcare space, dedicated to being there, and abide by all the HIPAA Rules. We have all of the things like PCI and SSAE 16. Those types of things really need to be there and geared towards the healthcare space specifically for me to be able to look at them.

Gardner: And completely invisible to the end user. They're still getting their meds, making their orders, and everything is up and running. That’s a great vision. Do you see the vCenter Operations Management Suite as a key stepping stone to getting there? It seems to me that you can’t get to that vision until you really rationalize, organize, and lock down your operational integrity of what you have to play.

Ravenna: Yes. It will be a key component. In concert, the VMware Operations Management Suite and the vCloud Suite will help me get there. My whole goal is to be able to make things as simple as possible and as easy as possible to manage, and these tools let me do that and be more efficient.

No choice

I'm not a guy who wants to understand electricity or heating and ventilation, but unfortunately in the world that we live today, in the mid-market space, you have your own data centers. You have no choice. You have to play in that game. Anything that I can do that helps me to address those issues to run cooler or run with less equipment is just all goodness.

Gardner: As you have attained 85 percent virtualization and you're looking for efficiencies in your storage and your resource utilization, is there a payback that you can take to your higher ups? When it comes time to invest and go further down this journey, with that full realization of cloud and ease of moving payloads, workloads across distances, do you have metrics? Can you say, "Listen, I'm saving x percent?" How do you convince the bean counter that this is the right thing to do?

Ravenna: It’s not necessarily a metric, but when you're spending less year over year on equipment, that’s evidence. Every server you buy is going to be in the roughly $5-$10,000 range. If I'm not doing that, I'm agile and nimble in being able to say that I can accommodate that.

That's opposed to the old process which was, get the capital done, go to finance, and wait six weeks to get a server, and then put it in. Inevitably there is something that’s constrained. So that six-week lead time becomes eight or ten weeks. It just helps me to move faster and spend a lot less capital money.

One of the things that I mentioned a little bit ago was licensing from a SQL standpoint, but things like backup that are running on a per-processor standpoint within VM drop my overall cost.

One of the things that’s helpful as well is the dashboarding ability to be able to show what’s going on, what’s happening, and what the environment looks like. vCenter Operations Management Suite gives me that and it's all goodness.

Gardner: Leon, for those folks who might not be quite at 85 percent and who are trying to get there for some of the reasons you just mentioned, what advice would you give them? What are some of things that you’ve learned along the way to smooth that path to more managed, automated and agile?

Ravenna: One of the things that you will inevitably hear is -- and this may be kind of an old school thing -- the application won’t do that. You know what, it probably will. You can’t take no for an answer.

Most of the applications that we have, our applications are all custom .NET and SQL. But a lot of the other applications we have just moved there, because it made sense to us.

It makes operations easier for me, but realistically, part of it is not taking no for an answer. If you're comparing the cost of, say, a two-processor server, and you are going to go buy four, five, or six servers, take one of those servers and put that investment into VMware and vCenter Operations Management. You're going to be happier in the long term.

Managing the manager

Gardner: It sounds like you've made a lot of progress and I wish you well. My last area of questions is around managing the manager, the vCenter Operations Management Suite. Have you had to do a lot of training yourself? Did you go through it? How do you manage the personnel side in an organization like yours, where you do have still jacks-of-all-trades working in IT? What was the ramp-up in terms of the skills and the running of the management system?

Ravenna: For vCenter Operations Management Suite, it wasn’t too bad at all. We were talking to VMware, and they said it would be potentially beneficial. We started up, ran it, and there really wasn’t that much training that was necessary.

The harder thing was when they came back and said we were over provisioned. That was making that rationalization that VMware is a lot more efficient than physical hardware. It meant taking some of our servers from 4 GB RAM down to one half that, because that’s where they needed to be. In some cases, you want to be a little bit safe. You ultimately find out that the tool was right, and you were being gun shy.

Gardner: So you have more information at your fingertips, but sometimes it can be challenging to know what to do with it. I certainly understand that.

Ravenna: Yeah, a lot of it's interpretation.

Gardner: Great. We've been talking about how online pharmaceutical services provider Millennium Pharmacy Systems has implemented a variety of SaaS and other applications, virtualized them, and then managed that virtualization more to an automated operations approach. And we learned how this advanced IT management operation efficiency can keep these mission-critical applications up-to-date, performant, compliant and protective.

I want to thank our guest for joining us. Leon Ravenna. He is Vice President of IT Operations as well as the Information Security Officer there at Millennium Pharmacy Systems. Thanks so much, Leon.

Ravenna: Sure. Happy to help.

Gardner: This is Dana Gardner, Principal Analyst at Interarbor Solutions. I want to thank our audience as well for listening, and don’t forget to come back next time. 

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: VMware

Transcript of a BriefingsDirect podcast on how a major healthcare provider has used advanced IT management and operational efficiency processes and systems to keep applications up to date, compliant, performant, and protected. Copyright Interarbor Solutions, LLC, 2005-2013. All rights reserved.


Tuesday, June 18, 2013

Blue Marble Media Shows How Mid-Market Selling Gains New Life Via Ariba Discovery

Transcript of a BriefingsDirect podcast on how spot-buying capabilities can increase leads and sales for a small company.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: Ariba, an SAP Company.

Dana Gardner: Hello, and welcome to a special BriefingsDirect podcast series from the 2013 Ariba LIVE Conference in Washington, D.C.

Last month, we explored the latest in collaborative commerce to learn how innovative companies are tapping into the networked economy. We'll now see how they are improving their business productivity and sales, along with building far-reaching relationships with new partners and customers.

I'm Dana Gardner, Principal Analyst at Interarbor Solutions, and I'll be your host throughout the series. [Disclosure: Ariba, an SAP company, is a sponsor of BriefingsDirect podcasts.]

Our next innovator case study focuses on Blue Marble Media in Atlanta, and how they've been using spot-buying capabilities on the Ariba Network and Ariba Discovery to find new sales channels and new clients.

Please join me in welcoming our guest to learn more about how agile procurement is working for them on the sell side. We're joined by Cal Miller, Vice President of Business Development at Blue Marble Media. Welcome, Cal.

Cal Miller: Thanks very much for having me.

Gardner: Tell us a little bit about your company -- your size, what services and products you provide -- and we'll start to learn more about how you're selling in a new and innovative way.

Miller: Even though we're very, very small, less than $2 million in revenue, we have clients like Georgia-Pacific, Verizon, Ariba, and the CDC. We work with a lot of medium-sized companies and even startups, very small ones. So the whole planet is our opportunity, if you will. We develop video, motion graphics, and animation for sales support, marketing, corporate communications, and just about any type of visual presentation that you might need.

Gardner: And is this a large and growing market? Is this not something you are easily able to tap into? Why would you need to go through non-traditional channels to get new business?

Miller: Actually, it’s a very overcrowded supplier sector. We're a little different in that we're a turnkey provider. We're not just a “video house.” There are many of those out there, and they're good firms, but we're much more strategic. We do well when we begin a project and can interface at a C level with a company and help them come up with the strategy and the solution that eventually drives the message.

Our strength quite often is something that people don’t know is even out there. One of the real benefits we found out early on Ariba Discovery is we can help educate people on the process of looking for companies like us and then hopefully they are going to say, "Okay, we'll call you back."

Halfway to goal

Gardner: As someone who is already on the Ariba Network, they need to know and need to acquire, so they're halfway to finding the goal. You're going to need to go halfway toward them with your specific differentiating value and make that understood.

This notion of spot buying, however, expands that. It allows more than just a structured procurement professional who is looking for services and extends this down to people who are doing ad hoc, occasional, once-in-a-blue-moon types of buying. How has that worked out? Tell me a little bit more about how you even got involved with Ariba Discovery and spot buying at all?

Miller: In our world spot buying is probably half of our total business. Even large companies may only have a need for a high-profile video series once a year, two times a year, or every other year. So the people that are charged with developing that solution quite often aren't the people who are going to be writing the check or making the procurement, and vice versa.

So the real challenge there is to get these people to understand that there is a vetting process. Ariba has provided this service, so a company like us can sit up and say, "Hey, we're a little different than the other guys. Let’s engage and start some dialogue."

Gardner: What has been the result? Let’s learn first about how long you've been doing this? What’s the timeline on how you have been using Discovery and extending that to that spot buying type of clientele?

Miller: It will be a year in a couple of weeks. We took a few months to learn the system, ramp up, and get going, but we've already had a very nice project and contract from a national bank that came through the network. And we have kind of a follow-up project with them. So that will be additional revenue.

We have several opportunities that have been presented to us and we are in different stages of developing those projects as they move forward.

Even on a few of the introductions that we've passed up, we've made a response, but we knew it wasn’t a good fit. We've learned that you still need to respond, because you get that opportunity to almost simulate a face-to-face meeting, because they get to learn about you, and you're building a relationship.

One of the biggest challenges that people on this network don't realize is to not look at your computer screen like it’s just another interface computer screen. You're looking through the eyes of Ariba at a real, live person on the other end who can write you a check, and that changes the dynamic of how you communicate through the Network.

Gardner: And if it’s not a right fit for them, they might have a word-of-mouth, community, or social connection with someone that they could refer you to. So there are concentric circles of engagement.

Circles of engagement

Miller: That happens very often, especially with the larger companies. It’s, "These guys can do this. Here, give them a call in three months or pass this on to Joe, because they are going to need this." That’s worth its weight in gold. You can’t get that by knocking on the door or shooting out a bevy of emails. It just doesn’t happen.

Gardner: Now, as a mid-market company, a smaller company, you are of course price conscious yourself. What was the spend experience when you got involved with Ariba? How did you step into the water?

Miller: We had been a supplier to Ariba for about a year and a half, and then it was suggested that we needed to be on the network. We looked at it and started at the basic level. Within about four months, we realized that this is really a good deal. So I spent a lot of time learning more about it, and we immediately upgraded to the Premium Advantage level. It's the best investment we ever made.

Gardner: So this was sort of a crawl-walk-run approach, where you didn’t have to spend until you had the commensurate revenue to back it and make it logical?

Miller: Yes. And for us as a small company, and many of you listening may be able to identify with this, we have all these different marketing and sales-support options out there, and they are all good tools in their own right. But if you have limited time and budget, to me it was a no-brainer. This is the best way to make use of our time, get the quality of leads that we need, and make the contacts that we're looking for at a C level.

Gardner: And that seems to be especially the case when an organization like yours has a significant, maybe even a majority, portion of your sales in that ad-hoc spot-buying type of engagement.

Miller: Very well summarized, Dana. That's very true. For a company like us, we would love to get ongoing contracts, but in our world and with the product and service we offer, it doesn’t come that way. So spot buying is going to be the focus of how we utilize our partnership with Ariba.

Gardner: When you live quarter to quarter and you have to roll that rock back up the hill, it’s nice to have a partner to help you.

Miller: Absolutely. I wish this had been around 20 years ago.

Gardner: Very good. We'll have to leave it there, I'm afraid. We've been talking about how the mounting need for spot buying is benefiting companies who are selling into that type of engagement.

I'd like to thank our guest for joining us. We're here with Cal Miller, Vice President of Business Development at Blue Marble Media in Atlanta. Thank you, Cal.

Miller: Thank you very much. Enjoyed it.

Gardner: And thanks to our audience for joining this special podcast coming to you from the 2013 Ariba LIVE Conference in Washington, D.C.

I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your host throughout the series of Ariba sponsored BriefingsDirect discussions. Thanks again for listening, and come back next time.


Transcript of a BriefingsDirect podcast on how spot-buying capabilities can increase leads and sales for a small company. Copyright Interarbor Solutions, LLC, 2005-2013. All rights reserved.
