Home / Resources / News and Trends / Newsletters / AtIsaca / 2021 / Volume 19 / Achieving Application Rationalization Using COBIT 2019

Achieving Application Rationalization Using COBIT 2019

Author: Oluwaseyi Ojo, Ph.D., CEng, COBIT 5 Certified Assessor, ITBMC
Date Published: 30 June 2021

How many applications does the average organization use?

Research shows that, typically, an organization with 200 to 501 employees uses 123 applications. This may not sound completely unmanageable; however, a simple application count does not capture the full picture. The same organization would have an average of 2,700 app-to-person connections. Also, the cost of an annual software subscription for an organization with 200 to 501 employees is US$2,756. This does not include other operational costs. Part of this cost can be saved with application rationalization.1

Given the pace of dynamic change, growth in business and developments in technology, the number of applications an organization uses may have increased. Rapid growth can mean more cost (operational expenditure) for the business, not just from a financial point of view, but from an efficiency viewpoint as well.

Every application in an organization’s portfolio needs to deliver business value. This is why application rationalization has become one of the most important initiatives for chief information officers (CIOs) and chief technology officers (CTOs) today.

What Is Application Rationalization?

Application rationalization, sometimes referred to application portfolio rationalization, is the function of reducing the size of an organization’s application portfolio. Simply put, the fewer applications an organization has, the more likely it can improve efficiency and reduce or cut costs, especially operational costs.

Cost, in this context, is total cost of ownership (TCO), which is a calculation of all costs involved over time with IT infrastructure. This includes hardware and software acquisition, management and support, communications, end-user expenses and opportunity cost of downtime of IT equipment, training and other productivity losses.

“Application rationalization, sometimes referred to application portfolio rationalization, is the function of reducing the size of an organization’s application portfolio.”

Why Application Rationalization?

Application costs make up a large amount of an organization’s IT budget. This can be significantly reduced if organizations follow best practices for application rationalization.

Financial cost is not the only advantage that can be gained from application rationalization. Opportunity cost is another. Considering the nature of technological development, an application can cause opportunity costs in 2 on ways:

  1. Retaining older versions of certain software (also referred to as legacy software) prevents an organization from making use of new features and efficiencies as they advance.
  2. Opportunity cost can arise due to simple budgeting. Like other business units within an organization, IT departments have limited budgets, but they face a unique pressure for continual investment. Organizations that want to be on the cutting edge of technology will, by necessity, keep acquiring new applications. This explains why application portfolios continue to expand.

Opportunity cost also ties into increased efficiency. For example, IT departments that manage hundreds of different applications will likely find that this complexity slows everything down. Conducting application rationalization reduces the burden of maintenance and the time involved in training staff to use dozens of unnecessary applications.

Application rationalization is the first step toward better application portfolio management.

“Application rationalization is the first step toward better application portfolio management."

Application Rationalization: Drivers

Organizations may have many valid reasons for performing application rationalization. A few of the most common include the following:

  • Mergers and acquisitions—Merger and acquisition activity is one of the biggest drivers for organizations to start application rationalization. The acquired organization and the acquiring organization often have overlapping applications and business functionalities. Typically, within the first 12 to18 months, the newly formed organization must streamline processes by reducing the duplication of business applications.
  • Cloud migration—Most organizations today are moving their applications to the cloud at a fast pace. Organizations need to catalog applications and make sure they are cloud ready. In many cases, this entails rewriting the applications and retiring older applications, which tend to be extremely time-consuming initiatives.
  • Cost optimization and business consolidation—To keep up with the dynamic changing business landscape and deliver applications with faster time to market, it is important and necessary to consolidate applications to improve efficiency. Few organizations embark on streamlining the existing application portfolio with an explicit goal of lowering the TCO.
  • Response to a catastrophic event—COVID-19 has forced organizations to adapt and be creative in delivering customer experience through digital transformation. The constant pressure on application development and integration teams to do more with less has increased. For example, many restaurants have adopted online ordering to sustain their businesses. Other industries, from banking to insurance to legal, have had to quickly find new ways to run their businesses.
  • Need to create new customer engagement channels—Now more than ever, organizations have been creating newer customer engagement channels for a cohesive customer experience, such as chatbots, mobile channels and websites. It is imperative that organizations have their business applications ready for access across multiple channels and streamlined access, reusable application programming interfaces (APIs) and end-to-end security.

Application Rationalization: Reasons for Failure

Despite their best efforts, some organizations are unsuccessful in their attempts to carry out application rationalization. Although the reasons can vary based on the structure and goals of each organization, a few common causes for failure include the following:

  • Lack of engagement—Application rationalization is an important and significant initiative that requires dialog with all business stakeholders and alignment around the TCO of business applications. Disengaged business stakeholders can derail this effort.
  • Bloated and redundant application landscape—Bloated application portfolios hide redundancy and lock innovation spend to legacy applications. Shadow IT across line-of-business teams acquiring multiple applications and platforms makes it difficult to identify the applications that need to be in scope for the effort. This application sprawl also makes the discovery process and creation of an application heat map challenging.
  • Organizational structure—Competing priorities among different lines of business may create challenges when agreeing on an approach for the future state of the enterprise architecture.
  • Internal politics—Some individuals or groups of people may be benefiting from the lack of application rationalization.
  • Budgets and costs—How does an organization know when to embark on a rationalization exercise? How does it prioritize consolidating its portfolio? A common challenge is determining and committing to the budget necessary to carry out an application rationalization exercise.
  • Lack of credibility—Oversimplified cost and value analyses can undermine trust.
  • Lack of urgency—Build or fix activities often take precedence over application rationalization.

Using COBIT 2019 to Achieve Application Rationalization

COBIT® 2019 is a framework for the governance and management of enterprise information and technology aimed at the whole enterprise (figure 1).

Figure 1—COBIT Core Model

Source: ISACA®, COBIT® 2019 Framework: Introduction and Methodology, USA, 2018

COBIT 2019 clearly distinguishes between governance and management objectives. In alignment with International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 38500, COBIT 2019 presents governance objectives in terms of evaluating, directing and monitoring, and management objectives as planning, building, running and monitoring activities to achieve enterprise objectives. COBIT is a guide, so it is not necessary to implement COBIT as a whole. Instead, it should be adopted and adapted to develop a fit-for-purpose governance and management of information and technology (I&T) solution.

There are 12 steps for using COBIT to achieve application rationalization:

  • Step 1: Develop an application architecture vision
  • Step 2: Define the focus area—In this case, the focus area is application portfolio rationalization.
  • Step 3: Define the design factor(s)—Enterprise goals, enterprise strategy, risk profile, I&T-related issues, the role of IT and enterprise size should all be defined (figure 2).

Figure 2—COBIT 2019 Design Factors 


Source: ISACA®, COBIT® 2019 Framework: Introduction and Methodology, USA, 2018

  • Step 4: Define the scope of the application rationalization initiative—Apply specific, measurable, achievable, relevant, timely (SMART) goals. Does the organization want to focus on specific applications that support a business process to drive efficiency and effectiveness or application(s) within a particular business domain (e.g., finance, human resources [HR], marketing) to achieve consolidation and manageability within that domain?
  • Step 5: Conduct an application portfolio assessment—Compile application names, the system(s) where each application is deployed, location(s), application owner(s) (stakeholders), the life cycle of the application, usage of the application, application business value and its quality and costs.
  • Step 6: Document the application landscape
  • Step 7: Prioritize governance and management objectives—Select applicable governance and management objectives from the 40 governance and management objectives. For example, an organization may select all 5 of the governance objectives and a selection of applicable management objectives. Such a list might reflect the following COBIT 2019 objectives:
    • Evaluate, Direct and Monitor (EDM) 01 Ensured Governance Framework Setting and Maintenance
    • EDM02 Ensured Benefits Delivery
    • EDM03 Ensured Risk Realization
    • EDM04 Ensured Resource Optimization
    • EDM05 Ensured Stakeholder Engagement
    • Align, Plan and Organize (APO) 01 Managed IT Management Framework
    • APO02 Managed Strategy
    • APO03 Managed Enterprise Architecture
    • APO05 Managed Portfolio
    • APO06 Managed Budget and Costs
    • APO12 Managed Risk
    • APO13 Managed Security
  • Step 8: Cascade goals—Apply cascading goals (figure 3) to support enterprise goals. These goals should also support the prioritization of management objectives based on the prioritization of enterprise goals.

Figure 3—COBIT 2019 Goals Cascade


Source: ISACA®, COBIT® 2019 Framework: Introduction and Methodology, USA, 2018

For example, organizations have stakeholder drivers and needs, which include improving business operation efficiency, reducing operational costs, improving opportunity costs, enabling faster service/product delivery, supporting better quality of service/product, increasing revenues and optimizing business applications. These cascade to enterprise goals, which include creating a customer-oriented service culture, optimizing internal business process functionality, evaluating the impact of redundant or legacy applications on the business, managing business risk, optimizing business process costs, and managing the digital transformation program. These, in turn, cascade to alignment goals, which include realizing benefits from application rationalization initiatives, managing I&T-related risk, delivering products/services in line with business requirements, developing competent and motivated staff with a mutual understanding of technology and business, and enabling and supporting business processes by integrating applications and technology. These cascade to governance and management objectives.

  • Step 9: Capture value—To satisfy governance and management objectives after prioritization, value must be captured from the components of the governance system: processes; organizational structures; principles, policies and frameworks; information; culture, ethics and behavior; people, skills and competencies; and services, infrastructure and application (figure 4).

Figure 4—Components of the Governance System 


Source: ISACA®, COBIT® 2019 Framework: Introduction and Methodology, USA, 2018

Examples of how an organization may realize value from governance components, as related to application rationalization include the following:

  • Culture, ethics and behavior deal with mindsets and people practices. To achieve application rationalization, an organization must engage business stakeholders constantly. The key to engagement is a fact-based dialog about the TCO of business applications. This helps to address issues the initiative may cause regarding organizational culture.
  • Processes need to be prioritized to ensure that business processes are streamlined and repeatable.
  • People, skills and competencies mean that leadership must create an environment that attracts the best people, cultivates staff growth, provides training and supports team members.
  • Organizational structure calls for leadership to make sure that organizational structure aids, rather than hinders, improvement efforts of operational excellence.
  • Step 10: Design a tailored governance system—Apply the governance system design workflow (figure 5).

Figure 5—Governance System Design Workflow 


Source: ISACA®, COBIT® 2019 Design Guide: Designing an Information and Technology Governance Solution, USA, 2018

  • Step 11: Implement the tailored governance system—Adopt the implementation approach, ensuring that everyone in the organization is on board.
  • Step 12: Make application rationalization a continuous process—It is important to continuously maintain the application landscape. A one-time initiative might save the organization some money in the beginning, but the long-term business value that application rationalization offers will be missing.

The continual revisitation of the application rationalization process is just as important as the initial steps.

Application Rationalization: Benefits

There are many benefits to an organization resulting from undertaking a consistent, rigorous application rationalization process, including:

  • Reduction of IT costs
  • Minimization of unnecessary IT expenditures
  • Reduction of IT complexity
  • Elimination of redundancies within the IT landscape
  • Reduction of unnecessary training for applications that are no longer used
  • Improvement of the overall effectiveness of IT
  • Assurance that the IT landscape is actively aligned to business goals and objectives

Conclusion

Understanding the true value that each application (existing, custom-developed, commercial off the shelf [COTS]) has on business outcomes is one way to remove blockers in the application rationalization effort. Applications that provide the most value toward the future state of the business should be a higher priority. Using the COBIT 2019 framework helps organizations achieve value streams such as value creation, value capture and value delivery.

Endnotes

1 Diaz, A.; 2019 Annual SaaS Trends Report, Blissfully, 12 February 2019

Oluwaseyi Ojo, Ph.D., COBIT 5 Certified Assessor, ITBMC

Is an experienced business leader and security architect with a focus on governance, quality, risk management, compliance and deep competencies in cybersecurity management, business security architecture, enterprise architecture, enterprise risk management, IT governance, project management, business continuity management, network security, cloud security, solution architecture, cyberthreat intelligence, information security and assurance. He has been leading transformation initiatives in several organizations since 2003. He can be reached at sameoj@gmail.com or www.linkedin.com/in/sameoj/.