Actionable Intelligence Demands Action to Address Business Risk

By Benjamin Davies

Elevator Pitch

Every capacity management investigation should be focused on business risk, stated as business risk, and addressed as business risk. Join us to discuss the mission you SHOULD be on as a capacity manager or performance manager, leveraging senior level authority to drive ACTION that mitigates risk.

Description

A conversation that explores the investigation mission you SHOULD be on as a capacity manager or performance manager, and shows tools and techniques to leverage senior level authority to drive ACTION. Every investigation should result in some documented action, which includes purposeful inaction. Every investigation should be focused on business risk, stated as business risk, and addressed as business risk. You might think you are doing this now, but if you are not citing internally published policy and standards, this session is for you.

Come join this session; we might just change how you look at capacity management.

Notes

Most capacity managers and information technologists have a difficult time getting the business to address performance problems and resource constraints. The thesis of this session is that the business is not equipped to react to your requests. Not because they don’t care, but because the request is not easily prioritized alongside other business priorities. The tools and techniques presented in this session help to evaluate perceived performance problems in business language, and to make observations and recommendations that business owners understand and are equipped to deal with. For an added bonus, approach the conversation with the authority of the Office of the CIO (or similar level).

This is done by realizing what the levels of risk are to the business, evaluating against their criteria, and leveraging established business goals to quantify or define the capacity problem. I realized this mismatch early in my career doing IT Security in a high-risk manufacturing environment. I was telling the business that not changing their LAN password according to our standard was a HIGH (business) risk. For the security department this may have seemed true, but the business assigns a HIGH risk to “Events that might cause 10 million dollars in direct expense, 3 employee deaths, 1 civilian death, or become a (negative) lead story in the national news.” Imagine the business skepticism when we said “passwords = high (business) risk”. We were mocked openly and with great delight.

We reached an understanding when I showed the business a password crack attack, and how trivial the process is, then asked: what if I could, as your competitor, read what is on your desktop? Pricing schedules, product formulas, and customer lists. What damage would THAT cause? The business agreed on a HIGH risk rating. Conversely, some of the other items were backed down to medium or low risk, using the BUSINESS definition of risk.

When it comes to getting the business to understand an overly busy CPU or undersized servers, they have no way to prioritize that among their other responsibilities. Our suggestion is to find the performance and resource standards issued by the Office of the CIO (or similar authority), and evaluate against those. The authority has been documented in the articles of incorporation, which give the CEO the responsibility to hire officers and run the company properly. The CEO delegates to the CIO the responsibility to run the information systems appropriately. Part of that is to delegate to application owners, technology owners, and other directors the responsibility to set standards, directions, and policy for the effective management of resources. Somewhere in that chain of authority, a document exists that allows for performance standards. Find it, or make it using the authority of the proper office, then enforce it.

The business does not understand, and does not know how to react to, your saying that there is high CPU. But they do know how to react to, and completely understand, what you mean when you say: “we have observed that your system is materially out of compliance with a CIO (or similar authority) policy.”

While the process, tools, and techniques of the capacity planner might not change, the motivation (compliance with a published performance standard) does. Communicating a business risk, stated as a business risk, to a business person, using the authority of the office that promulgated the standard, changes how the business understands and reacts to the risk. They still don’t know what it means to have high CPU, but at least now they can talk about the risk in a way that lets them react to and resolve it.