Aggregated enterprise architecture wisdom
EA site:Enterprise Architecture MattersStrategy Rings frameworkTwitterPresentationsEnterprise Architecture in 3 minutes or soOne Page Generic Business ArchitectureEA value propositionEA roadblocks and remediesThe Cloud, EA and SOABlogsebizQ ITTool…
Investing in the channel innovation, aligned with the customer relation you aspire, is crucial to come and/or stay in the picture of your intended audiences. We underlined this in the blog post in which I reviewed the HBR-article on Four paths of business model innovation. In this blog post we look into the specific case of channel innovation in fast food, were middle man pop-up to deliver chain restaurant food to homes.
Recently a video on Ring ‘n Bring (in Dutch) caught my attention. They deliver products from fast-food chains like Burger King, McDonalds and KFC. They have no official relation with these companies, but just stand in line like everyone else, place the order of their customer, check, pack and deliver. They also have an on demand button, by means of which you can send Ring ‘n Bring to any other restaurant you like and let them place your order. Next to the website, they communicate with customers via email, telephone and WhatsApp.
For McDonalds in The Netherlands it is challenging to deal with this new player. On the one hand, this is an extra channel to the market, but on the other hand, it is a channel they cannot control very well. McDonalds decided to give this entrepreneur a hard time by making him stop using their name and logo. Not very successful, since “Donald’s Place” is still easily recognizable for any customer. Furthermore, Ring ‘n Bring employees are hard to distinguish from any other person waiting in the line for their orders to be taken.
.png)
In the UK, ‘Munchie Man’ Paul Appleby is running a similar concept and seems to be successful.
And also in the UK the fast food chains are not welcoming the new revenue stream with open arms, using arguments on the usage of the brand and trade name and stating doubts about the food quality, without giving proper recommendations or setting requirements for storing and transporting their food.
McDonalds in Europe should (an probably is) considering the options to react to the underlying customer needs that make these services pop-up. Delivering BigMacs is very common in for instance The Philippines, where ‘McDelivery’ is a success since 2005, run by McDonalds Philippines. This neutralizes their arguments about food quality and safety regarding delivery services in the Netherlands and the UK. (Or are health and quality standards of Philippians lower?)
Channel innovations are relatively easy to implement, compared to product innovations and customer innovations. Channels are changing fast and customers are switching channels faster than McDonalds can open new restaurants. Fast food restaurants need very clear insight in the reasons why people are going to their restaurants. The fact that these delivery services pop-up and are successful underlines that a large group of (young) customers is not willing to move themselves in the direction of the food they want, and that they expect the food to move in their direction, whenever and wherever they are. There are clear parallels with how the music and movie industry reacted to channel innovation disrupting their business models. (What will a Spotify for fast food look like?? Is there a market for a subscription to unlimited amounts of fast food from any restaurant?)
If companies are not able to deliver against changed expectations, they will lose a group of customers to any other company that ís. Business model innovations, including the introduction of new channels, are hard to handle by existing (large) companies, but they just cannot be ignored in this era of ever-changing (digital) demands.
For McDonalds, it is a challenge to integrate delivery into their franchise formula. How will franchisees survive when the revenue is moving from their stores or restaurants, to the central website? They should be able to crack this nut, as many delivery oriented (pizza) chains are franchise models. But the McDonalds business model is not only about franchising, but also about renting locations. This part is at serious risk, or at least is changing. Expensive, visible locations are less of a differentiator when delivering the food.
‘McDelivery’ is working in the Philippines, so why push back in Europe? The challenge is known to the McDonalds organization, since I couldn’t have state it better than Ray Kroc on the McDonalds Philippines website. But “The right place at the right time” is defined only by your customers!
.png)
By Dave Lounsbury, Chief Technical Officer, The Open Group A tip of the hat to @artbourbon for pointing out the article “Principles for Open Innovation and Open Leadingship” by Peter Vander Auwera, which led to a TED Talk by Joi … Continue reading →
Trends in building software products, services and solutions indicate that release cycles are becoming increasingly faster to keep up with customer demand, market competition, and technology innovation. Businesses that are not able to deliver with agility and quality fall behind. What businesses are seeking is a platform, a robust assembly line-like process, to accelerate delivery to customers. All while minimizing human error, and maximizing efficiencies through automation, but with enough transparency, control, and governance through […]
If you liked this, you might also like:
Platform-as-a-Service (PaaS) is all about abstraction and automation. Abstracting away from underlying technology layers by automation. That’s basically what is happening on each layer of a cloud architecture, from hardware to IaaS, to foundational PaaS, to aPaaS. All this abstraction and automation is aimed at making application deployment a one-click or one-command experience for the developer. It makes deployment a self-service experience for the developer, which eliminates hand-offs and thus improves.
The post PaaS is lacking a vision on application development appeared first on The Enterprise Architect.
Let’s be clear. Sustainability is about a lot more than just environmental policy. Making our footprint on the planet bearable (for the planet) will only succeed on the basis of social equity and economic viability. And not everyone is delighted about that. All Your Natural Resources Are Belong To Us A few weeks ago I happened […]
The New York times reported that data scientists spend significant time transforming raw data so that it can be analyzed by algorithms implemented in software. A number of startups are
The post NYT Report: ‘Janitor work’ Big Part Hurdle to Insights — What Can EAs Do About This? appeared first on Enterprise Architecture Professional Journal.
Technology is playing a much bigger role in customer’s lives, and is changing the way senior management view the IT department. Historically the CIO’s role was to keep the lights running, now however, IT is considered to not only be the key to unlocking new revenue, but also a way of keeping up with the Read More
When does EA start to care about sociocultural influences? Nick Malik stresses this point. But should we care?True, reality is “messier” than the boxes and lines of an enterprise architecture because it is invariably more complex than the models t…
IASA’s blogs on “Phrases architects have to stop using”.
But should they?
1. “Serve the business” is true if you see IT as a service provider.
1.1 The business can and does increasingly select today external partners that provide ser…
Call for Book Chapters Beyond IT Strategy: Digital Strategies for the 21st Century In the 21st century, the presence of technology is ubiquitous. Computers have moved from batch processing in the back-office through word processing in the front office to being the medium that glues together organisations, supply chains, and customers. Being digital across any […]
Until quite recently, IT security was the exclusive domain of security specialists. However, in the last couple of years, organizations have started to realize that IT-related risks cannot be seen in isolation, and should be considered as an integral part of Enterprise Risk and Security Management (ERSM). ERSM includes methods and techniques used by organizations to manage all types of risks related to the achievements of their objectives.
It is only natural to place ERSM in the context of Enterprise Architecture (EA), which provides a holistic view on the structure and design of the organization. Therefore, it is not surprising that EA methods such as TOGAF include chapters on risk and security (although the integration of these topics in the overall approach is still open for improvement), and a security framework such as SABSA shows a remarkable similarity to the Zachman framework for EA. And as a corollary, it also makes perfect sense to use the ArchiMate language to model risk and security aspects.
The previous blog post in this series outlined a method for EA-based ERSM with ArchiMate. This article proposes an initial mapping of risk and security concepts to ArchiMate concepts, and illustrates how these concepts can be used as a basis for performing an organization-wide risk assessment.
Most of the concepts used in ERSM standards and frameworks can easily be mapped to existing ArchiMate concepts. And since ERSM is concerned with risks related to the achievement of business objectives, these are primarily concepts from the motivation extension.
Any core element represented in the architecture can be an asset, i.e., something of value susceptible to loss that the organization wants to protect. These assets may have vulnerabilities, which may make them the target of attack or accidental loss.
A threat may result in threat events, targeting the vulnerabilities of assets, and may have an associated threat agent, i.e., an actor or component that (intentionally or unintentionally) causes the threat. Depending on the threat capability and vulnerability, the occurrence of a threat event may or may not lead to a loss event.
Risk is a (qualitative or quantitative) assessment of probable loss, in terms of the loss event frequency and the probable loss magnitude (informally, ‘likelihood times impact’).
Based on the outcome of a risk assessment, we may decide to either accept the risk, or set control objectives (i.e., high-level security requirements) to mitigate the risk, leading to requirements for control measures. The selection of control measures may be guided by predefined security principles. These control measures are realized by any set of core elements, such as business process (e.g., a risk management process), application services (e.g., an authentication service) or nodes (e.g., a firewall).
ArchiMate mapping of risk concepts
Using one of the extension mechanisms as described in the ArchiMate standard, risk-related attributes can be assigned to these concepts. The Factor Analysis of Information Risk (FAIR) taxonomy, adopted by The Open Group, provides a good starting point for this.
If sufficiently accurate estimates of the input values are available, quantitative risk analysis provides the most reliable basis for risk-based decision making. However, in practice, these estimates are often difficult to obtain. Therefore, FAIR proposes a risk assessment based on qualitative (ordinal) measures, e.g., threat capability ranging from ‘very low’ to ‘very high’, and risk ranging from ‘low’ to ‘critical’. The following picture shows how these values can be linked to elements in an ArchiMate model, and how they can be visualized in ‘heat maps’:
The level of vulnerability (Vuln) depends on the threat capability (TCap) and the control strength (CS). Applying control measures with a high control strength reduces the vulnerability level.
The loss event frequency (LEF) depends on both the threat event frequency (TEF) and the level of vulnerability. A higher vulnerability increases the probability that a threat event will trigger a loss event.
The level of risk is determined by the loss event frequency and the probable loss magnitude (PLM).
Qualitative risk assessment
The example below shows a simple application of such an assessment. A vulnerability scan of the payment system of an insurance company has shown that the encryption level of transmitted payment data is low (e.g., due to an outdated version of the used encryption protocol). This enables a man-in-the-middle attack, in which an attacker may modify the data to make unauthorized payments, e.g., by changing the receiving bank account. For a hacker with medium skills (medium threat capability) and no additional control measures, this leads to a very high vulnerability (according to the vulnerability matrix above). Assuming a low threat event frequency (e.g., on average one attempted attack per month), according to the loss event frequency matrix, the expected loss event frequency is also low. Finally, assuming a high probable loss magnitude, the resulting level of risk is high. As a preventive measure, a stronger encryption protocol may be applied. By modifying the parameters, it can be shown that increasing the control strength to ‘high’ or ‘very high’, the residual risk can be reduced to medium. Further reduction of this risk would require other measures, e.g., measures to limit the probable loss magnitude.
Risk analysis example
By linking risk-related properties to ArchiMate concepts, risk analysis can be automated with the help of a modeling tool. In this way, it becomes easy to analyze the impact of changes in these values throughout the organization, as well as the effect of potential control measures to mitigate the risks. For example, the business impact of risks caused by vulnerabilities in IT systems or infrastructure can be visualized in a way that optimally supports security decisions made by managers.