Ticking bombs in enterprise land

Written by Dennis Howlett on

I believe the enterprise software industry is heading for major problems. It started when I read Francine McKenna  where she talks about what she sees as a doomsday scenario for at least one of the Big Four audit businesses. Francine's focus is on questioning the effectiveness of current methods for protecting shareholder interest, most recently declaring that:

I say "when" not "if" since Jim Peterson and I agree most strongly on this:

Another large firm will fail soon.  Soon, to me, means in 1-3 years, not 5-8 or 10-13.

This is a strong statement for anyone to make. In Francine's alternate reality, audit disappears because it is no longer effective as defined by the market. The question comes - what replaces it? No-one has a clear answer. According to Jim Peterson, government most certainly doesn't. On the arguments I've seen so far, I believe Francine and Jim's assessments are correct. They have huge consequences for the software industry.

To date, the audit of software systems has been focused on business controls. Such things as who has access, testing the effectiveness of policies regarding access and so on. Almost nothing has been done to test or question fitness for purpose despite the continuing stream of failure stories outlined by Mike Krigsman and others.

The tenor of Mike's analysis variously points the finger at the industry vendors, consulting ecosystem and buyers. But it misses a fundamental point: there is no truly independent body of work that assesses the fitness or software quality for any particular purpose. Couple that with the fact buying decisions oft times make little objective sense and you have a recipe for disaster. For instance, in the scenario Mike most recently analyzed, he missed the fundamental point expressed by Alan Wilensky that:

This fine example of a 30 year old, family owned and run business of 300+ employees had made it to this stage, and profitably, without the burden of ERP. One of the brothers who inherited the executive mantle was gung-ho to innovate...and good for him, Jack! They had an organically grown process-based business that their dad and uncles built brick by brick.

Their IT was lovingly transitioned from a paper forms method to AS400, then to a custom Oracle system with PowerBuilder, and then some faltering, tentative steps to mobilize the processes, adding partners to the extranet over time. They had many successes and minor setbacks over a 10 year period mirroring the IT boom of the 90's.

It all started falling apart when a slick SAP VAR told the go-getter brother what kind of "efficiencies" he could gain by instituting automation for certain processes (that were not broken), such as their rapid replenishment system.

Given Alan's assessment, you have to ask: why did they bother? Without wishing to diminish Mike's analysis, which is based upon a different agenda to my own, it is worth asking the question: is (at least some) software acquired purely for ego and therefore in an irrational manner? If so then it can only ever be a matter of luck whether acquired systems deliver the value customers expect while providing the controls legislation demands.

In theory SAS70 provides customers with a level of comfort in regard to controls and security, offering as it does a so-called independent review under two types of engagement. However, in a world that is being persuaded to think about cloud computing as a cost reduction alternative to in-house managed systems and data centers, does SAS70 assurance cut the mustard? This is a question Vinnie Mirchandani raised in our Irregulars group. The ensuing discussion is disturbing.

Among our group, the feeling is that there is little focus on this issue. Much of what we see going on in cloud computing is restricted to smaller enterprises where controls are not as stringent as in the Sarbanes-Oxley world of big business. Even so, Vinnie is right to ask the question because there are significant advantages to be obtained from the virtualized world, even though that might mean working with many providers in an as yet unconsolidated cloud computing industry.

Vinnie and I asked for Francine's opinion. Based on discussions she had with colleagues who specialize in assurance and her own observations, Francine offered this view:

I think that SAS 70s in general have been given short shrift.  I have seen very few companies fully manage this process and make sure the controls they are asking vendors to get opinions on are aligned with the controls they would be testing if the process was managed in house.  In addition when you add the complexity of cloud computing/SaaS, unless there's some up front work done, everyone is going to just produce paper, track paper, and not look deeper unless forced to for some reason.

Francine then goes on to assume the audit industry will step up to the plate on the basis this represents the next step in ratcheting up fees using its time worn FUD approach.

But if in the meantime there is a catastrophic collapse, then doesn't this throw into question what, if any controls and their subsequent testing, can be relied upon? Or can we divorce one set of control questions from other issues? In my experience, catastrophe is always a combination of factors. Couple that with questions over fitness for purpose and you have the ingredients for a perfect storm.

The traditional software vendors, Microsoft, IBM, SAP and Oracle (MISO) will take comfort from the legacy systems via which they are able to draw ever increasing maintenance fees. They will argue 'time-tested' as a pillar for a 'trust me' argument while filling their coffers with service revenues that carry huge margins. That won't cut it because it provides little room to encourage process improvement or increased operational effectiveness. The very thing that business demands from its software investments.

Are there viable alternatives? The SAS70 issue can be addressed but in my opinion requires a different type of audit - one that is informed by systems thinking and not based on financial accounting. The Big Four don't have that expertise in sufficient depth. We will need to see the rise of alternative firms, perhaps drawing from the McKinsey and Bains of this world. That won't help business keep a lid on assurance cost in the short term but could provide the market with an alternative and more reliable source of information upon which to make a wide range of buying and investment decisions.

Let's take this one step further and slightly sideways. Among our group, there is an on/off discussion about the coming consumerization of business software. We largely observe from the sidelines as discussions rage around word of mouth, customer care and the new, socially focused marketing. In truth, many of us are skeptical. But then Ross Mayfield wrote about Apple's mix of sales to service and support and it set me thinking:

Support is viewed as a cost center.  Time to resolution (which we've decreased by as much as 30%) often trumps customer satisfaction or capturing knowledge.  Worst practices are often employed to incent contact center reps to avoid contact.

The problem is far worse with multi-vendor support.  Multi-vendor issues take 3-4 times longer to resolve.  So almost all vendors explicitly do not support these issues at all.  There is some promise in Vendor Relationship Management, or communities that address systemic needs through the demand side supplying itself, but only the beginning of promise.

So I wonder if Apple's vertical integration strategy is what makes this possible.  Is the 50% rule only a rule if you tackle the multi-vendor support problem?  Alignment or integration between Marketing and Support plays a role and some organizations put the same person in charge of Product Quality and Support.  But this opportunity space inherently requires rethinking not just organizational boundaries, but the firm itself.

If Ross's assertion is correct then what does this mean for enterprise software in a consumer aware world? What if a re-alignment of vendor priorities along these general principles helped drive up software quality? Is it even feasible to imagine enterprise software vendors taking on these characteristics or is the complexity of their ecosystems such that the whole sorry mess cannot be realistically unraveled? All it takes is for a clutch of high profile customers to look at their maintenance bills and say 'no more.'

I've long held the view that operating in functional siloes is not the best way to extract business value and hinders the ability to achieve transparency - another currently popular mantra. In my view, process solutions provide a better template for business because - among other things - they force the software vendor to think through the process implications of each step they propose. That should mean improved quality because the process solution has interdependencies which must hang together as a coherent whole.

The nascent process-based players like Workday could benefit significantly from this alternative view, as could CODA with CODA2Go and SAP with Business ByDesign (BYD). However, in a recent report I jointly authored with Brian Sommer about BYD, we said that for the time being, such solutions will find their natural homes in the SMB market rather than in very large businesses.

None of this process thinking addresses the welter of in-house developed systems upon which so many companies rely. Neither does it provide a coherent answer to the problem of complexity in both systems inventory or in managing value chains. I hope however that it raises some interesting questions.

For too long, we have not made the connection between catastrophic failure and the links between those who create, those who use and those who assure. It may require yet another collapse for that to come into sharp focus. What is becoming increasingly clear however is that the status quo is unsustainable.

