Case Study

Recovery Assessment for a European Financial Services Client

This is how we helped one of Europe’s big financial institutions to understand why their Identity programme was in trouble and what needed to be done to get it back on track.

TL;DR

How it started

The client, a major European financial services organisation, came to us for help having invested substantial time and money in Identity Security software and consultancy services over a number of years, with little or no tangible return on that investment.

The organisation had outsourced the design and implementation of their Identity Security solution to a well-known IT consulting partner, but the programme was €millions over budget and years behind schedule. As with many financial services organisations, improved regulatory compliance was the primary driving force behind the Identity Security programme, and the lack of progress, despite many €millions spent, was deemed unacceptable to the Board and a programme review was mandated.

The Results

Comprehensive assessment report of core issues

The output from the programme review and maturity assessment means the customer now has a clear understanding of the multiple influencing factors which contributed to the failure of the original project.

Strategic roadmap for project recovery and regulatory compliance

The customer now has a viable strategic roadmap for both the recovery of the project itself and a route to meeting the organisation’s regulatory compliance obligations, including interim compensating controls and mitigation of outstanding audit remarks.

Detailed stakeholder engagement plan

In partnership with the organisation’s internal Technology Awareness team, we created a comprehensive internal stakeholder engagement plan, complete with an events calendar for outbound communications and templates for emails, presentations and other stakeholder/user touchpoints.

The Full Story

What Was Needed

An in-depth programme review was requested, with Onaware recommended by the software vendor as their expert Identity Security partner. We were commissioned to conduct a maturity assessment on the programme and advise on the viability of the current plans to meet the required deliverables.

What We Did

We conducted a full programme review, a maturity assessment of Identity Security across the organisation and a technical assessment of the existing Identity platform. The deliverable from this exercise was a full and frank report that would ensure those responsible for the recovery of the programme completely understood the situation they were in, what the recommended recovery plan entailed, and how this could be achieved.

What We Discovered

The findings from our review revealed that this really wasn’t a technology problem in the usual sense. The client’s initial assumption, endorsed by the incumbent partner, that the chosen software solution was in some way deficient was not borne out by our findings. The reality was, the partner had delivered little more than what was effectively an unconfigured, out-of-the-box implementation which was vastly underutilised.

The gap analysis revealed a major rift between where the client had been led to believe they were and where they actually were.

The Identity Security solution was drastically underutilised. Many standard Identity Lifecycle Management processes were still relying on labour-intensive manual activities, rather than being orchestrated and automated using the Identity platform.

Applications deemed as ‘onboarded’ into the Identity platform were not, in any meaningful way. In many cases, user access data for those applications was exchanged on an ad hoc basis using files. Access data for these applications could be months out of date.

This was considered acceptable and the application deemed ‘onboarded’ by the partner. The client team, entirely reliant on the partner’s assumed expertise, were led to believe that this was the norm.

Cause & Effect

At the point we became involved, confidence in the programme and in the technology across the organisation was effectively zero. As it became increasingly apparent to those involved that they were veering towards failure, the client’s internal programme and technical teams were delivering status reports that could be considered optimistic at best.

Ultimately, this resulted in a cascading chain of erroneous reporting. The partner team delivered overly optimistic plans to the client programme team. The programme team perpetuated this unfounded optimism by planning and reporting based on the information they were given. The programme sponsor repeated this to the Board, and entirely unrealistic expectations were set.

When the reality of the situation started to become clear to the internal programme team, they found themselves in a position where they were unable to deliver on the plan. They had unwisely given full responsibility for delivery to the partner. In response, the scope was quietly reduced, small wins were claimed as major successes and reporting remained steadfastly green across the board.

How This Happened

We often see similar situations when we are engaged in a Project Recovery situation. Clients find themselves drawn into the partner’s overly optimistic plans, making it hard for the client programme team to hold the partner to account when things go awry.

Corporate culture and organisational behaviour have a part to play in this, with the ‘on time and on budget’ expectations created by waterfall project management, and an ‘it’s not failing until it actually fails’ approach encouraging optimistic planning and status reporting.

As we dug deeper into the background of the programme it became increasingly clear that there had been little to no stakeholder or application owner engagement across the organisation and the Identity programme was seen as something being done to the business, rather than for the business.

The client had received little in the way of a ‘vision of a solution’ from their partner. There was no real understanding of what the solution they had purchased was capable of delivering for them and consequently, the perception within the organisation was that the programme (and by extension, the Identity platform itself) had failed to deliver the expected benefits.

Why Onaware Was The Right Partner

At Onaware, our approach to doing business is founded on total honesty. We delivered a full and frank overview of the reality of the situation, providing the evidence, findings and impact assessment in clear, concise language.

Each area of concern was mapped out with where they were against where they should be, could be and finally where they wanted to be. Onaware was asked to deliver the remediation of the Identity Programme and ultimately became the client’s sole Identity Security advisory and delivery partner.

Technology is often blamed as the source of failure in Identity Security programmes. In this case, we uncovered significant issues with the capabilities of both the partner and the internal programme management culture. The technical issues were substantial, but with the right expertise, they were recoverable. These were mostly caused by the use of out-of-the-box configurations, implemented by a partner team with little understanding of the technology or the discipline of Identity Security itself.

Ultimately, the recovery of this programme (covered in a separate Case Study here) required the entire set of skills upon which Onaware has built its reputation, from our deep understanding of organisational behaviour and vast experience of programme management to the best technical expertise in the industry.

There’s a reason clients, vendors and other consultancies come to us when they need expert help with Identity Security. We succeed where others have failed.

We are Onaware and Identity is what we do.