OIA0094 Review of End User Computing Final Report 2013 Redacted.pdf

Internal Audit

End User Computing Review 2013

(20 June 2013)

End User Computing Review Report 2013

Executive Summary

The scope of this review is to assess the use of End User Computing (EUC) – where
Statistics NZ is now and what is ahead. It identifies future risks and opportunities, and
assesses the appropriateness of strategy, plans, tools, and resources to provide end user
computing as part of the 10 year whole of organisation transformation programme.

This report is on a technical IT subject, and therefore contains technical IT language. The
Executive Summary has been written for a more general audience than the body of the
report, which is intended for IT and methodological staff within Statistics NZ.

This review finds that the strategies in place to deliver the End User Computing tools by which
non-programmers can carry out their duties to deliver statistical outputs are in the most part
appropriate.

In the current state, there are instances where generic legacy and unsupported applications
are is use, which are integrated to individual business unit functions and outputs.  In many
cases, the end user is required to apply programming skills in the use of tools in order to
effectively complete their work.  This leads to support, sustainability and management
challenges based on the flexibility that it implies.

There is an organisation wide technology plan in the form of an Enterprise Architecture which
connects business needs to the tools required to deliver statistical outputs. Through wide
consultation it ‘identifies IT enabled capabilities that can be standardised and reused across
the organisation’ and evaluates ‘emerging technologies’.  There is a high level of
communication and education of users on the over-arching technology plans and strategies.

The IT Strategy has evolved over time and has a number of supporting policies, guidelines
and forums.  These policies and guidelines have introduced disciplines and promoted
ownership by the business of systems and applications for which they are the sole or main
user. The IT Solutions strategy promotes ownership and accountability for IT systems back
into the business. This strategy is not intended to avoid IT responsibility, but is more
commonly used in industry best practice to ensure that the user community at senior levels
shares interest in their IT infrastructure.

The reviewer expected to confirm that implementing the Enterprise Architecture will result in
the tools and applications used at the desktop and other end user devices, providing an
appropriate End User Computing environment. That environment will support the
transformed methods of delivering statistical outputs. This expectation was based on early
Page 4

End User Computing Review Report 2013

evidence which suggested that the level of maturity of the long term IT strategy was high.
Having completed the review, I find that this expectation has been met and is valid.

A hierarchy of documents build a picture connecting the organisational strategy with an IT
vision, consider external and internal influences, and describe a Statistical Architecture. This
Statistical Architecture describes business outcomes in terms of technology, and groups or
‘clusters’ stages in the generic Business Process Model as ‘Platforms’ which are aligned to
organisation functions.  Language used in the documents is clear and in keeping with the
Stats 2020 transformational direction.

The diagram above shows the layers of the Enterprise Architecture and how they align with
the generic Business Process Model to deliver statistical outputs using End User Computing
tools provided through platforms.

The platforms are at various states of implementation.  At this stage some platforms are well
established, some are a collection of legacy applications, and some are collections in that
their outputs are produced by standalone and bespoke applications which are logically
grouped to reflect the future EA blueprint. There are roadmaps and change programmes
which describe a plan of change from current state to a stage where no more legacy
applications are used and where the Enterprise Architecture has been fully implemented.
Those roadmaps extend through to 2018.

There is a top down transformational change approach and a bottom up methodical approach
to cleaning up the legacy environment. This has been made practical through the
implementation of a Windows 7 common operating environment (implemented between 2010
Page 5

End User Computing Review Report 2013

and 2012) and associated policy enforcement, and the Legacy Mitigation programme.  Both of
these measures provide general control to prevent unapproved EUC applications from being
installed in the network and undermining the overall strategy.

The approach taken on the Legacy Mitigation programme was reviewed and found to be
effective. There is a level of engagement with the business and there is evidence of informal
but repeatable process.  The programme would benefit from revising its communications
strategy to raise its profile and this has been provisionally planned for July 2013.  Publication
and reporting on progress was found to be acceptable, but would benefit from more
categorisation to provide visibility and ensure that any trade off of responsibilities (i.e. to
business led changes) are transparent.

Platform ownership is assigned to the relevant business area and delegated to a Tier 3
manager.  A platform may also be delivering functions to other business units.
This requires cooperation and a wide degree of communication and trade-off.

There is an established forum for Business Platform Owners that meets on a regular basis. It
is attended by the majority of the responsible owners and is used as an informal
communication channel. It has more recently been used as a vehicle for the wider business
to engage with platform owners as a group on current and future issues.  The forum members
have recognised that they would benefit from more structure and purpose, and this review
has provided some proposed agenda items for consideration.  This review also considered
the role of the platform owner, including what to expect in terms of service delivery from IT
Solutions and the need to solicit feedback from the wider community of platform users. It
should be recognised that not all platforms are the same size, and process and
communication flow needs to be tailored for each platform whilst considering the overall
organisation wide strategic priorities of sustainability and efficiencies of centralised functions.

Recent work in the Review of Architectures, Clusters and Statistical Models Project, within the
Statistical Infrastructure Programme, has identified a method of measuring the level of
standardisation in the delivery of statistical outputs. This work highlights that there is currently
a limited view, and no organisation wide measurement of the level of standardisation and
platform implementation and adoption.  The project itself has only reviewed a small portion of
the Micro Economic Processing platform and is currently under resourced and low in priority.
The future of EUC is dependent on the delivery of an implemented Enterprise Architecture
blueprint with standardised delivery of outputs.  Considering the extended term of the
programme of transformation, a measure of standardisation should be established as a
baseline to monitor transformational delivery.

Page 6

End User Computing Review Report 2013

The IT Strategy does identify the need to extend performance metrics. This aligns with
several of the identified goals and planned work for 2013/14 as well as considering
requirements of the BASS (Better Administrative and Support Services) programme.  There is
an opportunity to consider customer facing and output driven performance reporting. In
addition to considering standardisation and Activity Based Costing, the metrics review should
consider approaches like  DIFOT (Delivered in Time on Full) or OTIF (On Time in Full)  which
are used in supply change performance measurement to represent end to end service
delivery in terms of products or outputs. This alignment would focus attention on the outputs
for which Statistics NZ is funded.

The governance of project delivery is light, with the Enterprise Architecture Team having to
actively direct projects to maintain focus on each new design aligning with the longer term
Enterprise Architecture Blueprint. Once a project moves to later stages, Quality Management
processes are applied, which require approval from the Enterprise Architecture Manager
before implementation. The Architectural Review and Standards Governance Boards review
standardisation and alignment with long term enterprise wide plans. However, awareness of
these forums and their role in governance is variable across the business. This means that
Statistics NZ relies heavily on steering committees and management functions catching
expectations instead of project outputs being managed and tracked through Project and
Programme governance.

Documentation is hard to find. Information relating to latest documentation and process relies
heavily on knowledge sharing and networks. Culture supports this but it can be an inefficient
model.  From informal engagement with Statistics NZ this would appear to be a widely
supported view. Information architecture is heavily nested and complex to navigate. It may
be fairly straight forward to find some material related to a particular subject, but it is often the
case that other relevant material is stored in other locations which may lead to duplication.
This factor has added considerable complexity and time to this review.

In summary, this review finds that the IT strategies in place are suitable and appropriate,
consider relevant external factors, and align well with the whole of organisation transformation
programme.  In order to deliver an effective End User Computing environment for the future,
additional measurement of progress in the context of statistical outputs and standardisation,
in conjunction with additional governance control at key decision points, would provide better
assurance on alignment with organisational plans.

Purpose
The purpose of this review is to provide assurance to the Government Statistician that  the
strategies, plans, tools and resources in place for End User Computing are appropriate and
sufficient as part of the 10 year whole of organisation transformation programme.
Page 7

End User Computing Review Report 2013

Background
This review was included in the recommendations of the ‘IT Stocktake Review 2009’
conducted by
. This review was prioritised by the CIO from that list of
recommendations.
Scope of Review
The review evaluates and comments on:
•  where Statistics NZ is now with End User Computing
•  what is ahead of Statistics NZ
•  what current and future risks and opportunities can be identified
•  are Statistics NZ’s strategy, plans, tools, resources, etc. appropriate and sufficient for
the successful use of end user computing as part of the 10 year whole-of organisation
transformation programme.

The review was performed by
, Assurance Consultant (General Manager –
Assurance) of Qual IT Solutions Ltd on behalf of
, Internal Auditor

Key to abbreviations
Definition (as required)
End-user computing (EUC) refers to systems in
which non-programmers can create working
applications. EUC is a group of approaches to
End User
computing that aim at better integrating end
EUC
Computing
users into the computing environment. These
approaches attempt to realize the potential for
high-end computing to perform in a trustworthy
manner in problem-solving
Enterprise architecture (EA) is the process of
translating business vision and strategy into
effective enterprise change by creating,
Enterprise
EA
communicating and improving the key
Architecture
requirements, principles and models that
describe the enterprise's future state and enable
its evolution
Delivered in Full on  These are terms used often used in supply chain
Time/
DIFOT/OTIF
management to express performance in terms of
On Time in Full
end to end service delivery.

Sparx Systems Enterprise Architect is a visual
modelling and design tool used by businesses
and organizations to not only model the
SparxEA

architecture of their systems, but to process the
implementation of these models across the full
application development life-cycle
Micro Economic
MEP
Processing

Platform
a group of software development methods based
on iterative and incremental development, where
Agile

requirements and solutions evolve through
collaboration
Page 8

End User Computing Review Report 2013

DSL

Definitive Software Library
This is the central repository for all the
Classifications and
CARS
classifications, concordances and code files used
Related Standards
by collections within Statistics NZ.
Page 9

End User Computing Review Report 2013

ACTION PLAN – Organisation Development Group
Residual

Person

Risk
Target
Ref
Recommendation
Group Response
Responsible
Priority
Rating*
Date
1
That the CIO initiates a review of the “Scope, responsibility and secure
use of our IT Environment“ Policy to include reference to the Enterprise
Moderate
Agreed.
CIO
3
TBC
Architecture at a high level to explain to new employees the reasons
for not attempting to deviate from the standard operating environment.
2
The Programme Manager, IT Investment Plan reviews the status of the
Programme
outstanding actions from the Windows 7 Project Closure Report by 1
Moderate
Agreed.
Manager, IT
3
TBC
August 2013 to ensure they have been addressed.
Investment Plan
3
That the CIO initiates a review of the Software Ownership Framework
with a view to direct inclusion of applications and platforms to ensure
consistent ownership responsibilities are established and include the
Moderate
Agreed.
CIO
2
TBC
commitment and scope of the DSL. This may result in the creation of
additional framework(s).
4
That the CIO directs that the outstanding Platform Roadmaps are
published and base lined and that annual review of all Roadmaps is
Moderate
Agreed.
CIO
2
TBC
monitored.
5
That the CIO initiates a review of how Information Management
strategies are applied in IT Solutions to communicate complex end to
end concepts like Enterprise Architecture and delivery processes. This
Moderate
Agreed.
CIO
2
TBC
should consider the inflight work in the capture of documentation in
SparxEA , SmartMethod and Team Foundation Server and ensure that
information is practically accessible to the wider audience.
6
That the CIO includes customer or service delivery metrics (DIFOT) in
the IT metrics review to measure service performance to the business
Moderate
Agreed.
CIO
2
TBC
units.
7
The CIO initiates a review of the Legacy Mitigation Programme
Communications Plan including monthly reporting on progress to a
Moderate
Agreed.
CIO
3
TBC
level of granularity which is appropriate for the wider audience.

Page 10

End User Computing Review Report 2013

ACTION PLAN – Standards and Methods Group
Residual

Person

Risk
Target
Ref
Recommendation
Group Response
Responsible
Priority
Rating*
Date
8
That DGS Standards and Methods raises the priority and focus of the
Review of Architectures, Clusters and Statistical Models (or its
replacement). It should provide a measurement baseline of the level of
Moderate
Agreed.
TBA
2
TBC
standardisation applied on each platform considering the adoption of
the Business Platforms and alignment with EA. This measure should
also be fed into the transformational programme to track progress.

ACTION PLAN – Transformation Group
Residual

Person

Risk
Target
Ref
Recommendation
Group Response
Responsible
Priority
Rating*
Date
9
That the DGS Transformation ensures there are appropriate control
Manager
points throughout the project delivery cycle, especially at the early
Moderate
Agreed.
Transformation
2
TBC
stages and pre-launch to ensure that the IT component of a project
Office
aligns with the enterprise architecture.

Page 11

End User Computing Review Report 2013

ACTION PLAN – Organisation Direction Group
Residual

Person

Risk
Target
Ref
Recommendation
Group Response
Responsible
Priority
Rating*
Date
10
The Internal Auditor considers including in the 2013/14 Internal Audit
Work Programme a sample controls review of a small selection of
Moderate
Agree
Internal Auditor
3
30.9.13
projects to identify the depth of compliance.

* Related Strategic Priority: SP4: Sustainable organisation.
* Related Strategic Risk: SR3: Not achieving the comprehensive transformation promised (End User Computing)

Page 12

End User Computing Review Report 2013

Findings
1.  Policies on Software Usage and Installation
1.1 Expectations
I expected to see policies relating to the use and installation of software in the end user
computing environment that are appropriate, applied and enforced.
1.2 Findings Summary
Findings in this section relate to three key areas which are expanded in further detail:
1.  IT policies were found to be in place.
2.  A common operating environment has recently been implemented to provide a baseline
for the transition to the target Enterprise Architecture and future End User Computing
environment.
3.  Ownership and responsibility for software that is in use is documented and is in line with
good practice.
1.3 Detailed Findings
1.3.1  General IT Policies
There are a family of connected policies which provide appropriate control around the
management, ownership and deployment of software and hardware.  There is an IT security
policy (“Scope, responsibility and secure use of our IT Environment”) which is issued to all
employees during induction and there is the overarching “Software and Applications Usage
and Management Policy”.

Access to software is limited to that provided in the standard image (the set of software tools
and in-house applications that are deployed to all Statistics NZ staff), as deployed in the
Windows7 refresh.  This is enforced from within the network software as part of the Windows
Group Policy and applied through Active Directory and supporting IT security software.  A
practical test of the group policy, at the desktop, confirmed that an unapproved executable
could not be downloaded from the internet or installed.

The relevant policies are highlighted in the introduction of the Software and Applications
Usage and Management Policy, which has been included here for reference. The content
and tone of these policies is appropriate. However there is no reference in the “Scope,
responsibility and secure use of our IT Environment" Policy to the Enterprise Architecture,
even at a high level, to set the expectation and explain the underlying reasons for control:
Page 13

End User Computing Review Report 2013

The following guidelines are aimed at protecting the integrity of data, keeping the IT
environment free of malicious software, ensuring we safeguard our intellectual property and
complying with the laws of New Zealand, such as copyright restrictions.

Introduction to Software and Applications Usage and Management Policy

This (2011) policy updates and consolidates:
o
the previous Software Use Policy - approved in 2001
o
the Guidelines for introducing software  - published in 2005
o
and ownerships principles outlined in the Software Ownership Framework - paper to ITAG
in November 2008 ( These Principles were introduced in Software Ownership Discussion
Paper - presented to CMC in June 2007)

This Policy was developed in consultation with the Software Owners Forum - through 2011,
and endorsed by the IT Advisory Board in April 2012.

This Policy supplements the Scope, responsibility and secure use of our IT Environment
Policy, and supports the Software Ownership Framework

This Policy is managed by IT Solutions on behalf of Statistics New Zealand.
Approved on: 21/12/2012, Review Due: 21/12/2013

Recommendation 1
That the CIO initiates a review of the “Scope, responsibility and secure use of our IT
Environment“ Policy to include reference to the Enterprise Architecture at a high level to
explain to new employees the reasons for not attempting to deviate from the standard
operating environment.

1.3.2  Standard Operating Environment

Statistics NZ initiated and completed a Standard Operating Environment project within the
Capability Portfolio. The Windows 7 66207.17 project started in July 2010 and ran through to
October 2012.

The majority of benefits claimed by this project relate to supportability and sustainability of the
desktop operating system. The most relevant but intangible benefit (in the context of this
review) is that the project applied an updated standard operating environment which can be
used as a baseline to support the transition to the target Enterprise Architecture.

A closure report was issued with a list of outstanding actions which have been assigned
owners and are being worked through to closure.  Exceptions have been managed or
mitigated appropriately.  There are five remaining actions which need to be confirmed as
cleared.

Page 14

End User Computing Review Report 2013

Recommendation 2
The Programme Manager, IT Investment Plan reviews the status of the outstanding actions
from the Windows 7 Project Closure Report by 1 August 2013 to ensure they have been
addressed.

1.3.3  Software Ownership
There is a mature discussion (documented back to June 2007) on the principles of software
ownership.  This has been under discussion at IT Advisory Board since November 2008. A
Software Ownership Forum was established formally in June 2010 with agreement to sit
quarterly.

There is a strategy of promoting ownership by business unit managers for systems and
applications of which they are the sole or main user.  By promoting ownership and
accountability for IT systems back into the business this is intended not to avoid IT
responsibility, but to ensure that the user community at senior levels shares interest in their IT
infrastructure, and has clear influence on operational and strategic decisions relating to their
IT systems.  This is accepted as good practice.

The Software Ownership Forum has been established and sat until September 2011, then
due to other initiatives taking priority did not sit for 18 months. It recently reconvened - the
fifth meeting was held on 22 May 2013 and there is commitment to continue.

Principles of software ownership are now well established, but although platform ownership
obligations are implied in the framework, they have not yet been applied. A platform is
essentially a collection of applications, with its presentation layer being software or an
application which determines the way it calls/consumes/uses other applications.  Therefore all
constituent applications should be subject to the same framework as their platform.

The Software Ownership Framework recognises platform and generic applications however
does not directly address responsibilities.  It states that ‘For most in-house applications the
ownership responsibilities of the associated business owner are already established.’  Some
ambiguity exists in who has the responsibilities for platforms. In discussion with the IT
Portfolio Director, reviewing the Software Ownership responsibilities with platform owners is
planned for later in 2013 and is part of the IT Strategy implementation plan.

Ownership of software and applications is listed (by name or position) in a central database
called the ‘Definitive Software Library’ (DSL). This includes information relating to the
applications, licencing arrangements, support information including packaging and server
location, as well as a Lifecycle classification (Discovery, Emerging, Current, Legacy and
Page 15

End User Computing Review Report 2013

Graveyard). In addition there is a ‘point of difference’ field which is intended to justify the
additional software as part of the approval process.

This database is not complete with some fields not populated.  Not all deployed software is
recorded in the DSL (this is apparent from numerous DSL updates managed by the Legacy
Mitigation Programme). For these reasons it cannot be considered a reliable source for
configuration or software management. The identification of named individuals as owners of
software applications contravenes the Software Ownership Framework principles.

The term DSL is often used as part of Information Technology Infrastructure Library (ITIL)
practices and is extended to include:
‘A secure location, consisting of physical media or a software repository located on a network
file server, in which the definitive authorized versions of all software configuration items (CIs)
are stored and protected… All related documentation, related to any software stored in the
DSL, is also stored in the DSL’ from http://en.wikipedia.org/wiki/Definitive Software Library

The software itself is stored in separate locations each of which are subject to different
controls.  In house developed applications use Team Foundation Server as a repository and
are promoted to production through an internally developed Change and Release
Management Lotus Notes workflow/database.  Other development platforms (such as Lotus
Notes) use their own environments to manage the source code.

The DSL is not a full Configuration Management Database (CMDB) and does not trace
application installations through to statistics business outcome. It is noted that might not be a
practical or cost effective outcome, but should that level of granularity relating to end to end
service management be required, it is a potential home.  At present visibility of end to end
service delivery over IT systems in the context of statistical outputs is not available.

Recommendation 3
That the CIO initiates a review of the Software Ownership Framework with a view to direct
inclusion of applications and platforms to ensure consistent ownership responsibilities are
established and include the commitment and scope of the DSL.  This may result in the
creation of additional framework(s).

Page 16

End User Computing Review Report 2013

2.  Enterprise technology plan and architecture
2.1 Expectations
I expected to see evidence of an enterprise technology plan and architecture, considering
organisation penetration (specifically governance) and overall state of implementation, which
describes the future desired state of End User Computing.
2.2 Findings Summary
There is a well written IT Strategy and Implementation Plan, supported by an Enterprise
Architecture blueprint.  Several documents in the document family (platform roadmaps) have
not been published or are overdue for review. If implemented, the EA will deliver an
appropriate EUC environment.
2.3 Detailed Findings
There is an organisation wide technology plan and strategy, supported by a series of
documents. There is an Enterprise Architecture (EA) which is based on a shared-
services/common use applications approach and is supported by a ‘strategy of identifying and
delivering capability via tools and services that that are standardised, centralised and shared’.
The EA connects business needs to the tools required to deliver statistical outputs. Through
a number of external reviews and wide consultation it ‘identifies IT enabled capabilities that
can be standardised and reused across the organisation’ and evaluates ‘emerging
technologies’.

The EA Blueprint is based on the concept of a Statistical Architecture which describes
business outcomes in terms of technology, and groups or ‘clusters’ stages in the generic
Business Process Model as ‘Platforms’ which are aligned to organisation functions. This
directly aligns to the generic Business Process Model (gBPM) which is the accepted
operating model.

Considerations and reference to external influences are being monitored or contributed to as
appropriate. Those influences include Government ICT initiatives such as Desktop as a
Service and Infrastructure as a Service (DaaS and IaaS), and the impact of cloud computing,
and the Better Administrative and Support Services (BASS) programme.

The EA blueprint demonstrates alignment with all four Strategic Priorities from the Strategic
Plan 2010-2020, with direct connection to the strategic priorities and the Statistics 2020 Te
Kāpehu Whetū Transformation Programme. The EA Blueprint describes the EA approach
which considers Risk (Stabilising our systems), Value (Developing new operating platforms)
and Efficiency (Standardising production of groups of statistical outputs).

Page 17

End User Computing Review Report 2013

‘The EA and implementation approach undertaken to date (and proposed for the next three
years) is a model with ever-increasing levels of standardised capability being introduced via
the platform approach. It is supported by a strategy of convergence, to ensure we continue to
develop foundation capabilities that can be used by many business units.’

With reference to SP3: Transform the way we deliver statistics:
Statistics NZ’s EA will support and enable this strategic priority through: A responsive and
flexible organisation enabled by a suite of capabilities aligned to the generic Business
Process Model (gBPM) accessible via statistical platforms. This will provide the ability for
statistical clusters and business units to lower the Total Cost of Ownership (TCO) by
maximising the efficient use of resources.

Both of the preceding statements outline the intent to provide standardised platforms through
which Statistics staff will carry out their duties, in the delivery of statistical outputs. It is a
reasonable assumption that the platform model will effectively replace the current model
where end users use generic tools to collect, process, analyse and publish their work.

There is a hierarchy of documents which form an Enterprise Technology Plan. The
relationship between key documents, End User Computing, and the strategies and plans is
outlined at Section 7 Document Hierarchy and Future Plan for EUC in the context of the
Statistics New Zealand Strategy and Plan.  Those key documents are as follows:

•  An IT Strategy for 2012-2016 which follows on from the previous IT Strategy for 2009-
2012. The previous strategy was reviewed as part of the approval of the 2012
strategy and found to be 86% complete.
•  The IT strategy Implementation Plan v1 approved March 2013.
•  The Enterprise Architecture Blueprint.  Version 1.0 was approved in June 2012 and
supports the Statistics NZ Strategic Plan 2010-2020 and the implementation of the
Strategic Plan through Stats 2020.
•  Enterprise Architecture principles, standards, and conceptual models which are
published through the EA page.
•  Capability specifications.
•  A draft of the end-to-end capability roadmap outlining future capabilities and
timelines.
•  Roadmaps for each platform.  These are intended to breakdown the EA Blueprint into
clusters of like activity aligned with both the organisational structure and the gBPM.

The Roadmaps are at various levels of maturity. As a collection they were drafted in March
2012 and the EA Blueprint states that the roadmaps will be reviewed annually, therefore they
Page 18

End User Computing Review Report 2013

As a supporting component of the Enterprise Technology Plan, the overall structure of the EA
is appropriate and in line with good practice. This is supported by an approved IT Strategy
and Implementation Plan which outline the high level technology components of an
appropriate EUC environment.

Note – these documents include action plans at a lower level, but as an architectural plan
they describe the building blocks at a high level only.

Recommendation 4
That the CIO directs that the outstanding Platform Roadmaps are published and base lined
and that annual review of all Roadmaps is monitored.

3.  Education and Communication of the Enterprise
Architecture
3.1 Expectations
I expected to see evidence of appropriate organisation-wide education, communication and
training in support of the enterprise technology plan and architecture.

3.2 Findings Summary
If the EUC environment and tools of tomorrow are delivered through the EA then it is
essential that there is a shared understanding and appreciation of the plans that stretches
organisation wide. This would ensure that any responsible person would understand the
value of aligning with EA and the implications of deviating from the EA Blueprint.  These
concepts are supported by wide communication and consultation of the EA and the IT
strategy, which is aimed at various levels of the organisation and communicates the vision for
IT Solutions and the EA.
3.3 Detailed Findings
There is a high level of communication and education of users on the over-arching technology
plans and strategies.  The EA is communicated to the wider organisation through a number of
methods including (but not limited to):
•  Documentation through the EA Blueprint and the IT Strategy and Implementation
Plan.  Approved and committed to by Senior Management and accessible to all.
•  Platform Roadmaps.
•  Posters and Visuals which can be seen in most locations, reinforcing the concepts
and interpreting the alignment of business outcomes delivered by projects with the
EA as a framework.
Page 20

End User Computing Review Report 2013

•  Regular IT Solutions road shows.
•  Bulletins and publications.
•  Engagement in project activity.

Overall, the document is well written and based on best practices and principles.  Language
used in the document is clear and in keeping with the Stats 2020 transformational direction
and style.  Commitments from the Chief Executive and the CIO preface the document. The
document is long and complex, so there is also an 18 page Executive Summary document
and a presentation version of the IT Strategy which appear to be effective in communicating
the content of the EA.  The principles which underpin the EA were found to be well
established, as referred to in the EA Blueprint:

Statistics NZ’s EA has been evolving for a number of years. The majority of artefacts,
concepts, and diagrams in the detailed EA Blueprint are widely known and have been used or
developed across the business…. The vision associated with the EA blueprint is “Successful
partnering across the organisation to achieve our strategic objectives through aligning people,
process, and technology”.

The IT Solutions Road Shows provide updates and connect with Statistics staff and
management. The last road shows took place between October and November 2012 across
all three centres. The content related to various IT Solutions functions, providing updates and
explaining the IT Solutions visions and plans. The next round of road shows is scheduled for
July and again in late 2013. These road shows appear to be well received and reasonably
well attended.  They are an important opportunity to engage with the IT user community to
share plans and solicit feedback.

The platform roadmaps align with the general communication theme, although as noted in the
previous section, these documents should be updated.

The theme of promoting ownership and accountability for IT systems back into the business
was found to be generally understood. This strategy is not intended for IT Solutions to avoid
responsibility, but is more commonly used in industry best practice to ensure that the user
community at senior levels shares interest in their IT infrastructure.

Engagement in project activity is an opportunity for individuals to reference and apply the EA.
This would be led by the project charter or business case which would normally include
drivers which align to the strategic priorities and, for technology changes, would refer to
alignment with the EA.

Page 21

End User Computing Review Report 2013

One opportunity to reinforce the messages relating to the IT Strategy and EA blueprint would
be to reference the EA in the ‘Scope, responsibility and secure use of our IT Environment
Policy’ to support the initial on-board training and set the tone for new employees, see
Recommendation 1 in section  1.3.1, page 13.

Documentation is hard to find. Information relating to latest documentation and process relies
heavily on knowledge sharing and networks. Culture supports this but it can be an inefficient
model. From informal engagement with Statistics NZ staff this would appear to be a widely
supported view. Information architecture is heavily nested and complex to navigate. It may
be fairly straight forward to find some material related to a subject, but it is often the case that
other relevant material is stored in other locations which may lead to duplication.  This factor
has added considerable complexity and time to this review.

Whereas this may well be worked around by experienced staff, new starters and those less
proficient struggle to find the absolute version of documents.  Intranet pages which provide
updates or process information are not consistently linked and are difficult to navigate. Good
examples of information management portals connect with the audience through a front end
visual and then allow connected drill through to areas of appropriate detail. This visual might
be the gBPM or Stats2020 themes. In the opinion of the reviewer, the Te Matapihi
implementation does not present a clear and connected information architecture.

Recommendation 5
That the CIO initiates a review of how Information Management strategies are applied in IT
Solutions to communicate complex end to end concepts like Enterprise Architecture and
delivery processes. This should consider the inflight work in the capture of documentation in
SparxEA, SmartMethod and Team Foundation Server and ensure that information is
practically accessible to the wider audience.

4.  Effective Change Programmes for EA Implementation
4.1 Expectations
I expected to see effective change strategies and programmes to implement the approved
enterprise technology plan and architecture.
4.2 Findings Summary
There are programmes of change within the overall Stats2020 Transformation Programme
that are addressing the prioritised technology changes, with discovery and feasibility projects
helping to determine the necessary work to implement the Platform roadmaps.  Evidence was
not available of direct correlation between high level roadmaps and an overall technology
roadmap with key interdependencies and an overall critical path.
Page 22

End User Computing Review Report 2013

Central to the implementation of the EA is the concept of Business Platform Ownership.
Roles and Responsibilities for Platform Owners are still being established. The wider
responsibilities of platform ownership and the support and trading relationships with IT are
essential to sustainability and the delivery of the target EA (and implied ideal EUC
experience).

Measuring progress towards the target EA would benefit from some form of review or base-
lining of standardisation or platform adoption against statistical outputs. This baseline could
be used to track progress over the extended transformation programme.  In addition, if the
review of IT metrics includes service performance metrics which represent performance and
availability of statistical outputs and business platforms, this would enhance the platform
ownership model.

4.3 Detailed Findings
The following comments relate to the current Portfolio arrangements; for additional comments
relating to the single Transformation portfolio refer to the findings in section 6.3 on page 30.

In the context of Best Management practice from the guidance published by the Office of
Government Commerce, UK government the change activity at Statistics New Zealand is split
across six segmented portfolios, with the complete portfolio forming an overall
Transformational Change Programme.  There is clear hierarchy and delivery governance
structure for Portfolios, Programmes and Projects.

Planned change to the platforms inside the EA framework sit in five out of six Portfolios, with
programmes that span multiple years. The correlation between platform change and
evolution is not immediately apparent and would require a deep understanding of the
complete Transformation Programme.  Although the high level documentation around the EA
and supporting roadmaps provides a line of sight between current state and target technology
for future use, this could not be tangibly correlated from the Projects, Programmes and
Portfolios.

Although this visibility may well exist it has not been transparent or available during the
course of the review.  Programmes and Projects are built around business cases which
through the approval process are validated by Steering Committees which have responsibility
for ensuring planned and prioritised change is line with the EA Blueprint and the overall
transformational programme.  The change programmes need to deliver their identified
outcomes, which need to include a plan of change from current state to a stage where no
more legacy applications are used and where the Enterprise Architecture has been fully
implemented. Although this may not be the primary driver, it needs to be integrated in the
Page 23

End User Computing Review Report 2013

outcomes. Ideally, an absolute mapping between roadmaps and evolution of technology to
deliver the target EA, with detailed interdependency mapping would provide visibility.

As well as the transformational change, there is a bottom up approach to cleaning up the
legacy environment. This has been made practical through the implementation of the
Windows 7 common operating environment and the Legacy Mitigation programme.

The platforms are at various states of implementation.  At this stage some platforms are well
established, some are a collection of legacy applications, and some are collections in that
their outputs are produced by standalone and bespoke applications which are logically
grouped to reflect the future EA blueprint.  Platform ownership is assigned to the relevant
business area and delegated to a Tier 3 manager.  That platform may also be delivering
functions to other business units.  This requires cooperation and a wide degree of
communication and trade-off.

At the discovery stages of the review it was identified that there was a need to more clearly
understand the responsibilities of the platform owner and the support arrangements that
related to the platform.  This had already been recognised and external consultants (Fronde)
were engaged, to complete a review focusing on the MEP platform, but relevant as a model
for consideration across each platform. This demonstrates that both IT Solutions and several
of the business functions have recognised that the platform ownership model needs to be
developed.

As part of developing those responsibilities, there is an established forum for Business
Platform Owners that meets on a regular basis. It is attended by the majority of the
responsible owners and is used as an informal communication channel. It has more recently
been used as vehicle for the wider business to engage with the platform owner forum on
current and future issues.  The forum members have recognised that they would benefit from
more structure and purpose and this review has provided some proposed agenda items for
consideration.  Although, earlier meetings have been informal, more recently the Statistical
Infrastructure programme has provided some structure

It should also be noted that the preference of several stakeholders is to maintain this group as
an informal forum, which informs other decision making forums. Providing that those
participants recognise the additional role that requires them to play, then this is appropriate
and will facilitate the overall target EA implementation.

This review considered the role of the platform owner, including what to expect in terms of
service delivery from IT Solutions and the need to solicit feedback from the wider community
of platform users.  As the Fronde assignment was not completed in time to contribute to this
Page 24

End User Computing Review Report 2013

review, a more generic view of platform support considerations was used to support
discussions with platform owners.  It should be recognised that not all platforms are the same
size and process and communication flow needs to be tailored for each platform whilst
considering the overall organisation wide strategic proprieties of sustainability and efficiencies
of centralised functions.

Section 10 (Business Platform Ownership Supporting Material) includes proposed agenda
content for the on-going Business Platform Owners forum as well as general considerations
for support and management of platforms, which may provide context for the platform owners.

Note:
The platform owners should consider introducing additional structure to the Business Platform
Owners forum.

As the business platforms are developed through change programmes, this will move the
organisation closer to the target EA. During the review it was very difficult to gauge a
measure of how well each platform was implemented or its alignment with the EA.  Recent
work in the Review of Architectures, Clusters and Statistical Models Project, within the
Statistical Infrastructure Programme, has identified a method of measuring the level of
standardisation in the delivery of statistical outputs.

This work highlights that there is currently a limited view and no organisation wide
measurement of the level of standardisation and platform implementation and adoption. The
project itself has only reviewed a small portion of the MEP platform, and is currently under
resourced and low in priority.  Considering the extended term of the programme of
transformation and that the future of EUC is dependent on the delivery of an implemented
Enterprise Architecture blueprint with standardised delivery of outputs, it is recommended that
some form of this work be applied across all platforms.

Recommendation 8
That DGS Standards and Methods raises the priority and focus of the Review of
Architectures, Clusters and Statistical Models (or its replacement). It should provide a
measurement baseline of the level of standardisation applied on each platform considering
the adoption of the Business Platforms and alignment with EA. This measure should also be
fed into the transformational programme to track progress.

The IT strategy does identify the need to extend performance metrics.  This aligns with
several of their identified goals and planned work for 2013/14 as well as considering
requirements of the BASS (Better Administrative and Support Services) programme. There is
an opportunity to consider customer facing and output driven performance reporting. In
Page 25

End User Computing Review Report 2013

addition to considering standardisation and Activity Based Costing, the metrics review should
consider DIFOT (Delivered in Time on Full) or OTIF (On Time in Full) approaches which are
used in supply change performance measurement to represent end to end service delivery in
terms of products or outputs. This alignment would focus attention on the outputs for which
Statistics NZ is funded.

By communicating IT service performance on a platform by platform basis with transparency
of performance of the business outputs (statistical outputs through the gBPM), this may
highlight standardisation and/or implementation gaps across the EA as well as strengthening
the platform ownership model.

The challenges faced in the platform model and suggested measurement focus (both IT
service performance and standardisation) are shown in the diagram at Section 8 Platform
Challenges and Relationships to End-to-End Service Delivery on page 34.

Recommendation 6
That the CIO includes customer or service delivery metrics (DIFOT) in the IT metrics review to
measure service performance to the business units.

5.  Effective Strategies for Legacy Mitigation
5.1 Expectations
I expected to see effective strategies and a repeatable process for the migration from the use
of historical or legacy applications to the desired target or future state.
5.2 Findings Summary
The approach taken on the Legacy Mitigation programme was reviewed and found to be
effective. There is a level of engagement with the business and there is evidence of informal
but repeatable process.

The programme would benefit from revising its communications strategy to raise its profile
and this has been provisionally planned for July 2013.  Publication and reporting on progress
was found to be acceptable, but would benefit from more categorisation to provide visibility
and ensure that any trade off of responsibilities (i.e. to business led changes) are transparent.

Page 26

End User Computing Review Report 2013

5.3 Detailed Findings
Early strategies and discussion papers were well communicated and used as bases on which
to build the programme of work.  The programme is planned to run through to 2016 with a
repeating annualised business case for the duration.

From the Legacy Programme Business Case 2013:

Statistics New Zealand relies on approximately 200 unsupported legacy applications to
produce a number of its key business outputs. In the Business Case for Statistics 2020, it has
been deemed an essential priority for Statistics New Zealand to address these legacy issues
and the risks they present...In the Statistics New Zealand context, Legacy Software is defined
as Software that is either no longer supported in the market place, and/or does not form part
of the current or future enterprise architecture for Statistics New Zealand.

A Legacy Mitigation Roadmap was developed and endorsed by the Statistics NZ Board in
2009. This roadmap sets out the work streams required to replace legacy systems which are
not covered by other business led development projects, with the aim of having all legacy
systems removed by 2016. The roadmap was updated in 2010 to reflect the better
understanding of the environment, and subsequently revised in February 2012.

This roadmap and its subsequent revisions are appropriate and support the overall IT
Strategy.  The agreed scope of the programme, as outlined in the 2013 Business Case, is
split into the following streams:

•  Delivering Legacy replacement solutions for remaining Centura applications.
•  Migration of Sybase to SQL-Server.
•  Replacements for Microsoft Access applications which are currently ‘hosted’ in the
controlled ‘Museum’ environment.
•  SAS – Replacement of AF and Insight, and migration to SAS Enterprise Guide. This
transitions client applications on numerous versions to an Enterprise Licence with
additional server controls.
•  Updating Lotus applications to allow access via current technologies.
•  Archiving of legacy data and source code in coordination with Information
Management.
•  Consolidation of other legacy tools.

As a migration or roll-out programme, a standard approach is often to create repeatable
processes that are iterated through to run through the programme of work and sequence
activity. This is true in many other instances for the programme, which has created
Page 27

End User Computing Review Report 2013

processes and sub-routines for identifying locations and last use or access of legacy
applications or databases. This is done through sweeping the Statistics New Zealand EUC
environment to identify installation or recent access to identified legacy applications.

Those regular sweeps both confirm known instances which are sequenced to be migrated or
mitigated, or identify new instances which have been accessed since the last sweep and
require attention.  The programme manager provides an engagement point with the business
to address those new instances. The approach or strategy to address retiring or controlling
usage of listed legacy applications is usually captured by means of meeting records and
commitments.

As an example of repeatable process, to address stream 2, Migration of Sybase to SQL
Server, the programme has applied a seven stage approach which has been agreed in a
paper to the IT Advisory Board. In practice, during execution of this approach, circumstances
were highlighted where it would not be financially viable to execute on all seven stages. There
is currently a recommendation to pause at stage 3, leaving the interim stages (4-6) to be
picked up by transformational redevelopment activity.  This would be on a case by case basis.

The seven stages as applied to the Sybase to SQL migration are as follows (to provide an
example of the process followed):
1.  Complete CARS (Classifications and Related Standards) conversion (to confirm
estimates for manual conversion), and acquire tools to facilitate further migrations.
Complete Stand-alone database migration.
2.  Isolate Household Frame/GeoFrame and connected databases.
3.  Migrate Household Frame/Geoframe and connected databases.
4.  Migrate those Sybase databases connected to CARS.
5.  Migrate the databases for Centura translated processing applications.
6.  Migrate the IRD and allied databases.
7.  Migrate remaining database groups connected to Business Frame.

There are repeatable processes in the Information Management stream which is focused on
archive or deletion activity.  As is often the case with migration and roll out programmes, as
you start to work through the later stages (by volume remaining), many of the quick wins have
been taken and the clean-up activity is a long process.  For that reason, it is the opinion of the
reviewer that more of a checklist process with some collateral would facilitate engagement
with the programme.

The programme has engaged with a number of business led programmes to negotiate and
agree strategies for mitigation. The general approach of the programme is like for like
replacement of functionality delivered over EA compliant technologies. There are instances
Page 28

End User Computing Review Report 2013

where this is not cost effective and individual projects have taken the lead (e.g. SDDM, Time
Series Management).

In addition to migration activities, there is a mitigation strategy aimed at applications which will
be replaced or no longer required in the foreseeable future and/or will be replaced by planned
development.  This is a ‘Software Museum’, which is a controlled environment which is
planned to remain until June 2016.

Regular reporting on progress includes ‘Legacy Counts’ graphs which include percentage
complete information by individual technology being used.  It focuses on total number of
instances, the number classified as ‘Done’, and the balance remaining. The categorisation of
‘Done’ includes instances which had been mitigated or transferred to business led initiatives.
These instances had not strictly been completed although they were moved out of scope for
migration within the programme.

The risks here are mitigated by the fact that the Legacy Programme is still responsible for the
decommissioning activity and so tracks completion by the receiving programme.  After initial
feedback the reporting has been expanded to categorise between business led initiatives and
work completed within the programme.

The programme would benefit from revising its communications strategy. In the early stages
of the review there was a very incomplete communications strategy. The IT Portfolio Manager
and the Programme Manager recognise that the profile of the programme needs to be raised.
There have been various bulletins and leaders communications reminding the management
community of pending changes or removal of capabilities. Although the communications
strategy has recently been republished, with additional focus on reaching out to business unit
managers to promote the programme’s objectives, in the opinion of the reviewer additional
communication channels should be explored. This communications review, including input
from Strategic Communications to align with the overall transformational messages and
communications plan, may include progress reporting that includes more granularity.  This
would provide visibility and ensure that any trade off of responsibilities (i.e. to business led
changes) are transparent.

The legacy programme itself is a key bottom up strategy to providing a clean baseline for the
future EUC environment to be deployed.  To that end its success and organisation wide
commitment is essential.

Page 29

End User Computing Review Report 2013

Recommendation 7
The CIO initiates a review of the Legacy Mitigation Programme Communications Plan
including appropriate monthly reporting on progress to a level of granularity which is
appropriate for the wider audience.

In general, the programme has taken all reasonable steps to capture and address areas of
non-EA compliance.

6.  Management of Remediation and Non-Compliance
6.1 Expectations
I expected to see managed remediation plans for any areas of non-compliance against an
organisation wide enterprise technology plan.
6.2 Findings Summary
The Windows 7 implementation and the legacy programme are providing general control and
management of non-compliance in the EUC environment. In terms of new implementations,
there are Architectural Review and Standards Governance Boards which provide review of
standardisation and alignment with long term enterprise wide plans.

However, awareness of these forums and their role in governance was variable across the
review audience. This again relies heavily on steering committees and management
functions catching expectations versus Project and Programme delivery governance
managing and tracking the project outputs.

In the absence of an end to end integration plan across the EA and the programmes of work,
there is pressure from individual business units to deviate from the EA to deliver their own
prioritised needs.
6.3 Detailed Findings
The focus of this area of the review was that non-compliant applications and systems are
identified and mitigated appropriately, to ensure that the path to the target EA and EUC
environment is maintained.

This can be considered in two dimensions:

1.  Existing deployments
2.  Planned future deployments and change (projects and programmes).

Page 30

End User Computing Review Report 2013

Existing deployments are predominantly addressed by the previously referred to Windows 7
deployment, IT policies and the Legacy Mitigation programme which are covered in earlier
sections.

Planned future deployments and changes use project and programme management
disciplines to apply controls and manage non-compliance.  With the recent appointment of a
dedicated Transformation Director and a review of the governance arrangements for Statistics
2020, there is a newly established Transformation Programme Board to replace the existing
Portfolio Committees.

From the announcement by the Chief Executive, 10th April 2013:
Further details on the revised governance arrangements and the responsibilities of the DGS
Transformation and the Transformation Programme Board will be communicated later.
Sponsorship responsibilities for projects and programmes will not be changed, though some
clarification of expectations will be provided. The revised approach is yet to be approved and
published.

The Transformation Programme Board has since been established and had its first meeting
on 12th June. Terms of Reference have been agreed and signed by the board members.
Communication and establishment of this new governance arrangement has not yet been
published.

Currently, the governance of project delivery is light, with the Enterprise Architecture Team
having to actively direct projects to maintain focus on each new design aligning with the
longer term Enterprise Architecture Blueprint. Once a project moves to later stages, Quality
Management processes are applied, which require approval from the Enterprise Architecture
Manager before implementation. The Architectural Review and Standards Governance
Boards review standardisation and alignment with long term enterprise wide plans. However,
awareness of these forums and their role in governance is variable across the business. This
means that Statistics NZ relies heavily on steering committees and management functions
catching expectations instead of project outputs being managed and tracked through Project
and Programme governance.

The project controls and processes are focused on the management products (project
baselines, records and reports) versus the specialist products (the deliverables or outputs of
the products including designs). This provides a light framework to support the Agile
approach, however there would be benefit in capturing and recording strategic alignment as a
control at the early stages (not just business case) and again at the pre-launch stages to
ensure that any new technology deployments are compliant and do not compromise the EA.
Page 31

End User Computing Review Report 2013

As a result, there is a risk that some system change initiatives may be missed from
architectural and standardisation governance.

The establishment of the Transformation Governance Board is an opportunity to govern the
Transformation Programme as a single portfolio, which may be segmented but still aligns the
streams of programme activity which are joined only by EA intent at present. The outputs or
commitment to recommendations included in sections 2, 3 and 4 would support an overall top
down re-plan of integration activity to ensure that sequencing of changes is in step with the
target EA roadmaps and strategies.

At present there is a collection of high level roadmaps which do not show end to end
interconnection across the portfolios of change, which makes prioritising and sequencing very
difficult and subject to short term business goals. As part of the wider appreciation of
business ownership, compromise on technology roll out which may or may not align with
business functions timelines will be necessary.

To address this, the terms of reference for the Transformation Programme Board include the
authority and purpose of:
1. Ensuring the whole Transformation Programme and the component parts are integrated
and aligned with the strategic direction…
5. Approving the delegated component parts of the Transformation Programme

The reliance on steering committees for Project Governance would be improved by including
additional control points in the project delivery cycle confirming alignment with the EA
Blueprint. In line with best practice, in the future should additional frameworks or
architectures be established there would be an opportunity to add appropriate control points
to ensure their integrity is maintained.

Recommendation 9
That the DGS Transformation ensures there are appropriate control points throughout the
project delivery cycle, especially at the early stages and pre-launch to ensure that the IT
component of a project aligns with the enterprise architecture.

Recommendation 10
The Internal Auditor considers including in the 2013/14 Internal Audit Work Programme a
sample controls review of a small selection of projects to identify the depth of compliance.
Page 32

End User Computing Review Report 2013

7. Document Hierarchy and Future Plan for EUC in the context of the Statistics New Zealand Strategy and Plan

Page 33

End User Computing Review Report 2013

8. Platform Challenges and Relationships to End-to-End Service Delivery

Page 34

End User Computing Review Report 2013

10. Business Platform Ownership Supporting Material

At the discovery stages of the review it was identified that there was a need to more clearly
understand the responsibilities of the platform owner and the support arrangements that
related to the platform.  This had already been recognised and an engagement had been
initiated with external consultants (Fronde) focused on the MEP platform, but relevant as a
model for consideration across each platform.  This demonstrates that both IT Solutions and
several of the business functions have recognised that the platform ownership model needs
to be developed.

This review considered the role of the platform owner, including what to expect in terms of
service delivery from IT Solutions and the need to solicit feedback from the wider community
of platform users. It should be recognised that not all platforms are the same size and
process and communication flow needs to be tailored for each platform. The implementation,
support and management of the platforms also needs to consider the overall organisation
wide strategic priorities of sustainability and efficiencies of centralised functions, versus any
business unit driven specific arrangements.

10.1  Business Ownership and Support of a Managed Platform
Many of the disciplines and activities which are listed here are in place now for some
applications and systems. Many of the disciples require skills and experience which currently
sit inside the IT functions.  The intent should not be to re-build capability within the business
units, but to harness the capability within IT and arrange to call on the resources, skills and
experience to committed service levels that meet reasonable and balanced needs of the
business. That no doubt would necessitate compromise.

The following is a high level view of what would normally be expected of a shared platform or
application within an organisation, where multiple platforms are in use across a wide user
community to deliver business outcomes. It is not an exhaustive list, but has been included to
support discussion.
10.1.1 Change Control and Environment Management
As maturity and scale increases there would be the following services and functions required
to sustain the platform:
1.  Basic break/fix support arrangements – assigned individuals who administer the
applications and ensure they are available for use.
2.  Change and configuration management – formal approval arrangements for
acceptance of changes to the applications and systems with planned and controlled
changes being applied to the platform.
Page 36

End User Computing Review Report 2013

3.  Environment Management – assigned individuals who administer the environments
and ensure they are available for use.  Note that this assumes an increase in
complexity and recognition of several environments in the delivery of change and
enhancements into the production environment through at least development and
staging environments. The level at which those staging environments replicate
production will determine the risk and certainty profile of implementations.
4.  Change and Release Management (End to End and Enterprise wide) – this
considers the integration of a number of environments and how change is sequenced
and planned over an extended timeframe.  The outcomes can be used for operational
planning and to inform interdependency management.

At the higher levels there is a need for capacity management across the systems to ensure
that they are capable of supporting the business needs. All four levels may not appear across
the enterprise and if they do may only consider a subset of the enterprise, but as maturity
rises they would be established with environments moving from uncontrolled into controlled
states.

Examples of effective operation would include working to a Calendar of Work (CoW),
supported by a plan of intent (Roadmap) and with close to real time published view of activity
in flight (an operational view of what is happening now to support planned
change/configuration and to establish the capacity to receive change).

10.1.2 Platform Operational Management and Development
Day to day operation and configuration of a business platform would include delegated and
role based administration of user rights and permissions within the platform environment,
where business users can self-manage many of the functions of the platform.

When this is the case there are a number of principles which should be considered:

•  Integration and use of Identity and access management capabilities. This ensures
that capabilities are not unnecessarily reproduced and that organisation wide
principles are maintained. In the practical sense this is likely to enable a single sign
on and authentication experience which makes the platform more user-friendly.

•  Management of shared data sets. As platforms use or build data which may be
shared for a number of purposes there is a need to apply elements of change control
around creation and deletion of data structures. This would ensure good practices
are applied and that data is not deleted by one user if still required for by another.

Page 37

End User Computing Review Report 2013

•  Documentation of the current build to support both operational support and as basis
for future enhancement. This would extent to making appropriate entries into
centrally managed libraries or repositories such as a DSL (Definitive Software Library
or List) or CMDB (Configuration Management DataBase). Documentation also
considers agreed support agreements.

•  Guidelines and standards are applied. These can be through Centres of Excellence,
specialist user forums, or published principles and standards. This might relate to the
application of an appropriate business process or method or be as simple as a
naming convention that is understood across the organisation.  Equally this would
apply to the quality and fitness for purpose of the code that is developed.

In Statistics NZ there are a number of forums and user communities including the SAS
Reference group and Methodological Networks as well as standards and principles which are
referenced in the Enterprise Architecture Blueprint.

10.1.3 Programmes and Projects of Change
There should be a programme of change planned for the evolution of the platforms. In order
to simplify, the focus in this section is on the impact on business as usual support and
operations of the systems and applications:
•  Planning and sequencing of change activity including a method of capturing,
interpreting and communicating the interlock and dependency outputs generated by
the change control and environment functions. This may be achieved by contributing
to a wider integration plan or dependency map that allows an overall view of the
critical path to be established.
•  Business Process improvement and/or Business Analysis input. This captures and
interprets the User and Senior User requirements.
•  Solution Architecture/Design input to consider integration and interfaces for correct
operation and to ensure that future development aligns with target architecture at a
platform level. This needs to consider practical support constraints and lifecycle
costing of maintenance or changes to new technologies.

With planning and sequencing it is likely that there will be a difference between ideal
scheduling to meet business needs now versus aligning with longer term goals. This trade off
needs to be managed and exposed, so that decisions which do not duplicate cost and commit
the organisation to technologies are taken through appropriate governance.

Page 38

End User Computing Review Report 2013

10.2  Platform Ownership Meeting Structure
The Platform Owners forum is just one engagement point.  Before considering its structure
there is benefit in considering the other key stakeholder groups.
10.2.1 Engagement of Key Stakeholder Groups
There should be forums that provide a channel for discussion. The following stakeholder
groups should be involved as required to ensure balanced and informed decisions can be
made:
•  Representation from the Senior User community, where responsible owners of the
business outcomes can represent their requirements and participate and offer their
influence to the priority and sequence of planned changes.
•  Representation from the user community which considers the practical application of
changes in use and day to day operation of the applications or systems. Users can
share learnings, establish day to day needs and raise concerns – this is the voice of
the user community which is then channelled up to the senior user group. This
includes discussion relating to communication and education of the planned changes
at different timelines, considering immediate and long term activity
•  Representation from the IT support wider community to communicate planned
changes that will impact availability of business systems and obtain feedback from
the user community on performance.
•  Representation from Centres of Excellence or best practice. This role applies to
Standards and Methods in the Statistics NZ context, but can also apply to user
communities as representatives of the subject matter area or to the IT support
community to ensure standardisation and reuse of agreed best practice.

Some of the communities may engage informally and outside of formal governance
processes, but should be a means of ensuring that there is a shared and common purpose.
In this case one or more of the representatives should be included in formal governance
processes to ensure that the collective voices of the communities are represented.

10.2.2 Proposed Content for Platform Owners Forum Meetings
After engaging with platform owners, it was recognised that there is a desire to engage as a
community of interest, to share in an open forum, both the challenges that are being faced
and activity which is in flight or being planned.

It should be noted that the preference of several stakeholders is to maintain this group as an
informal forum, which informs other decision making forums. Providing that those participants
recognise the additional role that requires them to play, then this is appropriate and will
facilitate the overall target EA implementation and transformational goals.
Page 39

End User Computing Review Report 2013

The following content/structure is proposed for the meetings:
1.  A channel for the wider business to socialise initiatives that may touch on more than
one business function:
a.  New initiatives that may impact platforms (for example Statistics2020 cross
platform initiatives, Integrated Data leadership, privacy, Government ICT and
AoG initiatives).
b.  Spotlight on specific business initiatives from within the forum membership,
highlighting new concepts which can be leveraged.

2.  Round table programme update in the context of change impact to the business:
a.  What supporting activity is the business doing to get ready for change and
how is change being received by the user community.
b.  What obstacles are being faced, problems/issues that are being managed
alongside the programme and needing support from the business.

3.  Standardisation update (presumes a plan of activity to move towards standardisation
or measurement of standardisation). This would include recent activity and what is
planned next with an overall dashboard approach.

4.  Platform support or service delivery update including a view of legacy activity in flight
and relative cross referencing to each platform, i.e. legacy changes taken place or
planned on a platform by platform basis. This input to the forum may be provided as
a service delivery report or dashboard.

A more in depth service performance forum may exist, however there would be value
in the platform owners being able to consider the implied load and service
performance across the statistics network.

Page 40