The time has come to raise awareness of IT governance issues surrounding the Lotus Notes application platform, one of the most popular collaboration tools in history. Tens of billions of dollars have been spent worldwide by corporations on this asset. Governance issues need to be addressed now.
Firstly, to be clear on what we mean by governance, some definitions from a recent Gartner white paper: IT governance specifies decision-making authority and accountability to encourage desirable behaviors in the use of IT. Teamstudio believes the corollary to this is: Successful IT governance enables managers to deliver efficient, cost-effective IT that aligns with your business needs within acceptable risks and in compliance with corporate policies (including those on compliance with external regulation).
Let us now put this into the context of the Lotus Notes world.
Lotus Notes: The Good, The Bad & The Ugly
Well, the good news is impressive. The platform offers flexible, effective software for email, calendaring, group scheduling, and managing data. The self-service nature of Notes enables any user to build their own business applications quickly, often within weeks rather than months. The platform is feature-rich, allowing surprisingly sophisticated applications to be built and deployed.
Here are two remarkable examples:
A major retail organization employs a Notes application to process 3000 employee requests daily for everything from office supplies to vacations. Once the request is submitted, Notes handles the workflow required for management approval and even goes as far as placing orders for items like office supplies automatically upon request approval.
A major auditing organization employs Lotus Notes to electronically manage audit working papers from one year to the next. In addition, audit reviews by managers can happen off site, increasing the efficiency of the whole audit process. Technically, the developers of the application have to roll out up to 30 templates with the proper configuration for different countries and languages to 30 servers worldwide.
Exciting as these stories are, sadly, as with all IT, there are some downsides. Firstly, the infectious nature of Notes means that proliferation has gone unchecked. Secondly, business-critical applications are being built with no or minimal application lifecycle processes. Finally, the Lotus Notes environment is the only development platform at an enterprise level that offers minimal automated process controls, limited security reporting, weak usage reporting, and no source code and version control.
These downsides have grave implications for the platform. Before exploring some solutions, let's be clear on the implications of doing nothing.
Security Control Compliance Efficiency
The Wild West: Lotus Notes without Governance or Control
Lotus Notes is easy to use and allows rapid application development, but very few organizations know how many applications are in place, where they are, or what they do. Further, changes to applications are made ad hoc and often directly in production, with no accountability.
Here are some of the possible corollaries of this lack of control:
- Lack of automated processes leads to errors and bottlenecks
- End user satisfaction from the application is weak
- Change requests are not turned around quickly by development
- Costly downtimes happen more often
- Developers struggle to work as a team with no version control system
- Regulatory audits are time consuming, lack automation, lack audit trails and are costly
- Lack of global visibility into security & ACL settings across the entire enterprise increases risk
This leads to wasted resources, wasted space, and wasted opportunity for business benefits. Ultimately the potential ROI from Notes will not be achieved, which sadly causes management to consider other platforms. However, given the cost of rip-and-replace strategies, the only sensible option is to establish a fresh policy for your Lotus assets.
Bringing Lotus Notes out of the Wild West
We are at an interesting inflection point with the Lotus Notes platform. With Notes 8, IBM has made a significant investment to place the platform on a bed of Java, the Eclipse platform. The launch of Lotus Notes 8 introduces composite application capabilities to Lotus Notes environments. Enhancements to web services capabilities will form part of the new rich feature set. Data provided by Lotus Notes applications will become exposed to other business processes and applications, increasing business risk. This new power brings with it new responsibilities.
However, before exploring possible policy changes and new practices, let’s be careful we execute with balance.
Great development work is completed with talented developers without serious control, roadblocks, frameworks, and policies.
On the other hand, nailing all processes down with highly comprehensive controls, checks and balances, especially automating those controls, is not a bad thing either. We need to find a way in each environment, whether that’s a bank, a pharmaceutical group, a software house or a government department, to fan the flame of innovation whilst keeping IT governance policies at an acceptable level.
CIOs need to sit down with their management teams and execute a policy of bringing order to the Lotus Notes asset but with a sensitive touch to the issues in that particular environment. In this spirit we would suggest that a health check will be needed of existing applications before they become exposed to the bigger IT world.
As part of this policy of bringing order, a first step on the way is a health check of existing policies and practices. Ask yourself: does my organization have Lotus Notes application lifecycle policies on the following?
- Collect and document requests
- Validate and authorize requests
- Prioritize requests and issue work order
- Analyze requirements, assess security, business, and other implications
- Decide development strategy
- Create functional and user acceptance tests
- Authorize and issue instructions
Development Environment Policies
- Coding practices
- Source code control
- Version management
- Unit testing
- Functional testing
- User acceptance testing
Production Environment Policies
- Security management
- User management
- Application inventory & usage management
- Data management
- Agent management
- Server & domain consolidation
- Domino upgrades
Only by establishing best practice policies consistent with established industry IT governance frameworks (ITIL, COBIT, ISO 27001, etc.) can an organization bring essential control and order to this great collaborative platform called Lotus Notes. By executing these policies with precision (using automating technologies) you will allow developers and administrators to build Lotus Notes applications, secure in the knowledge that control, compliance, efficiency and security are integrated into the application.
Governance isn’t optional … it’s imperative. It is clear that professional managers recognize the business benefits of being in control of their IT assets, including:
- Making sure IT is aligned to your business needs
- Delivering IT the most efficient way possible
- Managing risks at an acceptable level
- Complying with external regulations
All this will be achieved through leveraging existing IT assets … so organizations need to bring control to their software assets and applications. Without IT governance, Lotus Notes loses credibility within the wider IT world.
IBM is making a serious commitment to the Lotus platform. Notes 8 will be a paradigm shift compared with previous versions of the platform. Investing in the correct level of IT governance now is essential. Creating a robust enterprise platform is not only possible but essential. There is urgency to this matter. Before you plan your Notes 8 upgrade, take a step back and consider all of your Lotus asset management issues. Now is the time to assess your existing strategy. Exciting new levels of cost-efficient collaboration are coming to the platform, but they need to be harnessed to be effective.
Ian Smith is president of Teamstudio, Inc. His experience has been gained over the last 25 years building both private and public corporations, mainly in the IT sector. He has worked at senior management level with Thomsons, the Canadian publishing giant, Mercury Asset Management, and Capita, the European outsourcing group.
Since joining Teamstudio five years ago, Ian has broadened Teamstudio's technology beyond its core tools expertise into advisory and configured software work. Educated in Scotland, he holds degrees and professional qualifications in economics, marketing and finance.