The last Blackberry user
For years, I have had a few old Blackberry shares in my portfolio, which I have kept for sentimental reasons. It reminds me of the good old days when smartphones stood for the beginning of a new era in collaboration, information and innovation. Blackberry was one of the most important players in the market as a device manufacturer until the iPhone came along and Blackberry's business model crumbled like an old rusk.
Needless to say, the share price plummeted and no longer had any monetary significance for my portfolio. In 2011, Blackberry controlled 20% of the global smartphone market and 50% of the US business. The business model was predominantly focused on hardware sales, software was important but played a subordinate role. By 2016, the business model had eroded to the point where smartphone production was discontinued and sold to TCL. What remained were a number of software patents and ideas about what to do with what was left of the company. This is usually the point where companies involuntarily have to critically question and rewrite their business strategy.
BUSINESS INSIDER How BlackBerry went from controlling the smartphone market to a phone of the past Alexandra Appolonia, 21. November 2019 |
When I looked at Blackberry's share price again today, I was surprised to see it galloping into the green with double-digit percentage gains. What happened, had Blackberry won some patent litigation and received several hundred million dollars in damages again and the bull run is quickly coming to an end?
UKDISS.COM Core Value, Mission, Vision - BlackBerry is “no longer just about the smartphone, but the smart in the phone.” John S. Chen, 09. December 2019 |
The article gives an exciting SWOT analysis of how Blackberry has realigned itself as a software company. Blackberry has adjusted its business strategy to focus on a consistent digital strategy. A key element of the strategy is the ability to develop good software. One element of this is BlackBerry QNX. This is a proprietary POSIX-enabled unixoid real-time operating system that can be used as an operating system for vehicles and is now installed in more than 175 million vehicles.
AWS FOR INDUSTRIES AWS and BlackBerry QNX join forces to accelerate auto innovation with BlackBerry IVY, a new intelligent vehicle data platform David Mifsud & Brett Francis, 01. December2020 |
In addition, a strategic partnership with Amazon AWS was announced last year and the new Blackberry IVY platform was promoted. Based on QNX and IVY, connected vehicles become rolling IoT devices that can form the basis for new IoT use cases for car manufacturers. With IVY, a global, scalable, cloud-connected platform has been created that can cover a wide range of scenarios and meets high security standards. Operating system updates can be rolled out, the available database provides the basis for training models for autonomous driving, optimising the driving experience or driver information that can be pushed in real time depending on location, weather and other environmental conditions.
To turn back to the stock market price, the market seems to be honouring the change in business strategy and the resulting business cases. Whether it bears fruit financially will be seen in the next few years. But it shows that the right business or digital strategy can lead a company from ashes to phoenix, but also that it takes four to five years for a new strategy to have a noticeable impact.
Internal audit and the audit of the IT strategy
What I am asking myself here, and now I am taking off my investor's glasses and putting on my audit glasses, is the assessment and audit of the IT strategy or the business strategy as a whole a field for internal auditing? My experience is that strategic topics are an area that internal auditing usually gives a wide berth to, even if there is a high degree of uncertainty for the board of directors about the direction that digitalisation is taking. The current environment shows that we are living in a time of disruptive transformation and not incremental change.
The pandemic has proven to be a catalyst for digitalisation. The CIO and the IT department have been able to demonstrate their leading role in the management of the COVID 19 crisis. Their main merit was to support the business by promptly adapting and scaling up the infrastructure or providing new digital or remote services. The digitalisation+pandemic in particular has ensured that the CIO no longer has to sit at the management's cat table, but instead plays a formative and supporting role in the company. Digital tools are gaining.
Companies are required to review their strategy and pursue a digital roadmap. These developments and the digitalisation of business processes require a strong link between IT and business strategy. Many organisations struggle to combine the two effectively and, above all, consistently. Often there are organisational and cultural differences. There are barriers to effective engagement between IT and the business functions, driven in part by a traditional mindset. But a good strategy is a catalyst for business development, contributing to competitive advantage and innovative customer offerings. And this is where internal audit can play its part. Internal audit can play a role in demonstrating the robustness and completeness of the approach around digital strategy implementation.
What speaks against an audit of the IT strategy by the internal audit department?
Since the audit usually tends to be critical, I first list all the reasons against including an IT strategy audit in the audit plan and try to find counter-arguments.
The time - is never actually correct in the revision. Does one come at the end of the strategy cycle, during the elaboration phase or after approval by the management. No matter when, the timing is by definition not appropriate and should therefore not matter.
The Knowhow - An essential prerequisite is that internal audit is fundamentally able to assess overarching risks and challenges. This requires a strong understanding of both IT and business strategy, a perspective on the complexity of the existing IT environment and knowledge of possible emerging technology trends. All elements that require a great deal of internal audit maturity. At this point I always casually interject, if an auditor can do this, why does he work in internal audit? I then recommend the involvement of experts who have gained experience in strategy definition themselves.
Framework and structure - The advantage of a good framework is its comprehensive mapping of a subject area. Based on a framework, the audit areas can be narrowed down and sharpened. Which areas are not relevant and for which ones the answers are rather vague. I will go into the framework later, but in principle there should be a workshop at the beginning of the audit in which the areas to be assessed can be sharpened.
Architects and architecture - In times of high technology frequency, many companies find it difficult to establish suitable architecture governance. One minute Kubernetes is the latest hype in the cloud environment, the next Gartner is adjusting the technology map and putting new topics on the trend radar. And the golden rule applies: two architects, four opinions and seven approaches. How is one supposed to arrive at a good audit opinion here? However, the complexity and the historical ballast that is dragged along place high demands on the organisation and generate high costs of legacy clean-up, any nuclear power plant operator will nod sympathetically. "Is the issue of legacy management sufficiently reflected in the strategy?" is a key question that needs to be challenged in an audit.
Agile transformation - Many companies are moving from agilising individual IT processes to agilising the entire IT organisation and parts of the business. The process is painful, lengthy and changes the company very quickly. Existing governance structures rapidly disintegrate on contact with agility. Governance in the agile context requires the experience of internal audit, here the added value from the audit can be more noticeable.
The audited organisational unit - The development of the IT strategy usually takes place directly or at least very close to the CIO. With findings and criticisms here, one moves through a corporate policy minefield, whereby as an auditor one sometimes has the feeling that someone has strapped the mines to the backs of euphoric meerkats during mating season.
In order not to let an audit become too large and to deal with manageable audit areas, different audit approaches are possible, e.g.:
- reviewing the strategic direction of IT and its alignment with business objectives.
- the review of the processes for updating the IT strategy
- The dark side: Shadow IT identification and assessment
1. Review IT strategy and alignment with business objectives
In many cases, too high business expectations of digitalisation put pressure on CIOs to act quickly and lead digital transformation initiatives. The danger here is that these programmes react to the market without having taken integration with the existing technology stock into account. Laying the right foundations, such as addressing existing technology vulnerabilities, before embarking on such initiatives would be key to success and to avoid unnecessary complexity that would increase the risk of the entire enterprise.
The appropriateness of the strategy itself, as well as the timeliness and maturity of related control frameworks and implemented governance practices are also key areas on which the audit can take a stand. The prerequisite is a framework that can cover a broad range of strategy elements.
A comprehensive assessment of all elements is a great challenge for a revision. Therefore, we recommend a workshop to sharpen and highlight essential elements. This helps to identify blind spots or less relevant elements. In terms of audit methodology, the elements in scope can then be deepened with structured interviews and or survey-based. Eraneos uses the Audit 360° method for this purpose to obtain a cross-organisational picture.
Based on the framework, quantitative assessments of the individual dimensions can be used to determine the current situation and specific focus topics. Based on the findings of the maturity analysis, SWOT analyses can be carried out and weaknesses of individual elements can be identified.
2. Review the processes for updating the IT strategy
If the strategic considerations have not been questioned for some time and the impression arises that the associated facts no longer correspond to reality, a review of the updating processes is a test option. A review of current plans to refresh the IT strategy needs to take place at an appropriate time, especially in light of changes in the broader market and operating environment (end of cycle of the strategy, parting of the ways of the company). Particular attention should be paid to how the IT strategy is synchronised with the business strategy and whether existing governance structures are considered as part of the refresh.
In particular, disruptive approaches that influence traditional IT operating models, such as cloud migration and the introduction of DevOps operating models or an agile transformation of the entire (IT) organisation have a high risk potential. Robust IT governance arrangements that include efficient resource and vendor management, contingency plans, active legacy management, robust policies and operating procedures should be part of the strategy update.
3. Identification and assessment of shadow IT
We are entering the dark side of (audit) power, because here the meaningfulness of the IT strategy is assessed by determining which evasive moves the business is making and which means and methods are used to circumvent the strategy in the organisation. The prerequisite here is also a very good knowledge of the organisation and the IT landscape in order to identify elements of shadow IT. A good approach is the cost analysis to see which (additional IT costs) are incurred in the business areas.
Conclusion and a few questions
So what to do? Is the audit of the IT strategy or the business strategy an issue for internal audit? Questions for my peers:
- Should IA review the IT strategy?
- When is the right time for the review? At creation, after approval or in the middle of the strategy cycle?
- Has anyone had the experience of the CIO himself approaching the IR with a request for an audit?
- Who of you also still has Blackberry shares?