Monday, December 6, 2010

Business Analyst Careers - is Industry Experience more important than Analytical Skill?

Business Analysts spend much of their time on business requirements: gathering, understanding and documenting business processes and functions. An analytical mind and thorough information gathering are considered essential; one wonders, though, whether industry experience is a must for good business analysis. After all, if you know the ins and outs of the industry you work in, that's good, right? The answer is "probably, but not always". Why is that?
First, industry experience means less time is spent learning the business environment: the general models the business follows, the regulatory and competitive arena it operates in, and the common terminology. Second, business process flows are easier to understand for someone who has already worked in them. Someone documenting the flow of a financial transaction, say, will be faster if they have already worked in a financial services firm: in the front office, where deals are made; the middle office, where financial and regulatory checks are applied; or the back office, where transactions are processed and settled and exceptions are followed up to closure.
That, of course, raises an interesting question: if a business analyst goes into an unfamiliar environment, how much time should be spent learning the business? Wouldn't that leave less time for the essentials of requirements, elicitation and documentation? And how valuable would all that learning be, anyway? After all, time is money, and with workloads being what they are these days, such knowledge, while good for a progressive and open mind, would be quite expensive indeed, wouldn't it?
The answer depends on the timeframe; it is usually best to get the most important work done first, which may mean skipping a full overview of the business. In a limited timeframe, a "bullet-point" summary may be enough. Asking questions in the right setting is healthy, but learning the basic concepts on one's own time is a better idea: stakeholders have limited time even for requirements, and may not have the patience for an extended basics class. On the other hand, workflows and the reasoning behind them should always be questioned, to extract the maximum value for optimization and better business.
What about the times when it might be beneficial to hire a business analyst who is sharp and curious, but not industry-knowledgeable? When the existing patterns are so constricted and “inside the box” that a fresh perspective is needed, hiring analysts without a lot of presumptions and insider’s knowledge is actually a good idea.
I worked in a firm once where I was asked to interview, evaluate and recommend IT candidates (mostly developers, some analysts). At the end of the face-to-face interview, I would ask the candidate to solve a problem with pen and paper. The rules were clear: no writing code, simply writing out the solution; a diagram was acceptable as long as it wasn't too complex. Additionally, the answer had to be limited to 1 page and be completed in about 30 minutes. I was amazed at how the smartest candidates failed this written "test"; it was actually quite simple, for it did not require deep industry knowledge and did not put the candidate on the spot by testing coding knowledge. I simply wanted to know how the candidate thought about solving problems and whether he or she was able to put it on paper. I often got several pages of answers, written code and requests for extending the time available, though all the requirements for the written test were explained beforehand. Needless to say, these candidates were not hired.
Business analysts, like developers and solution architects, are trained to think logically and focus on specific issues at hand. Once in a while, though, they need to step back, and like a painter evaluating and assessing his painting-in-progress, assess their progress on the task at hand and be prepared to explain it to a wider audience in plain talk. That, in my opinion, is an essential skill of the modern analyst.

Tuesday, November 23, 2010

Secure Hosted systems - a primer

What are secure systems? Basically, per information technology best practices, hosted systems are secured to minimize unauthorized access and tampering. Most people already know about the physical controls on server rooms (or data centers, in larger organizations): card-swipe access only with an approved permit, escort by authorized personnel, access limited to those who need it, and so on.
How about virtual access? To begin with, the systems should be built (not physically built, but initialized and configured by the Systems Administrator; "build" is the common term in infrastructure areas for this process). There should be a SOP (Standard Operating Procedure) for building a server in a networked environment, and it should list all the packages and software that the system must have at a minimum. These include limited access to basic I/O devices, anti-virus and malware prevention, and limited or no insecure clear-text services (FTP, telnet, RSH on Unix systems). Depending on the type of server being built (web, database, application, middleware or other), special packages may be installed; for example, an SSH package such as Tectia SSH might be installed on web servers so that administrative logins do not send user passwords in clear text. If the network or a host is compromised, clear-text passwords are easily captured and reused, and the damage then spreads far beyond the initial break-in.
Additionally, a checklist is often used to ensure that all the above steps were completed successfully; it is signed and dated, on paper or electronically. These checklists are official records and may be requested (demanded?) by auditors.
Hosts (servers) should also limit access to what authorized personnel need to complete specific tasks (and access granted through a configuration management system should require a request with complete details, approved by a manager and by a second group, say, Change Control). Universal access (such as world-writable files and directories) should either not be allowed or be kept to a minimum.
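Two of the SOP items above (no world-writable files or directories, no insecure clear-text services listening) are easy to verify mechanically before the build checklist is signed. The script below is an added example, not code from the original post: it walks a directory tree for anything writable by "other" (skipping sticky-bit directories such as /tmp, which are world-writable by design), and parses "ss -tln"-style output for forbidden ports. The directory tree, the listener table and the list of forbidden services are constructed here so it runs offline; adjust INSECURE_SERVICES to whatever your build standard actually names.

```python
"""Added example (not from the original post): automated checks for two items a
server-build SOP and its sign-off checklist typically cover: no world-writable
files or directories, and no insecure clear-text services listening. The
directory tree and the listener table below are constructed so the script runs
offline."""
import os
import stat
import tempfile

# Assumption: the build standard names these clear-text services as forbidden.
INSECURE_SERVICES = {21: "ftp", 23: "telnet", 512: "rexec", 513: "rlogin", 514: "rsh"}


def find_world_writable(root):
    """Return paths (relative to root) that are writable by 'other'.

    Directories with the sticky bit set (like /tmp) are world-writable by
    design and are neither reported nor descended into; everything else that
    grants write to 'other' is a finding."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        kept = []
        for d in dirnames:
            mode = os.lstat(os.path.join(dirpath, d)).st_mode
            if mode & stat.S_ISVTX:
                continue  # sticky directory: skip it and its contents
            kept.append(d)
        dirnames[:] = kept  # os.walk honours in-place edits of dirnames
        for name in kept + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # a symlink's own mode is irrelevant; its target is checked where it lives
            if mode & stat.S_IWOTH:
                findings.append(os.path.relpath(path, root))
    return sorted(findings)


def insecure_listeners(ss_output):
    """Parse 'ss -tln'-style output and return (port, service) pairs for any
    forbidden clear-text service that is listening."""
    found = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue  # header line or non-listening socket
        port = int(parts[3].rsplit(":", 1)[1])  # Local Address:Port, IPv4 or [v6]
        if port in INSECURE_SERVICES:
            found.append((port, INSECURE_SERVICES[port]))
    return sorted(found)


def build_sample_tree():
    """Construct a throwaway tree mixing compliant and non-compliant modes."""
    root = tempfile.mkdtemp(prefix="buildcheck-")
    layout = [
        ("app/bin", 0o755, True),
        ("app/bin/start.sh", 0o755, False),
        ("app/bin/config.ini", 0o666, False),  # finding: anyone can edit the config
        ("app/logs", 0o777, True),             # finding: anyone can drop or alter logs
        ("tmp", 0o1777, True),                 # sticky: allowed, not descended
        ("tmp/scratch", 0o666, False),         # inside a sticky dir: not reported
    ]
    for rel, mode, is_dir in layout:
        path = os.path.join(root, rel)
        if is_dir:
            os.makedirs(path, exist_ok=True)
        else:
            with open(path, "wb") as fh:
                fh.write(b"x")
        os.chmod(path, mode)  # explicit chmod so the umask does not interfere
    return root


# Constructed sample of 'ss -tln' output: sshd, an FTP daemon, rsh on IPv6, MySQL on localhost.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      5      0.0.0.0:21          0.0.0.0:*
LISTEN 0      128    [::]:514            [::]:*
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*
"""


def build_check(root, ss_output):
    """Run both checks; returns (passed, report) for the sign-off checklist."""
    report = {
        "world_writable": find_world_writable(root),
        "insecure_listeners": insecure_listeners(ss_output),
    }
    passed = not report["world_writable"] and not report["insecure_listeners"]
    return passed, report


if __name__ == "__main__":
    ok, report = build_check(build_sample_tree(), SAMPLE_SS)
    print("PASS" if ok else "FAIL", report)
```

On a real host you would run find_world_writable over "/" (or the application and configuration trees) and feed insecure_listeners the live output of "ss -tln"; the report is what gets attached to the signed checklist, so the auditor sees evidence rather than a tick mark.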
Functional IDs ("DB operator", "SysAdmin1" etc.) should also be allowed minimally or not at all, as they cause tracking and auditing problems: an action by "DB Operator" is much harder to trace to a person than one by "JSmith".
Server logs should also be available, confidential and have data integrity (that is, be neither corrupted nor incomplete) to the greatest extent possible. This is the "Confidentiality, Integrity, Availability" mantra of IT best practices applied to logs. Log backup, retention and retrieval should conform to regulatory and corporate standards as well. (Here's a question: how often are log backups tested, that is, retrieved and checked for completeness, other than during an audit?)
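One way to make the "retrieved and checked for completeness" question answerable on demand is to write a sealed manifest at backup time and verify the restored set against it. The following is an added example, not code from the original post: each log's size and SHA-256 are recorded, the manifest is sealed with an HMAC under a key kept away from the backup media (an assumption of the design), and a restore drill reports anything missing, truncated or altered. The log lines and the key are constructed for the example; logs are held in memory as name to bytes rather than read from disk.

```python
"""Added example (not from the original post): a manifest check for log backups,
so a restored set of logs can be verified for completeness and integrity rather
than assumed good. Logs are kept as name -> bytes here; a real job would read
files. The log lines and the key are constructed for the example."""
import hashlib
import hmac
import json

# Assumption: the manifest key is held separately from the backup media, so an
# attacker who can alter the backup cannot also re-seal the manifest.
MANIFEST_KEY = b"constructed-demo-key-keep-elsewhere"

# Constructed sample logs as they were at backup time.
LOGS_AT_BACKUP = {
    "auth.log": b"Dec  6 04:12:01 web1 sshd[2210]: Accepted publickey for jsmith from 10.0.0.5\n"
                b"Dec  6 04:12:09 web1 sudo: jsmith : TTY=pts/0 ; COMMAND=/bin/systemctl restart app\n",
    "app.log": b"2010-12-06T04:13:00Z INFO app restarted by operator\n",
    "secure.log": b"Dec  6 04:20:44 web1 sshd[2290]: Failed password for root from 198.51.100.7\n",
}


def _serialize(manifest):
    # Canonical encoding so the HMAC is reproducible regardless of dict order.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files, key):
    """At backup time: record size and SHA-256 of every file and seal the
    manifest with an HMAC. Returns (manifest, tag)."""
    manifest = {name: {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}
                for name, data in files.items()}
    tag = hmac.new(key, _serialize(manifest), hashlib.sha256).hexdigest()
    return manifest, tag


def verify_backup(restored, manifest, tag, key):
    """At restore (or drill) time: return a sorted list of problems.
    An empty list means every listed file is present, full-length and unaltered."""
    expected_tag = hmac.new(key, _serialize(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, tag):
        return ["manifest: HMAC mismatch (manifest altered or wrong key)"]
    problems = []
    for name, entry in manifest.items():
        data = restored.get(name)
        if data is None:
            problems.append(f"{name}: missing from restore")
        elif len(data) != entry["size"]:
            problems.append(f"{name}: truncated or padded ({len(data)} bytes, expected {entry['size']})")
        elif hashlib.sha256(data).hexdigest() != entry["sha256"]:
            problems.append(f"{name}: content altered")
    for name in restored:
        if name not in manifest:
            problems.append(f"{name}: not in manifest (unexpected file)")
    return sorted(problems)


def restore_drill():
    """Simulate a retrieval test: one log truncated, one missing, one intact."""
    manifest, tag = build_manifest(LOGS_AT_BACKUP, MANIFEST_KEY)
    restored = {
        "auth.log": LOGS_AT_BACKUP["auth.log"][:40],  # the copy stopped early
        "app.log": LOGS_AT_BACKUP["app.log"],
        # secure.log never made it into the backup set
    }
    return verify_backup(restored, manifest, tag, MANIFEST_KEY)


if __name__ == "__main__":
    for line in restore_drill() or ["backup verified: complete and intact"]:
        print(line)
```

The size check catches the commonest silent failure (a copy that stopped early), the digest catches edits, and the HMAC stops the manifest itself from being rewritten to match a doctored backup; a quarterly drill that runs restore_drill against a real retrieval gives the auditor the answer before they ask.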
Developers' access to production servers or data (DAP) is another area with conflicting demands. Security and compliance policy generally dictates that developers not be able to access production data, but in the real world developers are also in the line of support; often they are the first level of support, especially if the application in question is complex and not yet established. Furthermore, the other levels of support may not have the in-depth expertise needed to solve some urgent production problems. Anticipating this, an "emergency access to production" policy should be ready; at the least it should specify:
·         The process for obtaining emergency access to production servers, data and logs
·         The approval process (be realistic: if an offshore developer needs a senior manager's approval at 4 am EST, what does he do?)
·         Specific, time-bound parameters: for example, "access to production server DBPROD1 is granted for 4 hours from the time of approval" and is limited to viewing specific areas (e.g., "\app\bin\userlogs\")
·         Follow-up: once the issue has been resolved, follow-up communications and resolution items should be handled by the owner of the process in question
One note: the process above should generally avoid listing specific people's names or contact numbers, as these change frequently; an email distribution list with a descriptive name such as "Emergency approvers for brokerage app 1" works better.
Another issue, dealing with privacy and data segregation, is that developers often need large volumes of realistic data to test the scenarios and parameters in their apps. To get it, they sometimes take production data (e.g., last week's brokerage transaction master file). This is a privacy breach and is frowned upon by auditors: a malevolent developer could take a real customer's details and misuse them or send them to a friend outside the firm. Enter data masking (or "data obfuscation") software, often built into or run alongside ETL (Extract, Transform, Load) tools. It takes the data in a specified file and replaces the sensitive fields, so that real names, SSNs and account numbers are substituted with made-up values while the rest of the record, and the relationships between records, stay realistic enough for testing. This may be more suitable for larger organizations, as the cost and complexity of enterprise-level ETL and masking software is high; cheaper alternatives are on the market, though, and are getting better.
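The essential property of such masking, and the one the cheap "replace with random junk" approach loses, is that the same real customer must map to the same made-up customer across every file, or the developers' joins and reconciliations break. Below is an added example of keyed, deterministic masking, not code from the original post or any vendor's product: each sensitive field is replaced using HMAC-SHA256 under a masking key, digits are replaced digit-for-digit so SSNs and account numbers still pass format checks, and non-sensitive fields pass through unchanged. The records, the field names and the key are constructed for the example; the key is assumed to be held by the data-security team and never present in the test environment.

```python
"""Added example (not from the original post): deterministic masking of a
brokerage extract so developers get realistic test data without real names,
SSNs or account numbers. Masking is keyed (HMAC-SHA256), so the same real value
always maps to the same masked value and joins across files still work, while
the masked value cannot be reversed without the key. Records and key are
constructed for the example."""
import hashlib
import hmac
import re

# Assumption: the masking key lives with the data-security team, never in the test environment.
MASK_KEY = b"constructed-masking-key"

# Constructed rows from a hypothetical "brokerage transaction master file".
TRANSACTIONS = [
    {"name": "Jane Smith", "ssn": "123-45-6789", "account": "4000123456", "amount": "1500.00", "trade_date": "2010-11-22"},
    {"name": "Raj Patel", "ssn": "987-65-4321", "account": "4000987654", "amount": "250.50", "trade_date": "2010-11-22"},
    {"name": "Jane Smith", "ssn": "123-45-6789", "account": "4000123456", "amount": "75.25", "trade_date": "2010-11-23"},
]

SENSITIVE_FIELDS = ("name", "ssn", "account")


def _prf(key, label, value):
    """Keyed pseudo-random bytes for one field value; the label keeps a masked
    SSN and a masked account number with the same digits from colliding."""
    return hmac.new(key, f"{label}:{value}".encode(), hashlib.sha256).digest()


def mask_digits(key, label, value):
    """Replace every digit with a key-derived digit, keeping separators and
    length, so the result still passes format checks (e.g. ###-##-####).
    Digit selection is byte % 10, slightly non-uniform, which is fine for
    masking but would not do for a cryptographic token."""
    stream = _prf(key, label, value)
    out, i = [], 0
    for ch in value:
        if ch.isdigit():
            out.append(str(stream[i % len(stream)] % 10))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def mask_name(key, value):
    """Replace a real name with a stable pseudonym derived from it."""
    return "Customer " + _prf(key, "name", value)[:4].hex().upper()


def mask_record(record, key):
    masked = dict(record)  # non-sensitive fields (amount, date) pass through unchanged
    masked["name"] = mask_name(key, record["name"])
    masked["ssn"] = mask_digits(key, "ssn", record["ssn"])
    masked["account"] = mask_digits(key, "account", record["account"])
    return masked


def mask_records(records, key):
    return [mask_record(r, key) for r in records]


def is_ssn_format(value):
    """True if value still looks like ###-##-####, i.e. masking kept the shape."""
    return re.fullmatch(r"\d{3}-\d{2}-\d{4}", value) is not None


def leaks(original_records, masked_records):
    """Return any original sensitive value that survives in the masked output."""
    real = {r[f] for r in original_records for f in SENSITIVE_FIELDS}
    return sorted(v for m in masked_records for v in m.values() if v in real)


if __name__ == "__main__":
    masked = mask_records(TRANSACTIONS, MASK_KEY)
    for row in masked:
        print(row)
    print("leaked values:", leaks(TRANSACTIONS, masked))
```

Because the mapping is keyed rather than a lookup table, the masked extract carries nothing that maps back to the real customer, yet rows 1 and 3 (the same customer) still share one pseudonym, SSN and account number, so a developer's test of "all trades for this account" works on the masked copy exactly as it would on production.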

As networked systems grow more complex, they grow more vulnerable to mistakes and misuse - and the points above are a starting point for securing them.

Friday, November 19, 2010

Capacity Review - IT Assets planning

IT Asset management: one of the core principles of Information Technology best practices is "Confidentiality, Integrity, Availability" (ok, that's three, but they are grouped as one). As business fluctuates and product and transaction cycles speed up ever more, it is important, useful and in the vested interest of IT management to perform a capacity review periodically; given the cost and complexity, an annual review is sufficient in most cases. What exactly is a capacity review? In its simplest form, it is ensuring that IT assets (hardware, software, connected links such as networks and telecommunication access to and from the internet or cloud, and storage) are sufficient to meet peak demand as defined by company policy or best practice. If no such policy exists at your organization, review best practices at similar firms in your industry, define one and seek approval. As an example, one brokerage firm that I worked at had a policy requiring that the main brokerage applications be capable of handling twice the load of the busiest day of the year. So if the servers on the busiest day ran at 45% of capacity for an extended period, then per management's requirement those servers had to be able to work at a 90% load.

One of my roles, in the many hats that I wore, was to do a capacity review for all the distributed applications at the end of the year. To prepare for this, I first went to our metrics site, where I sifted through reams of data on all the web servers, application servers, database servers etc. Then I organized the data into spreadsheets, where I sorted through page views, server resource loads etc. Based on the data at hand, using algorithms developed in-house, and by looking at the back-end (mainframe, database) data and connectivity analysis, I had a map of how much capacity was used on the distributed side and on in-bound and out-bound feeds. That gave us an idea of whether the distributed servers could handle the capacity required for an unusually busy day (think of a very volatile day in the markets: a major business collapse, terrorist attacks etc.). This is only an example from a specific industry, but such capacity reviews are de rigueur in every industry; telecommunications, transportation and retail are some that come to mind.

On the software side, analysts and reviewers can simulate many things; online transaction processing simulation, for example, is common. But it might be more useful to ask about the connectivity: sure, the retail front-end web site can take 10,000 orders a second, but can the back-end handle it? Can the connections for credit checks work successfully and simultaneously at that level? How about order fulfillment: do the fulfillment centers and warehouses have the capacity to handle huge backlogs? If not, or if unsure, how long would it take, and more importantly, can orders be tracked adequately? Can the supply chain handle it? Can it be tested? Has it been tested? If these processes are outsourced, does the vendor make any explicit guarantees in the contractual agreements? How often do they test, and how willing and able would they be to do a simulated test? (Note: these are different from a disaster recovery test, which normally only simulates average loads at a backup site or exercises an alternate way to do the same thing you already do.)

Capacity reviews are also useful in incorporating forecasts into future budgeting and for justification purposes. Additionally, as technology moves forward at an ever faster pace, old IT assets can be updated, upgraded or replaced by incorporating these reviews ("These 25 servers operating at 90% capacity can be replaced with 5 new ones operating at an average of 50% - and a payback period of 1.5 years"). This will also show management that you and your team have done your homework with substantiated facts.

Another way such reviews can assist is in finding underutilized resources, which, at a time of budgetary pressure, comes in handy. For example, for a new application project with a limited budget, I was able to point to underutilized servers (which, of course, I knew of from my capacity planning exercise) that could host the new app. By sharing resources (servers, the existing software licenses on those servers, storage and network charge-backs, as well as backup site servers) costs were mitigated.

Capacity Review is a tool that business analysts and business / IT / process / operations managers can use to plan, streamline and optimize their assets and thereby provide more value to the business.

Project Risk Management: Estimating Techniques

Business-IT projects are often large, complex and very expensive. To ensure that projects come in within budget, many techniques are used to support decisions; here are some techniques for managing risk in business-IT project management:
EMV (Expected Monetary Value, described further below) is used in Decision Tree analysis, which visually maps out the decision paths for an activity. As an example, suppose a project deliverable has two suppliers; any delay in this crucial deliverable costs $1,000 per day in idle resources and alternatives; supplier "A" quotes $20,000 and supplier "B" quotes $22,000; using "A" carries a 10% risk of being 3 days late and "B" a 5% chance of being 2 days late. The decision tree would then look like this:
Supplier Selection
--- Supplier A
      Expected cost of being late: .10 x $1,000 x 3 days = $300
      Total EMV: $20,000 + $300 = $20,300
--- Supplier B
      Expected cost of being late: .05 x $1,000 x 2 days = $100
      Total EMV: $22,000 + $100 = $22,100
Sorry, the boxes didn't copy over from my MS-OneNote - but I think you get the concept.
As you can see, decision trees are very numerical, but in real life numbers don't tell the whole story; perhaps supplier "A" has other benefits such as better support (hopefully that has been factored into the overall supplier risk rating).

Business projects carry risk, for time, cost, scope and quality, but these can all be expressed in monetary terms, for in business everything is dollars (or euros or yen or another currency). Project managers and risk managers need to quantify risks and estimate costs for budgets, forecasts and management reporting. How do they do that? Here are some ways:

SWOT (Strengths, Weaknesses, Opportunities and Threats) analysis is often used to describe, at a high level, the risks faced by a project. Strengths and Weaknesses generally deal with internal, project-specific areas, while Opportunities and Threats are external, market-facing environmental issues.

The risk processes are detailed in the Project Risk Management knowledge area of the PMBOK Guide from PMI.

The risk register is a list of all the major threats to a project; it is an output of the Identify Risks process and is then used as an input to the other processes that further qualify, quantify and assess those threats.

Qualitative and Quantitative Risk Analysis are used to assess the priority, urgency and impact of risks; as with many other things, some subjectivity is involved in judging the probability of a risk. One tool for Qualitative Risk Analysis is the Probability-Impact matrix, which rates each threat on its likelihood of occurring and on its impact if it does. Quantitative analysis then assigns numerical (often monetary) measurements to the threats.

The PERT or three-point estimate is widely used and works this way:
Three estimates, Pessimistic, Optimistic and Most Likely, are gathered from experts, and then a weighted average is taken:

(Pessimistic Estimate + (4 x Most Likely Estimate) + Optimistic Estimate) / 6
Note: the factor of 4 gives the Most Likely Estimate four times the weight of each of the other two in the weighted average, hence the term "weighted".
Example: estimates for a software application range from 10 weeks (Pessimistic) to 7 weeks (Most Likely) to 5 weeks (Optimistic).
So the three-point estimate would be: (10 + (4 x 7) + 5) / 6 => (10 + 28 + 5) / 6 => 43 / 6 => 7.17 weeks.

Monte Carlo simulation is a more complex modeling technique that samples the estimates many times to build a distribution of outcomes, and not one that many business analysts and PMs are likely to have to work through by hand.

Sensitivity Analysis looks at the various project objectives and measures how much uncertainty in each input would affect each objective. Its results are usually displayed as a Tornado diagram, so called because the bars, sorted from widest to narrowest, form a funnel-like shape.

Expected Monetary Value (EMV) captures the cost and benefit of an uncertain outcome, weighted by its probability. As an example, if a person has to pick the winner of a four-way race (assuming all 4 athletes are more or less equal in ability), and it costs $1 to bet with a $2 payoff if he guesses correctly, then the EMV of this outcome could be expressed thus:

1 in 4 chance of winning (25% or .25), 3 in 4 of losing (75% or .75):
(.75 x 0) + (.25 x 2) =  0 + .5 = 0.5 (50 cents)

Net EMV =  -1 + .5 = -0.5 (the -1 is the cost of the bet).

A negative EMV is a risk and a positive EMV is a benefit. However, don't use this as a reason to blow your savings at the casino :).
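The decision-tree EMV, the three-point estimate and the bet EMV above are all the same weighted-average idea, and they are easy to get wrong in a spreadsheet once there are more than two branches. The block below is an added example, not from the original post: it turns them into functions that take any number of suppliers and delay branches, checks that branch probabilities sum to 1, and reports the PERT standard deviation (P - O) / 6 alongside the mean, which is the usual companion to the weighted average and says how much confidence the 7.17-week figure deserves. The figures are the post's own.

```python
"""Added example (not from the original post): the decision-tree EMV, the
three-point (PERT) estimate and the simple bet EMV from this post as reusable
functions, so the arithmetic generalizes to any number of suppliers and risk
branches. The figures are the post's own; the standard deviation (P - O)/6 is
the usual PERT companion to the weighted mean."""


def emv(outcomes):
    """Expected monetary value of a list of (probability, value) outcomes."""
    total_p = sum(p for p, _ in outcomes)
    if abs(total_p - 1.0) > 1e-9:
        raise ValueError(f"probabilities sum to {total_p}, not 1")
    return sum(p * v for p, v in outcomes)


def supplier_branch_cost(price, delay_risks, idle_cost_per_day):
    """One decision-tree branch: quoted price plus the expected cost of delay.
    delay_risks is a list of (probability, days_late); whatever probability is
    left over is 'on time' at zero extra cost."""
    outcomes = [(p, days * idle_cost_per_day) for p, days in delay_risks]
    outcomes.append((1.0 - sum(p for p, _ in delay_risks), 0.0))
    return price + emv(outcomes)


def choose_supplier(suppliers, idle_cost_per_day):
    """suppliers: {name: (price, delay_risks)}. Returns (best_name, costs_by_name)."""
    costs = {name: supplier_branch_cost(price, risks, idle_cost_per_day)
             for name, (price, risks) in suppliers.items()}
    return min(costs, key=costs.get), costs


def three_point(optimistic, most_likely, pessimistic):
    """PERT estimate: weighted mean (4x weight on most likely) and standard deviation."""
    mean = (optimistic + 4 * most_likely + pessimistic) / 6
    sd = (pessimistic - optimistic) / 6
    return mean, sd


def bet_emv(stake, win_probability, payoff):
    """Net EMV of a wager: negative means the bet is a risk, positive a benefit."""
    return -stake + emv([(win_probability, payoff), (1 - win_probability, 0.0)])


if __name__ == "__main__":
    suppliers = {"A": (20_000, [(0.10, 3)]), "B": (22_000, [(0.05, 2)])}
    best, costs = choose_supplier(suppliers, 1_000)
    print(f"EMV by supplier: {costs}; choose {best}")
    mean, sd = three_point(5, 7, 10)
    print(f"three-point estimate: {mean:.2f} weeks (sd {sd:.2f})")
    print(f"net EMV of the $1 bet: {bet_emv(1, 0.25, 2):+.2f}")
```

With the post's numbers this returns $20,300 for A and $22,100 for B, a 7.17-week estimate with a standard deviation of about 0.83 weeks, and a net EMV of -$0.50 on the bet; adding a second delay branch to a supplier (say, a 2% chance of being 10 days late) is one more tuple, not a rebuilt tree.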

Thursday, November 18, 2010

Career Possibilities for Business Analysts-expanding your horizons

Business Analysts define business requirements and the steps and processes needed to define and deliver solutions, especially, but not exclusively, in Information Technology areas. For example, if a business has a complex need, say, for customers to log in and buy items from a catalog that the business is selling, the business analyst would gather and detail all the requirements included in that need, specify the details and drill down to the solution. What follows is a possible career map for business analysts:
You have achieved your short-term BA goals. You want to expand your horizons, see what else is out there, and find out how you can progress in your career, gain knowledge and keep your skills up to date. What are some of the possibilities that won't force you to learn something new from scratch? Some possibilities for career and knowledge expansion in areas related (or of possible interest) to Business Analysis:
Project Management: The PMP (Project Management Professional) certification from the Project Management Institute (www.pmi.org) is valued by many employers. Business Analysts, I believe, are well suited to project management, which aims for successful completion of projects from inception to closing while managing (juggling?) the competing constraints of time, cost and scope. The PMBOK (Project Management Body of Knowledge), which is similar to the BABOK (Business Analysis Body of Knowledge, from the IIBA), is a framework for implementing best project practices regardless of industry or project scope. The concepts used in the PMBOK would be familiar to anyone who knows the BABOK; for example, the processes in each knowledge area have inputs, tools and techniques, and outputs. The PMP certification is valid for 3 years and may be renewed by obtaining training or other credits known as PDUs.

Information Systems Security: The Certified Information Systems Security Professional (CISSP) certification from the International Information Systems Security Certification Consortium Inc, "ISC2" for short (https://www.isc2.org/), is also in demand for professionals working on the security-related aspects of Information Technology, from IT systems architects to developers to audit, compliance and risk managers. The CISSP Common Body of Knowledge (CBK) covers 10 domains: Information Security Governance and Risk Management, Security Architecture and Design, Cryptography, Physical (Environmental) Security, Access Control, Application Development Security, Legal, Regulations, Investigations and Compliance, Business Continuity and Disaster Recovery Planning, Operations Security, and Telecommunications and Network Security. The aim is to instill a comprehensive overview of the various aspects of the IT environment and how they all relate to security and best practices. Like the PMP, the credential needs to be renewed every three years through training, volunteering in ISC2 programs or other related activity.
Some other certifications from ISC2 that may be of interest:

Certified Secure Software Lifecycle Professional (CSSLP): As the name implies, the certification is for those involved in the software lifecycle and is concerned with building security into the entire Software Development Life Cycle. It deals with secure software knowledge in the design, implementation/coding, testing, acceptance, deployment, operations, maintenance and disposal domains.

Systems Security Certified Practitioner (SSCP): According to ISC2, this title is good for Network Security Engineers, Security Systems Analysts and Security Administrators. So Business Analysts who want to learn more about the security area and become experts may consider this.

Holders of the general CISSP described above can also add one of the specializations ("concentrations") below:
  • Architecture (ISSAP)
  • Engineering (ISSEP)
  • Management (ISSMP)
Other certifications currently in demand include:

ITIL (http://www.itil-officialsite.com/home/home.asp) - (Information Technology Infrastructure Library) which is a set of concepts and practices for Information Technology Services Management. It deals with management , delivery and support of IT services to business - which would be ideal, for say, managing a hosting area, data center, software as a service, change management and well..you get the idea.

Certified Information Systems Auditor (CISA) from ISACA (originally Information Systems Audit and Control Association, now known by its acronym only)
For Business Analysts who think they have a knack for probing IT systems and ensuring that processes conform to policies, and who want to pursue an IT audit or compliance career, the CISA might be a good bet.
Other certifications from ISACA in a similar vein include:
  • Certified Information Security Manager (CISM) - for those who design, build or manage IT security programs.
  • Certified in the Governance of Enterprise IT (CGEIT) - for those involved in IT governance.
  • Certified in Risk and Information Systems Control (CRISC) - for those involved with risk assessment/evaluation/monitoring/response etc.
Information on the above certifications can be found here: http://www.isaca.org/CERTIFICATION/Pages/default.aspx

There are many other paths to expand one's career horizons, depending on interest, time and inclination - Solutions Architects, Enterprise Architects, Database analysts and Network specialists are only a few - business analysts, due to the detailed nature of their work, are well positioned to transition or acquire new skill sets.

The emerging field of wireless application specialists (mobile apps and application security: wireless protocols, app security design etc.) is also lucrative. As mobile technology and gadgets (smart phones, tablets etc.) mature, more business functions will add mobile functionality.

If there are other interesting accreditations, certifications or knowledge programs that I have missed, I would love to hear about it…Thanks
HS.