optima have joined forces with Simula Research Laboratory, Norway, and, with additional support from the University of Cambridge Judge Business School, are carrying out research into the characteristics of successful projects – and we need your help.

One size doesn’t fit all when it comes to maximising return on investment in IT for our clients, but we do believe there are certain practices that lead to better outcomes.

We continually apply the learning from our engagements to the benefit of our clients. This marks the first of what will be an annual survey to more formally capture the relationships between practices and different measures of project success.

We are interested in experience (as client or provider) on business transformation projects, which include an IT element and were completed (successfully or cancelled) more than six months ago. 

Please follow the link below to take the survey. It should only take 10-15 minutes, and answers will be completely anonymous. There will be a separate opportunity at the end to register your interest in receiving the results.




No, not the lottery I’m afraid. The recent data breach at the NCT goes to highlight once again that SMEs should take Cyber Security seriously.

It is easy to think that only banks or organisations with ‘valuable’ data are at risk. But as the NCT breach demonstrates, the organisation itself isn’t always the main target. The prize could be access to other services where your customers have reused the same login credentials or potentially a more convincing phishing attack on your customers, based on the data that has been stolen.

Increasingly, an SME with poor security and a list of customer email addresses and other details is a much more attractive Cyber Crime opportunity than a well defended larger organisation.

So SMEs need to take Cyber Security seriously, but this is not a counsel of despair. Start by getting some basics right.

  • Install software updates promptly
  • Install Anti Virus on company machines and keep it updated
  • Use strong passwords: 8 or more characters, including capitals, numbers and symbols
  • Delete suspicious looking emails
  • Train staff and raise awareness e.g. highlighting what phishing emails look like
  • Issue an internet use policy to staff, making it clear what types of sites can and can’t be visited from work devices, what files and software can be downloaded
  • Put in place a backup process to protect your assets should disaster strike

That’s not a long list to get the basics right, and they are pretty simple things to do even for an SME with a tight budget.

The next step is to take a simple and structured risk management approach to understanding risks to your business and how to manage them effectively.

  1. What assets do you have that could be at risk?
  2. What is the threat and what form could it take? E.g. theft or damage; from criminals or accidental/deliberate action by employees.
  3. What would the impact be and what is the likelihood?
    • You can consider this qualitatively with a scoring system – high, medium, low.
    • Or try to quantify the asset value (AV), the exposure factor (EF) – e.g. damage would cost 50% of the asset value – and the annual rate of occurrence (ARO) – the likelihood of this happening in a given year – to get an annual loss expectancy (e.g. £100,000 AV x 50% loss EF x 10% ARO likelihood per year = £5,000)
  4. Rank risks to create an ordered list for actions to improve the protection of certain assets.
    • In the example above the calculation suggests it is worth spending up to £5,000 to protect that asset and no more. 
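
The four steps above as a small risk register, added here as an illustration and not part of the original post. Only the first row's figures come from the text; the other assets, the control_cost field and all function names are assumptions made for the example.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Risk:
    asset: str                # step 1: what could be at risk
    threat: str               # step 2: the threat and its form
    asset_value: Decimal      # AV, in pounds
    exposure_factor: Decimal  # EF, share of AV lost in one incident (0 to 1)
    annual_rate: Decimal      # ARO, expected incidents per year
    control_cost: Decimal     # proposed yearly spend on protection (assumed field)

    def __post_init__(self):
        # Reject inputs that would silently produce a meaningless ALE.
        if not Decimal(0) <= self.exposure_factor <= Decimal(1):
            raise ValueError(f"{self.asset}: EF must be between 0 and 1")
        if min(self.asset_value, self.annual_rate, self.control_cost) < 0:
            raise ValueError(f"{self.asset}: negative value in risk entry")

    @property
    def ale(self) -> Decimal:
        # Step 3: annual loss expectancy = AV x EF x ARO
        return self.asset_value * self.exposure_factor * self.annual_rate


def rank_risks(register):
    """Step 4: order risks by ALE, largest expected yearly loss first."""
    return sorted(register, key=lambda r: r.ale, reverse=True)


def review_spend(register):
    """Flag proposed controls that cost more per year than the loss they address."""
    return {r.asset: ("within ALE" if r.control_cost <= r.ale else "exceeds ALE")
            for r in rank_risks(register)}


D = Decimal
# Constructed register; the first row uses the figures from the text above.
REGISTER = [
    Risk("customer database", "theft by criminals", D("100000"), D("0.5"), D("0.1"), D("3000")),
    Risk("office laptops", "accidental damage by staff", D("20000"), D("0.25"), D("0.5"), D("4000")),
    Risk("finance file server", "deliberate action by an employee", D("60000"), D("1"), D("0.2"), D("6000")),
]

if __name__ == "__main__":
    verdicts = review_spend(REGISTER)
    for r in rank_risks(REGISTER):
        print(f"{r.asset:20} ALE GBP {r.ale:>9,.2f}  control GBP {r.control_cost:,}  {verdicts[r.asset]}")
```
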

It seems that Cyber Security scares have a tendency to make SMEs stick their heads further into the sand. Following some of these simple steps can significantly reduce the risk to your business, your customers and your reputation.


Well yes, but only in and on their terms. 

What CEOs all care about is maximising returns on their IT investments, or in some cases minimising their spend on IT (this latter might be short sighted but I’ll return to that in a minute). To do so requires prioritisation of IT spend.

In my experience, no one has ever come up with a silver bullet for this prioritisation. I’d suggest there isn’t a specific one that suits all, because your IT priorities have to be tied to your organisation’s priorities. (I’ll post on a few frameworks for structuring priorities here soon). Indeed why should IT spend be any different to other business functions in this respect? Sales priorities directly align with your agreed business priorities, as does your spend on marketing.

Where IT differs is that whilst many organisations work hard on their business strategy in relation to sales and marketing, aligning IT strategy to business strategy tends to rely on the quality and resolve of your IT team!

A good IT team can use the concepts of Enterprise Architecture in a way that suits their organisation and budget (more on this in future posts), but all the time with a focus on prioritising and delivering the right IT, aligned with, supporting and even enabling organisational strategy.

And if the CEO believes they should be minimising spend on IT? Absolutely, this is a valid IT strategy that suits some organisations at some points in time. But it should be made as a result of alignment, knowingly. Ideally as part of setting out an IT roadmap (including IT Security choices), using just enough Enterprise Architecture to explore the best alignment. I’d suggest that in most cases, that alignment will see appropriate, prioritised IT spend managing risk, delivering bottom line benefit and offering significant ROI.


So, a CEO should care about Enterprise Architecture on their terms – as alignment with their strategy – and in their terms – as a mechanism for this alignment, used by their IT team, and available as a one pager for them to dip into as and when they want. 


See how optima can help with IT Strategy, Enterprise Architecture and IT Leadership Coaching under Services.