Uncover a New ITAM Risk Management Framework with ABB & Anglepoint

Anglepoint: Welcome to our 4 Steps to ITAM Risk Remediation with ABB and Anglepoint. We’re so happy to have you all joining us today. I’d like to introduce Sarah Marriott, who is a director here at Anglepoint. Sarah, thank you for joining. And one special shoutout to her is that she recently won the ITAM Review’s Consultant of the Year award. So, I’d like to welcome her and go ahead and pass it on to you, Sarah. 

Sarah Marriott: Thanks so much, Kirsten. I appreciate the shoutout, and thanks so much for joining, everyone, and welcome to our very special webinar for today: The Four Steps to ITAM Risk Remediation. 

I’m particularly excited about this webinar because it hits at the crux of everything that we do in ITAM. How do we make sure that our recommendations—remediating risk and realizing those cost savings and avoidance—actually lead to action? How do we ensure that someone does something about it and that the recommendation is followed through? 

I’m sure we’ve all experienced frustrations at different times where risks are raised and nothing happens, or no one’s read it, let alone done anything about it. But today, I will be talking to two wonderful people from ABB, Hery and Andrzej, about how we have partnered to overcome some of these challenges and enacted real change at ABB. 

Hery, do you want to go ahead and introduce yourself? 

Hery Rason: Yeah, sure. Good afternoon, everybody. I’m a Senior ITAM Manager or IT Asset Management Global Lead at ABB. I’ve been with the company for about eight or nine years, but I’ve been in the ITAM space for over 15 years. And with us today is Andrzej. I’ll let him introduce himself. 

Andrzej Skrundz: Hello everyone, I’m Andrzej, I’m from Krakow, Poland. I’ve been with ABB for almost two years. I’m the Process Manager for the Discrepancy Process at ABB right now, and that’s what we’ll be talking about today. 

Sarah Marriott: Wonderful. Well, thanks so much for coming along and sharing your insights with our audience today. 

We’re going to first talk a little bit about the context of the ABB and Anglepoint partnership. We will then do a deep dive into the process itself and talk about the impact and some of the results since implementing that risk remediation process. 

So, starting from the beginning, Hery, this all started much earlier when you first joined ABB. When you first built the SAM program, what was the primary reason, do you think, that executives gave the green light to engage with Anglepoint to have this much broader SAM managed service program? 

Hery Rason: So, there is a skill set in your company or ABB, or with our friends on the line, whether they are from France, Spain, Poland, or Switzerland. In your company, when you assess what skill sets you have, you can only go so far. 

Then, when you look at your software asset management or your hardware asset management, you realize there’s more to it than the skill sets you currently have. As competent and excellent as your internal colleagues are, there is an overwhelming amount of information to analyze and understand. This is where services, such as those provided by Anglepoint, come into play. 

In a sense, you’re not just buying a service, you’re buying time because you don’t have the time or the skill sets to develop everything in-house, yet you’re under pressure. There’s that pressure: we’ve got to deliver, but if we don’t have the skill sets, we need to find a different way of doing it. 

So, the journey starts with you, as SAM practitioners or IT asset management practitioners, looking internally to see what is most important and whether you can deliver with the skills you have. Once we did that assessment, we had to look outside because we didn’t have those skill sets. 

Sarah Marriott: I think the most common response we get from clients is around capacity and also the specialist expertise that our teams have. The way we try to approach things is with a partnership mindset. It’s like we’re embedded in the team, and it’s really lovely watching presentations where people don’t know who is from ABB and who is from Anglepoint. 

We’re just one team trying to push forward and improve SAM maturity by remediating risks, realizing those optimization opportunities, and everything else. When we first came on board, quite a few changes were happening at ABB, one of which was the introduction of what’s known as “The ABB Way.” 

Essentially, this is where the operating model changed from being centralized to being very decentralized, with the business areas and divisions now having full power to make decisions about their business strategy, along with full P&L responsibility. The role of the global ITAM team as a central function changed from being decision-makers to becoming enablers, making sure that the business areas had all the information they needed to make decisions for their area, division, or country. 

Crucially, if they decided to accept certain risks, that was their decision to make. They had the authority to make those decisions. So, Hery, when The ABB Way first came into place, I think this is relevant to many on the call today because there is that trend across industries globally toward decentralization. What was the most challenging part from your perspective in your approach to working with the business in line with The ABB Way to remediate risks and enact change? 

Hery Rason: Yeah, so, one of the biggest challenges we faced, given the size of ABB—we’re in over 40 countries, with four different businesses, and more than 105,000 employees (at one point, we had over 130,000 employees)—was managing over 200,000 devices. When it comes to IT asset management, specialists and practitioners start with governance—corporate governance and policies. 

As we were going through the journey of understanding and embedding The ABB Way within our teams, we also had to develop a corporate procedure that aligned with and was linked to The ABB Way. This meant determining how we would manage our assets, reduce our risks, maximize opportunities, deploy methodologies, and train people so they could manage asset management at their level based on their responsibilities. 

So, not only did we need to establish a governance approach, framework, and processes, but we also had to be able to roll these out and explain them to our colleagues. We needed to make it flexible enough so that, from a corporate view, the model worked across the board, but from a business or country view, the model worked for them, aligning with their specific needs and resources. 

You don’t have to over-engineer or over-complicate everything. The idea is to roll out a process that works for software deployment, audit defense, measurement, and optimization—processes you’re all familiar with, like EOPs and Rovers, which we’ll discuss more later with Andrzej. 

As we became more familiar with these processes, our colleagues in the businesses and countries also became more familiar, so they could manage their operations locally. They could replicate what had been done at the corporate level but applied to their specific business or country area. 

This allowed us to act as high-level consultants who could assist with request processes, audit defense mechanisms, and optimization paths, given that we have skill sets that are often beyond average, and sometimes significantly above average. 

And that’s been our journey. 

Sarah Marriott: All right, so now let’s get into the details of the four steps to ITAM risk remediation. I’m going to walk you through what this process looks like, and then Andrzej will jump in with his parts of what he manages. Throughout this, there are parts that Anglepoint will deliver, and there are parts that ABB is responsible for managing, but we’re always in lockstep, helping each other to ensure we can move forward. We use this framework at Anglepoint for all of our managed service clients as part of our continuous service delivery, but of course, each client has its own nuances, which is why we’ll show you how Andrzej manages this for ABB in just a second. 

At a really high level, if we zoom out, we measure and deliver a risk and opportunity assessment report. These risks are registered and prioritized by the steering committee in the internal GRC tool. In parallel, we have all the details related to these recommendations registered in Elevate, where we track them on a regular basis. 

We upload all the necessary details, segmenting them by business area, including device names and other critical information. This allows us to move forward when it’s time to do the next report, which may have different frequencies depending on the deliverable. For example, IBM might be quarterly, Microsoft user profiling might be monthly, a Green IT report could be every six months, and OpenText might be yearly. It depends on the client’s priorities. We can then measure changes and celebrate the collaborative wins that the team has achieved since the previous report. 

We dive into the next level of detail, which starts with the initial Effective License Position or whatever report it happens to be, and the risk and opportunity assessment report. At Anglepoint, the report captures the summary financial values and the detailed, actionable recommendations. We collaborate with our clients to take those numbers from potential savings to realized cost savings and cost avoidance. It doesn’t really matter what type of report this is—while most often it will be the publisher ELPs, it could also be a SAM tooling report, Green IT, FinOps, or ITAM program transformation deliverables. 

The key point is that the report contains actionable recommendations for our clients. After that report is delivered, Andrzej will review the PowerPoint and register these risks into the GRC. 

Andrzej Skrundz: Of course. 

Andrzej Skrundz: Based on the information I have from the report, I always meet with the GSAM, who has a good understanding of what’s happening and can give me some insights. We always try to collaborate. We also invite Anglepoint to join the meeting if they have additional input. I then enter the risk into our GRC tool. It’s grouped by the vendor, and for each vendor, there might be multiple scenarios or just one, based on the report findings. Each scenario includes details about the problem, what’s going on, the issue, and the risk statement. There is also information about which business area is most impacted—it might be one or more, as ABB is decentralized, so it’s not always obvious which one it is. 

We determine the priority based on the financial impact, the likelihood (what are the chances of this risk occurring), and the velocity (how fast it could affect us). Based on these three factors, I determine the priority of the scenario. Of course, we treat every scenario as important, as we want everything to be clean, but there are larger and smaller risks to consider. 

For each risk scenario, we have a response plan. Based on the recommendation from the report (which is attached to each risk), we have a response. There might be multiple responses. A response is basically how we will manage the risk—it’s the task that needs to be done to mitigate the risk. Each response is attached to each scenario, and that’s how we manage it. We determine a due date and assign the task owner who should be responsible. 

I then track the progress of the response—is it in progress or implemented? We meet on a monthly basis to track the responses. It depends on the risk, as each risk might be different. Some might be contractual, requiring action within a month, so we need to address it accordingly. It’s not something where we can just say, “Each month we check this and that.” Each risk is different. 

That’s how it looks in the GRC. And of course, we have the tool provided by Anglepoint, which is Elevate. In Elevate, it’s much more complex and detailed. As Sarah mentioned, there are many more tasks in Elevate, because the GRC tool handles high risks, while Elevate manages both high and lower risks and is used more for tracking purposes. In Elevate, Anglepoint creates tasks for us after each report. During our meetings, the GSAM and I address those tasks, ensuring they are assigned to the right people, whether from the business, infrastructure, or other teams. 

We set due dates, and I track the progress of those tasks—I’m sort of a “policeman” here. We send notifications, track progress, and escalate to the business if needed. 

Andrzej Skrundz: That’s how it works in Elevate. We share files and notes, constantly tracking progress. When the risk is remediated and the task is done, we close the task, but only with evidence of what has been done. If the task has not been completed, we don’t close it. If any files need to be shared, we share them in Elevate as well, so there is evidence. Anyone can check if the task was truly completed as expected. Afterward, in the next report, we will see a note indicating that the task was completed, and the risk will no longer appear. That’s the ultimate proof that the work is done. 

Sarah Marriott: That’s what we’re all trying to achieve. 

Yeah. 

Sarah Marriott: So Andrzej, you’re essentially Mr. GRC man. I say that as a joke, but we do call you that sometimes because you’re overseeing all of the risks that are registered from a GRC perspective. And you’re right, you know, our reports might contain non-financially based recommendations—things like we need to have a product owner for this workstream, or we need to do X, Y, Z to best prepare for the next contract negotiation. That’s not necessarily a risk that should be registered in GRC, but it’s something we want to track and make sure is managed through to closure. 

That’s where we use Elevate for everything, and we use the GRC tool for those higher-impact items. So, going back to the GRC—who at ABB has access and visibility to GRC? Who else is looking at the tool? 

Andrzej Skrundz: Management, higher management. Basically, everybody can have access if they ask me, but they should not be tracking it. And of course, I will not give access to everybody, but the GSAMs also have access to it. They can track it, see what’s going on, but they cannot make any changes. That’s something done by me only because I’m responsible for that. Also, high-level management—C-level management—is looking into it and checking what’s going on and what progress we are making. 

Sarah Marriott: We… 

Andrzej Skrundz: …are dealing with it. And I think… 

Sarah Marriott: It’s so important and critical that the CIOs from each of the different business areas, as well as the core IS CIO, have visibility. They do actually look at it because it’s categorized by what’s critical, what’s high, and what’s medium impact as a summary of the risks that are registered. If I’m in one business area and I see, “Oh my goodness, why do I now have a high risk here, and why is it still there? Who from my team is working on it?”—then they have that visibility and can make sure something gets done. 

Andrzej Skrundz: In terms of escalation, they can have the data and everything—they have visibility. If we need escalation, we have the information for that. 

Sarah Marriott: I agree, because unfortunately, escalations are… and you’re kind of the middle person because you’re responsible for the GRC part, but you’re working closely with the GSAM, who is the Global Software Asset Manager. 

At ABB, they’re aligned to publisher workstreams. So there’s one for Microsoft, one for engineering apps, and so on. They are the ones working with the different areas of the business or the end stakeholder—whoever needs to take the action. They make sure that the stakeholders have the information and education they need to understand why this is so important. I think it’s also helpful that, from a GRC standpoint, you’re looking at it on a monthly basis. So, less frequently, but that gives you a high-level view to monitor all the detailed actions happening in Elevate on a day-to-day, week-to-week basis through our workstreams, making sure we are all on track and nothing is slipping through. 

As Andrzej mentioned, our Anglepoint SME copies across all those recommendations—no matter how big or small—and they put them into Elevate. Now, Elevate is our proprietary tool that we use for project management during our engagements. This is for each ELP and ROAR cycle. This is where we have all our data requests, where we add all the stakeholders, and where timelines are tracked. In the background, there’s built-in automation that helps process large data sets, maximizing efficiency and accuracy. We use Elevate for many different purposes, and in this case, it’s used as a task management tool. We have hundreds of people from ABB who have access to Elevate, and they can log in to see the details relating to their tasks and the actions they need to take. But we’re mindful that there’s a lot of information, so we’ve set up access restrictions so that only those who need to know can see the tasks they are assigned to. That’s been really important from a data privacy perspective, making sure that the Elevate project reflects ABB and who is responsible for what. 

There might be groups by topic, for example, and we can track progress over time. The task owner is really important, as is the timeline. Before we publish the report, we work with the Global SAM Manager to confirm who is responsible and the timeline for completing it. Andrzej, you then reconfirm that as part of your GRC conversations when updating GRC after the report, to ensure alignment. So, when we ask the task owner, “Can you help us with this? Can you do this?”—there’s already alignment on who should be responsible for taking action and driving that accountability. 

It’s really important, especially in the context of the ABB Way, to make sure task owners have all the information they need. If they have questions, they can ask in the notes, and we’ll respond. Each task includes instructions and options to consider because we want to put the power in the task owner’s hands to decide the best course of action in line with their strategy. Rather than us saying, “You need to do X,” we say, “You have options A, B, and C—it’s up to you which one to choose.” Ultimately, an option must be chosen by the right owner so we can move forward. 

We’re working together with different people and stakeholders to ensure progress is being made on a daily and weekly basis. And the other key piece that Hery alluded to earlier is the SAM procedure document. 

A few years ago, we rewrote the SAM policy and procedure documentation to reflect the ABB Way. It includes a very detailed RACI outlining who is responsible, accountable, consulted, and informed for each step throughout the process, from data collection to confirming stakeholders, through to risk remediation and cost savings opportunities. 

Essentially, what this means is that the risk owner, once assigned in line with the RACI and aligned across the board, is then obligated to take action. If their action is to remediate, or if they choose to accept the risk, they can register it in the GRC. That’s completely up to them. This empowerment is critical because we don’t want to boil the ocean, as Andrzej said. There are different ways of prioritizing, so we need to ensure everything is documented. Then, during the next ELP and ROAR, we’ll remeasure and celebrate the success of the actions taken and risks remediated in that prior period. Because, as Hery likes to say, “What happens between the ELP and ROAR is what’s most important.” 

All right, so let’s talk about the impact of all this. We’ve set up the education piece. Andrzej, could you tell us a little bit more about the impact of creating the policy and procedure documentation outlining who is responsible for what? 

Andrzej Skrundz: Sure, four years ago, we created the policy and procedure documentation outlining who is responsible for what. But then, what’s the impact?  

Sarah Marriott: How has having Elevate and the GRC changed your conversations with the BAs? Who are you working with, and how has this process—working with three different levels of app managers to remediate risks—made it easier for you or for them to convince you to do it? 

Andrzej Skrundz: Yes, it’s made things a lot easier for me because it’s all visible. 

We track it. We see the priority. If it’s high, it catches the eye, and we meet on a monthly basis, or during the ROAR cycle—it depends. For the risk owners or task owners, for example, in Elevate, I don’t have to look for the person because I have the assigned person right there. When I add notes, everybody is actually responding because they receive a notification. It’s really, really helpful. You don’t have to go through tons of emails searching for the person responsible because everything is in one place. For me, that’s a great win. I don’t have to chase people or send emails, and you know how it is with emails—when they start to pile up, you might miss something. But here, for each task, each workstream, there are clear notes. If someone responds, great. If not, then we can have a meeting to discuss what’s happening. 

Sarah Marriott: And Hery, how about you? How has this process changed the conversations you’re having with your executives? 

Hery Rason: What’s important for me—and maybe for the company and other companies—is that post-ROAR and before the next ELP, there are operational activities that are continually being challenged and monitored to improve the situation. I’ve been saying this to our colleagues and Anglepoint for ages: this is where the service really is. When you make those changes and you are a change enabler, that hits the bottom line. 

A real example, coming back to what Andrzej was saying about risks: everyone is using Microsoft, right? It’s easy to relate. We all know Microsoft products have life cycles, and they come to an end. You hear about it two years before it happens, but inside your company, you don’t do anything about it—thinking, “Oh, we have two years or five years; we’ll just extend the support.” But financially, if you keep extending or wait until the last minute, you’re missing investment opportunities that could have been taken care of earlier by being proactive. 

In your ELPs and ROARs, recommendations often highlight what’s going to happen. If you act now, in most cases, the solution is less risky and cheaper. For example, when evaluating different license models, a standard license might work for a small unit, but as you grow, you might need to move to an enterprise model to optimize costs. So, these discussions with ABB and the consultants or SMEs from Anglepoint are critical. You have to sit down and figure out your options. 

When the action is recognized and the investment pays off, it validates the decision. The reward isn’t necessarily a trophy, but the recognition comes from your CIOs understanding that you know what you’re talking about. Your proposals are taken seriously. It makes convincing them easier, though you still have to justify things in terms of return on investment, timelines, etc. We all want everything done yesterday, even if we’re planning it for next month. 

Building that credibility is key. And that’s achieved by pushing for remediation or optimization services. It helps when an audit comes around. When your numbers validate the decisions you’ve made—give or take 5% for human interpretation—it reinforces that you know what you’re doing. Your credibility is on the line, and that’s important. 

Sarah Marriott: I agree. Earlier today, one of the Global SAM Managers said that, for the first time, we can talk to anyone in the business about big topics because we now have visibility into the importance of these items. For me, that speaks volumes. 

So, a big thank you to everyone. Overall, I think the key to success is working together, leveraging the tools we have, and using Elevate to track all those recommendations to completion. We’re driving toward business outcomes, and by continuously delivering these services, we unlock the value of ITAM for the rest of the business. Thank you so much for your questions. We’ll be in contact afterward, and we’re happy to follow up. I hope you all have a lovely rest of your Thursday, wherever you are in the world.