2. Readiness
“Am I ready for shared services? What do I have to do here to be successful? Are my partners up to
the challenge? Am I?”
Experienced CEOs raise these questions often, and properly so. Whether in our
fieldwork or in our classrooms at Harvard, executives want a clear-eyed view of what they’re
likely to give, and get, by sharing. They want to understand not just the promise, but also the
risk. “Can I get what I’m promised when I need it?” “Can I deliver what I have promised?”
“Will it cost me more to produce than what I charge for it?” “Will my partners act responsibly
with what I give them? “How do I gain political support and financial capital for the move?”
“Who will settle any disputes that arise?”
We have captured what many CEOs have told us, and what we have observed. We
have distilled them here as the twelve capabilities of effective shared services enterprises. To be
successful at sharing products and services, every organization, no matter what product or
service they share, must have these capabilities to a specifiable degree
How capable they must be is another question altogether. For we also know that
every sharing scenario has different and even unique requirements for success. For an
organization to be ready for shared services, its particular capabilities must match up to the
requirements of its sharing scenario. Many don’t, and that is the problem.
Take any three organizations, for example – one uniquely proficient at sharing
vehicles via a motor pool, another at sharing health services in a medical facility, another at
sharing data over a network in a flu pandemic. We would not expect either to be much good
at the other’s business. But as sharing organizations, we would expect them each to have the
same twelve capabilities, in very different constellations, each tailored just right to the
requirements of running a motor pool, or a health facility, or a pandemic alert network.
In this paper we identify those twelve capabilities. We provide a framework for
classifying those capabilities to match up against diverse sharing requirements. We don’t
analyze particular industry requirements, except in a cursory way. That is work for particular
industries to do. The corporate “line of business” owners of motor pools, or health facilities,
or natural disaster response, for example, can come together, using these twelve capabilities,
to agree on the requirements for any enterprise to share products or services successfully in
that domain.
What we do offer is a framework by which those groups can define the capability
requirements for successful sharing, and by which any individual organization can assess its
own capabilities for sharing against those requirements. With that knowledge, when the call
comes to share products and services, every executive can know whether his or her
organization is truly ready to share.
What We Mean When We Speak of Shared Services
When we speak of “shared services,” we often think of classic back office
operations like payroll processing, where a centralized unit handles all payroll matters for an
organization. We can also think of enterprise-wide services like human resources, which host
IT infrastructure to handle employee benefits and attendance records and queries, and also
2
3. provides enterprise-wide sourcing and staffing services. We can also think of agencies who
share their records with others -- like motor vehicle records, criminal histories, and school
attendance. We can think of extended enterprises sharing data on pandemic flus, others sharing
data on ships, crews and cargoes comprising the maritime domain, and others still on supply
chain movements in disaster responses.
Each of these represents a different mode of sharing.
What gets shared can vary– from data and information, to expertise and services, to
tangible products. Organizations share everything from weather forecasts and fire risk
advisories, to legal services and health services, to print shops, landscaping, and motor pools.
How these products and services get shared also varies greatly. It can be over
computer networks; or delivered in person; or handled by a call center, or interoffice mail,
for example; or via web sites, web services, or email. We can think of these as the platforms
for sharing. Each platform has its unique infrastructure and rules, each in turn unique to a
particular product or service.
Who shares services can vary, too. Individuals and units within a single agency can
share services. Agencies within the same organization can share; or across organizations and
within the same jurisdiction; or across jurisdictions but within the same sector; or across
sectors but within the same political unit, or globally, across political units. There are
examples for all.
In every instance, however, there is a producer of a product or service; and a consumer.
The producer might be a single agency, or organization, or jurisdiction, or even nation. The
consumer might be a single agency, or multiple organizations, or governments. Every shared
product or service involves a producer-consumer relationship.
When services or products are shared varies as well. It might be on a one-time basis,
never to be repeated; or an “on-demand” basis, available upon request; or an “always-on”
basis. It might be by prior agreement; or under compulsion. It might be as a result of a
decree of a governing body, or by a one-to-one agreement. It could be ad-hoc, or regular, or
constant, perhaps in the regular course of business; or perhaps only under extraordinary
circumstances.
Why organizations share services – the rationale for sharing – varies, too. Often, it is
economic: it’s cheaper to do it once rather than many times, so organizations consolidate
services. Sometimes, it’s quality: it’s better to do it one place the same way than many places,
different ways. Other times it is to enhance coordination: By giving or getting access to a
service or product, an individual organization can improve its own response to a situation,
for example, or the enterprise’s overall response.
There are times, also, where the rationale for sharing is transformation: By pooling
services together, for example, organizations create something entirely new and much more
valuable than any could do on their own. When five agencies combine their data about the
ships, crews and cargos on the world’s oceans, for example, the new view from this new
service transforms the individual data streams into a much more valuable product useful to all.
Transformation “is to” coordination as chemical reaction “is to” physical reaction in the
laboratory: we get something entirely new.
There are thus a great many varieties and dimensions of shared services. There are
also some important commonalities. There is always a producer and a consumer of the product or
3
4. service, for example. The product or service always represents an asset – a thing of value –
that is the subject of an exchange via a platform of some kind – a computerized alert network,
for example, or a walk-in health facility, or a vehicle maintenance garage, or a weekly meeting
of designees. Every platform has its own infrastructure and rules, some simple, some incredibly
complicated. Every exchange takes place within some larger political economy of individuals
and organizations where sharing behavior observes social norms, is subject to political power
and process, and has economic costs. All exchanges, lastly, reflect some element of
producers’ and consumers’ organization strategy: they engage in sharing in order to achieve
results that they can’t without sharing, either by giving or getting a product or service.
Take any of these common dimensions away – producers and consumers, an
exchange involving valued assets via a platform with unique infrastructure and rules, the
political economy of the exchange, the organization strategy of producers and consumers –
and we stop understanding shared services, generally, or being able to explain a particular
shared service.
With so much at stake and involved in sharing, managing its risk is very important to
organizations. Fiscal savings, work quality, workplace happiness, effectiveness at mission,
safety and security of people – all can be shaped by whether sharing is done well or badly.
The dimensions of risk in any sharing environment are therefore important to articulate.
And, it is important for any organization that is contemplating a move to shared services, of
any kind, to understand and manage those risks. “Am I ready for the move to shared
services?” asks about the gaps between requirements and capabilities, and the risk that
results.
What Makes Sharing Work? Key Capabilities
Our research with practitioners in many cross-boundary environments suggests that
there are twelve major risk areas for organizations making the move to shared services of any
kind. These risks most often manifest themselves when capabilities for shared services fall
short of requirements. Sometimes, risk arises, oddly, when these capabilities exceed
requirements. Both kinds of risk are possible.
We can therefore speak of the twelve capabilities for success in shared services as a
foundation against which leaders can assess their readiness for shared services, whether as
producer or consumer. As each sharing environment has a unique constellation of
requirements, assessing readiness -- and risk -- means being clear about those requirements
and how one’s own capabilities match up against them.
The Twelve Capabilities of Effective Shared Services Enterprises
In our experience, executives understand risk intuitively: it’s what they lose sleep
over. To introduce the twelve capabilities, we will use the negative language of risk, below,
without much explanation. Following, we will revert to a positive explanation of each the
twelve capabilities of effective shared services enterprise.
The Twelve Risks of Shared Services Enterprises
4
5. 1. Platform Access Risk Producers and consumers cannot access sharing platforms
2. Data Readiness Risk Data to be shared is not visible, usable, understandable
3. Legal, Regulatory Risk Sharing behaviors violate law or regulation
4. Agreements Risk Partners fail to meet each other’s promises or obligations
5. Political Management Risk Leaders fail to navigate political, social and economic shoals necessary to
gain authorization, resources, and support
6. Financing Risk Financing is inadequate to support the sharing strategy
7. Governance Risk Governance structure and process fail to address disputes, joint decision-
making
8. Strategic Risk The organization strategy has embedded failure: sharing fails to result in the
promised value
9. Communications Risk Messages fail to reach or affect critical players in desired ways
10. Dynamic Auditing Risk Sharing develops gaps and problems in critical success factors that go
undetected; opportunities for improvements are missed
11. Change Risk Change that is required to assure success is not undertaken
12. Resiliency Risk Critical infrastructures, people, or facilities for sharing are exposed to
failure by attack, accident, or natural disaster
The Twelve Capabilities of Effective Shared Services Enterprises
1. Capability #1 (Platform Access): Producers and consumers have access to enterprise
platforms for sharing. Producers and consumers, for example, require network access
to use an ERP system. A producer of medical services requires facilities’ access to
keep doctors stocked and supplied, and patients must be able to reach the front
door. A producer of motor pool services must have access to a vehicle
maintenance and storage facility; consumers of those services must have drivers
who are appropriately trained and licensed. How much access, when, and at what cost
will vary greatly by platform and service. Platform access is a required capability for
sharing: producers and consumers must have access – physical, rules-based, or
logical -- to the platform over which a service or product is to be shared.
2. Capability #2 (Data Readiness): Data to be shared is visible, usable, and
understandable. Certain platforms involve the exchange of data, information, or
analysis. Even if there is platform access – say, data producers and consumers all
have access to an enterprise service bus that enables them to publish-and-subscribe
to data services – still, producers’ data might not be visible, usable, or
understandable. That becomes an issue for many data sharing enterprises. Assuring
platform access is not sufficient: data must be available.
5
6. 3. Capability #3 (Legal and Regulatory): Producers and consumers share and use
products and services legally, in compliance with regulations, and ethically. Statutory or other
restrictions on an exchange of products and services can create legal liability,
regulatory violations, or other compliance problems. Unlicensed drivers or medical
service providers, for example, may ruin insurance coverages; letting non-secured
individuals onto computer networks may cause networks to lose valued security
certifications. Sharing of confidential health data, data on juveniles, secret or top
secret data, criminal history data, and competitive commercial and industrial data
can create significant legal liabilities. It is important to understand the legal and
regulatory issues involved in sharing products and services, and be prepared to
address them.
4. Capability #4 (Compacts and Agreements): Producers and consumers use compacts
and agreements to clarify expectations and obligations. Exchanges create promises and
obligations between producers and consumers. Will producers provide what they
promise so that the consumer can use the product or service as hoped for? Will
consumers honor their sides of the bargain by using the service or product
correctly, so that they create no unanticipated issues for the producer? Who will fix
or be responsible for repairs and upgrades? What understandings might be best to
lock in by written, verbal, or other agreements? What force will they have, what
issues might intervene when invoking them, and how might we assure compliance,
and how would we resolve any disputes that arose?
5. Capability #5 (Political Management): Leadership navigates the political,
economic, and social/cultural shoals to gain authorization, resources and support for the sharing
enterprise. Social, political, and economic forces – comprising a defined political
economy for the sharing enterprise -- can accelerate or impede attainment of goals.
Leadership frames vision and the rationale for action, gains external and internal
support, forges alliances and addresses conflicts; resources needed capabilities, and
energizes “troops” to move along the chosen path. As the operating environments
for sharing services are variably dynamic, ranging from staid corporate networks to
in-the-wild multi-party extended enterprises crossing jurisdictions and nations in
times of crisis, leadership may need to be variably adaptive, depending on the
particular requirements of the sharing relationship and its exigencies.
6. Capability #6 (Financing): The enterprise adequately funds needed procurements
and acquisitions. What investments do we require to assure that the exchange can
take place as planned? Such investments could include improving partner platform
capabilities; assuring interoperability of devices and systems; undertaking systems
development and standard setting. Individual organizations might fund such
development, or there could be some kind of joint or multi-source funding.
Addressing such issues is important.
7. Capability #7 (Governance): The sharing enterprise provides an authority structure
for critical decisioning. Governance pertains to decision-making over the sharing
arrangements – including ratification of agreements, managing disputes, adding
new partners, overseeing measurements and metrics, managing costs and
procurement. Governance of a shared service enterprise can be a matter between
individuals or groups or even among nations. Structure, processes and rules for
governance are issues that leaders need to address.
6
7. 8. Capability #8: (Organization Strategy): The enterprise goals are clear, its strategy
to attain them sound, and the pathways for action marked. All sharing has a value rationale
and an intended outcome. Sometimes it’s a financial savings; other times a quality
gain, an improved service capability, or even a complex social outcome (like,
“better health” or “safer children”.). Organization strategy is the means by which
they propose to attain their goals by correctly aligning resources, authorities, and
competencies.
9. Capability #9 (Messaging and Communications): The sharing enterprise
communicates effectively with stakeholders and opinion-makers. All shared service enterprises
require some ability to create messages about the sharing and to communicate
them to stakeholders or interested observers. Sometimes producers and consumers
will want to message and communicate with each other; other times to their
respective oversight and authorizing bodies, their employees or service recipients,
or to news organizations, internal staffs, or government leaders half way around
the globe. How best to message and communicate to help achieve the overall goal
of sharing a product or service is an issue leaders must address.
10. Capability #10: (Dynamic Auditing) Sharing organizations have awareness of
operational performance, scan horizons for issue and opportunities, and are aware of their progress
towards goals. In a shared service enterprise, managing overall performance risk is an
important issue. Organizations develop and use sensors, measures and metrics.,
and monitor the status of sharing infrastructures, process, and relationships. They
prize awareness of any issues or opportunities and take action as required.
11. Capability #11 (Management of Change and Remediation) : There is a process,
structure, and accountability to remediate when change is required When issues arise in
measured performance – perhaps costs are running too far ahead of plan, or results
too meager against milestones – the sharing enterprise must address this issue. This
involves taking steps to assess what is broken, design and implement fixes, and
validate their results. Executive sponsorship to repair any tears and remediate any
gaps in performance can be essential to success.
12. Capability #12 (Enterprise Resiliency): Critical sharing infrastructures (including
people and facilities) are monitored and if degraded by attack, accident or disaster remediated.
Some sharing relationships involve critical infrastructure, people and work.
Understanding their exposure to attack or disaster, planning for their priority
restoration, and monitoring critical systems for aberrant signs can be important.
How Much Capability is Required?
In sum, enterprises who wish to share must have certain capabilities - capabilities to
provide accessible platforms, make data available, assure legally and compliant conduct,
provide for enforceable agreements, provide leadership through political means, assure
financing, specify adequate governance, test and validate outcomes, message and
communicate around critical issues, audit operations, change when need be, and provide for
resiliency.
How much of a particular capability is required will vary from sharing scenario to
scenario, and depend on many factors. As leaders consider sharing, they will naturally ask,
7
8. “Am I ready to share services, whether as producer or consumer?” The answer is, “Depends
on the scenario, and your capabilities.”
Some sharing, for example, really is not all that complicated. All it takes is a
handshake between two executives and the rest will fall into place behind them. If there is
failure in execution, perhaps not much was at stake, and not much really matters in success
or failure.
But some sharing is very complicated, with large systems integration, vast
consolidations, global reach of data and services – and with tremendous consequences at
stake for people, finances, and performance. If a leader ventures to introduce a shared HR
consolidation, for example, there are certain capabilities for governance, leadership, and
financing that he and his partners must have to meet that challenge and be successful. If a
leader ventures to stand up an extended enterprise of data producers and consumers to
address an anthrax attack on a mail system, there are certain capabilities which that enterprise
will require to succeed. Capabilities for platform readiness and data availability, messaging
and communications, and compacts and agreements will all be tested.
We will discuss capability requirements, further, shortly.
Summing Up So Far: What We Can Say
1. First, there is great structural commonality among sharing enterprises. We
always find producers and consumers involved in an exchange of a product
or service, for example, a platform for sharing, a political economy as the
sharing environment, and other common structural features.
2. Second, there is a great variety of actual shared products and services. These
vary by who produces and who consumes, what product or service is shared,
with whom, when, with what intended outcome, among other variables.
3. Third, there is a great commonality among the generic capabilities and risks
that sharing enterprises must address to be successful. We have identified
twelve.
4. Fourth, there is great diversity as to how capable any particular organization
must be to succeed. This depends on the particular sharing scenario and its
requirements.
III. The Capability Maturity Model Integration® Approach2
When a leader of an organization asks, then, “Am I ready for shared services?” he or
she is asking, “What capabilities are required of me to be successful in this particular service?
Am I capable in needed respects? What must I do to ready myself further?”
We can now go on to describe ways to address those questions. Important work has
been done in framing these challenges at Carnegie Mellon University, under contract to
2
CMMI is registered in the U.S. Patent and Trademark Office by Carnegie Mellon University
8
9. DARPA.. While researchers have not specifically focused on shared services, the CMU
approach – called Capability Maturity Model Integration (CMMI®)-- is valuable as an analogue
and framework.
The CMMI® methodology describes certain capabilities that organizations can be
said to have, and to require, to manage any set of complex challenges – from fixing software
to fixing bicycles to developing new combat platforms for America’s fleet. A process capability
is a way of approaching a problem to deal with it. CMU’s work describes processes as increasingly
“mature” -- ranging from ad hoc – we invent a solution on the fly to deal with a problem that
arises, for example, – through defined and quantitatively managed, to highly systematized, that is,
anticipatory, formalized, repeatable, geared towards total optimization for all interests with
stakes in the solution, and measurable as such.
Software engineers developed the CMMI® methodology to solve quality problems in
software development. Before we can use it in the services sphere we must adapt it to that
world so that we are not stuffing square pegs into round holes. We need to observe seven
features of our shared services terrain, in particular, which are relevant to the models’ use.
First, sharing enterprises must articulate their own requirements for success. Every
shared service enterprise has requirements which can be specified in terms of the twelve
capabilities that we have brought forward.
For some enterprises, we know a lot about those requirements – there have been
many successful attempts, and some failed (and sometimes many failure and only a few
successes!).
For example, the challenge of standing up a centralized HR operation is fairly well-
known, as is that of consolidating a motor pool or print shop. However, novel sharing
arrangements may have unknown or poorly defined requirements. In these instances, the
task of assessing readiness requires that enterprise partners take the time to specify those
requirements. Individual organizations can assess their own capabilities against them, and
take action to remedy any over- or under-readiness.
Second, in addition to understanding the generic requirements for sharing, enterprises
are obliged to articulate the unique local requirements. That is because the local constellation
of factors that determine success – the local issues of financing, governance, or political
management, for example – give decisive local “flavor” to the political economy of any sharing
scenario. While most sharing scenarios have generic capability requirements – all “HR ops”
consolidations have certain “nuts-and-bolts” recurring features, for example -- every sharing
scenario also has great local variation. There is no “one-size fits all” in this game. The lights
will flash “Game Over” if leaders proceed as if Duluth were Des Moines, or Newport News
were New York.
Third, there is always some gap (except, see below) between the capabilities that are
required, and what an organization, or an enterprise, is capable of.
For example, governance is one of the twelve capabilities that any sharing scenario
requires. Looking at their capabilities, partners to a HR consolidation might notice that they
don’t yet have a governance arrangement mapped out. Whoops! We know that ad hoc
governance arrangements create real problems in the environment of a HR consolidation.
Managing the governance risk appropriately for a HR consolidation requires having a much
more sophisticated capability – a capability for governance that is proceduralized,
9
10. systematized, and can be said to optimize, in its own process, for the benefit of the
enterprise. Until these partners work out a more sophisticated governance plan, they are not
ready for the HR consolidation.
Just as importantly, in another example, the FBI and a city police department may
plan to cross-designate investigators (another sharing mode!) for the purpose of a joint law
enforcement investigation. The CMMI® models let us see that, looking at all the capabilities
that are required, they may be able to get along just fine with an ad-hoc governance process.
That is, their process capability for governance is adequate to the requirement. They don’t need more
process than they have. In terms of governance risk and capability, rather, the FBI and the
local police department are “good to go”.
Fourth, not all gaps “are created equal”. Some matter a lot, some not much at all;
some are really expensive in terms of resources and time to fix; some are easy. There will
always be gaps, because performance must be understood in human terms, and that is not
always wonderfully or precisely measurable. Which gap you work on first or hardest depends
on your tolerance for risk, your sensitivity to cost, and other factors.
Fifth, capable organizations seek the correct fit between capabilities and requirements.
They do not seek to optimize of all processes, for example – just those that require it. It is
entirely possible that success may require only ad-hoc processes capability in some capability
areas, but optimizing capability in others. Organizations can over-prepare by seeking
optimization, for example, where ad hoc will do just fine.
Correlatively, it is entirely possible for an organization to be variably ready across the
twelve capabilities. Think of the twelve capabilities as your readiness portfolio. You can be ready
in some capabilities, but ill-prepared in others. Sharing may require no more than ad hoc
governance capability, for example, and that’s exactly the capability level of the enterprise
partners. However, their enterprise may require more systematic approaches to platform
access, data readiness, or outcome assurance, for example, and cannot settle for ad hoc
capability. An organization can be variably ready across the twelve capabilities.
Sixth, there is a commandment here, and it works as well for organizations and
enterprises as it does individuals: Know thyself. The known requirements for success, weighed
against capabilities, create an imperative for leaders to assure overall readiness. Whether just
starting out, expanding, or winding down sharing, readiness is the obligation of leadership.
These known requirements in effect caution leaders, “Look, if you’re going to take this on,
here are the requirements of success. Are your capabilities up to it? Get ready before you
move.” So requirements have a normative aspect to them: they impel leaders to assure that
their enterprise is ready.
Summing up then, the CMMI models give us a framework for assessing capabilities for
sharing as against requirements. They give us a view, in other words, to enterprise readiness. The
CMMI® framework can and should be used both descriptively and normatively, in three
ways:
• First, to describe the requirements of the sharing scenario for the
capabilities of the sharing participants
• Second, to describe the sharing participants’ actual capabilities
10
11. • Third, prescriptively, to assess how the capabilities of participants match
up against the requirements of the scenario – that is, whether the
partners are ready to share.
Conclusions
We have described a great variety of sharing configurations, and twelve capabilities
of sharing enterprises. We have suggested that the CMMI® framework gives us a good way,
further, to map actual organization capabilities against sharing scenario requirements on a
process spectrum ranging from ad hoc to optimizing. We have noted, further, that for each of the
twelve capabilities, organizations may be “good to go” for some capabilities (i.e., they’re at
ad-hoc governance and need nothing more) to “better hold” for others (i.e., they’re at ad-hoc
governance but need to be optimizing). Lastly, we have observed that a sharing scenario can
require a different process levels for each of the twelve capabilities – some ad hoc, others
not, for example. Similarly, an organization is likely able to deploy only ad-hoc processes for
some capabilities, and optimizing processes for others.
11