The blog

Assessing IT solutions with CORA

Introduction
IT vendors are often very capable in showing the functional and commercial capabilities of their solution. However it is often unsure if these solutions can be integrated into existing IT landscapes properly. Already many examples have shown that the CORA model can be very useful with regards to assessing this type of (non-functional) capabilities. How this works is described in this blog post based on a real-life example.

A global manufacturer of consumer goods faced a very common challenge, being the addition of a new IT solution to their existing IT landscape. Based on a Request for Information, four major software vendors showed to have the functional and commercial capabilities to deliver the IT solution. However it was still unsure if these solutions would be able to support (parts of) the functional end-to-end process properly while simultaneously be governed and deployed centrally (being the IT Strategy).

To investigate this an assessment was performed by using the CORA model and method. Part of the CORA method is a questionnaire containing 75+ questions which can be used to depict application capabilities as indicated by software vendors. Five examples of these questions are:

Channel Access

  • CH3. It is possible to access the solution  through a rich internet application ?

Security & Compliance

  • SC8. Does the solution provide non repudiation capabilities (i.e. through the use of digital signatures)?
  • SC11. Does the solution provide user authorization on process-level?

IT Governance

  • IT13. Does the solution provide capabilities to integrate with configuration management solutions?

Architecture

  • AT1. To what extend are standards supported?

After a briefing the questionnaire was sent to every individual software vendor. The answers were plotted into a matrix (Green = part of the solution, Blue = not part of the solution, Red = risk).

assessment

To derive risks the answers in itself  were not sufficient because:

  • a capability was part of the solution but didn’t support any standard;
  • a capability was not part of the solution but could connect easily to existing capabilities.

This was resolved by using the ISO 25010 standard. ISO 25010 is a standard for the quality dimensions of an IT solution. It has two main dimensions being ‘Quality in use (characteristics relative to human use of the product)’and ‘Product quality (characteristics intrinsic to the product).’ To assess the results, for every CORA application capability the relevant ISO 25010 quality attribute(s) with respect to product quality were used as a checklist (see figure).

iso

Based on the use of the ISO quality attributes in conjunction with the CORA questionnaire, a number of solutions lacked:

  • meta-data maintenance and capabilities which could result in extra effort to maintain data-import interfaces and keep them reliable (“Reliability”)
  • data quality capabilities which could result in ‘poor’ data (“Compatibility”).
  • change management capabilities which could result in more effort to transport components through the different IT environments properly (“Portability”)
  • configuration  management capabilities which could result in poor control over application content and therefore more effort in maintaining the application (“Maintainability”).

This assessment resulted in a preference for solution D. mainly because of having ‘better’ integration capabilities. Regarding the risks using this solution different mitigations were proposed.

Concluding remarks
This type of assessment has been performed several times and the results are time and again very interesting. For customers because it shows that non-functional capabilities are equally (or maybe even more) important than functional requirements.

Besides this, for software vendors it can be very helpful to have their solutions checked with regards to capabilities to integrate their solution in customer IT landscapes.

For final decision making this assessment is only one (important!) input. Besides non-functional capabilities other main topics like functional and commercial fit should also be taken into account.