Print Magazine | Share | E-mail
Nov. 2014: Volume 2, Issue 3
inMotion Logo


ING’s Business Transformation

Learn about how ING Netherlands is transforming its business to achieve its goal of holding a leadership position in innovative distribution.


The Complexity Sweet Spot

See how innovative companies find the right balance between product and process complexity to add value and realize above-average profit margins.


The New Cybersecurity Paradigm

Gain insight from Richard Clarke on how firms and their boards can mitigate risks associated with today’s growing cybersecurity threats.


Leading Transformational Change

Get practical advice from FIS’ CIO on how successful transformations are led including how to minimize conflict and transformation fatigue.

Welcome – Nov. 2014: Volume 2, Issue 3

InMotion Logo

Transformation Courage

Rob Heyvaert photo

Rob Heyvaert

Corporate Executive Vice President, Global Financial Institutions, Capco Founder and CEO

Welcome to this issue of FIS InMotion, which focuses on the theme of “Business Transformation.” Business transformation has never been more relevant in our industry and can enable financial institutions to fundamentally change to adapt to daunting challenges that lie ahead, such as an increasingly demanding and tech-savvy customer base, enormous regulatory pressures, and mandates to drive efficiency and find new profit pools as existing ones dry up.

Although we could be pessimistic about threats to our industry, I am inspired by the amazing readiness for business transformation that already exists and the massive opportunities to reconnect with customers through technology. No one else is better positioned than financial institutions to earn and keep their customers’ trust when it comes to financial matters – despite the unprecedented number of outside forces that are shaping our industry landscape and our futures.

For financial institutions, having the courage to pursue business transformation will be fundamental in developing a proactive strategy. Financial institutions must be prepared to leverage new opportunities that are in sync with changing customer needs, to defend their position of leadership and trust in securely managing customers’ finances, and to discover new ways of creating value.

I want to thank this issue’s contributors for providing their thought leadership and pragmatic perspectives on the complexities of business transformation. I also want to thank our readers for the thoughtful comments we have received on previous issues of FIS InMotion and welcome your feedback on “Business Transformation.”

Client Profile – Nov. 2014: Volume 2, Issue 3

InMotion Logo

ING’s Business Transformation

Peter Jacobs Photo

Peter Jacobs

Chief Information Officer
ING Bank Netherlands

Peter Jacobs is the chief information officer and a board member of ING Bank Netherlands. He is responsible for all application development and maintenance activities within the bank in the Netherlands. His scope includes customer data, lending, mortgages, payments, savings, branches, call centers, and Internet and mobile banking. In this interview, Jacobs shares his insights on executing a four-year core banking transformation that he is overseeing for ING Bank Netherlands.

How are customer trends affecting banks’ abilities to meet their customers’ expectations today?

Jacobs: During the last few decades, we’ve seen how changes in technology have heightened customers’ expectations of how quickly banks respond. In the 1980s, we saw what I call the Connective Era of banking emerge. Customers with modems could electronically connect directly to bank IT systems, but usually only to a single account. Then, the explosion of the Internet in the 1990s forced banks to start integrating individual banking applications so that customers could see their entire banking relationship in one place. That was the Integrated Era.

The Internet created enormous challenges for banks because customers now expect to make changes – such as a change of address – online and have it recognized throughout the system immediately. But most systems are still batched, and although customers expect real-time responsiveness, activities such as making payments, changing addresses and opening accounts are often not recognized for two or three days. I call this the Real-time Era. Banking is still working its way through the challenges of real-time responsiveness because of dated mainframe systems with batch processing.

Customers want a bank that foresees what could happen to them in the next month.

On the horizon, I foresee the Predictive Era – especially applied to wealth management – when customers will expect their banks to anticipate future needs. Customers not only need to understand what happened today and yesterday with their accounts; customers also want a bank that foresees what could happen to them in the next month.

As we move through these eras, one of the biggest challenges is configuring banks’ systems to respond in real time and enable anytime, anywhere banking.

ING has a stated goal of holding a leadership position in innovative distribution. How do you execute this?

Jacobs: I think we hold a leadership position in terms of both what we do and how we do it. In terms of what we do, it’s implementing our customer promises throughout the organization.

  1. Clear and easy: We have simple product offers.
  2. Anytime, anywhere: We enable anytime, anywhere access.
  3. Empower: We empower our customers to stay a step ahead by helping people with their decisions of tomorrow.
  4. Keep getting better: We work to keep getting smarter and faster about serving our customers.

In terms of how we do it, in IT we work as craftsmen with enormous pride with mostly internal engineering tools to implement the customer promises. It is our goal to become the No. 1 IT company in the Netherlands and the employer of choice for engineering graduates and experienced professionals alike. This is critical to efficiently delivering innovation to the marketplace.

What benefits does ING hope to achieve through its core bank transformation?

Jacobs: The best business case for a core bank transformation, of course, is to grow your business and lower your costs. Our core bank transformation required that we step away from a silo approach in account administration. At one time, savings account, mortgage account and current account administrations were all different. Consolidating them into one core bank allows ING to have an umbrella offering that makes it easier to cross-sell and promote product packages to drive new revenue.

Real time is a very important benefit. Customers want transactions cleared within seconds, and many will go away if we don’t provide it. There is such enormous momentum today of customers using mobile and other digital channels, and it is absolutely impossible to deliver an anytime, anywhere proposition without having a real-time core bank.

We also reap cost savings over the long term from consolidating systems and technologies. The age and structures of many of the mainframe applications make them very expensive to keep running.

What are the key considerations that go into a core bank transformation business case?

Jacobs: The significant challenge is the one-time investment. The question is not as much about whether you should do it. It’s more about how to get the core bank transformation in place with a predictable solution and predictable timing..

How do we get the core bank transformation in place with a predictable solution and predictable timing?

In our transformation, we apply multiple rules around the business case. First, we understand that this is a four-year journey, but the journey must be split up in order to mitigate the risk. We divide the transformation tasks into plateaus, which are never more than a year long. At the end of each plateau, we evaluate whether commercial value has been delivered – that is rule number one. This allows us to step back at the end of each plateau and determine if we want to continue or modify the transformation.

The second rule is that each plateau must focus on three or four epics that will be delivered to clients. An epic is a big user story – a clear illumination of what a customer does or needs from the bank in order to achieve some goal. This guides the functionality of the system being developed. So on day one of a plateau, we announce the epics that need to be completed during the plateau. They are broken into three-month projects. Then we break the work down further into sprints of two weeks so we maintain a strong focus on completing tasks to meet the project goals.

Rule three is that we don’t outsource the core bank transformation, but we also do not want to underestimate the value of our technology partner. Using a co-sourcing strategy, we work in teams – sometimes composed of more ING members and sometimes of more vendor members. Where ING has more knowledge, we do the code sourcing, and where we feel a technology partner has more knowledge, the bulk of the work is done by their team members, but ING is still engaged on that team.

For ING, the key to success in a project of this magnitude is “Continuous Delivery,” which is a process to improve and automate software delivery. We worked with our technology partner to build an automated deployment pipeline where we now receive code two to three times a week and within four hours have it fully deployed and tested on our systems. Removing the manual processes reduced the elapsed time from 11 days to four hours. The result is a step change in the way we work and enormous agility for ING.

Copyright © 2014 FIS and/or its subsidiaries. All Rights Reserved.

Thought Leadership – Nov. 2014: Volume 2, Issue 3

InMotion Logo

The Complexity Sweet Spot

Jeanne W. Ross photo

Jeanne W. Ross, Ph.D.

Director and Principal Research Scientist
MIT Sloan School of Management,
                      Center for Information Systems Research
Martin Mocker photo

Dr. Martin Mocker

Research Scientist,
MIT Sloan School of Management,
                      Center for Information Systems Research

The gut feeling among most executives is that more complexity is bad. But that isn’t necessarily true. It’s a company’s combination of product and process complexity that determines whether value is destroyed or created. In this article, Drs. Martin Mocker and Jeanne Ross explain how top-performing companies find the right balance between the two – their “complexity sweet spot” – with high product complexity and low process complexity. For example, Amazon found its complexity sweet spot by offering a highly complex assortment of goods spanning multiple product categories while minimizing process complexity throughout the customer journey – searching, comparing, ordering, payment and delivery.

Introducing Business Complexity

Thriving in today’s competitive environment requires constant innovation. But as businesses add products, channels, markets and customer segments, they become more complex. Some of this complexity adds value. But some ends up confusing customers or distracting managers and employees. The challenge is to reduce value-destroying complexity while keeping and maintaining value-creating complexity.

We define business complexity as the degree of variety and connectedness of a company’s products, organizational units, geographies, channels, customer segments and vendor relationships.

  • Variety implies that elements (products, channels, etc.) are different in one or more characteristics that are important to customers.
  • Connectedness means having dependencies or links between those elements.

Both variety and connectedness can increase benefits such as product/service differentiation and revenues. However, they often simultaneously make it more difficult to get things done inside a company and increase the cost of an organization’s business processes. Taken together, the two effects help distinguish “good” from “bad” complexity. If the increased benefit to customers outweighs the increased internal difficulty, the complexity creates net value (good complexity). If the internal difficulties created exceed all benefits for customers, the complexity is destroying value (bad complexity). Ultimately, management’s job is to widen the gap between the benefits derived from complexity and the difficulty introduced as a result.

Sources of Business Complexity

Through our research1, we have found three major sources of business complexity:

Fig 1. - Sources of Business Complexity

Product and service complexity and the business process aspect of organizational complexity have the biggest impacts on financial performance. Complex products are generally not the problem, however. Our research shows that successful companies provide customers with plenty of variety and links while effectively managing the second – and troublesome – source of complexity: process complexity.

Process Complexity

Business processes determine how companies and their customers get things done. While product complexity is an opportunity to add value, complexity in a company’s processes mostly destroys value. Everyone has grappled with a complex process that might force customers or employees to contact multiple people, replicate login or data entry, or phone distinct call centers for different products from the same company. It’s frustrating!

Companies with complex processes are difficult to deal with and work for. Therefore, executives need to simplify both customer-facing (sales, customer service) and internal (operations, logistics, product management) processes. The goal is to improve the customer experience and employees’ ability to deliver on the company’s promise.

Finding Your Complexity Sweet Spot

Companies can create value from product complexity, but they can’t sustain it without promoting process simplification. We found that companies that capture value from product complexity while maintaining simple processes were the top performers in their industry (see figure below). About a third of the 195 companies we surveyed found this complexity sweet spot. And it paid off: They had three-year average profit margins that were 6.3 percentage points above their industry average.2

Fig 2. - Complexity Sweet Spot for Top-Performing Companies

To maximize profitability, focusing solely on value creation from product complexity is not sufficient. Companies with both high product and process complexity either suffer from excessive internal process costs or impede customer access to their products and services. The result is profitability 1.9 percentage points below their industry average.

It is also ineffective to maintain simple processes without offering customers product variety and links; these companies had profitability 2.0 percentage points below their industry average.

The worst case is having both low product complexity and little process simplification. These companies don’t meet customers’ needs, are difficult to work with and had profitability 3.5 percentage points below their industry average.

To find your organization’s complexity sweet spot, we suggest that you:

  1. Determine your company’s current complexity sweet spot.
    Start by evaluating whether your customers’ needs match your products and services by asking three questions:.
    • Do your best customers buy from companies similar to yours? Why?
    • Is your customer satisfaction score lower than competitors that offer more product variety and links?
    • Are there products or services you could integrate to reduce work for your customers?

    If the answer to any of these questions is a strong yes, there is opportunity to add more product variety and linking.

    To assess your company’s process simplification, several classic measures help, including a review of business process cost, time and variance for core processes. To assess the impact of simplification efforts in customer-facing processes, executives must find ways to amplify the voice of their customers inside the company, e.g., by measuring Net Promoter® or Customer Effort scores.3

    Depending on your assessment, your organization will need to work on one or both of the following steps.

  2. Increase value from product complexity without increasing process complexity.
    Getting more value from product complexity involves increasing variety and links between products to create more choice, including:
    • A wider variety of product options
    • One-stop shopping
    • Individual products bundled into integrated solutions
    • Customization to accommodate market or customer differences

    Adding or enhancing products is relatively easy; making them work together with what you already have is much harder.

  3. Work toward more process simplification.
    Companies typically achieve process simplification in two ways: (1) by reducing process complexity or (2) by building tools, roles and other mechanisms that make complex processes easier for employees and customers to execute. Practices like Lean and Six Sigma work to reduce complexity in internal processes, but they are big commitments. In many cases, those initiatives will need to be driven from the top down.

    Although reducing process complexity sounds like a good idea, it is not always feasible. There are situations when increased process complexity is a necessary consequence of increased product complexity, at least temporarily. But great companies don’t just leave employees and customers unassisted. They cross-train employees, coach them continuously and support them with integrated information systems so it is easier for them to perform more complex processes.

Companies striving to find their complexity sweet spot must prepare for cultural change to embed complexity management into their DNA. The good news: There are almost always quick wins, and the rewards are, well, “sweet.”


This article is based on the publication “Revisiting Complexity in the Digital Age,” MIT Sloan Management Review, Summer 2014, Vol. 55, No. 4, pp. 73 – 81 by Martin Mocker, Peter Weill and Stephanie L. Woerner from MIT’s Center for Information Systems Research ( and on the MIT CISR research briefing “Rethinking Business Complexity” by Martin Mocker and Jeanne Ross released in February 2013.

Learn more about managing business complexity – including case studies of USAA and ING Direct Spain – by registering (for free) on the MIT CISR website and downloading:

  1. This article is based on a two-year research study conducted at the MIT Sloan Center for Information Systems Research. It included 35 interviews with senior executives in 28 companies about the challenges of managing business complexity, a survey of CIOs from 195 companies and 45 interviews with senior executives as part of four in-depth case studies (USAA, ING Direct Spain, DHL Express and Royal Philips).
  2. We used operating income as a percentage of revenue, adjusted for industry, as our profitability measure.
  3. Dixon, Freeman and Toman: “Stop Trying to Delight Your Customers,” Harvard Business Review, July 2010

Copyright © 2014 FIS and/or its subsidiaries. All Rights Reserved.

Risk Focus – Nov. 2014: Volume 2, Issue 3

InMotion Logo

The New Cybersecurity Paradigm

Richard A. Clarke photo

Richard A. Clarke

Chairman and CEO of Good Harbor Security Risk Management, LLC

Richard A. Clarke is an internationally recognized expert on cybersecurity, national security and counterterrorism. He teaches at Harvard’s Kennedy School of Government and is the author of “Cyber War: The Next Threat to National Security and What to Do About It.” Clarke served the last three U.S. presidents as a senior White House advisor. The following interview with Clarke examines the actions required of executive leaders to transform approaches to protecting their companies in the new cybersecurity paradigm.


Given today’s environment of escalating cybersecurity risks, how should a company go about protecting itself?

Clarke: Executives must accept that the threats have evolved and the defenses have to evolve with them. The old paradigm of cybersecurity was perimeter defense and trying to figure out who is attacking you and trying to get in. The new paradigm assumes that eventually an attacker is going to get in and, therefore, places increased emphasis on securing the insides of the network.

The first step toward better protection in this new paradigm begins with the risk discovery process. Individual companies have unique risks. Companies might think they know all of their risks, but it has been my experience that going through the process of risk discovery often uncovers nonobvious areas of risk.

The process of risk discovery often uncovers nonobvious areas of risk.

The first question firms need to ask, at the board level, is: What are our crown jewels? What is it that we really need to protect from being taken over or copied? Maybe the crown jewels are customer lists or sensitive mergers and acquisitions information or something else. Whatever the crown jewels are entirely depends on the nature of the institution’s business.

The second question firms need to ask is: What is the worst-case scenario? What are the two or three things that could happen as a result of a cyberattack? Don’t just think about what has happened. Think about things that could happen.

Then, gauge your risk tolerance. Every financial institution has a different risk tolerance. No outsider can tell an institution how much to spend to mitigate the risk or how much inconvenience to employees and possibly customers the firm is willing to bear as a result of cumbersome procedures that may need to be put in place to mitigate risk.

At least within the boardroom, be explicit about the firm’s risk profile and where pain points reside. It’s much better to plan in advance in order to make constructive investments based on a risk analysis than to react after a breach occurs. Firms almost always waste money when reacting to an unanticipated crisis.

Fig 1 - Questions for Boards to Consider

How can firms better prepare for data breaches to mitigate the damage if they do occur?

Clarke: Companies that plan ahead for breaches, including obtaining sign-off on the plan by the board, are able to walk through their playbooks, deal with situations efficiently and react competently. Participation in simulation exercises helps ensure that all players learn their roles in responding to breaches and provides opportunities to improve upon the plan.

Companies also should plan for zero-day threats – not threats that have happened in the past such as stolen credit card data or an insider threat – but those threats that have never before happened but could occur. We often find that risk managers worry too much about what happened to someone else yesterday and not enough about what might happen to them tomorrow.

In the new paradigm, what should companies do from an IT standpoint to shore up their defenses?

Clarke: Companies need a continuously evolving IT security road map that changes in response to new technologies and threats. The road map should be keyed to the company’s risk tolerance and include its risk mitigation plan.

Becoming knowledgeable about the latest defense technologies and mapping them to evolving risks are critical to wise budget allocation. Although most information technology security officers agree that systems for perimeter defense based on intrusion detection and antivirus solutions and firewalls are outmoded for today’s threats, they continue to spend the lion’s share of their budgets in this area.

Budgets must include adequate support for securing the insides of an institution’s network – not just the perimeter.

The new data security paradigm assumes that people will break into anybody’s network regardless of the strength of their perimeter defense. Once they get in, they will look at what’s going on inside the network unless the company has put interior defenses into place. My recommendation is to sit down with the IT team and IT consultants to discuss re-architecting the network by setting up subnets and internal firewalls on those subnets.

Finally, encrypt everything. It’s amazing that so many companies use encryption as little as they do to protect information so that only people who need to use it can get access to that information. Use encryption now. Don’t wait to be compromised.

How can companies more effectively defend against insider attacks?

Clarke: Whether it’s in the government or in the private sector, some sort of vetting is usually conducted during the hiring process. If people pass the background check, they get hired and no further monitoring occurs. When we look back on cases of criminal activity perpetrated by an insider, we often find that an employee has gotten into some kind of trouble – financial, personal or emotional – during the course of their employment, but the company doesn’t learn about it soon enough to prevent the insider attack.

Every company has people in sensitive positions, and all too often, it’s one of those employees who walks out with company secrets on a thumb drive and sells it to the competition. To mitigate insider threats, human resources departments should continuously monitor the behaviors of people who are in sensitive positions and be proactive about getting them out of harm’s way if they are in trouble.

Nobody needs to see everything on the network, and yet almost all IT people can see anything they want.

Companies also need to adjust their access control and administrative rights policies to mitigate the risk associated with superusers – employees who have been given access to virtually everything on the network. Nobody needs to see everything on the network, and yet almost all IT people can see anything they want, can assume the identity of anybody on the network and can erase logs to cover their tracks to prevent forensic experts from figuring out who did the misdeed.

It is possible to design networks that limit what IT staff can access. For example, data can be encrypted and access to the encryption key can be highly limited. Or, certain changes to the network can require two IT people with credentials agreeing to make a particular change.


Hear fresh ideas on risk and compliance management at FIS’ 2015 Enterprise, Governance, Risk and Compliance Summit from Jan. 26 – 28 at The Westin San Diego Gaslamp Quarter.

Copyright © 2014 FIS and/or its subsidiaries. All Rights Reserved.

Strategic Perspectives – Nov. 2014: Volume 2, Issue 3

InMotion Logo

Leading Transformational Change

Ido Gileadi Photo

Ido Gileadi

Chief Information Officer,

Ido Gileadi provides pragmatic perspective on leadership actions to drive successful transformation programs. At FIS, he leads information technology and computer systems in support of the company’s global business goals. He previously served as a partner for Capco, where he structured and delivered transformation programs for large banking clients. In this article, Gileadi highlights five transformation leadership guidelines for aligning strategy, people, finance and process with business goals.


Setting the Transformation Vision

Too often, transformational projects are driven by the technology unit of an organization without full consideration of the broader business goals the company is trying to achieve. It’s critical at the outset of a transformation project to articulate the specific goals – whether it’s changing the way customers are serviced, the way the technology environment is controlled or how business is conducted – and map the goals to specific outcomes the organization expects to realize in both the short and long term.

Fig. 1 - Articulate the goals at the outset of transformation project

As the vision for goals and outcomes is documented, it’s important to develop principles to guide the transformation process. Regardless of how carefully people plan upfront, changes in the marketplace, regulations and technology will always occur during the course of a three- to five-year transformation implementation. The organization must build flexibility into the plan to account for such developments and take stock regularly to determine the need for course corrections. Having guiding principles that link back to the overarching transformation tenets allows the organization to stay on track. Conversely, if one adheres to the initial plan rigidly while the environment changes, one is likely not to achieve the desired business goals.

Fig. 1 - Articulate the goals at the outset of transformation project

Managing the Business Case for Change

Oftentimes, the first line of business that needs a transformation is the one that pays for it. That model usually fails. It is better to build the business case for the overall transformation instead of for just the first adopters. This approach benefits the entire organization, since various components of the foundational investment can be leveraged across lines of business.

Although this approach requires obtaining a shared commitment from the lines of business, it ultimately produces more favorable results:

  • It doesn’t discourage a line of business from adopting the transformation because it doesn’t overly burden the first on board.
  • It incentivizes all lines of business that are sharing in the allocation of the foundational cost to participate in the transformation so they can reap the benefits quickly. This accelerates the pace of change.

Another way of addressing this challenge is to fund the transformation investment at the corporate level and hold off on allocating the costs for a year or two so lines of business gain tangible benefits from the transformation.

Once created and approved, the business case is not a document that you park in a dark room and never revisit.

The business case is a living document that needs to be adjusted to reflect changes that occur during the course of transformation. It must also include benefit tracking mechanisms for the major initiatives and their respective milestones such as code and technology releases and process or organizational changes. It is also important to track what I call a “benefit release.” A benefit release identifies milestones that are required for a tangible business benefit to be realized so you can start measuring the incremental benefit throughout the program. It’s important to be able to differentiate business benefits that are realized through the transformation versus those realized from regular market growth.

Running the Day-to-day Operations while Transforming

Some level of conflict naturally exists between day-to-day operations and programs designed to change day-to-day operations. While external organizations can help facilitate change, ownership of the change has to come from within to be successful, even if it means backfilling some of the day-to-day tasks to free up resources.

Change is one of the hardest challenges to execute in an organization.

In order to induce change from within, it’s critical to get early engagement from key influencers and the leaders who will be impacted by the transformation. They need to participate in the steering committees and be incentivized to change. The same leaders who are accountable for the day-to-day operations should also be accountable for executing the transformation. Without this dual accountability, it is very difficult to achieve the escalation and prioritization of resolution required to drive the transformation.

Transparent Communications

If you don’t communicate, then you should assume that rumors will drive the agenda and that people will assume the worst scenario. It is easy for executive leaders to get caught in the trap of not having the perfect communications because they don’t have all of the details. But it is essential to communicate early, even if you don’t have all of the details. I find that you can gain buy-in from the organization and relieve a host of anxieties and defensiveness with an early communication where you say:

  • We’re looking to transform the organization.
  • Here are the high-level objectives we’re trying to drive.
  • This is the process that employees and our customers will experience.
  • We will be developing our strategy in the coming weeks and will get back to you with updates.

Many employees have limited trust in top management and will turn to other influencers within organizations for information. It’s important to identify the influencers early, get them on board with the program and turn them into program champions.

Be as transparent as possible because people see through smokescreens very quickly. If there is a cost-cutting measure to make the organization more efficient, let people know that there will be new roles and different jobs.

Fighting Transformation Fatigue

Transformation doesn’t end with the transformation

The only way to keep an organization tuned and performing well is by putting in place a continuous improvement process and team that enables evolution over time. For me, transformations include two phases:

  • The big transformation that drives a step function change
  • Continuous improvement to attain incremental gains over time

It’s challenging to implement transformation without suffering from some level of transformation fatigue, and it’s easy to rationalize not making additional investments after the big transformation project has drawn to a close. However, if you don’t build in a mechanism to continue to improve and evolve, benefits realized from the transformation and executed at a high cost can plateau quickly, resulting in stagnation for the organization.

Copyright © 2014 FIS and/or its subsidiaries. All Rights Reserved.

Market Insights – Nov. 2014: Volume 2, Issue 3

InMotion Logo

FIS InMotion Archives

View IssueNov. 2013: Volume 1, Issue 1 – Banking Everywhere

View IssueFeb. 2014: Volume 2, Issue 1 – Engaging the Digital Consumer

View IssueJune 2014: Volume 2, Issue 2 – Shaping Customer Journeys