Fischer Identity Suite™
Best Practices for Rapid End-User Adoption
Identity Management is nothing new. Yet after all this time on the market, organizations new to Identity Management are still achieving only mixed results for end-user adoption, and many organizations that rolled-out Identity Management years ago still haven’t achieved their goals: end users must actually use the automated system and stop calling the help desk for processes available through self service. While most organizations have diligently assessed vendor offerings, fewer have adequately planned how to achieve utilization objectives. Many organizations assume that end users will automatically start using the Identity Management solution without any planning or incentives, but that’s proven to be false. With user acceptance rates ranging from under 25% after one year to nearly 100% within a few months, it’s clear that successful Identity Management rollouts rarely just happen; they involve executive sponsorship, planning, education, setting measurable objectives, metrics, and a variety of “incentives” for achieving the goals. Fortunately, these activities will improve user adoption when launching, or even when “re-launching” Identity Management.
This paper discusses some of the options available to organizations wishing to maximize the value of their investments without disrupting operations. These techniques can be utilized whether the organization is new to Identity Management or has been using it for many years.
Planning and executive sponsorship are vital for user adoption: organizations must plan the changes and ongoing activities required by focusing on the organization’s unique cultures and resources, and by creating measurable objectives. Like all projects that involve significant changes, executive sponsorship and active executive participation in the progress of the rollout plan are critical to success. Fortunately, Identity Management provides true win-win scenarios for the company and for users, and organizations should capitalize on natural enthusiasm for the project while working to overcome resistance to change. Since user awareness and understanding are important, executives must communicate the importance of the project and its expected outcomes.
An organization’s objectives for rapidly rolling out Identity Management must be balanced with the possible negative effects of choosing inappropriate methods. While few organizations publicly admit their mistakes, anecdotal evidence clearly shows some approaches are better than others. For instance, laissez-faire approaches to deploying Identity Management rarely recoup investments since few people use the system. At the same time, excessively harsh or inflexible approaches have ultimately reduced employee morale, productivity and financial benefits.
A combination of education with both positive and negative incentives has proven to maximize both the end user experience and financial benefits. The best practices for a particular organization depend on a variety of factors such as the size, culture and geographic distribution of the organization, the types of end users (technical, administrative, mobile, highly-compensated, etc.), the organization’s previous experiences rolling out applications, as well as objectives for using the system. Proper planning, as well as budgeting a sizable percentage of
Fischer International Identity: Best Practices for Rapid User Adoption 3
the projected first-year savings for incentives, can significantly improve the financial benefits for the entire project. Planning is required for multiple phases: education, registration and ongoing use.
Since the registration process can be a significant hurdle, when possible, choose a product that can automate the pre-registration process. For example, the product should automatically register users and correlate users with their existing accounts. If password management is part of the solution, it should extract personal information from HR and other sources to answer initial challenge-response questions for password resets and it should also require users to create / answer additional questions during their first use of the product. If the product does not support these activities, choose another product or simplify the registration process as much as possible and increase your use of incentives.
Training and awareness are crucial to the success of Identity Management. Training requirements are typically minimal and can be delivered using a variety of methods, but should always answer the user's question “What’s in it for me?”
The first challenge is to convince busy people to invest a few minutes up front to save much more time later. Successful organizations have generated awareness (and even excitement) through pre-launch campaigns that highlight the advantages to end users:
- Use one password for all accounts
- Reset forgotten passwords faster
- End embarrassing password reset calls to the help desk
- Simple process for requesting access to resources ¡V no more guessing who to contact
- Easily update profile information such as mobile phone number
- Able to view the status of requests
- Always available ¡V no waiting on the phone or waiting for help desk to reopen
The most successful training is performed immediately prior to rollout, and can be performed using a variety of techniques.
- Live or automated demonstrations
- Training documents with screen shots of each activity
- Posters with simple illustrations of the password reset and resource request processes
- Articles in the organization¡¦s newsletter
It’s vital that end users can quickly locate password reset instructions when needed or they’ll become frustrated and revert to calling the help desk. Methods include a link from a web portal (if accessible without login), posters, paper memos, login screens, etc.
Metrics and Incentives
Metrics and incentives are pivotal for success and can provide ongoing leverage for continued attainment of objectives, but they are often underutilized. Metrics must be easily understood in order to provide an objective basis for positive and negative incentives that reward (or punish) users and their managers based on actual performance.
Incentives are important enough that organizations should budget a sizable percentage of projected first-year savings for positive and negative incentives, as each type of incentive requires resources. It’s also important that any incentives are designed for the unique culture and resources of the organization as inappropriate incentives can do more harm than good.
Many organizations resist using positive incentives because of the belief that “end users should simply do their jobs without added incentives.” However, significant financial and morale improvements can be achieved by including positive incentives since people typically do what they are rewarded to do. More commonly, organizations use only negative incentives to achieve their goals. While negative incentives are an important part of the equation, especially in maintaining high adoption rates for ongoing use, care must be exercised since excessive reliance on negative incentives can negatively impact productivity, morale and financial benefits.
Positive incentives have the most value during the startup phase, and are especially important if a manual registration process is required, usually in the form of answering personal questions to be used for password resets. Organizations can successfully use a variety of positive incentives for the initial phase depending on their corporate culture and their end user types:
- Reward business units: provide rewards based on the percentage of all people in the business unit who perform the required initial tasks ¡V the higher the percentage, the better the reward, e.g., time off work, group entertainment, group lunch, monetary, etc.
- Contests for business units: provide a more substantial reward to the business unit(s) with the highest attainment of their objectives. Organizations with a competitive culture will likely find this option most favorable.
- Reward individuals: provide a small reward (free lunch, cash, gift certificate, etc.) for all persons who perform the required initial tasks.
- Drawings for individuals: randomly draw for larger prizes from the list of people who have completed the required initial tasks. Highly-compensated persons such as doctors and sales people are often more inclined to participate for the chance at a substantial prize that provides "bragging rights."
- Reward managers: provide rewards or contests for managers whose people have the highest attainment rates.
Depending on the culture of the organization, negative incentives or a combination of positive and negative incentives can be more effective than positive incentives alone. In addition to impacting the initial setup process, negative incentives address the ongoing use of Identity Management.
Initial Setup Process: Organizations use a variety of approaches to accelerate the required initial tasks.
- Create peer pressure by publishing a list of who has not performed the required tasks. This is best combined with positive group incentives that depend on the percentage of people who perform initial tasks for Identity Management.
- Send email messages to end users reminding them to perform required tasks (including instructions) or asking end users to explain why they haven't registered. Repeated messages could become less friendly, could openly copy the person's manager, etc.
- Have an impartial liaison, such as your organization's trainer, contact persons who have not performed the required initial tasks. This personal touch is especially effective for individuals who might need additional training. Alternately, ask managers to follow-up with noncompliant team members.
- Have the help desk guide callers through a first-time use of the required process so the users can immediately reset their passwords or request resources. This option requires planning for adequate help desk staffing since it could require extra time per help desk call.
- Automatically revoke access to applications for end users who have not registered for Identity Management after some period of time. Organizations taking this approach should plan to revoke access for a manageable number of end users per day so that the help desk is not overwhelmed, and so that no single department, business function or location is significantly impacted by the access revocation.
Ongoing Use: For an organization to continue meeting its objectives, it often must encourage users to not revert to calling the help desk by reminding users of the speed, ease of use and cost savings of the automated solution.
- Ask managers to contact persons in their workgroups who call the help desk for processes available through self service.
- Automatically send emails to end users and their managers when the users call the help desk for processes available through self service. The emails could note the cost per call to the help desk (typically $30 or more per call). Optionally, tie a department's help-desk costs to performance measurements or to compensation for its users and/or managers.
- Make calling the help desk for processes available through self service increasingly onerous: Publish separate numbers for processes available through self service and instruct help desk representatives to immediately transfer these calls to the appropriate phone number. Callers must listen to a recording that explains how to reset one's own password or how to request resources before any help desk representative takes the call.
- Publish a policy for the help desk to call back end users after a specified period of time rather than taking their calls immediately for processes available through self service. Gradually increase the waiting period for callbacks. Organizations should use caution with this method since it could create undue hardships for traveling end users.
- Temporarily revoke access to applications for end users who have not changed their passwords through the password management facility according to your policies (e.g., must change passwords every 90 days). Consider a phased approach so that a manageable number of end users per day would experience revocation, the help desk would not be not overwhelmed, and no single department, business function or location would be significantly impacted by the access revocation.
- The exception to the above would be when a manager needs to revoke all access for a person. The help desk should immediately revoke access but later follow-up with the manager to confirm adequate understanding of the process.
Identity Management solutions and implementation methods vary widely. Choose a solution with the right functionality for your organization’s requirements. Whether your organization is new to Identity Management or installed a product years ago but experiencing inadequate utilization, proper planning and execution of solution launch (or re-launch) activities can dramatically improve utilization rates.
Fischer Identity quickly extends Identity and Access Management to end users across locations and across enterprises, and is available as on-premise software or as a SaaS solution. Modules include Password Reset & Synchronization, Automated Role & Account Management, Access Termination, Privileged Account Access Management, Federation, Web Single Sign-On and Identity Compliance.
Document: MCW-07-190B May, 2012
Copyright © 2009-2012 Fischer International Identity, LLC. All rights reserved.
Fischer International, Fischer International Identity, Managed Identity Services, Managed Identity Services Technology, Identity as a Service, IaaS, the Fischer International Logo, Global Identity Architecture, Built for Business…Yours, and all other Fischer product or service names are the trademarks and/or registered trademarks of Fischer International Identity.