Thanks for sharing the source. I would not say that “not going according to plan” equals failure, but the figure is disturbing to say the least. My take is that most BPM products out there simply do not work, for they are not products, but rather frameworks that only consultants paid by the vendors themselves can actually deploy into production, and that is when these consultants are actually good.

A couple of months ago, I had a discussion with an analyst at one of the top analyst firms. I mentioned our BPMS Challenge — which by the way no vendor managed to complete, contrary to what they claimed — and I asked her if she could name one BPMS vendor — beside Intalio — which product had been successfully deployed without any help from the vendor itself. She admitted that she could not. As a point of reference, this analysts conducts over 300 customer briefings on BPM every year, and personally covers all BPM products you and I could think of. To me, this tells the whole story.

More on this later.

Best regards
 -Ismael

Actually, the failure rate is 59%, not 41% as I quoted. “A recent survey by BPM Magazine advised that vendors and consultants fall short in delivering on the promise of BPM systems -– only 41% of the companies surveyed reported that their BPM system implementation went according to plan.” The source is BPM Magazine’s Survey on BPM Implementations.

You can subscribe to get a copy of that report in the BMP magazine.

Best regards,
 -Francis

Where did you find this statistics about the failure rate of BPMS projects? I believe it must be close to the reality, but I would like some reference for it. Also, the quality of documentation for Open Source projects varies greatly, and is up to the commercial Open Source vendors to improve. Feel free to join us if you want to help.

Best regards
 -Ismael

Glad to see you write that. I think so too.

Best regards
 -Ismael

I believe that you may get somewhere with your security models. Please submit them to ISO to enhance its standard — Common Criteria (CC): ISO/IEC 15408. CC (C2) was derived from DoD’s Trusted Computing System — the Orange book. After its publication, many governments in the world adopted it as security standard for ADP (Automatic Data Processing). There are many levels of certification, the minimum is C2. The highest one is A1, which no one has been able to achieve as of yet. Instead of maintaining the Orange book to incorporate feedback from other governments, DoD turned it over to ISO to evolve and maintain it as an international standard. When software is C2 certified, governments can purchase it without questions.

When BPMS matures to be an EPMS (Enterprise Processes Management System), it needs to be C2 certified before large organziations will use it. The current statistics for the failure rate in BPMS implementation is 41%, even with help from BPM consultants and vendor specialists. Many organizations question the real benefits as touted by BPMS vendors. The concept is fantastic, but the software falls short in realizing the benefits claimed!

Going down the Open Source route is a good way to promote BPMS. When a facing high failure rate, BPMS is another venture like ERP implementation — expensive and with a lot of headaches and heartaches! There is no free lunch, even if the cost for the software is a big fat zero. An organization still needs to invest in hiring external expertise and training its staff to plan, design, configure, execute, and maintain the BPMS.

In essence, it is about more than just security in deploying BPMS within an organization. Open source vendors make money by offering training and support services. Moreover, it is a general practice that Open Source software’s documentation is at the lowest level of quality. The best documentations are from IBM and Microsoft. DEC and Tandem were too, but they no longer exist, as they are part of HP’s operations! IBM’s Principles of Operations for the 360 Mainframe was the best computer architecture document ever published in the sofware arena!

-Francis

I have a few models for security, based on the level of paranoia required by the organization. Military systems have a high level, Ismael’s Blog a low level. My solution is to have a process-based system that is open to access by anyone, the process system then determines how the process should run, not if it should run. This way, security is embedded in the BPMS. You can still be paranoid if you like, and add a firewall, but it should not be necessary.

Cheers
 -Bob

If BPMS is as powerful and versatile as most vendors claim, it needs to be C2 certified, for it can potentially interface with many, if not all, enterprise systems. Let us say that a BPMS can interface with the systems for an intelligent building to monitor system activities at a high-level. In its current form, it is not too difficult to tap into a BPMS and take control of the security and environmental control systems of a building! Imagine that you could gain access to virtually everywhere in the building by bypassing all surveillance devices such as CCTV and motion detectors. In essence, a Chief Risk Officer, not the CIO, must be able to verify and ensure that the BPMS is not a loophole that poses security threats. SOA and AJAX are vulnerable to many forms of attacks over the Internet in their current forms!

-Francis

You’re right in saying that revenues generated by SugarCRM and vtiger will be a lot less than the ones generated by Salesforce.com. But what interests me is the disruptive power of such solutions. In the end, they make a difference, much like the availability of a good Open Source J2EE application server (JBoss) completely reshaped this industry, to the customers’ benefit.

If you look at the time it took for the RDBMS to go from idea (ealy 70’s) to working implementation (early 80’s), BPM seems to be on a faster track. But you’re right in saying that too many vendors are confusing the message. In the end, I trust customers to be smarter though, and to focus on what will really solve their problems. I do not believe that a revamped workflow solution will make the cut there…

Thanks for the clarification. Very helpful.

-Ismael

This I believe, but how much revenue will the accounts generate vs. CRM seats? And will they really dent the core CRM base & growth rate? All accounts of course not created equal.

A very Happy New Year to you.

I’m not sure how secure the future of BPM is at times. It seems that there has been a bit of a lack of innovation in this space, considering how long it has been around. I realize it is often hard to turn the excitement and promise of a new technology into revenue, and I expect that has a major impact on developments.

Because of this, it seems that many vendors have created alternative approaches (largely because they don’t understand BPM properly). This just adds to the confusion of potential customers. So I’m not so sure how much time ‘pure’ BPM has before some of these alternatives become too embedded in the minds of those customers.

But I remain optimistic.

Cheers

-Bob

The main thing lacking from an Open Source point of view is security certification of applications above the OS — but this is not just an issue with Open Source. The current list of Common Criteria evaluated products contains only a few products that are not OSes or security-related products, and most of those are middleware (e.g., Oracle, WedSphere).

However, achieving Common Criteria validation, though not trivial, is not an insuperable obstacle either (it basically takes a couple of years and on the order of $1M or more, depending on assurance level), so think the expectation of seeing Open Source applications achieve CC validation within five years is a reasonable one.

I like the concept for an EPMS… We might used that term at some point.

Happy new year to you!

-Ismael

That would be great. BPMS should then be renamed as EPMS (Enterprise Processes Management System), only if it can really support all enterprise activities, with a generic template or model, as depicted in Professor Porter’s “Value Chain” model.

Have a prosperous 2007!

-Francis

I could not agree more, and here is an other inference for you: a BPMS will receive C2 certification within the next five years, and it will be based upon an Open Source code base.

I believe that you might have missed several emerging trends that could have a significant impact to the IT arena. They are:

1. SysML, DoDAF, and ISO AP233 have been converging as a de jure international standard that could replace BPMN and the like.

2. CMMI has replaced CMM for a long time. CMMI 1.2 will come in 3 variants, namely: Development (already released), Services, and Aquisition.

3. Until BPMS can support operational processes (not just business processes) and EDI (X.12 and EDIFACT) similar to BizTalk, not many large organizations will jump on the BPMS bandwagon anytime soon. This has to do with supply chain management processes using RFID technology in large enterprises such as WalMart and DoD.

Don’t forget, DoD is the largest IT buyer and user in the world. When it buys products from a vendor for the whole department, many other government agencies follow. A good example is the US Congress that uses Microsoft’s Exchange for e-mail management. Would US Congress adopt Open Source software? The answer is highly unlikely, as none would pass the C2 certification. An example is that IBM rewrote AIX to get the C2 certification. Microsoft’s NT-based OSes have been C2 certified. When DoD wants something as standard, DoD always gets it from standard bodies such as ANSI (MUMPS, Ada, etc.), EIA (EVMS), IEEE (POSIX), and now OMG and ISO for DoDAF!

-Francis