Overall coverage
Transitional
52%
67 / 120 points
Coverage = unweighted mean of the 10 dimension coverages (not points ÷ max)
Maturity distribution
Modern 3Transitional 6Tech Debt 1
Headline finding
PD BYOD is a mobile application, so some assessment questions may not be directly applicable. Items such as Infrastructure as Code, automated vertical and horizontal scaling, or recent production rollback/deployment practices are more relevant to backend or infrastructure-managed components than to the mobile app itself.
Primary modernization lever: Resilience & Recovery
Coverage vs. portfolio
app vs. avg (dashed)Score vs. gap by dimension
Prioritized remediation
Ensure all secrets and cryptographic keys, including private and public keys, are properly managed using an approved central vault or secrets management solution.
Access to secrets, keys, and privileged permissions should follow least-privilege principles, be regularly reviewed, formally certified, and rotated or revoked when no longer required.
Ensure the system follows approved internal standards like Mobile Research Platform blueprint.
Define and maintain measurable SLAs and SLOs (that make sense) and aligned with business criticality and stakeholder expectations. These should have clear ownership, and a regular review cadence.
Define documented RTO and RPO targets. These targets should be aligned with business impact and approved by system owners.
Per-question assessment
click a dimension to expand · colored answer chips▸ FAIR & Discoverability 0 gaps 33%
The dataset or system is findable in a searchable catalog or inventory.
N/AA named data owner or steward is formally assigned and documented.
YesAccess and usage conditions, including legal and compliance constraints, are documented and available to users.
N/AWhat is the percentage of the data uses standardized terminologies such as RTiS.
0.0Data lineage is captured for key data flows and is maintained over time.
None▸ IAM, Privacy & Security 3 gaps 58%
The system uses the approved corporate identity provider for user authentication (e.g., Roche SSO via PingFederate, OAuth 2.0, OpenID Connect).
NoData is encrypted in transit.
YesData is encrypted at rest.
YesSecrets are managed in an approved central vault (e.g., HashiCorp Vault or AWS Secrets Manager).
PartialAccess rights and permissions are reviewed and formally certified at defined intervals.
NoNo shared or generic privileged accounts exist in the production environment.
Yes▸ Platform / Hosting / Infrastructure 1 gap 50%
Infrastructure is provisioned declaratively using Infrastructure as Code.
N/AThe system uses approved shared internal platforms or Golden Paths, where applicable. (e.g., Minerva Application Blueprint)
Partial▸ Architecture & Interoperability 3 gaps 38%
Can we swap in and out components without modifying the system.
PartialAll application services are exposed through clear and defined interfaces.
NoData contracts are documented and governed.
YesAPI lifecycle management is actively implemented using Gravitee.
No▸ Reliability 2 gaps 33%
All critical services have defined SLAs and SLOs.
NoMajor incidents are followed by systematic postmortems, and resulting corrective actions are tracked to closure in the backlog.
YesSLIs are defined and calculated for all established SLAs and SLOs, and are visible to stakeholders and system owners.
No▸ Scalability & Performance 1 gap 50%
The system supports automated vertical and horizontal scaling based on real-time demand, where applicable.
N/ALoad and performance testing are performed routinely and included in major release cycles.
Partial▸ Deployment Automation 0 gaps 100%
Core workloads are supported by a complete CI/CD pipeline.
YesBuilds, tests, and deployments are executed through fully automated processes.
YesAutomated quality gates are enforced before production deployment. (e.g., SonarQube)
YesProduction rollback or deployment occurs regularly and within the last 6 months.
N/ABuild artifacts and dependencies are managed in a traceable and controlled manner.
Yes▸ Observability 2 gaps 67%
All critical services generate standard telemetry, including logs, metrics, and traces.
PartialObservability data is available through approved central monitoring and observability tools.
YesIncident analysis can be performed across upstream and downstream dependencies.
Partial▸ Resilience & Recovery 2 gaps 0%
Critical services and data have defined Recovery Time Objective (RTO) and Recovery Point Objective (RPO) targets.
NoBackup, restore, and recovery procedures, including assigned roles and responsibilities, are documented and tested.
No▸ Cost Transparency & FinOps 0 gaps 92%
Cost visibility is available at component, system, product family, or domain level.
SystemCost is reviewed regularly together with usage and business value by the owning team.
YesArchitectural decisions explicitly consider cost as a primary decision variable.
Yes