Governance 101: The role of effective Service Management governance in an IT services organisation and the key features of a governance framework

Delivering consistent, quality IT services for customers is not easy – and can be even more challenging if those services are not governed effectively. For example, how can an IT organisation look to improve if it doesn’t measure the number of service-impacting incidents properly?

Take the high-profile service outages of several major banks in recent years, for example. Their customers were unable to make transactions or access services for periods of time. Even in such a highly regulated environment as financial services, where IT governance is generally tighter, there are no guarantees that the outages could’ve been prevented by governance alone.

Equally, too much governance could be seen as overly bureaucratic. A complicated – and lengthy – change control process could drive the wrong behaviour from some members of the IT organisation in that they may simply bypass the process.

By order of the management, doesn’t always mean effective governance!

In any case, a business is often dependent on its IT services, and as such, there need to be controls in place to not only protect – but gain value for – its customers. This of course needs to be appropriate, as not all businesses are financial service providers needing tight control.

What is governance and why is it important?

Before implementing any type of governance, it is worth understanding what it actually is. According to Wikipedia, “governance refers to all processes of governing undertaken…and relates to the interaction and decision-making among the actors involved in a collective problem”.

The Harvard Business School describe IT governance as “specifying the decision rights and the decision-making mechanics to foster the desired behaviour in the use of IT”.

A key thing to note is that governance is not the same as management. Ultimately, ITSM governance is concerned with control, compliance and performance.

It is important that ITSM governance has effective decision-making in place; drives the right behaviours (and, by implication, discourages the wrong behaviour); and has policy and processes in place so that it is easier to discover issues and remedy them more quickly.

Going back to our banking example earlier, HSBC had an issue with ATMs and Online Banking in 2011 but were able to pinpoint it and restore service within 2-3 hours. If they didn’t have good governance in place, it feasibly could have taken considerably longer to obtain information and decisions.

What are the different aspects of ITSM governance?

In order to understand, design and communicate effective ITSM governance, Harvard Business School suggests “a decision, rights and accountability framework” should be created that covers aspects like:

  • What decisions should be made and what information should be considered
  • Who can make decisions and who is accountable for them
  • How can decisions and governance be measured?

You might also want to consider different aspects like those in the table below:

| Aspect | Questions or things to consider |
|---|---|
| 1. People | Communicating with guiding principles that inform and involve all relevant staff; leverage their expertise; and ensure strong input from Senior Management |
| 2. Process | Governance should be controlled and executed through policy, process, ownership and performance |
| 3. Technology | What technology and tools are required to support the process? |
| 4. Information | What data such as measurements and metrics are required to inform decision making? |
| 5. Services | What are they; how much do they cost; and how do they add value to the business? |
| 6. Suppliers | What are their processes and metrics and how are they involved in your governance? |
| 7. Customers | Who are your customers and how do they benefit from your governance? How can you evidence your governance improves service costs, their perception and value delivery? |
| 8. Corporate Governance | How does your governance align to the corporate governance, strategic objectives and architecture; and are IT involved at the right level within the organisation in this regard? |

How is ITSM governance executed?

After considering what aspects to include in ITSM governance, it is equally important to consider how to design and execute it in practice. The following are some suggestions you might want to consider when implementing ITSM governance.

Firstly, identify the types of frameworks and methods to be used – particularly if you are starting from scratch. Whilst not exhaustive, the following are some common methods and how they can be applied:

  • COBIT is an IT governance framework that focuses on what should be covered in processes and procedures and how they can be directed and controlled.
  • ISO/IEC standards like 20000 (Service Management), 27000 (Security) and 38500 (IT Governance) are international standards that provide specific advice and controls that IT can be audited against to gain industry-recognised certification
  • TOGAF is a framework for enterprise architecture that provides an approach for designing, planning, implementing, and governing an enterprise and service orientated architecture
  • Other specific best practices for governance such as PRINCE2 for projects; USMBOK and ITIL for service; MoR for risk management; CMMI for benchmarking and maturity.

Secondly, ITSM needs to be involved with – or even own – certain internal governing bodies like:

  • IT Pipeline and Portfolio Board to understand the upcoming projects and be ready to design, transition and operate the services being delivered as necessary
  • Architecture Governance Board to influence and ratify all architecture designs and decisions
  • Change Advisory Board to review/approve changes – particularly to the live production environment
  • Other Governance or Steering Groups involving the business to ensure IT is represented appropriately

Thirdly, ITSM Governance needs to ensure key policies, processes and metrics are in place. This may vary depending on the needs of the organisation, but things like incident, change and release policies should be created to ensure service-related issues or changes are controlled, evaluated, measured and resolved in an appropriate way to ensure minimum risk and impact to the business.

Finally, and arguably the most important thing, is to build an improvement culture that involves the support of the whole IT organisation. By establishing quick wins; involving staff in the policy development; empowering them to take ownership as appropriate; and using improvement techniques such as Deming’s Plan Do Check Act cycle; ITSM governance is more likely to be established, accepted and acted upon by the IT organisation.

Summing Up

The key things to remember when implementing ITSM governance are to:

  • Ensure it is appropriate for your organisation and limit bureaucracy where possible
  • Remember that governance is not management and is primarily about driving effective decision-making and ensuring control and performance of services
  • Make sure it aligns to the strategic and corporate governance and objectives of your organisation
  • Control, improve and mature governance through policy, process, benchmarks and measurements using industry best practice if practicable to do so.
  • Develop and maintain an improvement culture within the IT organisation so that staff understand the value of – and contribute to the success of – ITSM governance


This article was contributed by Jon Morley – Vice-Chair of the itSMF UK Service Transition Special Interest Group and IT Service Transition Manager at the University of Nottingham.

Live from LEADit, Conference Review

Meeting April Allen (@knowledgebird) at LEADit - the itSMFA conference

DAY ONE

I’m at the itSMF Australia LEADit conference in Melbourne. It started with a buzz of excitement with a healthy turnout of 674 expected during the 3 days.

The opening ceremony speakers, itSMFA Chair Kathryn Heaton and Australian politician Gordon Rich-Phillips, were very positive about the state of ITSM in Australia and the future plans for even better cooperation between IT and the Government. Gordon Rich-Phillips stated, “IT is an enabler of productivity and employment” and emphasized the importance of holding events like these in Melbourne, where it is commonly accepted as the hub of IT, particularly in the State of Victoria.

The keynote from Peter Nikoletatos on Accelerated Connectedness was an entertaining and insightful look at how to maintain the basics (Hygiene IT) whilst introducing an agile approach. The second keynote from Nigel Dalton was a well constructed debate and case study on whether adopting The Cloud is ‘all about money’ or is actually the opportunity to succeed (albeit with a different approach to organizational structure), with his role as CIO at The REA group provided as a case study.

The main focus of the day from the perspective of the keynote and breakout sessions was the high level discussion on the ability to take Service Management beyond IT into other areas of business so they are integrated and not separate entities.

Some feedback from delegates suggested that more was needed in terms of how to implement ITSM outside IT. Some of the tool vendors expressed concerns that the event had to develop this offering or miss the huge opportunity of being part of the larger business operation.

Peter Hepworth from Axelos provided an update on the 60-strong team now running the ITIL and Prince2 best practice frameworks, including Prince2 for Agile.

Overall the first day of the LEADit conference has been incredibly productive and I have been very impressed by the amount of social interaction and discussions between end users, speakers and vendors alike in very relevant topics that many in Service Management face. This event is highly regarded by many of the attendees as one of the top five of itSMF events globally and at this stage I can only agree.

DAY TWO

Another really good day at the LEADit conference for ITSMF Australia in Melbourne. The keynotes in the morning were two of the best I have seen at any event and will live long in the memory.

The first keynote was from Jason McCartney, an AFL hero who was badly injured in the Bali bombings in 2002, and told his story of how he overcame injuries to marry his wife (less than 2 months later) and return to his passion of playing football at the highest level when doctors said he wouldn’t ever play again. It was a great uplifting speech and one of the best I have ever had the pleasure to watch. Jason held our attention from start to finish, which most presentations rarely do.

“It’s not what you are dealt in life – it is how you deal with it” ~ Jason McCartney

The second keynote, from ITSM Ambassador Malcolm Fry, was also very good. His keynote was very original and was based around looking at various famous types of artwork like Banksy, Salvador Dali and Monet and how they relate to ITSM, in that sometimes Service Management isn’t about the little details, it’s about the bigger picture, and that you can look at things in a different way, especially how the Service Desk works.

The Breakout sessions were well attended again today, with lots of positive and informative contributions from the speakers. A lot of focus of the event has been the whole ITIL vs COBIT and ITIL versus Agile debates, with justified arguments on both sides. A lot of the end users I spoke to today were focused on delivering customer satisfaction and getting the basics right and were attending the courses relevant to these topics.

The final keynote of the day showcased the key findings of a collaboration between itSMFA and ISACA into problems faced when developing strategic IT plans (the ebook is available from the itSMFA or ISACA website).

Left to right: Peter Hepworth (CEO, Axelos), Kathryn Heaton (itSMFA Chair), Bruce Harvey (itSMFA) at the LEADit Gala dinner.

Evening entertainment was the Telstra Gala Dinner and ITSMF industry awards. A well attended evening (they could have filled the hall twice) to celebrate the successes of the year and show gratitude to long standing members of the itSMFA. Congratulations to Karen Ferris of Macanta Consulting for her lifetime achievement award.

Change Management – Surviving Implementation

The super power of a change manager is an “invisible shield”, just like Violet from The Incredibles

One of the things I’m getting asked about most this year is about getting the basics right – how to actually do change management in the real world. We all know that having good processes in place protect us all, ensures we meet regulatory guidelines and are generally just common sense, but what about using them so that we can build a better, stronger IT organisation? In this article, I’m going to talk about getting started and surviving the implementation phase. I’ll then follow it up with another article on how to actually run your change management process.

Let’s start from the beginning. Change management sits in the transition stage of the service lifecycle. ITIL states that the objective of change management is “to ensure that changes are recorded, evaluated, authorised, prioritised, planned, tested, implemented, documented and reviewed in a controlled manner”. In a nutshell, change management is about putting things in, moving things round or taking them out, and doing it safely and without setting anything on fire.

When describing the change process, I call change managers the guardians or protectors of our network. They ensure all changes are sanity checked, tested, reviewed, approved and scheduled at a sensible time. Their super power is an invisible shield (like Violet in “The Incredibles”) that protects the rest of the organisation from the adverse impact of change.

Getting started: Common Excuses and Ways Around Them

Change management is an incredibly important process because it enables you to manage, control and protect your live environment. Since the credit crunch, I’ve had more and more people coming to me saying that their change departments would either have to endure massive cut backs or stop improvement works. Here are some of the most common excuses I’ve come across for this along with some possible ways around them.

Excuse number 1: “We don’t have the time”. Ok, what about all the time wasted dealing with the impact of failed or unmanaged changes, firefighting incidents and dealing with the big angry mob camped outside the IT department waiting to lynch us for yet another mistake? Let’s be sensible, having a strong change process in place will lead to massive efficiency savings and the use of standard changes, models and templates will make the work involved repeatable.

Excuse number 2: “We don’t have the resources”. What about all the time spent going cap in hand to the rest of the business explaining why a key service was unceremoniously taken out by a badly executed change? Spin doctoring a major incident report that has to go out to external customers? I’d argue that you’re wasting resources constantly firefighting and if you’re not careful it will lead to stressed out departments and key individuals burning out from the stress of trying to keep it all together. Instead of wasting resources and talent – why not put it to good use and start getting proactive?

Excuse number 3: “We don’t have the money”. What about all the money spent on service credits or fines to disgruntled customers? Then there’s the less tangible side of cost. Reputational damage, being front-page news, and being universally slated across social media – not nice and definitely not nice having to deal with the fall out. Finally, what about compliance and regulatory concerns? Failing an audit could be the difference between staying profitable or losing a key customer.

Excuse number 4: “We can’t afford expensive consultants”. Ok, hands up. I used to be a consultant. I used to work for Pink Elephant UK and for anyone out there looking for an amazing consulting / training company then go with Pink – they rock. That aside, if you can’t afford outside help in the form of consultancy, you still have lots of options. Firstly, you have the itSMF. Again, I’m biased here because I’ve been a member, as well as a speaker for, and chair of, various sub groups and committees, all in an attempt to champion the needs of the IT service management community. Here’s the thing though, it’s useful war stories, articles, white papers and templates written by the members for the members. There’s also ISACA, which focuses more on the governance and COBIT side of things. There’s the Back2ITSM movement – lots of fantastic help, support and information here. There’s the ITSM Review and blog sites from the likes of The IT Skeptic – lots of free resources to help you sort out your change management process.

Excuse number 5: “I’m probably going to be made redundant anyway so what’s the point?” Yes, I am serious, this is an excuse I’ve come across. There’s no way to sugar coat it, being made redundant or even being put at risk is (to put it mildly) a rubbish experience. In that situation (and believe me, I’ve been there) all you can do is keep doing your best until you are told to do otherwise. Having a strong change management process can be a differentiator on responses to bids and tenders, as SOX compliance or ISO 20000 accreditation can set you apart from competitors. Bottom line, we have to at least try.

Planning for Change Management

So how do you get started? First things first: you need to get buy in. Most management guides will tell you to focus on the top layer of management as they hold the purse strings, and that’s very true, but you also need buy in from your guys on the front line – the guys who will actually be using your process. Get their buy in and you’re sorted, because without it you’re stuffed.

So, starting with the guys at the top, you need to speak to them in their language and that means one thing – a business case! This doesn’t have to take forever and there are lots of templates out there you can use. The key thing is to explain clearly, in their language, why change management is so important. Things to cover in your business case are introduction, scope, options, deliverables and benefits. Now get your techies on board. There’s no “right” way of doing this. As someone with a few war stories to tell, things that have worked in the past include:

  • sitting down with your techies
  • templating everything
  • using the umbrella argument (more on that later)
Krispy Kremes can help

I’ve also found that bribing support teams with doughnuts can be very effective; as a former techie I can confirm that Krispy Kreme ones work particularly well.

Once you’ve got your buy in, gather and confirm your requirements. At the risk of playing management bingo here, a good approach is to set up workshops. Engage with both IT and the rest of the business so that there are no surprises. If you have an internal risk or audit department, now is the time to befriend them! Using the aforementioned doughnuts as bribery if necessary, get their input as they will have the most up to date regulatory requirements you need to adhere to, such as SOX or Basel 3.

Define the scope otherwise it will creep! Plan what you want to cover carefully. Do you want to cover all production equipment? What about test and DR environments? Whatever scope you agree, make sure it is included in any SLAs, OLAs or underpinning contracts so that you have documented what you are working to.

Keep your end users in mind

When writing your policy, process and procedures, keep your end users in mind. Don’t try to cover everything in red tape or people will find ways to circumvent your process. Let’s start with your policy. This is your statement of intent, your list of “thou shall” and “thou shall nots”. Make sure it’s clear, concise and is in alignment with existing company standards. I know this might sound counterintuitive but also, prepare for it to be broken. It might sound strange but there will be times where something will need to be fixed in the middle of the night or there will need to be an urgent update to your website. It’s important that changes are raised in enough time for them to be reviewed and authorised, but exceptions will pop up so plan for them now when you’re not under pressure. Examples of when an emergency process could be used are:

  • Something’s broken or on fire (fixing a major incident)
  • Something’s about to be broken (preventing a major incident)
  • Major commercial reasons (in response to a move by a competitor)
  • A major risk to compliance has been identified (e.g. base rate changes, virus patches)

When looking at your process, make sure you have all the bases covered. This will include:

  • Recording and processing the change
  • Change assessment
  • Change Advisory Board (CAB)
  • Build and test
  • Implement
  • Review and close

I’ll talk about these in lots of detail in part two of this article.

Training & Communications

You’re about to go live with your sparkly new change management process and you want it to be a success so tell people about it! First, attend every team meeting, management huddle and town hall that you can get away with! Get people onside so that they know how much help change management can be and to reassure them they won’t have to go through lots of red tape just for the sake of it. Another way of getting your message out is to use posters. They’re bright, cheerful and cheap – here is one that I’ve used often.

Pelt front line teams with coloured balls if necessary! Not too hard though!

In terms of training you need to think about your change management team and your stakeholders, the people that will be raising changes using your process. For your change management team there are lots of practical courses out there that can help – a few examples could include:

  • ITIL Foundation
  • ITIL – Service Transition
  • ITIL – Release Control and Validation (RCV)
  • COBIT
  • SDI Managers Certificate
  • ISO 20000

Other important considerations include:

  • On the job training
  • Shadowing

But what about your front line teams who will be raising the changes and carrying out the work? Again put some training together – make it interactive so that it will be memorable – in the past I have been pelted by brightly coloured balls by a colleague in the name of explaining change management so there really is no excuse for death by PowerPoint!

Things to cover are:

  • The process, its scope and the definition of a change
  • Raising a change record to include things like implementation plans, back out plans, testing, risk categorisation (“no it is not ok to just put medium”) and DR considerations
  • Templates & models
  • Benefits

I’ve done a fair few of these in my time so if you would like some help or examples just ping me on my contact details below.

Go Live

So you’re good to go. You’ve gathered your requirements, confirmed your scope, got buy in and have written up your policy, process & procedures. You’ve socialised it with support teams, ensured everyone has been trained up and have communicated the go live date. So deep breath time, go for it! Trust yourself, this is a starting point, your process will improve over time.

Metrics

I’ve written lots about metrics recently and have spoken about the basics in a previous article on availability, incident and problem management but in short:

You need to have a mission statement. It doesn’t have to be fancy but it does need to be a statement of intent for your team and your process. An example of a change management statement could be “to deliver changes effectively, efficiently and safely so that we put the customer at the heart of everything we do”.

Next come the CSFs or critical success factors. CSFs look at how you can achieve your mission and some examples for change management could include:

  • To ensure all changes are carried out effectively and safely.
  • To ensure all changes are carried out efficiently, on time and with no out of scope emergency work.
  • To work closely with our customers & stakeholders to ensure we keep improving while continuing to meet their needs

Finally, we have Key Performance Indicators or KPIs. These give you the detail on how you are performing at the day to day level and act as an early warning system so that if things are going wrong, you can act on them quickly. Some example KPIs for change could include:

  • More than 98% of changes are implemented successfully
  • Less than 5% of changes are emergency changes
  • Less than 10% of changes are rescheduled more than once
  • Less than 1% of changes are out of process

So you’ve survived your change process implementation – smile, relax and take a deep breath because now the real work starts! Come back soon for part two of this article which will give you some practical advice on running your new change management process.


Eight Principles for Transforming Cybersecurity

Enterprises today not only have to defend their assets – they must hunt.

This article was contributed by Robert Stroud, Vice President at CA Technologies.

Just five short years ago, cybercrime represented just 1% of all economic crime (source: PricewaterhouseCoopers, Global State of Information Security Survey, 2011). By 2011, that number jumped to 23%, and we can continue to expect those numbers to climb.

The numbers aren’t the only thing increasing – so too are the complexity and persistence of these crimes. According to an ISACA survey of more than 1,000 security professionals, more than 9 in 10 respondents believe advanced persistent threats (APTs) represent a credible threat to national security or economic stability. Among the enterprises that have experienced an APT attack, one in three were unable to determine the source (source: ISACA, Advanced Persistent Threat Awareness Study Results, 2014, publishing in April).

There is no question that cybercriminals are more sophisticated than ever before. Enterprises today not only have to defend their assets – they must hunt. Detection and response, rather than prevention, are becoming the focus. But with a growing skills gap, still-lean budgets and constantly evolving threats, where can enterprises start?

Eight principles

In its Transforming Cybersecurity Using COBIT 5, global association ISACA recommends starting with these eight principles:

  1. Know the potential impact of cybercrime and warfare. Make sure you are aware of the potential damage a cyber attack can cause and the wide-ranging impact it may have. The organization must decide the risk level it can tolerate in order to ensure the appropriate level of cybersecurity governance.
  2. Understand end users, their cultural values and their behavior patterns. As the ISACA guide notes, “Business impact and business risk relating to cybersecurity arrangements are strongly influenced by organizational and individual culture.” The culture – and the resulting end-user behavior and patterns – should be accounted for in the enterprise’s strategic, tactical and operational security measures.
  3. Clearly state the business case for cybersecurity and the risk appetite of the enterprise. The business case outlining expected value and tolerable risk will drive the overall cybersecurity strategy. As a result, the business case must have depth and definition. Among its contents, it must include cost-benefit considerations and the organization’s culture and values pertaining to cybersecurity.
  4. Establish cybersecurity governance. There is no need to reinvent the wheel here. Adopting and customizing a governance framework such as COBIT will give you the tried, tested and proven governance guidance you need. By effectively governing cybersecurity, an organization provides a clear sense of direction and boundaries.
  5. Manage cybersecurity using principles and enablers. The principles and enablers found in COBIT 5 will help your organization ensure end-to-end governance that meets stakeholder needs, covers the enterprise end to end and provides a holistic approach, among other benefits. The processes, controls, activities and key performance indicators associated with each enabler will provide the enterprise with a comprehensive picture of cybersecurity.
  6. Know the cybersecurity assurance universe and objectives. Cybersecurity covers multiple areas and aspects within information security. To provide adequate assurance over cybersecurity, the cybersecurity universe must be well defined, and the assurance objectives must be clear and manageable.
  7. Provide reasonable assurance over cybersecurity. This principle requires all three lines of defense within an enterprise to be defined and managed. This includes monitoring, internal reviews, audits and, as needed, investigative and forensic analysis.
  8. Establish and evolve systemic cybersecurity. Cyber attacks target the weakest link in the system. As a result, cybersecurity must be looked at as a system of interdependent elements and the links between them. To optimize cybersecurity, the enterprise must have complete understanding of this dynamic system and must be fully aware that security governance, management and assurance cannot be viewed in isolation.

Using COBIT

While no company can be 100% secure, regardless of the controls and security measures it has in place, companies that use good practices such as COBIT are off to a good start. COBIT treats cybersecurity systemically. It helps ensure that an organization has end-to-end policies and processes in place, which helps them recover more quickly and effectively after a breach.

Using COBIT 5, enterprises approach cybersecurity as a business process that is aligned with the enterprise’s governance, risk management and compliance arrangements. They divide it into four phases: prepare, investigate, remediate/respond and transform. The “transform” phase is especially key, as it ensures that the post-incident analysis leads to key insights and improvements that are put into practice. By using COBIT 5 to transform cybersecurity in your enterprise, you can help ensure that cybersecurity is transformed systemically.

Consider this sobering statistic from the ISACA APT survey: one in five enterprises have experienced an APT attack. That number is only going to grow. Take advantage of the excellent guidance out there and make sure your enterprise is following these eight principles, so that you are ready to prepare for, detect and respond to a cybersecurity attack.


People and products: we all get old eventually

We all know that as we get older we lose some of our faculties and our usefulness changes. One interesting aspect of ageing workers is that it isn’t just about being good, bad, better or worse. In many jobs – and jobs as diverse as consultancy and bricklaying come to my mind – the actual deliverable usefulness changes as our strength and endurance fade but knowledge and experience grow to compensate and allow us to deliver continued, albeit different, value.

I suspect this feature, seen in the human species, is widely applicable, and extends even to best practice frameworks.

Let me try and explain what I mean.

For those of us who are parents, the first step to accepting the inevitable path to obsolescence and replacement is when we find ourselves asking our children to get something for us – because bending down or going upstairs is easier for them than us. Once past that point you have accepted not only aging but your progeny being better at things than you are. Inevitably that superior ability will spread from minor physical capability, like getting upstairs quickly, through to intellectual and perceptive ability such as understanding the world and innovation. For professional footballers, this tends to happen around 30, after which experience and positional understanding need to compensate for sheer speed and strength. For non-manual workers it is much later, but it happens just the same. The positioning of senility in best practice frameworks is less precise and perhaps still open to discussion.

Like parents, ITIL was originally young and fancy-free, and the only go-to place for building ITSM processes and practices. But in due course, ITIL spawned progeny (like COBIT, MOF and ISO 20000[1]) – or alternatives if you prefer to see it that way. And some of those newcomers have now matured, as children do, to offer stronger options than ITIL for some aspects of the ITSM best practice world.

So, maybe ITIL has started to show its age, the joints are creaking a bit and we see some really interesting challenges from the next generation who understand the new environment a little better and maybe still have the flexibility to adapt more. More crucially, we see initiatives that don’t have to be bolted on to a historical behemoth of existing products and commitments.

Of course ITIL still has massive value. Like experience in craftsmen, the years of refinement, the market pervasiveness, global understanding and more mean ITIL still leads and delivers real value to those who use it to help them get better at service management. But like the aging craftsman with good apprentices, have we reached the point where ITIL has something to learn from the newcomers, rather than trying to stick to the idea that age and longevity equals right and correct and form the only way to go on?

Certainly it seems to me that some of the new ideas being floated challenge established ITIL detail in many ways but not ITIL’s experience, position and reputation. Preserving that (for want of a better word) authority in the industry will rely, to some degree, on accepting where others might now be better. Most of what originally went into ITIL came from elsewhere. Quite deliberately there was very little original put into ITIL guidance – the whole point of best practice is that it is out there working in the best organisations. Since ITIL’s launch we have seen, in turn, ITIL’s ideas instigate and invigorate new best practice ideas. That’s the good part of getting older, seeing your children be successes, perhaps even seeing them outdo your own efforts.

In practice, I wonder about ITIL in two ways.

  • It should be no surprise that in terms of basic mechanics and core strengths – like process details – ITIL is falling behind its younger children, friends or competitors. But the breadth and broader strategic focus that came with the later versions still sets it apart and gives it value – but perhaps a different kind and less exclusive value – experience taking over from strength? It is encouraging to hear Axelos talk about new white papers discussing the integration of ITIL and other best practices. But where does ITIL go? Should it compete head on with other process approaches, seek an overarching integration role, or simply claim it is the original and best?
  • Is ITIL flexible enough to take on new ideas, or should those ideas look to younger backs to carry them and just point out to them? As just one example, recent discussions questioning the merits in retaining a separation between incident and problem make real sense. But where will they get properly documented to gain broad acceptance? Because, for sure, we need a well documented alternative approach for any degree of acceptance. (Interestingly much of that idea has come from old human heads rather than young upstarts. I suspect that once the young upstarts do get going in our industry then the degree of challenge to established ideas might go up by a few orders of magnitude. I’m rather looking forward to it all!)

As an ageing parent myself, I know the best chance of contentment lies in accepting my children’s now superior abilities, and in letting them do things for me. Certainly they now solve more challenges for me than I do for them. There is satisfaction that your genes – and lots of work – are actually firmly embedded into the future – the quickest route to immortality may indeed be via your children?

Of course, analogies should not be pushed too far and we need to see best practice use in its own right. We should expect much more overlap, some competition and hopefully a bit of mutual support. Oh, hang on; maybe they are like families after all?

The golden rule

But the golden rule for using best practices – be they for ITSM, cooking or anything else – has always been to look at all the relevant ideas and build what is best for you. In ITSM now we are both lucky and challenged to have a wider range of ideas than ever before. That might actually lead to diversity of ITSM approaches rather than the convergence to one (ITIL based) view as we have seen in the last 20 years.

ITIL is the product in charge still, its market position makes it well placed to lead and inspire. Integration would be wonderful, but unlikely, coordination would be helpful, competition would be disappointing. Whichever way things go, ITIL made this happen, and should be proud of that. Learning from your children is a good trait, I’m learning a lot and enjoying the experience, hope ITIL will too.



[1] All of these acknowledged their basis on ITIL in their early versions

The itSMF Norway conference – it’s the one that I want!

itSMF Norway Conference

Last week I had a last minute opportunity to attend the itSMF Norway conference in Oslo, and I have to say the stress of booking a flight, packing a bag and leaving my house within the space of an hour was completely 100% worth it. This was easily one of the best ITSM events that I’ve ever attended, both in terms of quality of content and overall experience, and one that I would highly recommend to others.

It’s also worth noting that I say this without really experiencing the entire event, as there were many sessions in Norwegian that I couldn’t attend (my Norwegian is a little rusty you see) all of which received great praise from the more local attendees. I was particularly sad that I couldn’t attend the session by Henrik Aase as it was literally all anybody was talking about throughout day one. However, the good news is that we are going to work with itSMF Norway to get some of the Norwegian sessions written in English as ITSM Review articles.

I couldn’t pass up on the opportunity to share some of the key takeaways, advice and tips coming out from the event, and so I hereby present to you my summary of some of the sessions that I attended along with general thoughts about the conference.

The conference key messages

Bearing in mind that I didn’t attend all of the sessions, my takeaways may differ to other attendees. However, from the sessions that I attended and my conversations with other delegates I found three key reoccurring messages:

  • We can’t keep ignoring DevOps. The benefits are too great to miss out on
  • Be honest in everything that we do, both with ourselves and with our customers
  • We must work on continual service improvement to maintain success

Interestingly, ITIL barely came up in any of the presentations that I attended, nor was I party to any conversations (bar a quick catch up with AXELOS) discussing ITIL. I know it was discussed during the “future of IT service management” panel at the end of day two, but by that time I’d left for the airport and so I only picked it up on Twitter. I found this particularly refreshing, I can’t remember the last time I didn’t get stuck in a conversation going round and round in circles on the topic of ITIL. In fact, I heard ‘COBIT’ mentioned more often than ‘ITIL’. Perhaps this says something about Norway’s adoption of the best practice framework (but I guess not given that the conference tagline was “ITIL – tell me more, tell me more”), or perhaps I just don’t understand ITIL in Norwegian (although I still question that I understand it in English).

However, a topic that did come up on a number of occasions was one that I’d not personally heard being discussed in a long time. Project and portfolio management (PPM) seemed to be a key focus for many of the delegates that I spoke with, with their primary reason being that it helps them make faster and better business decisions.  Again, this could speak more about the country than a new trend, but when I spoke with some of the international delegates they seemed to be in agreement of its new found importance.

Other messages

To avoid this particular article becoming incredibly long, over the course of this week I will publish supplementary articles of the key takeaways and advice from the following sessions:

We have also invited speakers to write articles based on their presentations, which we hope to publish over the coming weeks.

The conference itself

I could easily write paragraph after paragraph about just how good the itSMF Norway conference was, but for everyone’s sake I will try and summarize my thoughts in bullet points:

  • The content overall (granted I can’t really speak for the Norwegian sessions, but talk amongst the delegates leads me to believe that my assessment is fair) was far superior to anything that I have seen at any other ITSM event
  • The atmosphere was much nicer than at any other event I have ever attended. It was relaxed, laid back and fun – there were no stressed out organizers either, they enjoyed every second of the conference just as much as any other delegate
  • The theme was brilliant (although I don’t know how many more days I can take of continuously having “Summer Nights” stuck in my head) and was consistent throughout the event, from the sessions to the entertainment to the roaming hotdog vendors dressed in full 50s attire.
  • The organizers were wonderful, in control and most importantly – happy! P.S. Thanks for extending the services of your 50s hair and make up artist to me!
  • The food was yummy (this is huge praise from me, I never touch the food at conferences) – many will tell me this is irrelevant, but it’s all part of the event experience as far as I am concerned
  • The entertainment was fantastic (although there were a few groans from some who could understand the Norwegian “dinner entertainer” – i.e. not me – that he wasn’t on par with the standard of previous years).  Who knew that dancing to Grease tunes with Tobias Nyberg, Kaimar Karu, Dagfinn Krog, Andrea Kis, Rae Ann Bruno and a bunch of Norwegian people that I don’t know could be so much fun?

My only criticism of the event, which I (and others) have already shared with the organizers, and I am already 100% confident will be fixed for next year, was that for those of us who couldn’t understand Norwegian there were often long periods of time when we were left with no English content (two hours and 15 minutes each day to be exact). Whilst I wouldn’t expect a Norwegian conference to be delivered 100% in English, as itSMF Norway has become a victim of its own success with more international attendees each year (I met with delegates from Finland, UK, USA, Italy, and Germany just to name a few), it would be nice to find a way to ensure that we could still benefit from the Norwegian sessions.

This conference easily has the scope to become one of the biggest itSMF events in Europe. It’s inexpensive to attend compared to other ITSM events (even with flights from long haul destinations) and the quality is of an exceptional standard. To be honest, even with the gaps for non-native speakers I will still be recommending this conference to everyone that I speak to.

If you want to learn, pick up practical advice, meet amazing people, and all whilst having a huge amount of fun then make sure you get your tickets booked to next year’s itSMF Norway conference. I know for a fact there is no way that I intend to miss it.

The Coming Workforce: A Case for IT Service Management

Welcome to the Millennial generation

With the Boomer generation set to retire en masse, IT organizations are faced with the unprecedented brain drain of institutional knowledge. Generation X and Millennials have decidedly different work styles and career expectations than previous generations.

At the same time, expectations of productivity and customer value generation have never been higher. IT organizations must find ways to deliver increasing levels of service while embracing the next generation workforce.

Forbes.com contributor Jeanne Meister recently wrote that Job Hopping is the ‘New Normal’ for Millennials. She cites the staggering finding that 91% of Millennials plan to stay in a job “less than 3 years”, and will have 15 – 20 jobs in their career. They are also quick to leave a position that is no longer meeting their needs.

While much has been written about organizational cultural changes to engage and retain millennials, I’m going to talk about working on the other side of the equation.

What can IT organizations do to thrive in the reality of the Two Year Employee?

The 2-year Employee

Most agree that it takes around six months for a new employee just to reach the break even point – where they’re producing more than they cost. Beyond that, the complexity of IT environments, and the amount of deep knowledge that takes years to learn makes it very hard for new staff to reach the ‘fully trained point’ even in the space of two years, let alone making a significant contribution. Imagine if your most senior IT staff have been on board less than three years!

And that’s the problem.

If it takes two years to bring Two Year Employees up to speed, something needs to change

And fast.

Rather than fight a losing battle against a culture we can’t change, we need to build an organizational culture around the Two Year reality.

Millennials bring a high level of self-motivation, initiative, and performance. They are eager to make a contribution to an organization that shares their values. If they aren’t allowed to do meaningful work quickly, they will leave for an organization that better meets their needs.

We’re currently burning a lot of that positive energy teaching them ‘how-we-do-it-here’.

A Comparison

Let’s take a brief look at an industry that has already dealt with rapid on-boarding: Construction.

A General Contractor is engaged to build a home. She works with the customer to understand their requirements, and coordinates with a wide assortment of sub-contractors for various parts of construction – foundation, framing, electrical, plumbing, heating, roofing.

The sub-contractors show up with their crews to complete their part of the project, and the General Contractor has a high degree of confidence in a quality result.

Why?

Because there is a body of how-it’s-done in the various trades, guided by:

  • Building codes (governance)
  • Tricks of the trade (best practices)
  • Customer expectations (business outcomes)

I’ll spare you the how-it’s-like-ITIL analogy.

This is the nature of the construction business. The General Contractor has to be able to bring in workers who can immediately produce value. She doesn’t have time to teach them ‘how we do it here’. Whether you’re a framer or electrician, you are expected to know how to apply your knowledge of the codes and tricks of the trade to get the job done here.

Don’t get me wrong – I’m not saying IT is like the construction industry. But the need for immediate value from short-term workers has driven a different model that’s worth exploring.

Time To Value

For the sake of argument, let’s say it takes two years for a new IT employee to be fully contributing. If they stay for 20 years, we’ve invested roughly 10% in their long-term productivity. Not a bad investment.

But the math doesn’t pencil out for a 2-year employee. The same 10% investment means they have to hit max productivity at around 2 months. Minor on-boarding tweaks and new retention efforts won’t get us there.

The solution isn’t to change new people to fit outdated practices, but rather to change our old practices to fit the new workforce!

Tribal Knowledge

Undocumented institutional knowledge makes it difficult and time consuming for new staff to be as productive as long-term staff. There simply isn’t enough time to transfer 30 years of knowledge to a new employee, and even if it were possible, the person to whom it’s transferred is likely to leave much sooner than their predecessor.

Millennials are demotivated by the idea that it will take 10 years to contribute fully and earn a respected position.

This is a major liability that can no longer be maintained.

IT Service Management as a Workforce Strategy

For the record, I’m NOT a Human Resources professional, but I am a seasoned IT Manager concerned with the implication of significant numbers of retirements and the impact it’s already having on IT’s ability to deliver consistent quality and cost effectiveness.

The next generation of IT Professionals will be of the Millennial variety, and the common practice of training new hires ‘how we do things here’ poses a significant challenge.

IT Service Management frameworks like ITIL and COBIT are global best-practice frameworks for service delivery that offer a standardized approach. These standards are shared across countries, continents, and companies.

Much like the building codes and tricks of the trade I mentioned above for the construction trades, these best practices are the key to not only survive, but to thrive with the Two Year employee.

The extent to which an organization is aligned with widely-adopted external standards directly determines how effective they will be with the coming workforce. Organizations with strong alignment will have a huge advantage in workforce time-to-value.

Standardization for its own sake has no real purpose but, as a workforce strategy, it has enormous value. It’s a strategic investment in an organization’s ability to thrive with millennial workers and the culture they bring.

On-Boarding in a Best Practices Organization

Newly hired employees who are trained in ITSM require very little explanation of “how things are done here”.

Training can go more like:

Hiring Manager: Cheryl Smith is the Change Manager. CAB meets on Thursday at 9:00am.

New Employee: Where do I fill out RFCs?

Hiring Manager: <myorg/ChangeManagement>

New Employee: Does CAB meet in person?

Hiring Manager: Yes, room D713

The point being – they already get it. They know what CAB and RFCs mean, and they know how it’s done. A few minor ‘where’s the restroom’ kind of questions, and they’re good to go.

Services are well documented through the Service Strategy and Service Design phases. There is clarity and consistency in roles and responsibilities. Processes are well defined and have clear owners. Very little happens through undocumented, informal processes.

Service and process knowledge is documented in Knowledge Management. Documentation is kept up to date through Change and Release processes. All staff have access to the accurate information that they need to effectively do their job.

New staff with ITSM experience require very little how-we-do-it training when you’re using standard ITSM processes. Not only do new employees onboard faster, but they also bring valuable experience that’s compatible with best practices.

Hiring in a Best Practices Organization

The hiring process must include selection of candidates who have solid ITSM training and experience. It is no longer optional. Candidates must have both the technical skills and the ITSM process experience to be a good fit.

Colleges are starting to include course work in ITIL and organizations large and small are using ITSM to great success. Qualified millennial candidates with working knowledge of ITSM from college or a prior employer are increasingly common.

Hiring managers must consider the ROI of candidates, and shorter time-to-value is key for the Two Year Employee.

Embrace the Two Year Employee

Ready or not, welcome to the future.

If we can’t change Millennials, and I submit you cannot, then we must change our organizations to maximize value through them. We need to embrace the Two Year Employee as a strategic advantage.

IT Service Management is the key.

ITSM not only helps IT be more customer-aligned and effective, it also greatly reduces time-to-value of new employees.

If the thought of retiring Boomers, brain drain, and Two Year Employees scares you, think ITSM.  IT Service Management is an effective IT workforce strategy!


The ITSM Diet

I am undergoing a very personal transformational change right now. I am trying to learn how to eat in the real world and maintain a healthy weight. I had really let myself go.

No exercise, eating too much, eating the wrong things and not caring. The results: 360 lbs.; the inability to walk at least 50 feet without wheezing; acid reflux; and an impressive expanding waistline. I felt horrible. My body simply hurt all the time.

After much self-loathing, I made the decision to change. Now, I control my calories, carbs, fat and protein levels and I get 60 to 90 minutes of exercise in a minimum of 5 days per week. I made my health issues a “big rock” in my life (see Stephen Covey’s “Put your big rocks in first”).

The results: I currently weigh 320 lbs., I’ve lost 4 inches on my waist, and I feel a heck of a lot better.

The funny thing in all of this, people keep asking me what “diet” I’m using. Okay, here it is –  I eat less, make better food choices, and exercise as much as I can. Disappointed with my answer? I find that many folks are looking for me to give them some “magical” advice like “oh, I lost the weight by following the Krispy Kreme diet”. There are no silver bullets. You have to eat right and exercise.

So, what’s the point in relation to ITSM?

The point is this; you must build and follow a plan for an ITSM initiative to work. There are no simple solutions or silver bullets to make adoption easy. Be prepared to work hard, suffer some failures, learn from those failures and iterate, just like you do with a diet.

In order to be successful in ITSM adoption (or in your diet) I recommend following the key “exercise and eating” tips and advice listed below.

Don’t fall for hype

“Just follow our simple x step plan every day, and we’ll guarantee you will lose weight”

I’ve seen ITSM blog posts and consulting statements that indicate the same thing “…just follow our advice and you’ll be doing x process in no time” or “buy our product and we guarantee you will be ITIL compliant”. If it sounds too good to be true, it probably is. Any offering of a “quick fix” probably will not work. Think about the long term and what you want the program to achieve. Learn good habits.

Always evaluate

I don’t do “diets” but there are items within the multitude of diet plans out there that do make sense for certain individuals. ITSM is no different.

If something works, adopt it. If it doesn’t, forget it. For example, Problem management as detailed in ITIL® doesn’t fit well with how my organization works. We therefore adopted the LEAN 8-step method as the primary way to execute our problem management but use the information in ITIL® to ensure our process is as robust as needed.

Build a plan that works for you and helps you achieve your goals

There are many ITSM frameworks out there and no rules that say you have to use a specific one. My advice is that you read, learn, and research.

You may need to use ITIL®, LEAN, COBIT®, USMBOK®, and/or combinations of the aforementioned to build your plan. Don’t do something just because someone else says you should do it. Know what you are trying to achieve and select the appropriate framework to work toward it.

For example, my company uses many different frameworks along with ISO/IEC 20000, with ISO/IEC 20000 as an indicator of “world class” IT operations. Despite this, we have attempted on four different occasions to start the adoption process for Configuration Management. What we found is teams did not understand what to do with CIs or how to move them through a change process. We therefore took a step back and spent more time looking at our Change process, and are now starting to have tabletop discussions on moving a CI through a change.

In doing this exercise, we found our teams had different execution of change, different ideas on what a CI is, and different ideas on how to move a CI through a change cycle. These discussions gave us the opportunity to drop back and review all the frameworks for a “good fit” to help accelerate what we do.

If the plan is not working, change it

When exercising, eventually your body can become used to a specific exercise and become efficient in the activity. At that point, you can continue doing the same thing, but the results will not improve. An ITSM plan is the same. If your plan is not getting the results you desire, mix it up and try a different approach. Focus on a specific aspect and find the change that helps you get the results you need.

During the adoption of incident management at my company, we had team members onboard who had been doing incident work for many years and yet our design process kept missing key steps we needed to fulfill ISO/IEC 20000 requirements. Clearly we needed a different approach and so we went back to the beginning and built a checklist of items that the design team needed to complete prior to submitting deliverables. This helped us to identify the missing steps and fix the design process.

Measure

When it comes to exercising and being healthy, my FitBit gives me all types of data to help me determine if my behaviors match my plan. Data helps us measure where we are against our goals, which is important in any ITSM initiative.

What you measure is up to you; you cannot allow others to dictate what data you need to collect. Identify your goals, and collect and analyze data that helps you reach those goals.

At my company, we ask our service owners to identify “pain points”, the place where their team or their customers indicate something in the process doesn’t deliver the promised goods and/or causes them problems. We have found that focusing on a few key measures and “pain points” leads the service owner and their teams to think more holistically about the service and why they are doing what they do. This organically leads to continuous improvement, brainstorming and discussion about user experience.

Keep the goal in mind

It is easy to get discouraged when you go a couple of weeks without losing any weight, and the same is true in ITSM. Don’t lose sight of what you have done and where you are now.

Sometimes it may seem easier to follow the same path as you always have and get the same (bad) results to achieve quick “outcomes”, but how does this help overall? Remember, incremental improvements over time lead to reaching goals.

Relax

One of the toughest issues I have with weight loss is overthinking the situation – I can become my own worst enemy. The same is true with your ITSM plan. Work the plan you built, and if something doesn’t work so what? Try something new! Be mindful of your situation and don’t be afraid to change. It will all work out in the end so just remember to breathe and relax.

And a bonus tip!

Be as transparent as possible in any ITSM initiative or project, routinely discussing your success, failure, trials, and tribulations. This will help you to stay grounded and on top of where you really are in your process/project. Use your measurements to remind yourself and others of the progress you have made and make sure you understand the deliverables and timeframes.

Final Thought

ITSM adoption, just like maintaining a healthy lifestyle, can be tough. It takes planning and execution, measurement and analyzing data, and it also takes support. Remember, don’t fall for the hype; always evaluate; build a plan that works for your situation and change it as required; measure your progress; relax; and always keep your end goal in mind.


How to conduct an ITSM assessment that actually means something

ITIL (Information Technology Infrastructure Library), a standard framework for managing the lifecycle of IT Services, is sweeping the U.S.   Based on a 2011 analysis of 23 ITIL studies, Rob England concluded that the compound annual growth in ITIL adoption was 20%± and that ITIL training attendance increased at a compound annual rate of 30% for the past ten years.  Despite this apparent surge of adoption, enterprises continue to struggle with ITIL’s daunting framework.

Recognizing the confusion inherent in ITIL alignment, numerous vendors have created “ITSM assessments” with varying degrees of complexity and debatable value. These assessments draw upon frameworks such as ITIL, CMMI-SVC, COBIT and, occasionally, BiSL or more specific constructs such as KCS and IAITAM. Where does one begin? What is most important? Where will improvement deliver the best payback? How can one ensure that all phases of implementation share a common and scalable foundation?

Figure 1: Fundamental Assessment Approach

All assessments follow a pretty basic formula:

  1. Determine and document the current state of ITSM in the organization.
  2. Determine and document the desired state of ITSM in the organization.
  3. Establish a practical path from current to desired state (roadmap).

Simply stated, the objective is to successfully execute the ITSM roadmap, thereby achieving a heightened level of service that meets the needs of the business.  But don’t let those vendors through the door just yet because this is where ITSM initiatives go sideways.

Current state, desired state and roadmap mean nothing without first establishing scope and methodology.  How comprehensive should the assessment be?  Does it need to be repeatable?  Which processes and functions should be targeted?  Should it be survey-based?  Who should participate?

Rather than seeking input from the ever so eager and friendly salespeople, one can follow a simple three-step exercise to determine scope and methodology.  These steps, described in the following sections, may save you millions of dollars.  I have seen dozens of large enterprises fail to take these steps with an estimated average loss of $1.25M.  For smaller enterprises ($500M – $1B in revenue), the waste is closer to about $450,000.  The bulk of this amount is the cost of failed projects.  In some instances those losses exceeded $10M (usually involving CMDB implementations).

Three Steps to a Meaningful ITSM Assessment

Though these steps are simple, they are by no means easy.  For best results, one should solicit the participation of both IT and business stakeholders.  If the answer comes easily, keep asking the question because easy answers are almost always wrong.  Consider using a professional facilitator, preferably someone with deep, practical knowledge of ITIL and a solid foundation in COBIT and CMMI-SVC.

So, the three steps are really three questions:

  1. Why do you need an ITSM Assessment?
  2. What do you need to know?
  3. How do you gain that knowledge?

Step 1:  WHY Do You Need an ITSM Assessment?

IT Service Management aligns the delivery of IT services with the needs of the enterprise.  Thus, any examination of ITSM is in the context of the business.  If one needs an ITSM assessment, the business must be experiencing pain related to service delivery.

  1. Identify service delivery pain points.
  2. Map each pain point to one or more business services.
  3. Assign a broad business value to the resolution of each pain point (e.g. High, Medium, Low).  Divide these values into hard savings (dollars, staff optimization), soft savings (efficiency, effectiveness), and compliance (regulatory, audit, etc.).
  4. Map each pain point to a process or process area.

There should now be a list of processes with associated pain points.  How well can the business bear the pain over the next few years?  With this preliminary analysis, one should be able to create a prioritized list of processes that require attention.

For now, there is no need to worry about process dependencies.  For instance, someone may suggest that a CMDB is required for further improvements to Event Management.  Leave those types of issues for the assessment itself.

Step 2: WHAT Do You Need to Know?

 

Figure 2: Four Assessment Needs

Now that the organization understands why an assessment is required (or if an assessment is required), it can identify, at least in broad terms, the information required for such an assessment.

Referring to the chart in Figure 2, IT management need only ask four questions to determine the needs of an assessment.

Is ISO/IEC 20000 Certification Required?

If the organization requires ISO/IEC 20000 certification, a Registered Certification Body (four listed in the U.S.) must provide a standardized audit, process improvement recommendations, and certification.  For most enterprises, this is a major investment spanning considerable time.

Does Repeated Benchmarking Provide Value?

Does the organization really need a score for each ITIL process?  Will the assessment be repeated on a frequent and regular basis?  Will these scores affect performance awards?  Will the results be prescriptive or actionable and will those prescribed actions significantly benefit the business?

The sales pitch for an ITSM assessment usually includes an ITIL axiom like, “You can’t manage what you don’t measure” (a meme often incorrectly attributed to Deming or Drucker).  One must ask whether scores are the best measure of a process.  To what extent do process maturity scores drive improvements?  Not much.  Each process has its own set of Critical Success Factors, Key Performance Indicators and metrics.  These are far more detailed and effective data points than an assessment score.  Ah, but what about the big picture?  Again, ITIL and COBIT provide far more effective metrics for governance and improvement on a macro level.

That said, there are some pretty impressive assessments available, some with administrative functions and audience differentiation baked into the interface.  However, one should build a business case and measure, through CSFs and KPIs, the value of such assessments to the business.

Do you need an ITSM Strategy and Framework?

Does the organization already have an intelligent strategy for its ITSM framework?  Is there a frequently refreshed roadmap for ITSM improvement?  For most enterprises, the honest answer to this is no.  Numerous Fortune 500 enterprises have implemented and “optimized” processes without strategy, roadmap, or framework.  The good news is that they keep consultants like me busy.

To build an ITSM strategy, an organization needs enough information on each process to prioritize those processes as pieces of the overall service workflow.

To gauge the priority of each process, we focus on three factors:

  • Business value of the process – the extent to which the process enables the business to generate revenue.
  • Maturity gap between current and desired state – small, medium or large gap (scores not really required).
  • Order of precedence – is the process a prerequisite for improvement of another process?

To complete the strategic roadmap, one will also need high-level information on ITSM-related tools, integration architecture, service catalog, project schedule, service desk, asset management, discovery, organizational model, business objectives, and perceived pain points.

Are You Targeting Specific Processes?

To some extent, everything up to this point is preparation and planning.  When we improve a process, we do that in the context of the lifecycle.  This task requires deep and detailed data on process flows, forms, stakeholders, taxonomy, inputs, outputs, KPIs, governance, tools, and pain points.

As this assessment will be the most prescriptive, it will require the most input from stakeholders.

Step 3:  HOW Do You Gain that Knowledge?

Finally, the organization identifies the assessment parameters based on the data required.  Similar to the previous step, we divide assessments into four types.

ISO/IEC 20000 Certification

The only standardized ITSM assessment is the audit associated with the ISO/IEC 20000 certification (created by itSMF and currently owned and operated by APM Group Ltd.).  The journey to ISO 20k is non-trivial.  As of this writing, 586 organizations have acquired this certification.  The process is basically measure, improve, measure, improve, …, measure, certify.  Because the purpose of improvement is certification, this is not the best approach to prescriptive process optimization.

Vendor-Supplied ITSM Assessment

The administration, content, and output of ITSM assessments vary wildly between vendors.  In most cases, the ITSM assessment generates revenue not from the cost of the assessment but from the services required to deliver the recommended improvements.

Rule #1:  “If you don’t know where you’re going, you’ll probably end up somewhere else” (Lawrence J. Peter).   Without a strategy and roadmap, assessments will lead you to a place you would rather not be.

Rule #2:  The assessment matters far less than the assessor.  When seeking guidance on ITSM optimization, one needs wisdom more than data.  A skilled assessor understands this workflow in the context of a broader lifecycle and can expand the analysis to identify bottlenecks that are not obvious from an assessment score.  An example is Release Management.  The Service Desk may complain that release packages are poorly documented and buggy.  Is that the fault of the Release Manager or is it a flaw with the upstream processes that generate the Service Design Package?

Rule #3:  Scores are only useful as benchmarks and benchmarks are only useful when contextually accurate (e.g. relative performance within a market segment).  Despite the appeal of a spider diagram, avoid scored assessments unless compelled for business reasons.  Resources are better spent analyzing and implementing.

Rule #4:  An assessment without implementation is a knick-knack.  Validate the partner’s implementation experience and capability before signing up for any assessments and be prepared to act.

Rule #5:  A free assessment is a sales pitch.

Rule #6:  A survey-based assessment using a continuous sliding scale of respondent perception is a measure of process, attitude, and mood.  So is a two-year-old child.

Rule #7:  In ITSM assessments, simpler is better.  Once a vendor decides that the assessment needs to produce a repeatable score, the usefulness of that tool will decline rapidly.  If you doubt this, just look under the covers of any assessment tool for the scoring methodology or examine the questions and response choices for adherence to survey best practices.

Strategy and Roadmap Workshops

Enterprise Service Management strategies save money because not having them wastes money.  Without guiding principles, clear ownership, executive sponsorship, and a modular, prioritized roadmap, the ITSM journey falters almost immediately. Service Catalogs and CMDBs make a strategy mandatory.  For those who lack an actionable Service Strategy and Roadmap, this is the first assessment to consider.

An enterprise needs an experienced ITSM facilitator for strategy workshops.  Typically, the assessment team will perform a high-level process assessment, relevant tool analysis, framework architecture integration study, and a handful of half-day workshops where the gathered information is molded into a plan for staged implementation.

Targeted Process Assessments

Organizations know where the pain points are and have a pretty good sense of the underlying factors.  The assessor finds this knowledge scattered across SMEs, Service Desk personnel, business line managers, development teams, project office, and many other areas.  The assessor’s value is in putting these puzzle pieces together to form a picture of the broader flows and critical bottlenecks.  Through the inherited authority of the project sponsor, the assessor dissolves the organizational boundaries that stymy process optimization and, with an understanding of the broader flow, assists in correctly identifying areas where investment would yield the highest return.

For these assessments, look for a consultant who has insightful experience with the targeted process.  An assessment of IT Asset Management, a process poorly covered in ITIL (a footnote in the SACM process), requires a different skill set than an assessment of Release and Deployment Management or Event Management.

The output from a Targeted Process Assessment should be specific, actionable, and detailed.  Expect more than a list of recommendations.  Each recommendation should tie to a gap and have an associated value to the business.  Essentially, IT management should be able to construct an initial business case for each recommended improvement without a lot of extra effort.

Summary

Liam McGlynn

Organizations are investing tens of millions in ITSM assessments.  I have seen stacks of them sitting on the shelves of executives or tucked away in some dark and dusty corner of a cubicle.  Whether these assessments were incompetent or comprehensive, as dust collectors, they have zero value.

How prevalent is the lunacy of useless ITSM assessments?  From my own experience and from conversations with others in the field, vendors are selling a lot of dust collectors.  Nobody wants to be the person who sponsored or managed a high-profile boondoggle.

So the advice is this.

  • Don’t waste time on scores because there are better ways to sell ITSM to the board than a spider diagram.
  • Develop and maintain an ITSM Strategy and Roadmap.  As Yogi Berra once said, “If you don’t know where you’re going, you’ll wind up somewhere else”.
  • Assessing and implementing need to be in close proximity to each other.
  • Get an assessor with wisdom who can facilitate a room full of people.
  • Finally, follow the three steps before you let the vendors into your office.

The journey may have many waypoints but let’s just make it once.

Liam McGlynn is a Managing Consultant at Fruition Partners, a leading cloud systems integrator for service management and a Preferred Partner of ServiceNow.  

Moving Beyond ITSM Maturity Assessments

Maturity assessments are popular for kick-starting ITSM initiatives. They allow an organization to spot gaps and prioritize areas for improvement.

However, the half-life of a maturity assessment is remarkably short and the impact of the glossy report can quickly fade. The key messages and compelling recommendations can soon be lost in the noise of other projects and new fires to fight.

What stops the shiny benchmark report from collecting dust on the shelf?

Michael Nyhuis, Managing Director of Australian firm Solisma, claims the answer to keeping assessments alive is to transform them into continual service improvement projects.

Their solution Service Improvement Manager (SIM) provides a workspace for teams to baseline their maturity against various standards or frameworks, identify areas for improvement, document risks and then assign tasks to ensure progress.

Built-in assessments include ITIL, ISO 14001, ISO/IEC 27001, ISO 9001, COBIT, and ISO/IEC 20000.

Service Improvement Manager (SIM)

The hosted solution has four main areas:

  1. Assessments – Compliance and Maturity, Baseline Reporting, Benchmarking, Prioritized Improvements
  2. Registers – Improvements and Risks Registers
  3. Initiatives – Activity Planning, Define Costs and Savings, Benefits Realization, Initiative Scoring
  4. Explorer – Management System, Policies and Procedures, Roles and Functions, KPIs and Metrics

I like this collaborative way of working; spreadsheets and email ping-pong are replaced with progress (assuming the team jumps on board with the idea). No great ideas are allowed to slip through the cracks and an audit trail of improvements and staff suggestions is kept in one place. SIM also allows users to track improvement projects according to weighted scores and ROI.

This is a good presentation framework for benchmarking against standards and ensuring good ideas and opportunities for improvement are put into action. It would be good to see the team behind SIM put more depth into the Assessment libraries; the current questioning format is open to subjective opinion and the individual rigor of the auditor. Since it is a cloud-based offering, surely there is the opportunity for shared intelligence and the ability to benchmark organizations against each other as well as standards? For example, a company could benchmark themselves against companies of a similar size in a similar vertical sector as well as a standard.

Further info at http://www.Service-Improvement.com

If you have experience with SIM or a similar offering I would be pleased to hear about it; please leave a message in the comments below.