ITIL Process Assessment Framework

Transcription

HOW DOES YOUR
BOARD VIEW ITSM?
CONFERENCE
REPORT
ITIL PROCESS
ASSESSMENT
FIRST, SECOND
AND THIRD-LINE
SUPPORT
Engaging
the bored
board
P23
CONTENTS
CEO comment and editorial
4
A welcome from Ben Clacy and Mark Lillycrop
Industry news
CHIEF EXECUTIVE OFFICER
BEN CLACY
EDITOR
MARK LILLYCROP
DESIGNER
RAPTURE DESIGN
rapturedesign.co.uk
5
All the latest ITSM product, service and customer stories
itSMF UK news
9
Board changes, new members and a call for speakers
itSMF events
11
Rosemary Gurney reports on service management in the clouds
COBIT 5:
development
now
underway
ISM and prISM update
Knowing your lines
A success by any measure
ITIL
Talking to... Ashley Hanna
P31
14
A fresh look at first, second and third-line support from Noel Bruton
P26
Process
Assessment
Framework
12
Matthew Burrows outlines the current relationship between
ISM and prISM
16
Mark Lillycrop reports on the itSMF UK 2010 Conference
and ITSM Awards
20
31
© The IT Service Management
Forum (itSMF) Ltd, 2010.
All rights reserved.
23
Why is it so hard to sell ITSM to senior management? asks
Michelle Major-Goldsmith
COBIT 5: development now underway
26
An update on the COBIT governance framework from Rob Stroud of CA
ITIL and ISO/IEC 27001
Mark Sykes and Nigel Landman discuss the common ground
between ITIL and the ISO security standard
Change
matters!
Ten golden
rules for
successful
change
management
P40
ITIL process assessment framework
The first part of Ian Macdonald’s submission of the year award-winner
Ten golden rules for successful
change management
40
When you need to make changes, here’s what and what not to do
The ITIL Update: meet the team
Jevin Mercer-Tod from TSO introduces the authors and mentors
ITIL is the registered
trademark of the Office of
Government Commerce (OGC).
itSMF is a registered word
mark of the IT Service
Management Forum
(International) Ltd
28
21
Three new pocket guides from itSMF UK
Engaging the Board
itSMF UK, 150 Wharfedale
Road, Winnersh Triangle,
Wokingham, RG41 5RB
Tel: 0118 918 6500
Email:
servicetalkeditor@itsmf.co.uk
Disclaimer
Articles published reflect the
opinions of the authors and
not necessarily those of the
publisher or his employees.
While every reasonable effort
is made to ensure that the
contents of articles, editorial
and advertising are accurate
no responsibility can be
accepted by the publisher for
errors, misrepresentations
and any resulting effects.
ServiceTalk interviews the man behind the itSMF UK
publications strategy
Publications update
All communications to:
42
Material within this publication
may not be reproduced in
whole or in part without the
express written permission of
The IT Service Management
Forum (itSMF) Ltd.
For all editorial, advertising,
reprint or subscription
enquiries, please contact
mark.lillycrop@itsmf.co.uk
JANUARY 2011 SERVICETALK 3
EDITORIAL
A TIME TO CELEBRATE
ACHIEVEMENTS
January again! A chance to plan for the
year ahead and to reflect on the
highlights and events of the past year.
An open
invitation
W
elcome to 2011, and I hope this issue of ServiceTalk
finds you ready and raring to go. At this time of year
magazines are awash with predictions for the months
ahead and people’s thoughts on just what will be the next hot
topic. Sorry to disappoint you, but I’m not going to be making
any wild statements about fluffy white things or anything
sustainable, but I want to take this opportunity to re-affirm the
reason why itSMF, and in particular the UK chapter, are in
existence. That is to help you, the members, to get better at
delivering service management.
2010 was a tough year for many and, whilst a lot of members I
talk to feel it was an improvement on 2009, many feel we still
have hard times to come. There is still a lot of uncertainty in a
number of sectors and only time will tell how quickly we recover
from recession. This uncertainty in my view makes the itSMF
more important and potentially more valuable to organisations
and their staff. As businesses strive to make everything more
cost effective and more efficient and to enable more innovation
from within, we are ideally placed to help our members achieve
their goals. We are in a unique position because we are run by
our members for our members – something of which we
probably don’t remind people often enough. The more we
understand about what it is our members need, the more we
can help them to satisfy those needs.
As an organisation run by members, a large amount of my time
is spent with the volunteers who make this organisation what it
is today. But I believe I need to spend more time talking to the
members who aren’t so involved, to try and make sure that we
are delivering products and services that are of real benefit to
them. More importantly than that, I need to know what else we
should be doing to help service management professionals
around the UK to deliver more to their organisations.
So please take this as an open invitation to contact me with any
thoughts, ideas or just feedback on what we currently do. I want
to establish a very open dialogue with all our members to make
sure that we are continually making the most of our position in
this fantastic industry.
All that’s left is for me to wish you all the very best for 2011. I
hope that the year brings us all an interesting, challenging and
rewarding 12 months!
Ben Clacy
Chief Executive ■
4 SERVICETALK JANUARY 2011
And there are plenty of highlights to
reflect on in this issue of ServiceTalk –
particularly in the report on the 2010
Conference and IT Service Management
Awards. The Awards are itSMF UK’s
opportunity to celebrate the
achievements of our members, and this
year’s impressive array of finalists shows
that there is no shortage of talent and
energy within the movement. As well as
the report itself, you can read the first
part of this year’s submission of the year
– Ian Macdonald’s excellent description of
the ITIL Process Assessment Framework
implemented at the Co-operative
Financial Services – and learn how to
engage effectively with your senior
management with the help of trainer of
the year Michelle Major-Goldsmith. If the
picture of the front cover looks like your
board-room during an average IT
presentation, this is the article for you.
ServiceTalk has also caught up with
Ashley Hanna, winner of this year’s
Paul Rappaport award, to find out more
about the man behind itSMF UK’s
publications strategy.
Our regular columnist Rob Stroud of CA
brings us up to date on COBIT 5, while
doyen of the service desk Noel Bruton
asks what we really mean by first,
second and third-line support. Maya
Malevich and Michael Hamelin offer ten
golden rules for successful change
management, and Mark Sykes and Nigel
Landman discuss the importance of ITIL
in establishing an ISO/IEC 27001
information security management system.
deliberately chosen as it’s the point score
needed to achieve expert level in the ITIL
qualification scheme (sorry Adrian, it was
just a coincidence but it’s a nice thought).
If you have any ideas for future
competitions, please let me know!
One of the reasons for running
competitions is that it gives us an excuse
to ask readers for their feedback on
ServiceTalk at the same time. I’m pleased
to report that we have received some
excellent comments and suggestions,
and we’ll try to implement these ideas in
the months ahead. By far the most
popular request was for more stories
from the coalface – case studies and
profiles of service management
professionals that describe their practical
experience. I have to say that I’ve been
trying to persuade IT professionals to talk
about their experiences for many years,
and it never gets any easier. You’re all
just too modest!
If you would be interested in sharing your
ITSM knowledge with other readers,
either though a column such as ‘Day in
the Diary’, as the subject of an interview
or case study, as part of an ‘ask the
members’ question panel (one idea that
we’re currently considering), or just by
sending a letter to the editor, please get in
touch. itSMF UK is a forum for
exchanging ideas and experiences, and
ServiceTalk is our main channel of
communication – so we really do need to
hear from you.
Happy New Year – and happy reading!
Mark Lillycrop
Editor
mark.lillycrop@itsmf.co.uk ■
As always, we also bring you the latest
news and views from itSMF UK and
the ISM.
WE HAVE A WINNER!
Congratulations to Darren Gough of the
Audit Commission, whose name was
selected at random from among more
than 40 correct entries to the competition
in the October issue of ServiceTalk.
Darren wins a fantastic iPod. The right
answer was DEMING CYCLE and the
Scrabble tiles added up to 22. One entrant
suggested that this score was
Mark Lillycrop Editor
NEWS
INDUSTRY NEWS
Numara FootPrints
achieves ITIL verification
with Pink Elephant's
3.1 PinkVERIFY
Numara Software, a global leader in service management and asset
management solutions for IT professionals, has announced that its awardwinning FootPrints IT service desk management solution has achieved ITIL
verification from Pink Elephant through its PinkVERIFY 3.1 programme.
Numara FootPrints has been verified as compatible with ten ITIL processes
through this latest certification.
As ITSM adoption increases and expands in complexity, IT organisations will
continue to leverage ITIL to improve efficiency and cost management and
standardise service life-cycle processes. “To do this effectively,” says
Numara, “they require tools that support their process improvement
initiatives. Tools must enable them to quickly implement the ITIL best
practice framework with the means they have available and demonstrate
clear value in their business. Numara FootPrints is a proven solution that
helps organisations achieve these objectives with ITIL.” ■
APMG launches first
role-based qualification
for service managers:
Change Analyst
APMG-International launched its
first role-based qualification for
service managers at the itSMF UK
Conference in November. The
Change Analyst qualification has
been launched in response to
market demand for practical,
focused qualifications. It is designed
to help candidates understand the
wider implications of change within
ITIL service delivery.
Barry Corless, chair of itSMF UK,
said that Change Analyst gives
knowledge and practical experience
of the main skills and competencies
required in fulfilling the role of
a Change Analyst within IT
Service Management.
their understanding and knowledge
working in a role where change
management forms an integral
part of the day-to-day activities.
IT professionals who are working
within other areas that have a direct
interface with change management,
such as third-party suppliers,
application developers and other
related service management
functions will also benefit from the
course. The qualification combines
a more detailed look at the
structure and application of the key
change processes and procedures,
together with an insight into the
soft skills required to meet the
everyday challenges in the role
of Change Analyst. ■
SERVICE-NOW.COM POSITIONED
IN THE 2010 MAGIC QUADRANT
FOR IT SERVICE DESK
Service-now.com, the creator of modern software-as-a-service (SaaS) for
ITSM, has been positioned by GartnerGroup in the Challenger Quadrant of
the 2010 ‘Magic Quadrant for the IT Service Desk’ report.
According to Gartner research, "In 2010, IT organizations are selecting IT
service desk tools based on ease of implementation, pricing flexibility and
breadth of integrated IT service management tool offerings."
Service-now.com says that it changed the IT service desk market by
delivering new, efficient and powerfully simple automation for IT
transformation. Service-now.com is now synonymous with new IT
management and offers the SaaS IT service desk application that can meet
the Gartner criteria for inclusion on the Magic Quadrant. These criteria
reflect advanced IT service desk functionality, enterprise customer adoption
and prevailing interest from Gartner clients. ■
Accenture and BMC expand
their relationship
Accenture and BMC have announced the expansion of their existing
relationship with joint development and delivery agreements plus additional
technology services for the ongoing BSM ‘journey’.
Beyond adding further delivery consultants to BMC’s Professional Service
Organisation, this will also allow both companies to focus on developing
solutions which allow IT to optimise and streamline their operation while
taking advantage of technologies such as virtualisation and cloud computing.
While BMC already has its own Professional Service Organization (BMC PSO),
this partnership gives the company additional scalability in the delivery of
Business Service Management solutions to their combined customer base.
Accenture’s reputation with C-level executives is high, and the company itself
has undertaken many ITSM and BSM consulting projects in the past.
Additionally, BMC is facing continuous pressure from vendors such as IBM and
HP, who have large consulting groups. ■
The qualification is for those
specializing in change management
and who wish to extend or formalise
NEWS
INDUSTRY NEWS
GINSTERS ADOPTS BCS launches final three
specialist IT Service
SOSTENUTO
Cornish pasty maker Ginsters has selected Sostenuto from Sunrise
Software to support its IT service management strategy and ITIL v3
direction. The company, which is owned by Samworth Brothers, is known
for its Original Cornish Pasty, the UK's biggest selling product in the chilled
savouries market.
Sostenuto will be used within the IT department initially, providing a
platform to support two thousand internal customers split across four
businesses and eighteen locations within Samworth Brothers. The intention
is to extend the use of the software to further applications in future,
including change and release management activities carried out by the
development team.
Ginsters purchased Sostenuto as a result of a thorough selection process
involving a formal tender which led to a shortlist of three. Head of IT Morgan
Ball explains the team's choice: "Our selection process was centred on three
main criteria: functionality, usability and flexibility. Sostenuto excelled at all
three, thanks to its ITIL v3 credentials, intuitive user interface, and ability
to be configured to suit the needs of other areas of the business. We are
able to adapt the workflow within Sostenuto, providing us with flexible
process management." ■
Pink Elephant acquires
ServiceSphere
Pink Elephant has announced the acquisition of ServiceSphere, an IT market
leader and innovator in the emerging area of social networking.
With the acquisition, Pink has also brought on board the founder of
ServiceSphere, Chris Dancy, in the new role of digital engagement director.
Dancy, one of the IT support industry's most respected social networking
experts, has brought with him a wealth of experience and knowledge, enabling
Pink to continue its mission of leading the way in IT management best practices.
“We're very excited about this opportunity and welcome Chris and
ServiceSphere's customers into the Pink family,” said Pink Elephant's president,
David Ratcliffe, adding that the acquisition is a solid fit with the company's vision
for the future. ■
SAManage introduces advanced
IT Service Catalogue solution
SAManage, a provider of on-demand IT management software, has
introduced a new, advanced IT service catalogue solution. According to
company officials the service catalogue can be fully integrated with its ITSM
offering. Also, it will improve the efficiency and effectiveness of IT service
desk teams, allowing companies to deliver improved support to their
end users.
In a press release Doron Gordon, CEO of SAManage, said, “As with other
SAManage solutions, the new IT service catalogue is intuitive and easy-touse, and packed with innovative features and functionality. Requesting a
new service from IT is as simple as shopping on Amazon.”.
By leveraging the IT service catalogue, says the vendor, IT organisations can
optimise service delivery, reduce support-related costs, improve communication
with end users and boost the efficiency of IT service desk staff. ■
Management qualifications
BCS, the Chartered Institute for IT,
has launched the final three of its
suite of six new specialist
qualifications in IT Service
Management. The qualifications
aim to help IT service management
professionals to keep abreast of
current best practice and maintain
a competitive edge in the
employment market.
Michiel van der Voort, director of
International and Professional
Development at the Institute, said:
"IT service management is an
important element in any business.
These qualifications are part of our
drive to ensure that IT practitioners
are supported in their careers and
can realise their true potential.
Maintaining and developing
professional skills is important for
every professional and even more
so in a very competitive
employment market."
The six available qualifications are:
• Specialist Certificate in
Business Relationship
Management
Problem Management
Supplier Management
• Specialist Certificate in Service
Desk & Incident Management
• Specialist Certificate in Change
Management
• Specialist Certificate in Service
Level Management ■
NEWS
INDUSTRY NEWS
Salisbury Hospital prescribes FOX IT ROLLS OUT POINTS
SupportDesk for healthier IT OF SERVICE FRAMEWORK
A hospital which cares for 200,000
people in Wiltshire, Dorset and
Hampshire is aiming to ensure its IT
users receive an even cleaner bill of
health by installing new service
management software.
Salisbury District Hospital, whose
specialist services extend to millions
of people across southern England,
has selected House-on-the-Hill’s
SupportDesk solution to improve IT
services to 4,000 clinical and
business staff.
“House on the Hill was successful in
a competitive tendering exercise,
demonstrating that it is a tool that
could not only deliver what we
wanted now but also adapt to a
changing NHS environment,” said
Garry Tatton, IT Operations Manager
of Salisbury NHS Foundation Trust.
“As performance monitoring against
Service Level Agreements and
Organisational Level Agreements is
key in today’s world, it was a natural
choice to deliver an effective service
for the organisation, and was costeffective as well.”
SupportDesk, which replaces a
RoyalBlue system, will be used for
incident and problem management
alongside software licensing, asset
management and reliable
management reporting. ■
Spirax Sarco
goes live with
Cherwell Service
Management
Spirax Sarco, the global engineering
firm, has gone live with the first
phase of a significant ITIL project
based on Cherwell Service
Management, developed by
Cherwell Software. Spirax Sarco,
which is best known for its
unparalleled knowledge about the
application of steam across a wide
range of industries, moved all its IT
services to Cherwell Service
Management in September and
before the end of the year all
remaining IS systems will be moved
to Cherwell in a phased
implementation.
Towards the end of 2009, Spirax
Sarco initiated a venture to
consolidate all its varied IS support
systems, asset and service
management processes onto a
single software architecture and
chose Cherwell Service
Management after reviewing all the
market’s offerings.
“We were keen to eliminate the
anomalies and inconsistent
processes that inevitably arise when
you have a variety of unconnected
legacy tools in place,” said Tim
Dewson, UK IS Service Desk
Manager, Spirax Sarco. “The advent
of Cherwell’s highly flexible and
configurable software will make it
possible to harmonise all our
processes and improve efficiencies
across the team. We were very
impressed by the high level of
tailorability and the ability to build
entirely new features. Cherwell is
far more than a service
management tool in fact. ” ■
Fox IT has announced a new Points of Service
framework. This new and innovative approach to
planning, managing, validating and accelerating
Continual Service Improvement Programmes (CSIP) will
enable organisations to dramatically reduce the risks,
time and costs associated with implementing ITIL and
achieving ISO/IEC 20000 Certification. Available
immediately, Points of Service provides a scalable and flexible approach to
meeting complete ITIL and ITSM requirements regardless of organisation
size or industry sector.
This is the first announcement of significance since Fox IT became part of
365 iT PLC – #15 in the Tech Track 100. As the company with the greatest
heritage in ITSM, Fox IT has recognised that the success of many
organisations’ ITIL implementations is restricted by the packaging and
procurement terms of suppliers’ tools and services. This leads to:
• Service Improvement Programmes failing to consider in advance all
the people, process and technology implications - adding unnecessary
cost and time delays
• Return on training investment not being realised due to confusion on
where and how to start
• Support being procured from multiple suppliers – building in extra
cost, complexity and time of managing the implementation
• Implementations taking longer or being delayed due to unavailable
resources and budgets
• Improvements not sustained due to skills not being transferred
effectively from suppliers to in house teams.
To remove these barriers and realise the business benefits of ITSM and ITIL,
Fox IT has created an innovative points system that puts the customer in
control of what, when and how to acquire the required services to support
Continual Service Improvement Programmes. ■
FRONTRANGE LAUNCHES IT SERVICE
MANAGEMENT ENTERPRISE
FrontRange Solutions, a leading provider of ITSM, IT asset management and
customer service management solutions for leading global companies, has
announced the launch of FrontRange ITSM Enterprise. As companies
continue to look to align IT with business, FrontRange ITSM Enterprise brings
the ability to define, track and measure key service management metrics that
improve performance towards key service and support objectives.
ITSM Enterprise enables growing and increasingly IT-reliant organisations
to improve their IT service desk, IT best practices, ITSM, governance and
compliance and customer service – key considerations for both healthy
business and organisations working towards ITIL compliance.
Michael McCloskey, CEO of FrontRange Solutions said, “Our ITSM Enterprise
release represents our most significant Service Management release to
date. We have received exceptional feedback from partners and customers,
and expect our latest release to alter the competitive landscape. We are
committed to providing industry leading products to our customers, and
combined with our just announced Service Catalog release, believe that we
are delivering the most powerful suite in the industry”. ■
NEWS
INDUSTRY NEWS
ManageEngine adds Service
Catalogue to Service Desk Plus 8.0
TelstraClear overhauls IT Service
Management with BMC Software
ManageEngine has announced the release of ServiceDesk Plus version 8.0,
an updated generation of the company's ITIL-ready help desk application.
ServiceDesk Plus 8.0 offers a host of new features including a service
catalogue, enhanced asset management, automation of common help desk
processes, multiple Application Programming Interfaces (APIs) designed to
further simplify interaction with third-party products, and tighter integration
with other ManageEngine software suites.
TelstraClear, one of New Zealand's largest telecommunications companies,
has selected BMC Software's Remedy IT Service Management (ITSM) Suite to
provide a fully-integrated and automated ITIL-based ITSM platform.
With the new service catalogue, IT teams can organise and publish a list of
all help desk services available, as well as maintain a workflow for service
requests, helping ensure those services are delivered effectively and on
time. The service catalogue is customisable to fit the needs of individual
organizations, the company noted.
ManageEngine claims that with ServiceDesk Plus 8.0's asset management
functionality, administrators no longer need to open ports, switch off firewalls
or enable Windows Management Instrumentation (WMI) while scanning
assets, and that these new capabilities can reduce scanning failures across
assets, especially across distributed networks. ServiceDesk Plus is available
as a downloadable file for both Windows and Linux platforms. ■
OTRS LAUNCHES RELEASE
3.0 WITH ALL-NEW GUI
OTRS, one of the world's leading providers of open source help desk and
ITIL-compatible ITSM solutions, has launched OTRS Help Desk 3.0, featuring
a brand new Ajax-powered interface designed to dispatch help tickets 30
per cent faster under the most demanding usage scenarios.
"OTRS exceeded my expectations and helped to redeem my faith in open
source software," stated Paul Hill, system administrator of Alaska school
district in the USA. "As a system administrator, you come across open
source solutions that are far from refined and so problematic that the
amount of work they save aren't worth the time and effort to get them up
and running. OTRS was a pleasant change."
The new web front-end features customer-configured ticket overviews, a
dynamic Ticket Zoom view, enhanced full text search, a separate ticket
archive for quick retrieval, and accessibility compliance. Other new features
include an optimised web installer, easy intranet integration, and quick
identification of new and unread articles. ■
TelstraClear's ITSM application will provide a transparent support and
monitoring mechanism between its service desk, operations infrastructure
management, Voice and Data Operations (VDO) and Computer Telephony
Integration (CTI) operations teams. This will enhance TelstraClear's ability to
deliver more efficient, automated IT services to its customers, reducing
response times and improving service levels.
"We've chosen BMC Software to provide an integrated platform that will offer
a broad range of cost-effective IT services," said TelstraClear Head of Networks
and Services Andrew Crabb. "BMC Remedy ITSM dramatically improves our
operating efficiencies, removes complexity and makes customer support,
change, asset and request management an integrated process." ■
HOUSE WINS POSITIVE REACTION
FROM US CHEMICALS FIRM
The world's leading producer of
cobalt-based specialty chemicals
has selected House-on-the-Hill’s
SupportDesk service management
tool for its global Helpdesk. OM
Group, Inc is using SupportDesk to
manage production issue
resolutions and IT service requests
internationally across 26 sites.
Based in Cleveland, Ohio, it operates
manufacturing facilities in the
Americas, Europe, Asia and Africa.
“We were looking for an ITILcompliant, web-based, highlyconfigurable and in-housemaintainable global help desk
application,” said IT Quality
Assurance Manager Mike Huesman.
“House-on-the-Hill met our
requirements and seemed to offer
East of England Ambulance Service Trust
provides rapid response with Supportworks
East of England Ambulance Service
NHS Trust has selected Hornbill’s
Supportworks ITSM Enterprise to
manage IT support calls from
thousands of staff working in its
operations centres and ambulance
stations. Hornbill’s service desk
software passed the Trust’s rigorous
procurement process, with its
functionality and user interface
scoring higher than competitive
vendor products. ITIL compatibility
was also a key factor in the
selection. The IT service desk at
East of England Ambulance claims
improved service delivery since
using Supportworks for both
incident management and service
requests, and expects to see further
efficiencies through the planned
introduction of the SelfService
portal.
Supportworks ITSM replaces a
manual help desk system based on
spreadsheets and emails, and will
support the Trust’s adoption of ITIL
best practice.
Andy Marrs, service desk manager
at East of England Ambulance
Service Trust commented; “We
identified a very specific list of
requirements during our
procurement process for service
management software, including
ITIL compatibility, proper call
handling and auditable processes.
Hornbill offered all of the
functionality that we required, which
included a full range of processes to
support our ITIL adoption, not just
call handling and change control.” ■
the best value for available
functionality, sustainability and
application support services.”
OMG, which supplies more than
4,000 customers in 50 industries
worldwide and is also a leading
supplier of nickel-based specialty
chemicals, previously used a
proprietary Lotus Notes-based help
desk program maintained by a
contracted consulting support
group, with limited functionality.
Replacement options were
evaluated in detail against helpdesk
management and notification
requirements, features and
functionality, maintainability and
long-term cost. ■
NEWS
itSMF UK NEWS
VERNON LLOYD BECOMES
HONORARY LIFE VP
One of itSMF UK’s leading lights,
Vernon Lloyd of Fox IT, received a
special honour at this year’s Annual
Conference when he was appointed
honorary life vice-president. An
active member since the itSMF
movement started, Vernon has
occupied most positions on the UK
Management Board over the years
and stepped down as international
director at the AGM. He received the
award from guest speaker Sir
Ranulph Fiennes, while chair Barry
Corless expressed his heartfelt
thanks for Vernon’s outstanding
contribution to the organisation.
Vernon later commented,
“Receiving this prestigious award
came as a complete surprise but,
needless to say, I am extremely
honoured and grateful to have
received it.” ■
ITSMF UK APPOINTS BEN CLACY
AS NEW CHIEF EXECUTIVE
business development of the
organisation, and since May 2010
has also served as company
secretary to itSMF International.
Chairman of itSMF UK, Barry
Corless, backed Ben Clacy’s
appointment saying, “The
Management Board took the
decision to appoint from within. Ben
has shown tremendous flair and
aptitude during his time with us. We
have given him a fantastic
opportunity to realise his potential
and are confident in his ability to
deliver increased benefits to our
members.”
itSMF UK has announced the
appointment of Ben Clacy as its new
chief executive officer.
Formerly itSMF UK’s deputy chief
executive, Clacy has overseen the
operational management of the
itSMF UK for some months. He
joined itSMF UK in July 2006,
predominantly managing the
“This is a very exciting time to take
on the role of CEO at itSMF UK,”
commented Ben on his
appointment. “Having been through
extremely tough times in the ITSM
industry over the last two years,
now is the time when service
management can make a real
difference to businesses. Here at
the itSMF UK and globally we are
well placed to be an integral part of
this journey forward.”
Married with three young children,
Ben lives near Reading. ■
NEW MEMBERS
A WARM WELCOME TO THE FOLLOWING NEW
MEMBERS OF ITSMF UK.
COMPANY 25
Mark Sims of Methodrutilus
Fidelity Investment Managers (John
Randall)
Paul Brayford of Paraboloidal
Northgate IS UK (Andrew Aitken)
Julian Parsons of Shell IT
International
COMPANY 10
FCO Services (Stuart Ridgard)
COMPANY 5
Star (Marion Stuart)
Graduate Prospects (Mark Smith)
INDIVIDUAL
Simon Jacobs of Bang & Olufsen
Sean Becks of Drax Power
Shahla Dilawar of East London NHS
Foundation Trust
James Harkins of East Sussex Fire
& Rescue Service
Darren Martin of RSSB
Barclay Rae of Barclay Rae
Consulting
Joseph Kiddell of Cable & Wireless
Worldwide
Shirley Lacy of ConnectSphere
Boade Ezekiel Babarinde of Folubb
Consulting
Nigel Hunter-Cowton of HunterCowton Ltd
Martin Hall of ITSM Consulting
Mark Worley of Service Advocates
Derek Collns of GlaxoSmithKline
David Kelly of Specialist Schools
and Academies Trust
Bjorn Barton-Pye of HKC Services
Mark Holl of TLT Solicitors
Stephen Shepheard of Land
Securities
Laurence Hamer of Weatherbys
NEWS
itSMF UK NEWS
Two new members
for itSMF UK Board
CALL FOR SEMINAR
SPEAKERS FOR 2011
itSMF UK is seeking speakers for its 2011 seminar programme. Preference
will be given to those sessions that offer practical advice and guidance, and
to those that provide seminar delegates with high quality ‘'takeaways’ that
they can apply immediately after the seminar.
All submissions are reviewed by the itSMF UK Events ESC who make the
final decision on speakers and the agenda order of each event. The
programme is as follows (see back cover for further details):
Introducing and improving problem management to maximise your
investments
16th February, Leicester
Practical service strategy
16th March, Newbury
Service Transition: How to achieve painless go-lives
18th May, Edinburgh
Service management in challenging times
22 June, Portsmouth
Keeping your service management journey moving
September, Liverpool
Achieving and maintaining service excellence using service levels
7th December, Duxford ■
At the itSMF UK annual general meeting on 8th November, two new
members were elected to the Management Board. David Jones of Pink
Elephant (above, right) became chair of the Qualifications & Certification ESC
while John Windebank of Oracle became international director. Other
positions remained unchanged – Barry Corless continues as chair and Colin
Rudd as VP; Matthew Burrows was re-elected to the role of ISM president;
Alan Thomson remains finance director; while Steve Straker, Ashley Hanna
and Don Page carry on as chair of the services, publications and events
ESCs respectively.
Barry Corless expressed his sincere thanks to outgoing Board members
Rosemary Gurney and Vernon Lloyd for all their hard work. ■
Election results for the
ISM ESC/Council
At the Institute of Service Management (ISM) AGM in 9th November, five
people were elected to the ISM ESC/Council. Congratulations to the
successful candidates – Stephen Griffiths, Adam Poppleton, Brett Tilney,
Christine Welsh and Paul Simpson. At the itSMF UK AGM the previous day,
Matthew Burrows was elected for a second term as ISM president. See the
ISM pages of this issue for further information. ■
LONDON CONFERENCE A GREAT SUCCESS
itSMF UK chair Barry Corless said he is “very happy and proud” following
itSMF UK’s 2010 Conference which attracted 650 delegates to the capital. For
a full report on the event and details of this year’s award winners, see the
Conference section later in this issue. ■
NEWS
itSMF EVENTS
❅ Service management
❅
in the
❅
clouds
SNOW WAS MORE OF AN ISSUE THAN CLOUD AT THE LATEST ITSMF UK SEMINAR
IN MANCHESTER, REPORTS ROSEMARY GURNEY.
This seminar highlighted the specific challenges,
and suggested practical ways to modify your
approach to service design, service transition,
and service operation to avoid these
technological marvels turning into service
catastrophes.
The theme for the latest itSMF UK seminar,
Service Management in Cloud and Virtual
Environments, couldn’t have been more apt.
Specifically, it was the amount of snow falling
from the clouds in the leaden Manchester skies
that was of real concern. Would the exhibitors
make it, would the speakers be able to negotiate
the journey, and would the delegates be
sufficiently motivated to travel?
Fortunately, the answer to all of these was a
resounding yes. Only two exhibitors were unable
to travel and five delegates sent apologies. So
after a short delay to allow for travel conditions
and fortified by excellent refreshments, we were
ready to go.
New technologies such as virtualisation, cloud
computing, grid computing, software as a service
and platform as a service are already a reality,
yet only a few people in IT service management
have started to understand what these concepts
really mean to them and to the future of ITSM.
Moving to this new world of utility computing, ondemand services, and dynamic distributed
environments provides many challenges to our
traditional approaches to ITSM and to IT. Many
will tell you that you just need the right tools, but
the old adage of ‘a fool with a tool is still a fool’
applies even more in this brave new world.
The good news is that the solution to many of the
challenges already exists. By using the service
lifecycle as the basis, and by morphing the ways
that we apply service management, we can help
to realise the potential benefits of new
technologies. Or we can just put our heads in the
sand whilst the cloud blows over…
Following the itSMF UK update, presented by
member services manager Chris Roberts, our
first presentation, from David Chalmers of HP,
was entitled ‘Why is Infrastructure Converging?’
David looked at three global trends and
illustrated these by highlighting changes in
technology that have occurred since the 1960s
and those that he forecast we would see in the
coming decade.
Barry Corless, business development director at
Global Knowledge and itSMF UK chairman,
followed with his ‘Survival Guide to Service Level
Management and the Cloud Revolution’. Key
messages were the change in the monitoring
landscape that would focus on the end-user
experience and synthetic monitoring of cloud
services. Barry also provided us with a dose of
reality, telling the audience that cloud was “just
another third party” and that the old rules about
underpinning contracts supporting SLAs and
understanding customer needs were still critical.
Finally, Chris Frost and David Buckley from
Fujitsu and HMRC, gave us an overview of their
S4 project implementation and the savings that it
has brought to their organisation. We also
discovered that their S4 product is a private cloud
service available now in HMRC, the largest of its
kind in central government.
Given the inclement weather, a speedy departure
was made by all. The only other concern was
how to dodge the snowballs being thrown by
Manchester Uni students as we hurried down
Oxford Road.
Rosemary Gurney is director of Wardown
Consulting and recently stepped down as itSMF
UK Qualifications & Certification ESC chair and
acting CEO. ■
❅
❅
Barry is also itSMF UK’s self-confessed ’weather
geek’ and gave delegates the opportunity to
check his real-time weather radar to manage
their expectations for the journey home.
Following a break for lunch and an opportunity to
network and visit the exhibitors, we were
delighted that Adam Woolford from Atos Origin
was able to make the perilous journey across the
Pennines from Derbyshire. His presentation,
‘Bringing Business Ready Services Together’,
discussed such topics as how service managers
and solution architects can support the
enterprise in the decision-making process to “go
down the cloud route” and what the service
designer needs to ensure that the right service
management framework is incorporated to meet
the business needs.
❄
❆❅
ISM
MATTHEW BURROWS
REPORTS ON THIS
YEAR’S ISM ANNUAL
GENERAL MEETING
Moving towards prISM...
Following a successful pilot of the prISM
programme in the USA, representatives of the
ISM, on behalf of itSMF UK, have been working
with colleagues from itSMF International and
itSMF USA to roll it out on a global basis.
WHAT IS PRISM?
prISM (Professional Recognition for IT Service
Management) is a credentialing programme
aimed at ITSM professionals. The scheme
provides a framework and guidance for
continuing professional development while
building upon members’ existing training,
certification, education, and experience. The
attainment of priSM credentials aims to provide
the individual with a broad range of benefits
including industry and potential employer
recognition and post-nominal use (depending on
the level achieved).
PROGRESS SO FAR
Matthew Burrows has been working with a small
team from itSMF International and itSMF USA
since March 2010 to ‘internationalise’ prISM. The
ISM already has a very well established and
comprehensive CPD scheme available to
members, and the prISM scheme is very similar.
itSMF International is very keen to harness this
experience for the benefit of the global
movement. It was felt that the most desirable
outcome was to have a single scheme,
standardised and internationally recognised,
rather than several competing offerings which
might confuse the market. As a result, the ISM
and itSMF UK have been collaborating to see
whether this is feasible.
As part of this effort, a wider group of
participants, with representation from global
itSMF chapters, took part in an initial conference
call on 12th November 2010. The group’s
discussion included the pilot launch and success
of the scheme in the USA, achievable phased
rollout approaches for other geographic
locations, and local/regional roles and
responsibilities. Matthew Burrow and Stephen
Griffiths from the ISM, together with Ben Clacy
from the itSMF UK, also attended meetings with
itSMF International and itSMF USA
representatives during the UK conference to
discuss UK involvement. Further discussions are
in the pipeline.
EXISTING ISM MEMBERS
If the UK decides to fully participate in the prISM
scheme, the intention is that existing ISM
members will be offered a clear transition path
from the current ISM CPD scheme. Thus it is an
advantage to be a member of ISM as the
discussions continue and the transition plans are
developed. ISM members also continue to benefit
from the other membership services, such as
mentoring and events. At the time of writing this
article (November 2010) a firm decision is
expected during the December 2010 to February
2011 timescale, and will be announced once
this happens. ■
ISM
ISM update
On 8th November, during the itSMF UK
conference in Hammersmith, London,
we held the AGM of the Institute of IT
Service Management. The meeting included a
chairman’s report, financial summary, and
elections for ISM Council members.
O
The chairman’s report included the following
highlights:
more than they have taken out, all for the benefit
of our members and our service management
profession in general. Many of the members of
itSMF UK staff have supported us – I’d
particularly like to record my personal thanks to
Megan Pendlebury (who has recently moved on
from her itSMF role), Danielle Marshall, Sarah
Nieto and Ben Clacy (our new CEO) for their
outstanding efforts.
• Membership decline has been reversed and
we now have almost double the number of
members we had one year ago
Following the election of five ISM ESC members,
and my re-election as president, I can confirm
the new ESC names and focus areas:
• Conditions are still challenging, and
membership growth continues to be
positive but relatively slow
MENTORING AND CPD (CONTINUAL
PROFESSIONAL DEVELOPMENT)
• The focus of the last year has been about
restructuring, repositioning, review and
renewal.
At the itSMF UK conference ISM members
presented and effectively ‘re-launched’ our
updated mentoring and CPD schemes.
• We are now in a good position to start
aggressively driving increased membership
During a presentation led by Nigel Mears (one of
the pioneers of the ISM scheme), mentors and
mentees spoke about the benefits they had
gained from the mentoring scheme, and why
they believe all those in service management
should consider taking part. Mentoring is total
free to members, so all you have to do is join the
ISM and make a request to take part.
• Our services and membership benefits have
all been reviewed and improved - CPD
(Continual Professional Development) and
mentoring schemes were ‘re-launched’ at
conference
• SFIA (Skills Framework for the Information
Age), for which the ISM ESC manages the
itSMF UK co-ownership and activity,
continues to grow globally
• Following a pilot implementation with itSMF
USA, we’ve been working with itSMF
International on a global credentialing
scheme for our community, under the
prISM name.
Christine Welsh led the presentation on the ISM
CPD scheme, for which she has recently
conducted a review and update to ensure greater
alignment with SFIA and to reflect new
qualifications and experience areas. The process
has been made simpler, and templates and
guidance are now available to help all members.
The scheme can easily be integrated with
existing schemes which members’ employers
have in place, or can provide a framework for
those who don’t already have one established.
CPD, like mentoring, is entirely free to members.
HOW TO CONTACT US
To contact any of the ESC members, or to make
any other ISM enquiries, please phone the office
on +44 (0)118 918 6500 or email info@iosm.com.
Information, including membership application
forms, is available on the ISM website –
www.iosm.com
FINAL WORD
As always, I’d like to encourage all ISM members
to take advantage of the services that are
available, whether you need support in your own
skills development through our CPD and
mentoring programmes or you’re looking to
benefit from our events and body of knowledge.
Please make contact and we’ll be pleased to
help you.
For non-members, please look at the benefits of
membership and consider joining us. With
membership fees starting at £30 per year you
could be getting access to the best value
professional support in service management.
Matthew Burrows is president of the ISM
and managing director of BSMimpact. He
can be contacted at
matthew.burrows@bsmimpact.com ■
Despite continuing challenges for our industry,
including many service management
professionals finding themselves looking for
new jobs, we have almost exactly double the
number of members we had a year ago. We still
have a long way to go to build membership and
demonstrate its tangible value, but our activity
this year has definitely moved us in the right
direction. The team of volunteers, assisted by
several key itSMF UK staff, have delivered almost
all of the items on the roadmap we published
for 2010. The only things not fully delivered to
plan have been the website update, for which we
are dependent on a wider itSMF UK website
project, and the minor delay of an event which
was postponed until after conference for
logistical reasons.
I’d like to thank the members of the ISM ESC,
those filling the gaps while we waited for the full
election process, and the people who served on
the initial working party during the first half of
2010, for their considerable effort in directing and
building our institute – Stephen Griffiths, Eddie
Potts, Adam Poppleton, Declan Galvin, Christine
Welsh, Paul Simpson, Michelle Hales, Brett
Tilney and John Godwin. These people gave their
time freely to help fellow members and start the
transformation of the ISM – they have truly put in
KNOWING YOUR LINES
n the July issue of ServiceTalk, I wrote about a
client of mine who had seen growth in his
service desk staffing and discussed his
approach. I alluded then to ‘two quick fixes’ but
did not have space to go into detail. In that case,
the fixes were:
I
1) the second-line support would announce
to the user that it had taken ownership of
a call and
2) the client would be updated directly about
call progress without further involving the
service desk.
Of course these are out of context – and I’ve
known many a second-line technician who would
arms-foldedly refuse to speak to the user
directly. So this article provides that context by
looking at the so-called ‘lines’ of support and
considering the workflow between them. The
first question is how many of these lines there
are or should be.
THE TRADITIONAL MODEL
We’ve all heard of (and even ITIL has now got
round to mentioning) ‘first’, ‘second’ and ‘third’
line support. The old way of defining these lines
is based on the traditional technocracy inherent
in much of IT. Typically, the higher the line
number, the more technical you are, the further
you are from the user and the more you get paid.
Traditionally, first-line takes and resolves the
simple enquiries; second-line (often known as
‘desktop’) support deals with the more difficult
ones; third-line support requires profound
technical understanding, so this can involve the
implementer or perhaps local network
specialists. The vendor may be designated as
fourth line and so on through the hallowed,
numbered tiers of knowledge until, presumably,
the seventeenth line or thereabouts is the
Omniscient Almighty in Heaven.
As a model, that is dysfunctional. It attempts to
impose process on an existing structure
characterised by technical rank, that does not
actually describe where responsibility should lie
or ownership can be taken. It confuses politics
with workflow. It mismatches what needs to
happen (restore the user to productivity) and the
focus of the workflow (how technical is this
enquiry?). It cannot lend itself to standardisation.
Models like this frequently produce black holes,
enquiry backlogs, ownership confusion, call
bouncing (“not my problem mate, send it to
Networks”), absence of intelligence on real-time
call progress and almost useless management
information.
MENTAL LEAPS
There is another, far more logical and scientific
way, but to get to it we have to make two mental
leaps. The first is to separate genuine ‘break-fix’
support enquiries from all the other stuff latterly
taken on by (or dumped into) what has come to
be known popularly as the ‘service desk’. A
definition is needed. If the incoming enquiry has
been necessitated by a failure in IT or its use,
such that the user’s productivity has been
impeded, then it is a break-fix enquiry.
Everything else in the service desk’s queue is a
service request, change request, advice, general
query and so on.
This ‘everything else’ does not constitute user
impediments but Business As Usual (BAU). Most
of it can and should be automated, designed into
forms and put on a web site or, where
unavoidable, dealt with over email by
administrators. By the way, although break-fix
may be BAU for the support technicians, it is the
absolute opposite for the users, and given that
they are the customers for whom we make these
services available, it is the users’ point of view
we should be taking. Our purpose is to restore
user BAU.
The second mental leap is to remove technical
specialisation from the equation and look at the
pure, operational functions we need to deliver a
support service. Necessary technical knowledge
notwithstanding, to restore user BAU we need
only two lines of support. The first line resolves
those enquiries that can be fixed at first
encounter. The second line resolves those where
a separately scheduled second encounter is
made inevitable by distance, diagnosis or
complexity of communication. What these two
have in common, and what makes them
essentially a support function, is that the
resolutions they produce come from within the
existing parameters of the system, where that
system includes both the involved IT and the
ability of the user to make use of it. This ‘existing
parameters’ definition is essentially what makes
superfluous all other lines of support beyond
these two.
Knowing
your lines
KNOWING YOUR LINES
Either the system can be repaired and restored,
or the enquiry can only be resolved by the
creation of new parameters not present in the
current system. This includes waiting for the next
version, developing a system alteration, or
otherwise reorganising the technology. In other
words, what separates a query at this level from
the usual break-fix is that, in order to resolve it,
we must introduce something new, which means
that the change process must be invoked. We
may call this third-line support, but really it is a
development function. Third line means ‘change’
not ‘repair’.
PEOPLE
So who works in first or second line support,
with what skills? Actually, the issue is irrelevant.
The skills, technical rank or home workgroup of
a member of IT personnel do not denote in which
‘line’ they work. There is indeed a rough
correlation between enquiry reception and first
line, and again between at-desk fixes and second
line, but this is only an overlap of subsets. Rather
than see first and second line as departments,
they should be viewed instead as operational
functions. You may be the most Unix-savvy
developer in the company, Civic Type R in the car
park, salary astronomical, and have left the help
desk over a decade ago, but if a user asks you to
clarify the use of a piece of code you wrote, then
you are performing a first line function. Similarly,
you may be the most junior, subsistence-paid,
last-in greenhorn in IT, but if you hang up the
phone to think about and then resolve the
technical question you have just been asked, you
are performing a second-line function.
The lines of support are denoted by the workflow
components of our production line, not by the
departments who most often carry them out.
Defining the view by process rather than
workgroup can free up considerably how we do
things. We can now talk in terms of which
department does first line and second line for
which technology. Take a vertical application, still
under development, newly rolled out. It is far too
specialist and subject to change at this stage to
be formally handed over to IT support, and
routing calls that way would just add a delay. The
users contact the development group direct – the
first, second and probably third line functions all
reside there. But as the application reaches
maturity, the first line may be in-sourced to the IT
help desk, second line to business apps support
and so on.
TRIAGE
There is another dimension to first line, and that
is to further sort the incoming enquiries into
‘reception fix’ or ‘triage fix’. This accounts for the
practical reality that work often arrives at the
help desk or service desk at a high rate.
‘Reception’ call takers often cannot afford the
time to resolve everything over the phone, for
that would tie up a line and keep other callers
out. One common solution for this is not to
attempt to resolve the enquiry immediately, even
if that is possible, but instead to log the enquiry
and pass it to second line, so another call can be
taken. Of course this delays resolution – not
good. Another is that the call-taker ‘goes
unavailable’ (logs out of the telephone system) to
diagnose and fix the enquiry – but that only
reduces the service to incoming calls.
One effective solution is ‘triage’ – an adjunct to
the first line. The call taker assesses whether the
enquiry can be fixed remotely – and then also
whether that fix can be quick. If possible, but not
quick, the caller is immediately passed to the
triage team who, not being call receivers, have
the time to produce a first-line fix. It takes
analysis to create this kind of function, but a
triage service can be immensely cost effective. I
once designed one for a support group that freed
up six field technicians for every head in triage.
OWNERSHIP
So who owns the enquiry in all this? To my mind,
this is simple – ownership lies with the person
most in the position to influence the enquiry
toward resolution, regardless of line. And with
that ownership comes the responsibility to
proactively keep the user apprised of the
progress of the enquiry. If you’re not already
doing this, try it. I can almost guarantee you will
see calls to the first line plummet and customer
satisfaction rise.
Noel Bruton is a UK-based consultant and trainer
who advises companies on the practicalities of IT
support management and improvement, and the
author of best-selling books on all aspects of IT
service delivery. See more of his work at
www.noelbruton.com ■
NOEL BRUTON TAKES A
FRESH LOOK AT FIRST,
SECOND AND THIRD-LINE
SUPPORT AND SUGGESTS A
DIFFERENT APPROACH TO
HANDLING USER ENQUIRIES.
CONFERENCE
A success
by any measure
tSMF UK’s 2010 Conference in Hammersmith
was a success by any measure. Despite the
recessionary pressures, 650 delegates packed
into the Novotel London West on 8th-9th
November to enjoy a programme of over 40
presentations and keynotes and a bustling
ITSM exhibition.
i
“This was our first Annual Conference in
London,” said itSMF UK CEO Ben Clacy, “and I
couldn’t be more delighted with the result. We
were also really pleased with the number of
overseas visitors who joined the event this year,
including representatives from over 20 other
chapters. I would like to say a big thank you to all
our sponsors and exhibitors, without whom the
Conference would not have been possible. Many
thanks too to the speakers and delegates who
made this a Conference to remember.”
"There was always going to be a little
apprehension working with new partners at a
new hotel,” commented itSMF UK chair Barry
Corless. “However, it all went far better than we
could have imagined. The keynote speakers, the
exhibitors, the hotel staff, the lighting and sound
gurus at JLP, the event support team from PB
Projects, not forgetting the itSMF UK permanent
staff... Everybody gave 110% for the whole time to
ensure we sent away 650 happy delegates and
one VERY happy and proud itSMF UK chairman."
The opening keynote was presented by
adventurer and explorer Sir Ranulph Fiennes,
who captivated the audience with his dry humour
and warmth as he described his breath-taking
travels across the deserts and frozen continents
of the world. The sheer commitment and
determination demonstrated by Fiennes and his
companions as they pushed human endurance to
new levels was an inspiration to all and
highlighted the importance of team-working and
leadership in any discipline.
Other keynote sessions were provided by James
Staten, vice-president of Forrester Research,
who offered a fascinating insight into the practical
application of cloud computing, and ITIL chief
architect Sharon Taylor, who provided a glimpse
into the future of service management.
Experience-based presentations from companies
such as Camelot, the UK Border Agency, UK Land
Registry, Heineken, Belron, Bank of England, the
Co-operative Financial Services, Defra, Standard
Life, Thomson Reuters, Axa, Virgin Airways, the
University of Bolton and Unilever ensured that
the programme focused on practical service
management issues and challenges, while
interactive features such as an Ask the Experts
panel session and G2G3’s cloud simulation
encouraged delegates to become fully involved in
the proceedings.
RECOGNISING ACHIEVEMENT IN
SERVICE MANAGEMENT
On the Monday evening the conference played
host to the prestigious ITSM Awards dinner. This
year the master of ceremonies was
impressionist Jon Culshaw, who delighted the
audience with comic versatility as he introduced
each of the awards. Following tradition, the event
included a charity raffle which raised an
impressive £2200 for this year’s beneficiary, the
Hammersmith Academy.
The awards featured eight categories (the full list
of winners and finalists appears overleaf).
Student of the Year (ISO/IEC 20000) went to
Louise Howson of Steria, while Richard
Carpenter of HSBC picked up the gong for best
ITIL student. Both awards were sponsored by
APMG-International. After the ceremony Louise
said, “I was really surprised to be nominated for
and then to receive the award. I have been
working with ISO/IEC 20000 since 2005 and
assisted Steria last year in achieving certification
against the standard, so the course was very
relevant to me.”
The Trainer of the Year award went to Michelle
Major Goldsmith of Sysop, a finalist for the
second year running. Michelle, whose article on
communicating with business management
appears later in this issue, commented to
ServiceTalk, “I’m particularly delighted to have
received the award given that the nominations
are made by students and the accompanying
endorsements and final assessments are
conducted by one’s peers and other recognised
ambassadors for service management. I was
very pleased that another Sysop trainer, Andy
Wright, was a finalist too and for a small but
established service management organisation
such as Sysop it really acknowledges our
commitments to deliver an exceptional training
experience for all our customers. I’d like to thank
the many students who nominated me for this
award; the fact they took the time to do it leaves
me humbled.”
MARK LILLYCROP REPORTS
ON ITSMF UK’S ANNUAL
CONFERENCE IN LONDON
AND ON THE RECIPIENTS
OF THIS YEAR’S IT SERVICE
MANAGEMENT AWARDS.
Submission of the Year (sponsored by Exin
International) went to Ian Macdonald, senior IT
specialist at the Co-operative Financial Services,
for his ITIL Process Assessment Framework
paper. It’s been a good year for Ian; his paper on
end-to-end service reporting took last year’s
prize and went on to worldwide acclaim with a
special award from itSMF International. “The
Submission of the Year award from itSMF UK,” he
said, “is the ultimate industry recognition of the
contribution and value provided to the forum and
its membership in leading the development of
best practice. To win this for the second year
running is a fantastic achievement personally
and for Co-operative Financial Services.” The first
part of Ian’s process assessment paper appears
in this issue, and both papers are available to
members for download from the itSMF UK website.
NURTURING INNOVATION AT GCHQ
The winner of the Service Innovation award
(sponsored by Exin International) was UK
Government Communications Headquarters
(GCHQ) for its risk-based Service Transition,
evaluation, Planning & Support (STePS) project.
STePS is a corporate process, owned and
managed by the IT Services Business Unit, to
ensure that all new IT deliveries are fully
supportable, affordable and sustained once
transitioned into operations. The innovation
replaced an existing Transition to Operations
process, which was proving too slow and rigid to
allow IT Services to respond to rapidly changing
business demands. STePS also allowed GCHQ to
benefit from the best practices supported by
ITIL V3.
“From the top down, GCHQ values innovation,”
commented the STePS project leader. “It is
crucial to the organisation’s success. Innovation
amongst software developers and researchers
produces massive business benefit but can pose
a challenge for those who are charged with
running the IT whilst reducing support budgets.
STePS gives GCHQ a way of enabling large-scale
agile delivery of new, innovative capabilities into
the live IT environment without losing control. It
does this by focusing the Service Transition
function on to the identification and management
of risks.”
He continued, “Winning the itSMF UK Service
Innovation of the Year award is a huge morale
boost to the team that developed it, and enhances
GCHQ’s reputation as a major player in the IT
CONFERENCE
industry. Most of our work goes on in secret, so
we don’t often get the chance to show off what we
have done. A group of judges from the IT Service
Management industry have had a look and
agreed that it really is an enabler of innovation.
That means a great deal to us.”
CHAMPIONING SERVICE
MANAGEMENT ACROSS THE OCEANS
This year’s Service Management Champion, Clare
Hubbard, has demonstrated how to use tried and
trusted good service management practice to
support new technology. Clare, service
management team manager at the Met Office,
won the award partly because of significant ITSM
improvements within the Met Office itself and
partly because of the input that Clare’s team have
provided to a new EU-wide initiative called
MyOcean.
“Although my name is on the award,” Clare told
us, “this wouldn’t have happened without the
enthusiasm of the whole team. The Met Office
has made a huge commitment to IT management
over the last three years, and in particular has
focused on improving the quality of service
management through ITIL V3 best practices. This
can be seen in the way incidents are managed,
the quality of reporting, the approval of changes
and many other service areas.”
MyOcean harnesses the resources of over 60
organisations across Europe to provide a web
portal and data download service for users of the
oceans. Offering information on such subjects as
tides, temperatures and salinity, the data
available through MyOcean has the potential to
greatly improve the safety and efficiency of sea
travel in areas with extreme weather conditions
as well as providing essential support for those
monitoring the marine ecosystem.
Among other things, the Met Office has been
given responsibility for implementing service
management across the partnership, and it’s
very clear that best practice permeates the whole
MyOcean project. A visitor to the myocean.eu.org
portal can download a service level agreement
(SLA) which outlines the level of commitment
and service she can expect from the portal and
from the service desk. The user in turn signs up
to the SLA in order to gain access to the MyOcean
data. There is a further SLA in place between the
MyOcean management and the EU, and this
cascades down to Operational Level Agreements
(OLAs) between MyOcean and each of its
production centres.
These agreements, and the surrounding service
culture, have been introduced by Clare Hubbard
and her team to ensure that MyOcean provides
the same kind of service delivery that Met Office
customers have long been accustomed to. “Many
of our partners in MyOcean did not come from
customer-facing roles and had little concept of
service management in the ITIL sense,”
explained Clare. “We have been very encouraged
by the way that the SLAs and OLAs have been
accepted within the project, and it means that we
should be able to build a strong relationship with
our users as we move to ‘go live’.”
The other key service management component
within the portal is a standard service catalogue.
“Our users’ requirements can be quite complex,”
said Clare, “so we expect changes to be
requested to the existing service portfolio. As we
move forward, users will be able to log change
requests through the portal.”
One of the most exciting aspects of the MyOcean
project is that many of the processes have been
based on templates published in ‘Service Level
Management – a Practitioner’s Guide’, written by
the itSMF UK SLM Special Interest Group. “The
book proved invaluable in providing us with
simple, standard documents on which to base
the MyOcean agreements and catalogue,” said
Clare. “Of course we also drew on resources
from the Met Office, but the templates offered an
excellent place to start.”
The SLM Practitioner’s Guide (complete with
template CD) is available from the bookshop at
itsmf.co.uk. The Service Management Champion
award was sponsored by BCS.
PROJECT OF THE YEAR:
IMPLEMENTING GLOBAL ITSM IN
DEUTSCHE BANK
Deutsche Bank's winning entry for Project of the
Year describes the project established to form a
global production management function (Global
Technology Production Management or GTPM),
which has integrated the IT service management
functions of the Bank into a single organisation.
The project involves the transition of 4,600
applications, of which more than 10% are
mission-critical, and the bringing together of
more than 50 IT teams consisting of 2,000
internal staff and externals distributed across five
continents spanning 15 time zones. The benefits
already realised include a reduction of 90% in the
level of critical incidents from January to April
2010 versus 2009, a 20% reduction in the overall
level of critical and severity 1 incidents, and over
EUR10 million of savings realised from the
consolidation of the production management
function, rationalisation of vendor relationships,
and a reduction in incidents and service requests.
Marc Earl, head of GTPM, said "I am immensely
proud of what we have achieved as a team and it
is fitting that we have now gained recognition for
it amongst our industry peers. The quality of
work our people have put in to making the
transformation such a success has been
outstanding. We are still at the beginning of
realising all the potential benefits of our work
both for clients and the Bank. Winning this award
shows industry endorsement for the path we are
following - a strategy that will enable us to
continue to go from strength to strength and be
recognised as one of the leading teams within
the Bank".
THE PAUL RAPPAPORT AWARD
Last but certainly not least, this year’s recipient of
the coveted Paul Rappaport award for
outstanding contribution to service management
is Ashley Hanna, tireless ITIL author and
reviewer and ISO/IEC 20000 examiner. As chair of
the itSMF UK Publications ESC, Ashley oversees
the organisation’s publishing and book sales
portfolio, and is part of the itSMF International
publications think-tank. He is currently the
technical continuity editor of the ITIL Update and
works as a business development manager at HP.
Ashley said the award had come as a complete
surprise and he felt very privileged to have
received it. See the profile of Ashley Hanna later
in this issue. ■
Sir Ranulph Fiennes
and the winner is...
Student of the Year: ISO/IEC 20000
(sponsored by APMG-International)
Service Innovation of the Year
(sponsored by Exin International)
Awarded to the individual that, in the markings submitted to itSMF
UK, has been the most successful highest scoring student during
the year. Individuals are automatically entered into this Award
when taking the ISO/IEC 20000 Consultants exam through the
itSMF scheme.
Awarded to the most novel project, product or service that has been
developed over the past year. The winning submission will be, in the
judges’ opinion, the project that has best demonstrated a proven
ability to create, grow and develop innovations or processes that
substantially improve the business operations of the organisation.
Winner
Winner
Louise Howson, Steria
GCHQ – Risk-based Service Transition, evaluation,
Planning & Support (STePS)
Finalists
Anthony Nantes, Lucid It
Nick Lewis, Steria
Finalists
Coventry University – Firstline Enduser Local Information
eXchange (FELIX)
NHS Connecting for Health – The National Monitoring Service
Student of the Year: ITIL
(sponsored by APMG-International)
Awarded to the student listed on the Official Accreditor’s ITIL
Successful Candidate Register who has achieved the highest
average mark across two or more ITIL Intermediate qualifications.
Winner
Service Management Champion (sponsored by BCS)
Awarded to the individual who, in the judges’ view, has been the
most successful and consistently achieving IT Service Manager
during the year and made the most outstanding contribution within
their organisation and for their customers.
Richard Carpenter, HSBC
Winner
Finalists
Clare Hubbard, The Met Office
James Harkins, East Sussex Fire & Rescue Service
Nathan Pincher
Finalists
Paul Buxton, Logica plc
Bidemi Johnson, Northgate Information Solutions Ltd
Trainer of the Year
Awarded to the individual who, in the judges’ view, has been the
most successful and consistent IT Service Management trainer
during the year. All trainers are nominated by a student.
Winner
Michelle Major-Goldsmith, Sysop
Finalists
Kevin Shaw, FOX IT
Andy Wright, Sysop
Service Management Project of the Year
(sponsored by Marval)
Awarded to the organisation that has completed the most
successful and challenging IT Service Management project during
the year, demonstrating a proven ability to design, plan, build,
implement (and maintain) a Service Management service or
product to substantially improve the business operations of
the organisation.
Winner
Submission of the Year
(sponsored by Exin International)
Awarded for the Submission which is judged to offer most
informative and educational content, broadening the reader's
knowledge by introducing new concepts, methods and frameworks,
and providing pragmatic advice and guidance on service
management implementation and improvement.
Deutsche Bank – Global Technology Production Management
(GTPM)
Finalists
McKesson – ESR Integrated HR and Payroll system
Centrica – Project Nexus
Paul Rappaport Award For Outstanding Contribution
to Service Management
Winner
Ian Macdonald, The Co-operative Financial Services
Winner
Finalists
Marie Gough, National Australia Group
Gillian Hughes/Sharon Hutchison, Standard Life
International
Ashley Hanna, HP
Chair, itSMF UK Publications ESC
TRAINER OF TH
E YEAR. Winne
r Michelle Maj
or-Goldsmith,
Sysop
SBC
rpenter, H
ichard Ca
R
r
e
n
in
.W
EAR – ITIL
OF THE Y
STUDENT
SERVICE INNOVATION OF THE YEAR
. Winner GCHQ
SERVICE MANAGEMEN
T CHAMP
ION. Winner Clare Hubbar
d,
The Met Office
G CONTR
STANDIN
FOR OUT
D
R
A
W
A
,
PPAPORT NT. Ashley Hanna
PAUL RA
AGEME
N
C
A
S
M
E
E
s
n
IC
o
SERV
ublicati
MF UK P
Chair, itS
SERVICE MAN
AGEMENT PROJ
ECT OF THE YE
Winner Deutsc
AR.
he Bank
IBUTION
TO
TALKING TO... ASHLEY HANNA
This year’s winner of the prestigious
Paul Rappaport Award for Outstanding
Contribution to IT Service Management
is Ashley Hanna. Ashley is a business
development manager with HP and has
devoted many years to developing ITSM
publications and qualifications. ITIL
author and lexicographer, senior ITIL
and ISO/IEC 20000 examiner, and
tireless chair of the itSMF UK
Publications Executive Sub Committee
(PESC), Ashley is also a publications
advisor to itSMF International and is
currently technical continuity editor for
the ITIL update.
Talking to...
Ashley Hanna
FIRST OF ALL, CONGRATULATIONS ON
WINNING THE PAUL RAPPAPORT
AWARD. WHAT DOES IT MEAN TO YOU
TO BE PART OF SUCH AN ILLUSTRIOUS
LIST OF WINNERS?
This award means a great deal to me and it came
as a complete surprise. As the list of previous
winners and the requirements of the award were
being read out, I began to wonder what one
needed to do to achieve this award and whether
it might be possible for me to achieve it one day.
About 30 seconds before my name was
mentioned I realised it was me and I was a little
overwhelmed if I am honest. I now understand it
is a tradition for the winner to say a few words
but this seemed to pass me by completely!
Of course, you can’t do these things on your own
and a great many people have helped me along
the way. Indeed, that’s one of the great things
about working on the publications subcommittee and with the UK board – the team
work is tremendous and many people give very
significant amounts of their own time to help get
things done for the benefit of the ITSM industry
and our members.
YOU HAVE BEEN AN ACTIVE MEMBER
OF ITSMF UK FOR MANY YEARS NOW –
WHY IS MEMBERSHIP OF THE
ORGANISATION IMPORTANT TO YOU?
itSMF is a thought leader in the ITSM space and
the UK has been very fortunate to have among its
members many significant contributors to the
industry and to our body of knowledge. itSMF UK
has always provided a mechanism for its
members to network and share their experience
through our annual conference and through our
ongoing sub-committees and special interest
groups. I started to get involved formally in 2003
when I volunteered to join my first sub-committee
- I was made to feel very welcome and was
encouraged to contribute almost immediately.
HOW DID YOU ORIGINALLY BECOME
INVOLVED IN IT SERVICE MANAGEMENT?
I was a consultant at Tandem Computers, helping
customers to install and implement fault-tolerant
systems and real-time applications. But we
realised that hardware and software fault tolerance
was not enough: if you ignore warning messages
or turn the whole thing off by mistake, then it’s
going to fail, however fault-tolerant the design
might be. I joined a consulting practice within
Tandem focused on operations management (as
we called it then) – helping customers to design
and manage the complete end-to-end process of
delivering IT services. As ITIL became established
we began to adopt it and use it as the basis for
our advice and guidance to customers.
WHAT IS THE BIGGEST CHANGE
(ENCOURAGING OR OTHERWISE!) THAT
YOU HAVE SEEN IN ITSM DURING THE
TIME THAT YOU’VE BEEN INVOLVED IN
THE BUSINESS?
I think the biggest change has been the growth in
the adoption of service management best
practice such as ITIL and ISO/IEC 20000, and the
emergence of many new players in this space.
ITSM is no longer a dark secret and has become
much more mainstream.
WHAT’S YOUR DAY JOB AT HP AND
WHAT DOES IT INVOLVE?
I work in HP’s worldwide support organization as
a business development manager, with a focus
on proactive ITSM services. As with other
technology vendors, our support services started
by providing reactive break-fix and preventive
maintenance, but we now provide our customers
with on-going help in the implementation,
operation and continual improvement of their IT
services. This includes support for people and
process as well as just technology. These
services are complementary to HP’s more
traditional time-bound consultancy and projectbased services. My role includes a variety of
responsibilities, from the design and
development of services, training and mentoring,
to on-site consulting with customers. I am also a
co-lead of HP’s Service Management Profession,
where we collect and share knowledge, and help
develop our member’s capabilities through
mentoring and training.
WHEN YOU’RE NOT WORKING, HOW
DO YOU LIKE TO RELAX?
I like to spend time with my family as often as
possible. My daughter is still at school and my
son is in his first year at University - both of
which involve lots of driving around! I also have a
39 year old classic car, an Austin Healey Sprite,
and I spend quite a bit of time collecting up the
various bits that seem to drop off fairly regularly
– you haven’t come across one of my windscreen
wipers have you?
IF YOU WERE GRANTED ONE WISH
FOR THE FUTURE OF SERVICE
MANAGEMENT, WHAT WOULD IT BE?
I would love to see more members able to share
their best practices and to get their contributions
recognised. From my perspective, I hope to be
able to extend the reach of the PESC further, and
to encourage and support people to take part in
QA/review of white papers and books, and also to
be authors in their own right. ■
CONFERENCE
THREE NEW POCKET GUIDES FROM ITSMF UK
itSMF UK and TSO have launched two new intermediate-level ITIL pocket
guides for the ‘Service Offerings & Agreements’ and ‘Planning, Protection
& Optimisation’ modules of the Capability stream. These titles complete
the series of four Capability Handbooks, as ‘Operation Support &
Analysis’ and ‘Release, Control & Validation’ were launched a year ago.
With the complete range of Capability Handbooks and Key Element
Guides, there is a now a pocket guide to accompany each of the ITIL
intermediate courses. The co-branded ‘ITIL V3 Foundation Handbook’ is
already in use by thousands of students each year as a revision guide for
the Foundation exam.
itSMF UK has also published a revision to its popular pocket guide,
‘Planning and Achieving ISO/IEC 20000 Certification’. As well as providing
updated information on the ISO/IEC 20000 Certification Scheme, which
was developed by itSMF UK and is now owned by APMG-International,
the book acts as a useful reference for those who need a basic
knowledge of the ISO/IEC service management standard. This second
edition covers the latest additions to the standard and outlines the current
alignment between ISO/IEC 20000 and ITIL V3.
PUBLICATIONS UPDATE
For further information on these and other IT service management
publications, visit the itSMF UK bookshop at www.itsmf.co.uk. Remember
to log into the site to gain your membership discount of 15 to 20%. ■
New Specialist
qualifications in IT
service management
IURP %&6 7KH &KDUWHUHG
Institute for IT
Our new series of qualifications focus on
specific IT service management job roles.
The six qualifications:
š HPEUDFH EHVW SUDFWLFH IURP &2%,7 ®,
,62,(& 6),$6),$plus and ITIL®
š HQDEOH MRE VSHFLILF VNLOO GHYHORSPHQW
š DUH LQGXVWU\UHOHYDQW DQG LQWHUQDWLRQDOO\
recognised
š DUH HQGRUVHG DV ,7,/ &RPSOHPHQWDU\
Products
š DWWUDFW FUHGLWV WRZDUGV ,7,/ ([SHUW
Find out more at
www.bcs.org/iseb/specialist
ITIL® is a Registered Trade Mark of the Office of Government Commerce
in the United Kingdom and other countries.
COBIT ® is a trademark of the Information Systems Audit and Control
Association and the IT Governance Institute.
The British Computer Society (Registered charity no. 292786) 2010
MTG/AD/878/1110
ENGAGING THE BOARD
Engaging the
d
r
a
o
bored b
ITSMF UK TRAINER OF THE YEAR MICHELLE MAJOR-GOLDSMITH FROM SYSOP CONSIDERS
WHY IT SERVICE MANAGERS FIND IT SO HARD TO COMMUNICATE EFFECTIVELY WITH SENIOR
BUSINESS MANAGEMENT.
hy is it so difficult to sell service
management and the ITIL framework?
After all it’s just about good common
W
sense…
Allow me to play out a scenario. Imagine your
typical IT manager. He is focused on the IT
infrastructure and therefore engages in
conversations about IT in a technical way,
proudly vocalising about what the hardware
and applications do, how they do it, at what
speed and for how long.
This is also how the Service Management piece
plays out too. We hear comments such as, “Our
team have attended a brilliant set of ITIL courses.
They now know how to write and improve
processes for Incident Management, Problem,
Change, Release, and even how to design a
CMDB for us. It’ll be great, we will do things the
right way, we’ll know where to go to find
information, we’ll know exactly where all are
infrastructure is. More than that, we can look at
what’s going wrong and know exactly what
affects what. Best of all, we can do proper
Financial Management and surely that will
please the Board?”
However, the Board are sitting in their offices,
thinking about different things:
• How are we going to gain competitive
advantage in the marketplace?
• How can we leverage our skills and assets
to deliver better results?
• How can we create more revenue?
• Do we use the current customer base
and product range or do we try and
expand both?
• How do we increase and leverage our
customer knowledge and market our
products in a more effective way to them?
• How do we use all this to deliver a
better return on investment and
shareholder value?
In short, there are two sets of dialogues,
coming from two directions, from the very
people who should understand what each other
are talking about.
Consider the quote in the ITIL books: ‘IT is at the
heart of every business’. This may be so, but then
why is it that the focus of IT plays out like this?
We hold review meetings, and what do we talk
about? One of two things – how good we are or
how bad we are. Either way, it is a view of IT, from
an IT perspective, talking about IT-focused
performance. We’re consistently brilliant at one
thing in IT and that is providing endless statistics
about how full, empty, fast or slow something is,
depending on what we are trying to prove or
cover up. However, this doesn’t really mean
much in terms of communicating with the Board.
Where are the links between the demands of the
organisation and the way the services support
them? We tend to end up with just a pile of
statistics showing that more money is needed to
prop up IT.
ENGAGING THE BOARD
Put yourself in the shoes of a CEO for a moment.
She thinks, “I want to grow this business. The
recession is on its way out and we can see
through the gloom. We need to grow this year by
around 10%, but we can’t increase the cost base
by more than 3%, so everyone will have to get by
on a minimum. I especially don’t want that IT
manager coming to me with excuses about
performance this and terabytes that. We need to
achieve growth at minimum cost.”
If we actually start to have conversations with the
CEO about her business rather than IT we might
learn something. As we know from our ITIL
tomes, effective Service Management is about
providing value to customers without the
associated costs, risks and complexity. The CEO
isn’t interested in throughput, disk space,
transaction rates and CPU. Her focus is on the
success of the business and in making sure that
it operates effectively and delivers growth.
Establish how the business intends to grow.
Depending on the growth strategy chosen, there
will be different implications. Simply taking the
message of growing the business could lead to
all sorts of ill advised projects and purchases,
most of which will achieve no more than further
denting both the reputation of IT and the already
restricted budgets.
So, what does growth mean? In the commercial
world, we have three typical definitions for
growth:
1. Increasing the value of each sale. This may
actually be through increasing the price of
the products or increasing the amount of
products each customer buys
2. Increasing the number of customers, so you
have more people buying the same things
3. Increasing the frequency of sales, so people
buy the products more often
What the IT manager really needs to do is:
• understand what the business is actually
trying to achieve - its objectives.
• get the CEO to understand how important IT
is in fulfilling those objectives.
The CEO has demands set by shareholders and
customers. She wants to save money where
possible and also grow the business. The IT
manager needs to be able support this strategy
by providing IT services to support the business
processes. He already knows that he can use
Service Management to enhance the delivery of
the services, the processes and the supporting
technology. This in turn should lead to a more
robust and responsive IT offering, and for the
CEO less downtime, more productivity, and of
course that all important growth.
UNDERSTANDING BUSINESS GROWTH
A business will always need to grow or it will
stagnate or worse, die. IT has to help the
business grow. But what do we mean by growth?
IT may have entered into a dialogue with the CEO,
now it’s time to show we really want to
understand the business strategy and start
questioning the growth.
Each of these has a subtly different impact on the
infrastructure needed to support them.
Increasing the cost of products may just mean a
simple project to ensure prices on the web site
and in stores are all increased by a percentage.
Potentially there are no hardware/software
changes. By increasing the number of
customers, there may be a need to expand
transaction processing capacity or even integrate
IT with the equivalent function in another
organisation if a merger takes place to increase
market share. This is likely to involve a major
project in either case. Frequency of sales may
mean a need to increase current network,
processing and storage capacity.
These are very simplistic views, but they
demonstrate some of the ways that things can
go wrong if there is no dialogue or understanding
of objectives and strategy. In the public sector
these objectives are expressed in a slightly
different way:
1. Increase service take-up.
Encouraging your current users to use all
the services available to them and use them
more often.
2. Provide services to more people.
Take the services you have but offer them
out to more people. Retire legacy systems,
encourage use of your new investments.
3. Provide more services.
Do things internally that have typically been
done by third parties in the past. Grow and
enhance the Portfolio with some cuttingedge services.
So when the business talks about growth, they
want to know that they have control of the
supporting infrastructure. However, the business
considerations tend to be:
• The logistical support of what they are doing
– how will it be supported and delivered?
• How reliable will the performance be? The
first time the infrastructure fails we’ll lose
customers to the opposition.
• Do we have the right assets to support this?
• How do we market this drive? Do we have
the capability to promote it and deliver
this growth?
• What about the finance? How do we
achieve this growth with the cost
restrictions in place?
The IT manager is thinking, “These are very
important considerations but I need the business
to understand not just logistics and warehousing
and market spaces; I also need them to consider
the impacts on the IT services. I don’t need the
CEO to understand the technical detail but I do
need to engage her in how the services are
being used.”
Consider the way the role of IT has changed. In
the 1970s IT was used to replace clerical tasks
such as Payroll and Invoicing. In the ‘80s and ‘90s
the focus shifted and IT was used to provide
essential services to support vital business
processes. In the 21st Century the business is
increasingly dependent on IT for competitive
advantage. Take low-cost airlines as an example.
Could they begin to operate without their online
booking systems? Bear in mind how they
reduced their administration costs by getting us
ENGAGING THE BOARD
to check in on line and even print our own tickets.
Today IT IS the business. Most modern
businesses simply can’t operate without it!
In reality what the CEO is thinking is now
mirrored by the IT manager but from the other
direction. The CEO is concerned with how all the
parts fit together and are supported to deliver the
growth plan and cost containment. The IT
manager is now fully conversant with the
requirements of the strategy and can consider
how IT can adapt to meet these demands.
ENGAGING THE BOARD
We (IT) have the attention of the Board; now we
must keep it. So we need to have a very different
conversation. We engage the CEO in
understanding how the business depends on IT;
how its use of IT can be flexed to impact on the
overall cost base. We can initiate sensible
discussions about creative ways of using the
services to get the most from the investment. We
can talk about ways to reduce demand where we
are feeling the strain and utilise the spare
capacity more effectively. This is how good IT
strategy evolves! Sadly, most organizations do
things the way they do because they always did
them that way.
By understanding how and when IT supports
business process, the IT manager can build up
profiles of activity and use these to have
discussions offering suggestions and
alternatives. After all isn’t that how Richard
Branson encourages us to use the trains in a
particular way or how British Gas entices us with
bronze, silver or gold boiler maintenance
packages? This is about using their resources in
the most effective way, only achievable if you
know how your business or customers are using
the service.
Back to discussions with the CEO: we won’t bore
her with the technical details but, based on the
service profiles, IT can model the patterns of
activity and projected growth of the business to
offer an insight into the impacts on IT and some
options and costs.
We need to engage the Board. Both talking to
them and listening to what they have to say. By
listening we can propose services that actually
deliver to the needs of the business and
demonstrate our ability to keep to commitments.
From here, we demonstrate the reliability not
only of the infrastructure but of the entire IT
department through the services we deliver and
how we execute that delivery. We agree what to
deliver, within what scope and according to what
measurements.
This builds us up to be respected by the business
for our consistency and commitment to the
delivery of service. And now IT has respect for
the business, as they are now treating us as an
integral part of their strategy. We have
established mutual trust, a ‘Service Culture’
where a true partnership status exists. Now all
we need to do is maintain that trust through
continual service improvement and dialogue.
In today’s society, information technology
services are as important to the business as the
distribution, warehousing, sales and marketing
departments. IT is the strategic asset that makes
it all tick. IT is the business!
So surely there must be some ITIL guidance,
something to tell us how to align our IT and
business strategies? Something that tells us how
to establish a service culture and achieve shared
strategy, vision and objectives? Here it is…
In 1937, British born economist Ronald Coase
concluded that the boundaries of firms are
determined by transaction costs.
The concept of transaction costs used here is not
to be confused with the discrete cost of
transactions such as requests, payments, trades
and updates to databases. What is referred to
here are the overall costs of economic exchange
between two parties, including but not limited to
costs incurred in finding and selecting qualified
suppliers for goods or services of required
specifications, negotiating an agreement, cost of
consuming good or services, governing the
relationship with suppliers, to ensuring that
commitments are fulfilled as agreed.
Policing and enforcement costs are the costs of
making sure the other party sticks to the terms of
the contract, and taking appropriate action (often
through the legal system) if this turns out not to
be the case.
So begins the introduction to the ITIL Service
Strategy book. This guidance is supposed to
support IT in engaging with the business and
aligning IT strategy to business strategy.
Sadly, what we have here is a collection of
words that will put off even the most hardened
and determined.
The reality is that it isn’t that hard to align
strategies and engage the Board. It’s about
creating and maintaining a dialogue to establish
common goals.
In short:
• Understand the business objectives. Talk to
the Board; ask them to clarify the corporate
strategy so that you can align your services
and help them achieve their objectives.
• Speak the right language. Don’t try and
cover everything with IT speak and
technology.
• Map the IT strategy to the business strategy.
By demonstrating a clear link to IT services
and how they underpin business strategies,
the Board will understand the need
to invest.
• Establish a service culture, involving shared
responsibility and an appreciation of the
importance both the business and IT play in
the effective delivery of services.
• IT is a strategic asset (if we get it right)! We
can only do that by knowing what our CEO
or our customers need from those services.
A very brief conclusion, but that is the point.
Rather than the text we saw quoted from the
Service Strategy book, the route to engaging the
Board and aligning IT and business strategy is
actually a straightforward one, based on plain
talking and ongoing dialogue. ■
COBIT 5
COBIT 5:
development
now underway
ROB STROUD PROVIDES AN UPDATE ON ISACA AND THE COBIT
GOVERNANCE FRAMEWORK
I am currently serving as an ISACA
international vice president and have long
been involved with the development of
ISACA intellectual property (IP), including COBIT.
In this column I would like to outline some
significant developments that are underway in
the organisation.
A
ISACA was established back in 1969 in response
to the demand for a centralised source of
information and guidance in the growing field of
auditing controls for computer systems. Today,
ISACA has more than 95,000 members
worldwide. A significant part of the value that
ISACA provides to its members is access to its
guidance and research including COBIT, Val IT,
Risk IT, the IT Assurance Framework (ITAF), the
Business Model for Information Security (BMIS)
and more, all of which supports the ISACA
mantra of “trust in, and value from, information
systems.” More information is available at
www.isaca.org.
I know that some ServiceTalk readers will not be
familiar with COBIT (Control Objectives for
Information and related Technology) which is
currently at version 4.1. COBIT is used for
governance and control by organisations globally.
Following a review of its member support
strategy, the ISACA board of directors recently
decided to consolidate and reinforce its guidance
and knowledge assets with COBIT version 5.
COBIT 5 will include the following components:
• COBIT 4.1™ Framework
• Board Briefing on IT Governance, 2nd
Edition
• Business Model for Information
Security™(BMIS™)
• IT Assurance Framework™ (ITAF™)
• Risk IT Framework
• Taking Governance Forward
• Val IT™ Framework
The objective of COBIT 5 is to provide the next
generation of ISACA’s guidance, which will help
to support enterprise governance of IT, allowing
organisations to meet current stakeholder
requirements and leverage recent developments
in enterprise governance and IT management
techniques. The initial proposed deliverables for
COBIT 5 include an end-to-end framework
structure that will include familiar components
such as a domain/process model,
governance/management practices, RACI charts
and inputs/outputs.
An initial COBIT 5 product architecture will
specify the types of ‘view’, product and other
guidance that may be delivered for specific IT
professional audiences (e.g. assurance, security,
risk managers) in support of enterprise business
needs, including COBIT for risk, COBIT for value
etc – see Figure 1.
The development of the initial components (for
delivery in late 2011 or early 2012) is progressing
well and according to plan. The release of a
public review of the design paper earlier this year
yielded more than 3,000 comments from 600
business/IT professionals, all valuable input to
the design of COBIT 5. More than 92 percent of
respondents reported that the proposed
enhancements to COBIT would be valuable or
very valuable to them.
Waiting a year for the release may sound like a
long time, but there will be an opportunity for a
sneak preview along the way. The next steps
include a subject matter expert review of the
COBIT 5 components, to be followed by the
release of a public review of the architecture and
the initial deliverables. This is currently
scheduled for the first half of 2011.
If you would like to be involved, be sure to watch
the ISACA web site (www.isaca.org) and, in
particular, the COBIT 5 web page
(www.isaca.org/cobit5) for information on when
the public exposure draft of the initial
deliverables will be made available. In the
meantime, you can learn a lot more about the
current COBIT framework and other products
from ISACA in the Knowledge Center on the
ISACA web site. To get involved with local
activities, check out your local ISACA chapter web
site, too.
Rob Stroud is vice president, service
management and governance evangelist at CA
Inc; international vice president of ISACA and
ITGI; and a member if the itSMF International
Executive Board. ■
THE OBJECTIVE OF
COBIT 5 IS TO PROVIDE
THE NEXT GENERATION
OF ISACA’S GUIDANCE,
WHICH WILL HELP TO
SUPPORT ENTERPRISE
GOVERNANCE OF IT,
COBIT 5
Figure 1: COBIT 5 Family of Products
ITIL and ISO/IEC 27001:
bringing service
management and
security together
nformation security or, to be less formal, the
protection of an organisation’s information
assets, has seen a serious upsurge in activity,
starting in 2007/08. The momentum continues
with the majority of public sector organisations
(mirrored to some extent within the commercial
sector), now seriously conducting third-party
supplier audits and assessments.
I
What perhaps is less well understood is that
work to protect the information asset should
have been in the pipeline well before 2007/08.
The upper echelons of an organisation have
either failed to grasp the importance of the
situation or have simply left this problem to those
within the IT domain. The example of the everpresent USB memory stick, pre-2007/08, is a
perfect example of reacting to a problem that
was and regrettably continues to be the cause of
misplaced data and information. What plans for
change were implemented within the
organisation to allow a USB memory stick to be
used as a perfectly sound operational tool, pre2007/08? Anecdotal evidence collected over the
years suggests that the simple answer is, none.
The protection of the information asset is a
corporate responsibility and yet that message
has failed to arrive in one piece. How does an
organisation go from a policy of implementing ad
hoc reactive measures to protect information
assets to one that is structured, balanced and in
tune with operational requirements? The tools
have always been available via British and
international codes of practice, guidelines and
requirements (standards). Additional tools within
the UK in the form of information assurance
maturity models for the public sector (and
perfectly valid for the commercial sector) have
come on stream via the Communications
Electronic Security Group (CESG). It therefore
begs the question; why is there so much angst
when highly skilled and experienced individuals
attempt to put in place preventive measures to
protect the information asset? Senior officers
should always remember that implementing an
IT solution is not always the first port of call.
This article highlights procedural techniques that
are utilised within the service management
domain that could be used to roll out positive and
workable information governance, security and
assurance. The notion of change, for example,
and the procedures adopted within change
management can and should be used to positive
affect throughout the organisation. Perhaps a
unified theory is beginning to form, the outcome
of which can only be a positive step forward.
Indeed, this article helps to show that many of
the existing service management processes and
practices that may already exist within an
organisation can be used to good effect for
satisfying parts of the ISO/IEC 27001 international
standard.
WHAT IS ISO/IEC 27001?
The full name of the ISO/IEC 27001 standard is
‘ISO/IEC 27001:2005 - Information technology Security techniques - Information security
management systems – Requirements’. It is the
only auditable international standard which
defines the requirements for an Information
Security Management System (ISMS).
The standard is designed to ensure the selection
of adequate and proportionate security controls;
these controls help protect information assets
and give confidence to stakeholders such as
customers. Individual controls are neither
specified nor mandated; these are dependent on
the size and type of organisation, and what is
applicable to their business.
The standard itself adopts a process approach for
establishing, implementing, operating,
monitoring, reviewing, maintaining, and
improving the ISMS. ISO/IEC 27001 is intended to
be used in conjunction with ISO/IEC 27002, the
‘Code of Practice for Information Security
Management’, which lists security control
objectives and recommends a range of specific
controls. Organisations that implement an ISMS
in accordance with the advice provided in ISO/IEC
27002 are likely to meet the requirements of
ISO/IEC 27001 for certification.
The ISO/IEC 27001 standard, published in October
2005, is one of the growing ‘family’ of ISO/IEC
27000 series of standards. These standards are
derived from BS 7799 and provide generally
accepted good practice guidance on ISMS,
designed to protect the confidentiality, integrity
and availability of the information content and
information systems.
CONTROLS AND CONTROL
OBJECTIVES
One of the key aspects of ISO/IEC 27001 is Annex
A – Control objectives and controls. This table
lists the 11 control areas of the standard, their
associated control objectives (39 in total), and the
MARK SYKES AND NIGEL
LANDMAN DISCUSS THE USE
OF ITIL IN SUPPORTING THE
DELIVERY OF COMPLIANT
PRACTICES FOR
INFORMATION SECURITY
MANAGEMENT SYSTEMS
Area
Number of relationships
A.5 Security Policy
A.6 Organisation of Information Security
A.7 Asset Management
2
22
2
A.8 Human Resources Security
10
A.9 Physical and Environmental Security
13
A.10 Communications and Operations
Management
32
A.11 Access Control
12
133 controls themselves. Controls are required to
be put in place so that an organisation can
manage the risks to their information security,
and are implemented relative to the greater
business risks of the organisation as a whole.
A.12 Information Systems Acquisition,
Development and Maintenance
12
A.13 Information Security Incident
Management
7
The control objectives and their controls form
the Code of Practice (ISO/IEC 27002) and it is
here that ITIL can play an important part in
supporting the delivery of many aspects of the
listed controls.
A.14 Business Continuity Management
5
It should be noted that ITIL won’t ‘do it all’ if you
are seeking to obtain ISO/IEC 27001 certification,
but it will certainly ease the path to achieving that
objective. Indeed, organisations already
operating a mature ITIL framework will find that
many of the processes and activities that are
already in place will make implementing the
information security controls that much easier,
and quite likely for less cost and much more
quickly than would otherwise be the case.
A.15 Compliance
nil
As you can see, many of the controls and their
associated implementation recommendations
can be supported by processes and activities that
form part of the ITIL framework.
The extract below, taken from the relationship
matrix, shows a number of the Service Transition
processes within ITIL and their direct connection
to the controls within ISO/IEC 27002.
Let’s looks at some of these relationship in more
detail to understand exactly where and how ITIL
can be used to support the delivery of individual
ISO 27002 controls.
CHANGE MANAGEMENT
As can be seen in the extract of the relationship
matrix above, six of the eleven control areas
show direct relationships to Change
Management. A.6.1 Internal Organisation, within
A.6 Organisation of Information Security, has the
following control: A6.1.4 - Authorisation process
for information processing facilities.
The control here is for ‘Management
authorisation process for new information
processing facilities, to be defined and
HOW CAN ITIL HELP?
Fox IT and QT&C Group recently performed a
mapping exercise that looked at each of the 11
information security control areas. The individual
controls and control objectives were reviewed,
the associated implementation recommendations
for each control were assessed, and connections
were built to the relevant ITIL v3 processes that
would support delivery of each individual control
– either fully or in part.
The exercise identified the following numbers of
relationships between ISO/IEC 27002 and ITIL:
Mark Sykes
• A11.2.1 User registration
• A11.2.2 Privilege management
• A11.2.3 User password management
implemented’. We recommend that, where
authorisation is required, then a change request
should be raised and the Change Management
process followed.
Another relationship can be found in A.9 Physical
and Environmental Security, more specifically
A.9.2 Equipment Security. The control for A9.2.6 Secure disposal or re-use of equipment states
that, “All items of equipment incorporating
storage media should be checked to ensure that
any sensitive data and licensed software has
been removed or securely overwritten prior to
disposal”. The recommendation for this control is
that devices containing information need to be
destroyed physically and/or erased with
appropriate tools to prevent any reuse of the
data; also re-used equipment needs careful
erasure to ensure no data is readable.
To support this activity, and to ensure that the
requirements are successfully fulfilled, it is
recommended that a change request be raised
and hence the Change Management process will
be initiated – this will ensure that the Information
Asset Owner (IAO) receives formal notification.
The IAO will advise on what action needs to be
performed – which may include performing an
additional risk assessment.
Similarly, A9.2.7 - Removal of property states
that, “Equipment, information or software should
not be taken off-site without prior authorisation”.
This is another clear example of where a suitable
authorisation procedure is required, together
with the appropriate level of authorisation (i.e. via
the Change Management process). A9.2.7 also
has an interface to Service Asset & Configuration
Management as the equipment should be
recorded as being off-site, using the
configuration management database (CMDB).
ACCESS CONTROL
Looking elsewhere away from Service Transition,
A.11 Access Control is broken down into seven
control objectives, the majority of which can be
found to have relationships with aspects of ITIL.
As with all of the controls, ITIL doesn’t
necessarily provide an all-encompassing answer
(or answers), but ITIL processes can support and
deliver many of the individual controls, or parts of
the controls, that are required by the ISO/IEC
27002 Code of Practice.
The ITIL Service Operation book has a process
called Access Management, and it is relatively
easy to relate this process to A.11 Access Control.
One of the seven control objectives of this
standard is A.11.2 User Access Management,
which in turn is broken down into the following
four segments:
• A11.2.4 Review of user access rights
When looking at the specific control statements
for each of these, and their associated
implementation recommendations, it is quite
simple to see that the Access Management
process within ITIL supports the delivery of the
above – and, providing the appropriate Access
Policy is in place, will go a long way to satisfying
the controls that are required.
To further support the relationship between ITIL
and the international standard, one of the
implementation recommendations is that
changes are logged for any amendments to user
access rights. This provides a clear and distinct
relationship to the Change Management process
within ITIL – indeed, this role for many
organisations will already be performed.
1.1. MULTIPLE RELATIONSHIPS
Another good example of how the
implementation of information security controls
can be assisted by the existence of a mature ITIL
framework is the control objective A.6.2 External
Parties within A.6 Organisation of Information
Security. The third control within this objective is
A6.2.3 - Addressing security in third-party
agreements.
The implementation advice for this control covers
many areas, but can be directly linked to the
following ITIL processes:
• “Clear process for change management” Change Management.
• “Service continuity process” - IT Service
Continuity Management.
• “Problem resolution process” - Problem
Management.
• “Product or service descriptions” - Service
Catalogue Management.
• “Clear reporting process” - Service
Reporting.
• “Service targets and other contractual
responsibilities such as those found in
contracts” and “Conditions of early
termination/renegotiation of agreements” Supplier Management.
Indeed, taking the whole of A.6.2 External Parties,
there are also links to Access Management, Risk
Management and Service Level Management.
OTHER STANDARDS
The mapping exercise that we performed
highlighted relationships across all five ITIL
books, and more specifically between the
majority of processes within those books.
Supplier Management is one of a number of
processes that was not in the original core ITIL v2
books of Service Support and Service Delivery,
but it is a distinct element of ISO/IEC 20000, the
international standard for IT Service
Management. Although this process is now
included within the Service Design book, many
organisations will have implemented this
process as part of their activities for achieving
ISO/IEC 20000 certification.
In this case, consider how your existing process
and underlying activities can support the relevant
information security controls as listed within
ISO/IEC 27002, and review all of your processes
(not just Supplier Management) to see where
there are synergies that can be maximised. The
same can also be said for other standards such
as ISO 9001 – Quality management systems, BS
25999 – Business continuity management, and no
doubt many others.
SUMMARY
As we have seen, there are many relationships
between ITIL and ISO/IEC 27001 (including
ISO/IEC 27002). Having a mature service
management framework will assist greatly
in achieving compliant controls that support
an ISMS.
It is important to remember that there are many
aspects of ISO/IEC 27001 where ITIL will not
provide the ‘answers’. But what ITIL will do is to
assist in many of the control aspects required by
the international standard. So make a start by
examining your current framework and look for
opportunities to utilise existing processes and
practices as part of the security controls and
ISMS that must be implemented.
As the saying goes, there is no need to re-invent
the wheel. For example, if your existing Change
Management process can support the
information security controls, then use it. Okay, it
may need adapting a little, but that will likely be a
much more effective approach (and certainly
more efficient) than starting from scratch.
Mark Sykes, principal consultant at Fox IT Ltd, is
a highly experienced service management
professional with over 20 years of experience,
performing technical, project and line
management duties. His experience includes a
number of key roles in Incident, Problem, Change
and Capacity Management for one of the UK’s
largest retail organisations, as well as
implementing Change and Release Management
in large companies both in the UK and USA.
Nigel Landman is the chair and founder of QT&C
Group Ltd. Nigel formed the companies in 2003
having retired after a full career in the UK Armed
Forces working principally in the field of security
research and development. Nigel is the author of
one book on information security management
(to be published) and is currently working on
a second. ■
ITSMF UK SUBMISSION OF THE YEAR 2010
ITIL Process
Assessment
Framework
IAN MACDONALD DESCRIBES THE APPROACH UNDERTAKEN BY THE CO-OPERATIVE FINANCIAL
SERVICES TO DEVELOP AN ITIL PROCESS ASSESSMENT FRAMEWORK THAT PROVIDES A SIMPLE,
LOW-COST AND MODULAR METHODOLOGY FOR THE DELIVERY OF ITIL PROCESS ASSESSMENTS. IN
THIS FIRST ARTICLE, HE TALKS ABOUT THE FRAMEWORK ITSELF. IN THE NEXT ISSUE OF SERVICETALK,
THE AUTHOR WILL COVER BENCHMARKING, PLANNING CONSIDERATIONS AND LESSONS LEARNED.
rocess assessments are the formal
mechanisms for comparing an
organisation’s current ITIL process
environment against established industry
performance standards and criteria for the
purpose of identifying shortcomings, differences
and gaps.
P
The ability to perform ITIL process assessments
and use these to establish baseline
measurements and benchmarks for future
comparison are key tenets of the Continual Service
Improvement (CSI) model.
In the marketplace, there are many service
management consultancy groups that provide ITIL
process assessment services and offerings. Many
companies perceive these to be their only viable
option. Typically this belief is based upon a view
that they do not have the internal skills, expertise
or tools to execute an assessment for an exercise
that is considered overly complex and resourceintensive.
This case study challenges these beliefs by
providing a credible alternative in-house approach
that can deliver comparable results at significantly
lower cost.
The need to develop an in-house competency is
becoming more important for organisations truly
committed to CSI. ITIL process assessments
should be performed and repeated on a periodic
basis and therefore, in today’s economic climate,
a more cost-effective and flexible alternative is
required from that available in the external
marketplace.
This article (and the second part in the next issue
of ServiceTalk) document the approach
undertaken by the Co-operative Financial Services
(CFS) to develop an ITIL Process Assessment
Framework (IPAF) that provides a simple, low-cost
and modular methodology in the delivery of ITIL
process assessments.
The methodology employed utilises existing
industry best practice publications, tools and
reference material and adds additional value by
providing a balanced and holistic view of the
organisation’s ITIL process maturity by focusing
on four key dimensions:
• The process management perspective
• The process maturity perspective
• The customer perspective
• The ITIL perspective
The IPAF methodology has been used extensively
to assess the process maturity of the ITIL process
environments across the CFS and Britannia
organisations.
The case study therefore benefits from the
learning gained and provides you with a
comprehensive guide including tangible ‘start-up’
support on how to successfully establish the IPAF
methodology and in how to perform the activities
necessary to deliver a successful ITIL process
assessment.
The benefits of the IPAF approach have been
endorsed by the CFS and Britannia process owner
communities (the two companies merged in 2009),
who endorse the fact that the core design
principles of ‘simple, low cost and modular’
combine to provide a comparable output to that
provided by consultancy groups.
The methodology has allowed CFS to identify a
programme of tactical process improvements that
position the combined organisation to achieve its
strategic aim of creating an integrated service
management process model. It has also provided
an organisational blueprint to help improve our
overall IT service management capability. This has
been achieved with zero spend on external
consultancy support.
33% RATED THE IPAF REPORTS AS MORE VALUABLE AND 67% AS
COMPARABLE TO A PROCESS ASSESSMENT REPORT PRODUCED
IN 2008 BY AN EXTERNAL CONSULTANCY GROUP.
THE CSI PERSPECTIVE
CSI embraces every aspect of the ITIL service
lifecycle and can be applied to provide a sustained
improvement in IT performance and to deliver a
positive uplift in the service management
capability of the IT service provider.
The most important aspect of understanding how
to improve is knowing what to measure and how
such measures can be assessed, analysed and
used as a basis for delivering improvements. The
ability to measure improvements and provide a
‘before and after’ comparison is essential in being
able to demonstrate the benefits of CSI and the
value delivered.
The establishment of baseline measurements and
benchmarks are key tenets of the CSI model and
ITIL process assessments are the mechanism
used to create these for your ITIL process
environment. These then help identify the desired
CSI improvement activities that can improve
process maturity and the organisation’s overall IT
service management capability:
• Assessments are the formal mechanisms for
comparing the organisation’s current ITIL
process environment against established
industry performance standards and criteria
for the purpose of identifying shortcomings,
differences and gaps.
• Comparing the current ITIL process model
against external industry references creates
the benchmark against which the
organisation can compare its existing
maturity with industry norms. This provides
guidance and direction to ensure that
resultant CSI activities reference and
leverage acknowledged industry best
practice.
• The measures and results from a well
structured ITIL process assessment create
the baselines and benchmarks against which
the progress of CSI activities instigated as a
result of the assessment can be
demonstrated.
How the outputs from an ITIL Process
Assessment Framework (IPAF) align with
the CSI Model
What is the vision?
Assessments are an effective method of
answering the question ‘Where are we
now?’
Where are we now?
How do we keep the
momentum going?
Where do we want to be?
How do we get there?
Establishing a benchmark to compare
against industry norms identifies the
shortcomings, differences and gaps within
the existing ITIL process environment and
defines the target for ‘Where do we want to
be?’
The findings and recommendations from an
assessment formulate the process
improvement plans to determine ‘How
do we get there?’
The original outputs from the assessment
created the baseline measures and
benchmarks against which a repeat
assessment can demonstrate improvement
and answer the question ‘Did we get there’
Did we get there?
Figure 1: Continual Service Improvement Model
• The customer perspective
This assessment is based upon direct
customer feedback on how well the
ITIL process is focused on meeting
customer needs.
CREATING THE ITIL PROCESS
ASSESSMENT FRAMEWORK
The IPAF was developed to enable us to adopt a
modular approach in performing ITIL process
assessments. This provided flexibility in the
scheduling and execution of the required activities.
• The ITIL perspective
This assessment compares the
current in-house ITIL
implementation against the OGC
ITIL guidance publications. This
highlights areas of nonconformance to ITIL covering
execution, terminology,
organisational construct,
measurement and reporting.
ITIL Process Assessment Framework
Process
Management
Customer
Current
State
Assessment
Process
Maturity
ITIL
Figure 2: ITIL Process Assessment Framework
The use of this framework ensured a balanced
and holistic view of our ITIL process environment
and provided the recipients of the assessment
outputs with a range of CSI opportunities to further
improve their processes. The IPAF achieves this by
ensuring the assessment considers each ITIL
process from the four perspectives mentioned
earlier:
• The process management perspective
This assessment indicates the level to which
process management
has been formally
established for each
ITIL process.
• The process maturity
perspective
This assessment can
use the ITIL V2 or V3
approach to selfassessment. This
provides a useful
indication from the
view of the IT
practitioners of how
well the process has
been deployed and
executed.
The outputs from these four areas
of assessment are then
represented within a structured
one page summary Current State
Assessment report for each
individual process within the
scope of the ITIL process
assessment activity.
THE IPAF MODULAR
STRUCTURE
PROCESS MANAGEMENT
Process management is a key discipline for any
organisation committed to CSI. Process
management helps define, visualise, measure,
control, report and improve processes so that they
are efficient, effective and consistent.
The roles (process owner and process manager)
Process Management Assessment
G
Process Owner assigned
A
Process Management fully established
G
Core Process documented
A
End-End Process documented
A
Process measured
A
Process optimised
Figure 3: Sample process management assessment as represented
within the current state assessment for a selected ITIL process.
define the accountabilities and responsibilities for
performing the planning and control activities for
each process.
The IPAF assessment helps to determine the level
to which process management has been formally
established for each ITIL process. Compliance
against defined assessment criteria for each
process management category determines the
RAG (red, amber, green) status that is reported.
PROCESS MATURITY
Process maturity is an indication of how well the
process has been developed, deployed and is
capable of continuous improvement. Assessing
the maturity of the ITIL process provides the
process owner with an understanding of the
strengths and weaknesses of their process and
importantly where CSI focus should be applied to
further mature the process.
The IPAF assessment utilises available ITIL selfassessment techniques to provide an approach
that can easily be adopted by all organisations for
both ITIL V2 and V3 process environments.
The benefits of ITIL self-assessment are that they
provide a baseline against which future
improvements can be assessed and measured.
The self-assessments are easy to schedule and
can be repeated as and when required.
The self-assessment techniques available for ITIL
V2 and V3 differ considerably. The two approaches
are explained below.
ITIL V2 - ITIL SELF-ASSESSMENT
TOOL (DEVELOPED BY THE ITSMF UK
WITH OGC ENDORSEMENT)
It is recommended to use the itSMF UK ITIL selfassessment tool which provides a structured
questionnaire for each ITIL process that can be
completed electronically. This tool is available
from the itSMF UK web site. (Note: there is a V3
equivalent, managed by OGC, but it is currently
only available through TSO’s ITIL Live product.)
The OGC self-assessment provides questions and
scoring based upon the following elements of the
process management framework:
• Prerequisites: Ascertains whether the
minimal levels of prerequisite items are
available to support the process activities
• Management intent: Establishes whether
there are organisational policy statements,
business objectives (or similar evidence of
intent) providing both purpose and guidance
to develop the process.
• Process capability: Examines the activities
being performed to support the process.
• Internal integration: Seeks to ascertain
whether the activities are integrated
sufficiently in order to fulfil the process
intent.
• Products: Examines the process outputs to
ascertain if all expected process outputs are
being produced.
• Quality control: Is concerned with the review
and verification of the process output to
ensure that it is in keeping with the quality
intent.
• Management information: Is concerned with
the governance of the process and ensuring
that there is adequate and timely information
produced from the process in order to
support management decision making.
multiple process self-assessment
workshops, creating the danger of ‘workshop
fatigue’ and risk of non-attendance.
Process Maturity - ‘Self Assessment’
Customer Interface
Distributed
External Integration
This approach is to identify the individuals who are
to participate in the process assessment and send
them their individual copy of the self-assessment
questionnaire that you want them to complete. A
deadline is set for the return of the completed
questionnaire.
Management Information
Quality Control
Products
With this approach it will be necessary to create a
spreadsheet to record all individual responses and
their scores. When all surveys have been returned
and results recorded, these are then calculated to
provide the average scores for each element of the
self-assessment process model.
Internal Integration
Process Capability
Management Intent
Pre Requisites
0
20
40
60
80
100
OCG ‘target score’ to achieve ‘capable process’
Self-Assessment scores for process
5 from 9 indicators exceed OGC maturity targets
Figure 4: Illustrative report for a selected process using the OGC-endorsed ITIL self-assessment tool.
• External integration: Examines whether all
the external interfaces and relationships
between the discrete process and other
processes have been established within the
organisation.
• Customer interface: Is primarily concerned
with the ongoing external review and
validation of the process to ensure that it
remains optimised towards meeting the
needs of the customer.
a consensus view of the response provided for
each question.
Pros
• Time efficient in providing a single time
boxed event to deliver the self-assessment
results
• Encourages debate and challenge to
ensure that the most appropriate responses
are provided
The results of the completed self-assessment are
available in graphical form and compare results
against what is considered to be ‘good practice’.
• Anecdotal comments and observations can
be captured to provide context and
understanding on how the results have
been derived.
GUIDANCE ON SCHEDULING THE ITIL
V2 SELF-ASSESSMENT
Cons
The itSMF UK tool provides a flexible approach to
performing self-assessment of the ITIL V2 process
environment.
The tool supports individual process assessments
of all processes within the Service Delivery and
Service Support publications, including the service
desk function. It is easy to use and is built around
Microsoft Excel and therefore can be completed
online allowing results to be easily shared.
• Attendance levels can be impacted by
operational events etc which may dilute the
value of the session and results obtained if
key personnel fail to attend.
• Where consensus is achieved as a
compromise (i.e. there is a minority in
disagreement) results may not be truly
balanced and are swayed by those with the
loudest voice.
• Generates additional time demands on key
personnel who are required to contribute to
To provide your final self-assessment score for the
given process, the easiest approach is to simply
resubmit the average scores obtained into an
unused copy of the self-assessment
questionnaire. Alternatively you can create your
own graphs based on the results compared with
the OGC targets for the given process.
Pros
• Provides the process practitioners with
flexibility in completing the self-assessment
at a time convenient to them within their
current workload.
• Completion rates by key personnel will be
higher as there is no dependency on set
times for workshop participation and the risk
of non-attendance due to operational events.
• Responses are more balanced and
considered. Process practitioners are not
influenced by the ‘group debate’ and have an
opportunity to reflect and review their scores
before they are returned for processing.
Cons
• The likelihood that you will need to ‘chase’
individuals to complete the questionnaires
where your deadline has passed and there
are a number of ‘nil returns’.
• Practitioner questions and/or areas of
clarification cannot easily be obtained.
• The self-assessment co-ordinator receives
numerous individually completed
assessments. An additional spreadsheet
is required to aggregate all the returned
results to provide the final scores and
graphical result.
The self-assessment is based upon a structured
questionnaire specific to each process, with each
question requiring a simple YES/NO response.
The questions are grouped under the process
management framework headings, with each
question weighted according to its significance.
HINTS & TIPS
On completion of the survey the responses are
immediately provided in numeric table and
graphical form and provide a comparison of the
completed scores versus the ‘good practice’ target
set for each element of the process management
framework.
The ‘consensus group’ approach can help mitigate this risk.
Two scheduling options can be considered when
planning for the self-assessment exercises. These
are as follows:
Consensus group
This is based on a facilitated workshop approach,
where a selected group of process practitioners
for the given process work through each section of
the process management framework and debate
each question and the response. The aim is to gain
THERE ARE A COUPLE OF AREAS OF CAUTION WITH SELF-ASSESSMENT
(1) One area of caution is that the process practitioners view the results as a reflection on their team
or department capabilities. So sections of the questionnaire that most closely relate to their team or
department have an (unrealistic) positive bias.
(2) A ‘self-assessment’ is exactly that and results will naturally reflect ‘what you know’. So, if the
prevailing views are that we are ‘good’ or that we are ‘poor’, then results typically will reflect this.
From experience junior staff are more likely to score positively compared with more experienced IT
practitioners.
• To offset this and provide balance, the approach should be to schedule assessments with a mix
of experienced individuals from different areas, blending input from core process practitioners
with colleagues from areas that interact or execute activities within the process.
• Consider involving service managers in all self-assessments. As a group they intuitively know
what works well and what doesn’t, particularly from the perspective of the customer.
(3) Each completed process assessment should be reviewed by the process owner to understand
what drives the results for each section within the assessment.
• Optimised (level 5): The process has now
been fully recognised and has strategic
objectives and goals aligned with overall
strategic business and IT goals. These have
now become ‘institutionalised’ as part of
everyday activity for everyone involved with
the process. A self-contained continual
process of improvement is established as
part of the process, which is now developing
a pre-emptive capability
• The timeframe to deliver the selfassessment results for each process is
longer compared with the scheduled single
workshop approach
ITIL V3 – THE SERVICE MANAGEMENT
PROCESS MATURITY FRAMEWORK
One approach to the assessment of ITIL process
maturity is documented in the ITIL V3 publications.
This involves comparing each process against a
process maturity model which defines five levels
of maturity (this approach is aligned with the
Software Engineering Institute’s Capability
Maturity Model Integration or CMMI).
GUIDANCE ON SCHEDULING THE
SELF-ASSESSMENT (USING THE ITIL
V3 SERVICE MANAGEMENT PROCESS
MATURITY FRAMEWORK)
The major characteristics of each level are
as follows:
• Initial (level 1): The process has been
recognised but there is little or no process
management activity and it is allocated no
importance, resources or focus within the
organisation. This level can also be described
as ‘ad hoc’ or occasionally even ‘chaotic’
Level 1
Level 2
Level 3
The service management process maturity
framework enables each ITIL process to be
compared against the criteria established for each
level within the model. The result of this
comparison is to assign a process maturity level
for each process reviewed.
The assessment of the current process ‘as is’
versus the criteria defined
Level 4
Level 5
Pros
• Has less reliance on the input of a reasonably
sized sample group of process practitioners
to complete the self-assessment.
• The results can be considered more
objective as they can be linked directly with
the defined criteria for the process maturity
level assigned.
• The results consider a broader leadership
and management perspective of the process
environment (vision & steering, process,
people, technology and culture) compared
with the more practitioner-focused toolbased assessments.
Cons
• Because of the broader leadership and
management perspective the assessment
may miss the input and opinions of the
practitioner community. There is potential
for a mismatch between the leadership
and management view and that of the
‘IT coalface’.
HINTS & TIPS
(1) To help support the assignment of a process maturity level (using V3
process management framework) it is recommended that this aspect of the
ITIL Process Assessment Framework is performed after completion of the
other IPAF activities:
Problem
Mgmt
• Process management
• Customer
• ITIL ‘gap analysis’
The outputs from the above will help better inform the comparative view of
the process ‘as is’ with the defined process maturity level criteria, and will
maximise the value of the complete ITIL Process Assessment Framework
by avoiding rework and/or duplication of effort.
Initial
Repeatable
Defined
Managed
Optimised
(2) The above ITIL self-assessment techniques can be inter-mixed. The ITIL
V3 process maturity framework is not version dependent so can be used as
an alternative to the itSMF self-assessment tool for ITIL V2 process
environments.
Figure 5: Illustrative process maturity assessment for problem management.
• Repeatable (level 2): The process has been
recognised and is allocated little importance,
resource or focus within the operation.
Generally activities related to the process are
uncoordinated, irregular, without direction
and are directed towards process
effectiveness.
• Defined (level 3): The process has been
recognised and is documented but there is
no formal agreement, acceptance or
recognition of its role within the IT operation
as a whole. However, the process has a
process owner, formal objectives and targets
with allocated resources, and is focused on
the efficiency as well as the effectiveness of
the process. Reports and results are stored
for future reference.
• Managed (level 4): The process has now been
fully recognised and accepted throughout. It
is service focused and has objectives and
goals. The process is fully defined, managed
and has become proactive with documented,
established interfaces and dependencies
with other IT processes.
for each maturity level can be delivered in a
number of ways based on organisational
preference as follows:
Consensus group
This is based on a workshop approach where a
selected group of senior IT personnel, typically
process owners and process managers, review
appropriate supporting process documentation as
the basis for determining how well the ‘as is’
process compares to the defined criteria for each
process maturity level. An agreement is made on
the level of process maturity to be assigned.
This has similar pros and cons to those described
for the consensus group approach in ITIL V2.
Independent assessment
This follows the same principles of the above but
the process maturity level assigned for the
process is provided by an independent reviewer. A
suggestion would be for process owners to
perform this assessment for processes not under
their remit. A degree of challenge via an
appropriate management forum or committee
may be healthy to ensure that there has been
consistency in approach across the process owner
community before the maturity level is ratified.
• The outputs from the process maturity
assessment will only provide high-level
pointers for areas of CSI to further improve
the process.
• Movement across the model requires ‘step
change’ improvement. Incremental
improvements delivered may not be
recognised in repeat assessments and may
de-motivate the process community.
CUSTOMER
ITIL strongly emphasises the importance of each
process being optimised towards meeting the
needs of the customer.
ITIL considers the following as key aspects of what
customers want and expect:
• Specification
• Conformance to specification
• Consistency
• Value for money
• Communications
The IPAF assessment seeks customer input to
help understand the effectiveness of each ITIL
process in delivering against the above, and
provides a useful insight into where future process
improvements should be focused and prioritised.
MSM 100% WEB-BASED ITSM
AND SERVICE DESK SOFTWARE
Now
shipping
MSM is a fully integrated, easy to use, powerful
ITSM software solution designed to help you:
MraSM v12
pid ret
urn
investment, non
hidden costs o
Drive down costs
Increase productivity and efficiencies
Do more with the same or less
Improve the quality of your IT support services
Optimise time and resources
Keep your customers informed and satisfied
For more information or to book a demonstration
of MSM contact Marval today
T: +44 (0) 1536 714325 E: info@marval-group.com W: marval-group.com
PRACTISING WHAT WE PREACH
Marval is an ISO/IEC 20000 registered company
T: +44 (0) 1536 711999
E: info@marval-group.com
W: marval-group.com
The outcomes from the customer engagement
also provide a good balance with the results from
other aspects of the assessment. Other results
from the assessment, whether good, bad or
indifferent, should ultimately be viewed in the
context of the prevailing customer perception.
Approach – interview or survey?
It is recommended that a ‘best of both’ approach is
used to gain this vital perspective of ITIL process
maturity. A selected number of customers should
be interviewed individually using a structured
approach to discuss aspects of each ITIL process
in terms of how it interacts with and supports the
day-to-day business process. The structure of the
questioning should aim to bring out the ‘key
aspects’ listed above.
A key deliverable from the interview should be a
set of scores determined by the customer based
upon their view of each ITIL process that they have
been asked to review in the interview.
recognises and differentiates standard
incident management from major incident
management, so both are scored separately.
• Scores are provided against each of the key
elements discussed with customers, e.g. for
incident management score against incident
classification, incident handling, incident
escalation, incident communications.
ITIL GAP ANALYSIS
This assessment provides a ‘gap analysis’ by
comparing the current in-house ITIL
implementation against that documented in the
OGC ITIL guidance publications and other best
practice references you wish to include. This
provides a useful indication of where gaps in
process capability exist and an overall view of
conformance to the prescribed ITIL best practice.
Aspects covered might include:
HINTS & TIPS
(1) To simplify the scheduling of sessions with the business and avoid creating additional meetings,
use the next appropriate monthly service review meeting and extend the agenda to include the
completion of this survey.
(2) The interview approach will result in many anecdotal comments and observations which, where
repeated by multiple customers, indicate potential process shortfalls. These comments should be
captured and formally recorded and handed to the appropriate process owners as an output.
(3) Consider the most appropriate customer groups for each process. Typically business customers
will relate to the service desk function and ITIL processes such as incident, problem, change and
service level management. Consider the internal IT departments and teams as a customer group.
They will relate more closely with availability, capacity, configuration, IT Service Continuity (ITSC) and
release.
• Process definitions
Scoring mechanism
A simple scoring mechanism has been devised to
allow ‘customer perception’ to be represented as a
score within the IPAF as follows:
• For each customer interview, devise the level
to which you wish to assign scoring of each
ITIL process (see Figure 7).
• Each customer interviewed is requested to
provide a ‘score’ from 1 to 5 (with 1 being
‘poor’ and 5 being ‘excellent’) for the level of
the process you wish to score.
• On completion of the business customer
interview schedule, produce an overall
customer perception rating. The overall
rating score is simply an average of all the
scores provided.
Process level
Each ITIL process should be represented within
the IPAF report with a customer perception score.
This can be illustrated in the following ways:
• A score is provided at the ITIL process level,
e.g. incident management.
• A score is provided for each aspect of a
process if relevant, e.g. the customer
1
Poor
2
Low
3
OK
4
Good
• Process policies, objectives, critical success
factors
• Process roles and other organisational
considerations
• Process interfaces (inputs and outputs)
• Process terminology
• Process measurement
Additional references (external)
In compiling your checklists you may wish to
reference additional best practice publications to
further enhance the value from the gap analysis
exercise. Some examples of additional references
are as follows:
• COBIT and the mapping of its control
objectives against ITIL. This helps establish
the level of process controls that have been
established.
• itSMF UK ITIL V2 self-assessment
questionnaire. Review the questions within
the self-assessment questionnaires and
include key questions in your checklist.
• FSA – Business Continuity Management
Practice Guide. This provides useful guidance
on observed best practice for BCM in the
financial services sector. This is useful for
comparing aspects such as the frequency of
testing, risk assessments and values such as
Recovery Time Objectives (RTO) when
reviewing the internal ITSC process.
• ‘Metrics for IT Service Management’,
published by VHP and available from the
itSMF UK bookshop. This provides the
measures and targets that you would expect
to be established for each ITIL process. This
is particularly useful in allowing a
comparison of internal process KPI targets
with external ‘best practice’.
Additional references (internal)
The following are recommended sources of
internal documentation that should be used as
input to the review:
• Structure charts
• Process documentation and work
procedures
• Reports produced as an output from the
process, e.g. major problem report
• Process KPIs and measures
Example statements for your checklist
• Process KPI targets
• Process reporting
To support the gap analysis it will be necessary to
produce a checklist consisting of a list of
statements against which you can subsequently
‘test’ your in-house process(es).
The result of each test will indicate the
conformance of the in-house process to
established ITIL best practice, i.e. where the test is
successfully completed, then this aspect of the
process is conformant. An unsuccessful test
indicates non-conformance.
The statements themselves are derived by
reviewing the established best practice
publications, which identify the key features and
requirements of the process. This is an important
investment as these checklists will be used in
repeat ITIL process
assessments. Over time the
number of non-conformances
should decline as CSI activities
by the process owner
community are implemented.
5
Excellent
Figure 6: Simple scoring model for determining the customer
perception score
can be recorded. This will help with subsequent
reporting within the ITIL gap analysis section of
the Current State Assessment (CSA) report.
Structure your checklist so that
any observations or deviations
noted during the gap analysis
Incident Management
3.2
Incident Management
Standard
3.2
Major
4
Incident Management
Incident Classification
3
Incident Communications
2.7
Incident Resolution
3.1
Incident Closure
2.8
Figure 7: Illustrative options on reporting the
customer perception of the incident management
process
To provide a better understanding of how to
populate your checklist, here are some example
statements for a selection of the ITIL processes:
Service desk (SD)
• The SD is the single point of contact for all
business colleagues and third party support
organisations with regard to day-to-day
contact regarding IT service.
• The SD has a marketing plan to raise the
profile of the desk and to better understand
the user experience of its customers.
• The SD owns the incident control process
and monitors progress on all incidents.
Incident management
• Incident classification is supported by a
priority coding system to assign incident
priority based on an assessment of urgency
and impact.
• A major incident handling procedure is
documented.
• The target value for the percentage of
incidents resolved within target time by
priority is set at 95%.
Problem management
• Problem classification is supported by a
priority coding systems to assign each
problem a priority based on an assessment
of urgency and impact.
• Major problem reviews are undertaken and
documented upon the resolution of every
major problem.
• Staff are trained in the use of methods and
techniques that help with problem
investigation and diagnosis, e.g. KepnerTregoe, Brainstorming, ISHIKAWA diagrams,
Pareto Analysis.
Change management
• Every Request For Change (RFC) is allocated
a priority that is based on the impact of the
problem and the urgency of the remedy.
HINTS & TIPS
When reviewing the in-house process
documentation, record all findings and
observations on your checklists electronically.
This provides an audit trail but also allows the
results to be shared and more importantly
reviewed by the relevant process areas. Seek
agreement to the findings and observations or
respond to any challenges raised before
completing the ITIL gap analysis section
of the CSA report.
• Each RFC is categorised using ITIL
prescribed change categories (major,
significant, and minor).
• There is a documented policy that defines
how the delegation of change authorisation in
‘out of hours’ emergency situations is
performed with the criteria and supporting
procedures required to mobilise an
emergency CAB (CAB/EC)
Release management
• There is a documented release management
policy to state which aspects of the IT
infrastructure will be controlled by definable
releases.
• Releases are categorised in line with ITIL
guidance as major, minor and emergency.
• A responsibility matrix (or similar) is defined
to denote the release responsibilities of all
teams and roles that execute within the
release management process.
Configuration management
• There are documented policies that define
the objectives, scope, principles and critical
success factors for configuration
management.
IT financial management
• Budgets are monitored and regular reports
are produced to compare expenditure
against the budget.
• Simple, accurate and timely invoices are
produced for the customer groups.
• The customer groups are periodically
surveyed to ensure the activities performed
by financial management adequately support
their business needs.
• The roles and responsibilities for the
configuration manager, asset manager,
configuration analyst and configuration
administrator are documented and assigned.
• Configuration verification and audit is
periodically performed to verify the physical
existence of CIs with the information
recorded in the CMDB.
Service level management
• Service Level Agreements (SLAs) have been
negotiated and agreed with all business
areas for the IT services provided.
• Service review meetings are scheduled on a
monthly basis with representatives of each
business area to review service achievement
and discuss key issues.
• SLA documents are reviewed at least
annually with representatives from each
business area to ensure that the services
covered and targets are still relevant.
Availability management
• The cost of an outage (financial) is known for
each critical service to help understand
business impact and help prioritise service
improvements.
• ITIL methods and approaches to help
determine and drive availability
improvements are documented and
embedded, i.e. the expanded incident
lifecycle, service failure analysis, component
failure impact analysis and technical
observation posts.
• There is a test schedule for the regular
planned invocation of resilience and failover
components to provide assurance on their
readiness to ‘work in anger’ when required.
Capacity management
• A capacity plan is produced and updated on a
periodic basis (at least every six months).
• The capacity management process has the
key capacity sub-processes defined and
executed (resource capacity management,
business capacity management, service
capacity management).
• End-to-end response times are measured
and included in SLA reporting.
IT service continuity
• Proactive risk analysis and management
exercises are performed for critical end-toend services and key components. These are
performed at least annually or after a change
in normal operations.
• All IT services are aligned to an ITSCM
recovery option (do nothing, gradual,
intermediate, fast, hot standby).
• An overview of the organisation’s approach to
business continuity management and the IT
service continuity strategy is included in the
staff induction process.
CURRENT STATE ASSESSMENT (CSA)
CSA is the main output document, bringing together all the results from each
element of the ITIL Process Assessment Framework. A CSA document is
produced for each individual process. The report is produced on a single page and
provides a powerful visual view of the results for each process (see the samples
in Figures 8 and 9).
Figure 8: Current State Assessment report format
CONCLUSION
This first article describes how the CFS set up its
ITIL Process Assessment Framework and some of
the issues that we had to consider along the way.
The second part in the next issue will look at
benchmarking, planning considerations and
lessons learned.
Ian Macdonald is a senior IT specialist at the
Co-operative Financial Services and winner of the
itSMF UK Submission of the Year award in 2009
and 2010. ■
Figure 9: Illustrative Current State Assessment report for incident management
CHANGE MATTERS!
Change matters!
Ten golden rules for
successful change
management
TIME DOESN’T STAND STILL AND NEITHER DOES YOUR BUSINESS, SAY MAYA MALEVICH
AND MICHAEL HAMELIN. SO WHEN YOU NEED TO MAKE CHANGES, HERE’S WHAT
(AND MORE IMPORTANTLY WHAT NOT) TO DO.
e all know that nothing stays the same
- no matter how much we might wish it
did. In business new services will be
introduced and unpopular ones discontinued in
response to business requirements. Technology
is no different; new applications will need to be
integrated into the existing infrastructure and
others dissolved. Equally the workforce ebbs and
flows with new employees (or new project team
members) requiring access to corporate data and
leavers needing to be removed. Change happens,
it’s a fact of life, but it needs to be handled
competently if the desired benefits are to
be realised.
W
When it comes to reflecting these changes in IT
systems, complexity and a lack of process have
compromised best practices. Organisations are
ready to take action – but the enormity of the
situation means many do not know where to
start, or even how.
WHERE DOES IT ALL GO WRONG?
HOW CAN WE MAKE IT RIGHT?
We’ve all been there. We’ve arrived bright and
breezy on a Monday morning only to find that a
change implemented over the weekend causes
things not to work as they should. Often this
results in IT support scrambling around the
network, making random changes without
planning or authorisation, in a desperate effort to
find and ‘fix’ the fault.
There are many ‘steps’ that should be followed
when defining a change management process.
Our ‘top tips’ for handling this are :
The reality is that all of these little tweaks can
potentially cause additional problems that may
not come to light at first, instead rearing up at a
later date when the connection to the original
change has been completely lost.
Step 2: Define how changes are requested and
what supporting documentation is required. This
could be as simple as an email request to a
triplicate form that is completed and officially
submitted to a pre-determined person.
A more worrying issue is when these changes
aren’t identified. There have been numerous
examples of how failing to control the process has
led to breaches and compliance violations that
can be traced back to mis-configured systems.
Step 3: Define the change management process
so that everyone knows what will happen and by
when. This should include how changes are
prioritised, timeframes involved, how they can be
tracked, and how they’ll be implemented. As part
of this step, you should also define the appeals
process. It should cover how a person is
informed that their request has been declined,
the reason why it failed and what happens next.
Step 1: Graphically build existing workflow
processes within your organisation. Ideally they
should fit ITIL guidelines, or at the very least the
organisation’s pre-defined processes.
Step 4: If you don’t already have one, establish a
Change Advisory Board (CAB). This should
include a representative from each area of the
business. This team will have responsibility for
reviewing all requested changes, checking that a
change is complete, that it meets a business
need, that the impact on other areas of the
organisation both negative and positive are fully
Michael Hamelin
CHANGE MATTERS!
understood, and finally whether the change
would introduce risks. If declined, this decision
needs to be communicated back to the originator
with the reasons why. If approved, the team
would then be responsible for communicating
the change to those affected by it.
Step 5: Design the change. During this stage it is
important that any conflicts or insecurities are
identified and rectified to avoid expensive
repercussions at a later point. It may be prudent
for this role to be split into two with an
administrator to verify that the change remains
within corporate compliance. This is sometimes
easier said than done as, in making a change to
meet one standard, you could quite easily be in
breach of another; so this role can be key in
determining what is and isn’t allowed. Tools are
available that can help with this veritable
minefield to automate, check and flag potential
compliance conflicts.
Step 6: Implement and document the change. In
an ideal world, the person who implements the
change should be different from the person who
designed it to avoid a conflict of interests.
Step 7: Verify that the change has been made,
that it has been executed correctly, and that only
authorised changes have been implemented.
Step 8: Have a backup plan. If a change has been
implemented that has had an adverse affect on
a system, rather than blindly making follow-up
changes to try to ‘fix’ the problem, the original
change should be reversed, reassessed and
re-implemented once the point of failure has
been identified.
Step 9: Audit the change process. It is important
to check that approved improvements have been
made – after all they have been identified as
being beneficial to the organisation.
Step 10: Regularly reflect on the change
management process to identify any sticky areas
that can be improved.
MANUAL VERSUS AUTOMATED
Many organisations still rely on manual
documentation of their network configurations.
This means that access requests are also
manually processed, which intoroduces a
number of pitfalls:
1. Extended costs of manual changes
Manual requests can typically take anything
up to ten days, which is time that could be
utilised elsewhere. A further issue is time
wasted checking, verifying and
implementing unnecessary or duplicated
changes that an automated process would
have identified.
2. Risks of something breaking
As the workflow is all on ‘paper’, it is
virtually impossible to check all potential
break points without automating the
process. Sometimes the team will have
spent a great deal of time engineering the
change up front for it to be denied by the
risk team because approval is sought too
late in the process.
3. Lack of audit and accountability
As everything is on paper, and often
hurried, processes will go out the window
with paperwork submitted after the change
has been implemented, if at all. This can be
as basic as having no idea who requested
the change or why it was needed in the
first place.
4. Compliance that is impossible to define
and enforce
With just documentation to determine what
the organisation’s compliance requirements
are, administrators are left to use their own
personal judgement to determine whether
a new rule introduces risks.
5. Quality of service
As it takes longer to submit and implement
changes the service is suffers – both
internally and externally. This can lead to
revenue loss and poor image in the
marketplace.
Change is happening constantly and
organisations need to put clear steps in place to
manage the process successfully.
Maya Malevich is director of product
management and Michael Hamelin is chief
security architect at security lifecycle
management specialist Tufin Technologies. ■
THE ITIL UPDATE
The ITIL Update:
meet the team
carefully selected team of authors and
mentors is currently updating the ITIL
guidance in response to users’ feedback
and suggestions from the training community.
A
The process of assembling the team began in
December 2009, when a mentoring team was
appointed, headed up by Shirley Lacy. As overall
project mentor, Shirley is responsible for
consistency across all five books. Other team
members include Ashley Hanna as technical
continuity editor, David Wheeldon as mentor of
the strategy and improvement titles (Service
Strategy and Continual Service Improvement)
and Colin Rudd, who is mentoring the authors
working on the lifecycle titles (Service Design,
Service Transition and Service Operation).
The mentors advise and support the authors,
reviewing their work and providing insight. All of
the mentors contributed to the creation of ITIL V3
and their presence on the project team provides
a vital thread back to the inception of V3, helping
to ensure continuity.
Once appointed, the mentoring team worked with
TSO and OGC to select authors for the five core
books and the Introduction to the ITIL Service
Lifecycle. Following a rigorous selection process,
which included a written assessment and an
interview, the authors were appointed. David
Cannon (Service Strategy), Lou Hunnebeck
(Service Design), Stuart Rance (Service
Transition), Randy Steinberg (Service Operation),
Vernon Lloyd (Continual Service Improvement)
and Anthony Orr (Introduction to the ITIL Service
Lifecycle) have, under the guidance of their
mentors, been working to remedy errors and
inconsistencies in their respective titles, address
issues raised via the Change Control Log, and
consider suggestions made by the training
community.
Authors and mentors, along with representatives
from TSO and OGC, participate in a weekly
teleconference. They report to the Project Board,
which also meets on a weekly basis. Regular
communication and a close working relationship
are essential in ensuring consistency across
all titles.
The people working on the ITIL Update project
are dedicated individuals with proven experience
and expertise in ITSM and ITIL. Their
commitment to the project, along with TSO’s
publishing expertise, will result in updated
guidance that is consistent, easier to understand
and easier to teach. ■
JEVIN MERCER-TOD
OF TSO INTRODUCES
THE AUTHORS
AND MENTORS
RESPONSIBLE FOR
THE FORTHCOMING
ITIL UPDATE.
SHIRLEY LACY: PROJECT MENTOR
Shirley is an acknowledged leader and specialist in service
management. Co-author of the ITIL Service Transition
publication, she has been an active contributor, reviewer
and collaborator in the development of international
standards, ITIL and supporting publications.
STUART RANCE: AUTHOR, SERVICE TRANSITION UPDATE
As well as delivering HP’s mission-critical partnership
service to some its largest customers, Stuart helps develop
and deliver ITIL and other training courses. Stuart is a
senior ITIL examiner for APMG and he co-authored the ITIL
V3 glossary.
ASHLEY HANNA: TECHNICAL CONTINUITY EDITOR
An HP business development manager and chair of the
itSMF UK Publications ESC, Ashley has contributed to
numerous ITIL V2 and itSMF publications and co-authored
the ITIL V3 glossary. He won the 2010 Paul Rappaport Award
for outstanding contribution to IT service management. See
the interview with Ashley in this issue of ServiceTalk.
VERNON LLOYD: AUTHOR, CONTINUAL SERVICE
IMPROVEMENT UPDATE
Vernon has filled a very wide range of operational and
management roles in the ITSM industry. He is international
client director for Fox IT and honorary life vice-president
of itSMF UK. He was a lead author of the V3 Service
Design book.
DAVID WHEELDON: SS AND CSI MENTOR
A former HP director of service management, managing
drector of CEC Europe and chief ITSM consultant with
Ultracomp, David was a member of the original CCTA author
team and joint author of the V2 Service Delivery and V3
Service Operation books.
LOU HUNNEBECK: AUTHOR, SERVICE DESIGN UPDATE
With over 25 years of experience in the service industries,
Lou is currently Third Sky Inc’s vice president of IT Service
Management Vision and Strategy. She served on the public
QA team for ITIL V3 and is a member of the V3 Senior
Examination Panel.
COLIN RUDD: SD, ST AND SO MENTOR
Colin was a lead author in the development of ITIL V1, V2,
and V3. A prolific writer on ITSM topics, he has delivered
service management training and consultancy all over the
world. In 2002, Colin received the itSMF UK’s Paul
Rappaport Award.
RANDY STEINBERG: AUTHOR, SERVICE OPERATION UPDATE
Randy has over 25 years of international IT service
management experience and has co-authored an ITSM
methodology and operational framework. Randy holds ITIL
V3 Expert and ITIL V2 Service Manager certifications and
was a reviewer for the ITIL V3 Service Transition book.
DAVID CANNON: AUTHOR, SERVICE STRATEGY UPDATE
David is currently global director of ITSM Strategy for HP. He
has provided training and consulting services to virtually
every industry sector and co-authored the Service Operation
book for ITIL V3.
ANTHONY ORR: AUTHOR, INTRODUCTION TO THE ITIL
SERVICE LIFECYCLE UPDATE
Anthony is currently global best practice director for services
at BMC Software Inc. He is certified in project management
and ISO/IEC 20000 (SQMF), and holds the ITIL V2 Practitioner
and Service Manager and ITIL V3 Expert qualifications.
“I would definitely recommend
working with Sunrise for a project like
this. The service we’ve received has
been spot on right from the start.”
“The experience has been
very positive throughout.
Communication has been
excellent and the Sunrise team
has delivered on its promise.”
“With Sunrise, everything
has been straightforward,
from the statement of
work all the way through
to going live and ongoing
support.”
“I have to say that Sunrise
struck me from the start
as a professional company,
who would work with us to
achieve our objectives.”
“When you embark on a project like
this, you need to know that you’re going
to get the backup you need. The Sunrise
team has been professional, tenacious
and dedicated.”
“Sunrise has delivered at all levels.
This is the kind of project you would
always wish for: seamlessly smooth
and delivered on time.”
“The relationship we have with Sunrise
feels more like a partnership than a
client / supplier dynamic.”
The people behind the software
When you
ou embark on a new IT service management pr
project,
o
oject,
it’ss not always
it’
lways easy to know which
ch solution to choose. Every
very vendor
ccan
an give
give you
you a reason
reason w
why
hy ttheir
heir software
software iiss b
better:
etter: fl
flexibility,
exibility, look
look
and feel, ITIL compatibility
compatibility...
...
Of course these
ese are all important and require a thorough
horough evaluation. However the best
est software in the
world is nothing
ing without the right people to deliver
ver and support your project. Ensure
e your success for
years to come,
e, just like our customers did: choose
e the people behind the software.
www.sunrisesoftware.co.uk
www
.sunrisesoftware.co.uk
020
0 8391 9000
“Right from the start, we got the
feeling that ‘nothing was too big a
job’. Working with Sunrise has just
been fabulous all round.”
it’s seminar time...
six of the best for 2011
Introducing and improving
problem management to
maximise your investments
16th February 2011
Leicester Tigers
Rugby Centre
Practical Service Strategy
16th March 2011
Newbury Racecourse
Service Transition:
achieving painless go-lives
18 May 2011
Edinburgh Corn Exchange
Service management
in challenging times
22th June 2011
Royal Marines Museum,
Southsea
Keeping your service
management journey
moving
September 2011
Liverpool Convention
Centre
Achieving and maintaining
service excellence using
service levels
7th December 2011
Imperial War Museum,
Duxford
2011 Seminar Prices: Members – £185 +VAT | Non-Members – £285 +VAT
Further information: www.itsmf.co.uk or events@itsmf.co.uk
seminar
APRIL 2010 SERVICETALK 44

ITIL Process Assessment Framework

Transcription

Similar documents

COMPANIES - DOCUMENT Strategy Media

Using Complementary Methodologies for your ITSM Flight

Tim Cox ITIL® Operational Support and Analysis Certificate

x-active Product Flyer en.cdr

Service is our Middle Name Making IT Service Management

PinkFORUM16 - Pink Elephant

itSMF Serbia Milan Zivkovic Presentation

Introducing RESILIA: Cyber-Resilience for the 21st Century