Frameworks like the Information Technology Infrastructure Library (ITIL) are not new. Frameworks existed before there was technology. Why is it that so many organizations have now begun to evaluate and adopt a framework in Information Technology?
Why Use IT Frameworks?
The basic answer is structure. Organizations need to adopt a structured environment to achieve operational efficiency and effectiveness as well as to understand how to measure performance and continuously improve.
When chaos takes over in our daily lives, the signs are apparent, and we feel overwhelmed, exhausted and hopeless to fulfill all of our competing obligations. As an individual, we can apply a framework that enables us to prioritize our work, identify critical tasks and begin completing our work one item at a time. We accomplish this by creating checklists, multi-tasking, assigning some work to other family members, and walking away from the tasks that are not necessary.
Frameworks can provide the same control and management for IT organizations.
IT organizations have rapidly evolved to keep up with the pace of technology, and in many ways, we have fallen short of the expectations of the users of the technology we create and support. It is understandable. We have little influence over setting and managing expectations and poor visibility into what we should prioritize to serve the business.
The adoption of a framework provides structure to an IT organization. One of the reasons why ITIL has become so popular is that it provides structure and helps us to manage the environment and our customer’s expectations.
ITIL is not the only game in town. Yes, it is the defacto standard when it comes to the adoption of service management, but service management is not the only thing we need guidance on to run IT like a business.
Take for example IT Governance. The business is continually dealing with changes to laws and regulations that impact the way they can conduct business. Whether it is HIPPA for patient information, Sarbanes-Oxley for publicly traded companies or all the new regulations that are driven from Homeland Security – these laws and regulations were developed to protect the rights and information of the consumers of services, and corporations need to demonstrate compliance with these laws and regulations.
Because the customer data resides on IT systems, it doesn’t take the business long to recognize that IT must fill an essential role in demonstrating compliance. ITIL gives us three processes that will help, Change Management, Information Security Management, and IT Service Continuity Management. The framework provides an overall view of a Service Lifecycle and will help us to identify regulatory constraints and design the best possible service for the business. We can also learn how to improve the service and measure its effectiveness.
With a limited view of Risk Management, ITIL falls short of helping an IT organization to adopt a holistic IT governance approach.
COBIT or Control Objectives for Information and Related Technology is a framework that focuses on the management an IT organization through establishing controls necessary for IT governance. The framework is used by IT organizations and compliance officers to assess the strength of the controls in achieving strategic direction.
Picture a ship with a captain at the helm and many deck hands working to keep the ship running. Governance provides information to the Captain that allows him or her to set direction and keep the ship on course. The key concepts of direct and control are at the heart of IT governance.
Why Would an Organization Use COBIT?
COBIT enables us to identify the business goals, how to align IT goals with the business then assess the current strength of our practices that support the IT goals. When we recognize a weakness, COBIT also helps to define a desired target state. Once we determine that strategic direction, then we can leverage ITIL to help us improve what needs to be fixed – ITIL helps us to get to that target state.
For example, the business wants to improve customer orientation. The business goal is mapped to the IT goal of improving customer satisfaction, which is then mapped to the IT process of Manage the Service Desk and Incidents. We can assess the current level of performance of the IT process, and identify where we want to be to best support the business goal. The controls or measurements allow us to provide information from the process, back to the IT goal and back up to the business that tells us how well we are doing. When we identify a weakness, we can turn to ITIL or HDI to help us understand how to improve the Manage the Service Desk and Incidents process.
Many organizations that leverage ITIL have a difficult time trying to figure out where to begin. Incident Management and Change Management are usually high on the list of things to fix. How do we know what to fix and in what order?
COBIT spans across a more substantial portion of the IT organization and covers everything from planning, organization, delivery, support, acquisition, implementation, measurement and evaluation. The five domains of processes provide a comprehensive way to evaluate the IT organization to determine what its weaknesses are and to help align improvement opportunities that best support the business strategy. IT governance is an essential contribution to the value that IT provides to the business. Governance also helps to manage risk, manage performance, and manage resources.
Standards are developed as a method to compare an organization to defined requirements. In manufacturing, ISO9000 is the standard. For IT Service Management, the standard is ISO20000. Security uses ISO17799.
A standard provides guidance on what best practices should be in use within the organization. ISO20000 covers a similar scope to ITIL and acts as a measuring stick for how successful our ITIL implementation in compared to the standard.
For example, ISO20000 asks a series of questions about Change Management like, “Do you have change management in place?” “Is it documented?” If you answer “no” to any of the questions, it is an identified weakness that should be addressed for Change Management to be successful. Going through ISO20000 certification is a lengthy and expensive as well as exhaustive process. Many organizations will use the standard to help them identify weaknesses. Certification provides a competitive edge in the marketplace but may not be the right path for every IT organization.
The Balanced Scorecard is a business management framework that evaluates the health of an organization across four domains: financial, customer, internal processes, learning and innovation. By defining metrics for each quadrant, the business has a picture of the overall organization’s performance.
The value of this management framework is to see how a focus on one quadrant can affect the performance in another. Maintaining all four perspectives in balance will help to ensure that an organization is prepared for success. The balanced scorecard is one of the most challenging frameworks to implement due to the lack of controls throughout the organization that feed the view of performance.
IT governance is one way to get better information that feeds back up through the organization to understand how successful the strategy is in driving organizational performance. Implementing controls from COBIT would enable the organization to more successfully capture relevant information that feeds into the Balanced Scorecard.
How do all of these frameworks fit together? Each one has its place in an organization. Depending on what the organization is trying to achieve, one particular framework or standard may be more important than another to help the organization meet its goals. When the dynamics of the environment change or different issues take priority, then an organization may use a different framework.
To better understand how these different frameworks and standards fit together (Figure 1), start with the overall concept of IT Governance. Within IT governance, one of the primary goals is to establish direct and control in the organization. If an organization has some of these controls in place, then it may be decided to evaluate the current level of maturity of IT governance and improve from there.
Figure 1. Combining Frameworks
To do this, the CSI approach from ITIL provides a view of how to assess the current state and identify how to improve. This model has five questions:
- What is the vision?
- Where are we now?
- Where do we want to be?
- How do we get there?
- Are we there yet?
To help an organization understand “What is the vision?”, the organization will look to its senior management to set the strategic vision and goals. To understand “Where are we now ?” we can use ISO20000 to understand the weaknesses of the organization compared to the standards for IT Service Management.
Then when we ask, “Where do we want to be?”, we can use the COBIT process maturity model to identify the desired maturity level. “How do we get there?” is answered by looking at the ITIL framework. To measure “Are we there yet?” we can use the controls in COBIT that feed into the overall Balanced Scorecard.
The outlined approach is just one creative way in which an organization can leverage multiple frameworks. Each one has its strengths and weaknesses. Each framework also requires a level of knowledge and competency to use it to engage the organization successfully in change.
The success of any framework adoption depends upon your organization’s ability to engage in change successfully. Management commitment, communication, training, clear vision, and a guiding coalition will enable the adoption of change.
Kotter’s 8-steps to Organizational Change is another tool that an IT organization can use, and it is a great way to view change holistically. This methodology will not help us identify the right framework to use, but it will help the organization to wrap the change into a project with defined goals and objectives.
To successfully manage an IT organization and the services they provide to the business, the IT service provider must use multiple frameworks that help them identify weaknesses and improvements that will be aligned with and benefit the business.
ITIL, COBIT, ISO20000, Six Sigma, Project Management, Kotter’s 8-steps to Organizational Change, the CSI Model, and the Balanced Scorecard are all great tools to know and leverage when it makes sense to drive higher value to the business. Limiting the organization to only one tool limits the possibilities for improvement. Try to use too much may dilute the effectiveness of any one tool.
Just like a chef, having more tools doesn’t help you cook a better meal. It is up to you as an IT professional to create the right recipe leveraging the best ingredients and tools for the job. Experience comes with practice, training, and experimentation. And it never hurts to bring a Master Chef along for the ride.