When chaos takes over our daily lives, the signs are obvious. We feel overwhelmed, exhausted, and despair of fulfilling all of our competing obligations. As individuals, we can adopt frameworks that help us prioritize our work, identify key tasks, and complete our work one item at a time. To do this, we create checklists, multitask, assign work to other family members, and walk away from tasks that we decide are not as important. As it turns out, IT is not so very different.
Frameworks existed long before there was technology. So why is it that so many organizations have only recently begun to evaluate and adopt IT frameworks? The easy answer is structure. In order to manage a complex system or value network, organizations need to adopt a structured environment to achieve operational efficiency and effectiveness as well as understand how to measure performance and continuously improve. Let’s examine some of the most popular frameworks and discuss how they can work together in service to IT governance.
IT organizations have rapidly evolved to keep up with the pace of technology, but, in many ways, we have fallen short of the expectations of the users of the technology we create and support. It is understandable. We often have little influence over setting and managing expectations and poor visibility into what we should prioritize in order to best serve the business. The adoption of a framework provides structure to an IT organization, and one of the reasons ITIL has become so popular is that it provides that structure and helps us manage both the environment and our customer’s expectations.
ITIL is not the only game in town. Yes, it is the de facto standard when it comes to the adoption of service management, but service management is not the only thing we need guidance on in order to run IT like a business. Take, for example, IT governance. IT organizations are constantly dealing with changes to laws and regulations that impact the way they can conduct business. Whether it is HIPAA for patient information, Sarbanes-Oxley for publicly traded companies, or all the new regulations that have been handed down by Homeland Security, these laws and regulations were developed to protect the rights and information of the consumers of services, and corporations need to demonstrate compliance with these laws and regulations. Because customer data resides on IT systems, IT plays an important role in demonstrating compliance.
The ITIL framework provides an overall view of the service lifecycle and will help us to identify regulatory constraints and design the best possible service for the business. We can also learn how to improve the service and measure its effectiveness. With regard to compliance, there are three ITIL processes that are particularly helpful: change management, security management, and service continuity management. However, given its limited view of risk management, ITIL falls short of helping an IT organization to adopt a holistic IT governance approach.
COBIT, or Control Objectives for Information and Related Technology, is a framework that focuses on the management of an IT organization through establishing the controls necessary for IT governance. This framework is used by IT organizations and compliance officers to assess the strength of the controls associated with the organization’s strategic direction. Picture a ship with a captain at the helm and many deckhands working to keep the ship afloat. Governance provides the captain with the information that allows him or her to keep the ship on course. The concepts of direct and control are at the heart of IT governance.
Why would an organization use COBIT? COBIT helps us identify business goals, align IT goals with the business’s goals, and assess the strength of the practices that support the IT organization’s goals. COBIT also helps to define a desired target state. Once we fix that strategic direction, we can then leverage ITIL to help us improve what needs to be fixed. In other words, ITIL helps us to get to that target state.
For example, say the business wants to improve customer orientation. The business goal is mapped to the IT goal of improving customer satisfaction, which is then mapped to the IT processes related to managing the service desk and incidents. Using COBIT, we can assess the current performance level of the IT process and identify where we need to be to best support the business goal. The controls or measurements allow us to collect information from the process, and when we identify a weakness, we can turn to ITIL to help us understand how to better manage the service desk and incidents process.
Many organizations that leverage ITIL have a difficult time deciding where to begin. Incident management and change management are usually high on the list of things to fix, but how do we really know what to fix, and in what order? COBIT spans a larger portion of the IT organization and covers planning, organization, delivery, support, acquisition, implementation, measurement, and evaluation. Its four process domains provide a more comprehensive method for evaluating the IT organization as a whole, determining its weaknesses, and aligning improvement opportunities with those activities that best support the business strategy. COBIT is a vital component of overall good governance, which itself helps to manage risk, manage performance, and manage resources.
Standards provide a method for organizations to evaluate their performance against defined requirements. The ISO standards provide guidance on the best practices for a given industry. ISO 9000 is the standard for manufacturing, ISO 17799 for security. For IT service management, the standard is ISO 20000. The scope of ISO 20000 is similar to ITIL; it serves as a yardstick for measuring the success of an ITIL implementation as it compares to the standard. For example, ISO 20000 asks a series of questions about change management, including “Do you have change management in place?” and “Is it documented?” If you answer “no” to any of these questions, these are weaknesses that must be addressed before your change management program can be deemed successful.
ISO 20000 certification is a lengthy, expensive, and exhaustive process. And though certification provides a competitive edge in the marketplace, it may not be the right path for every IT organization.
The balanced scorecard is a business management framework that evaluates the health of an organization across four domains: financial, customer, internal processes, and learning and innovation. By defining metrics for each quadrant, the business can paint a picture of the organization’s overall performance.
The value of the balanced scorecard is in seeing how your organization’s performance in one quadrant can affect its performance in another. Balancing all four quadrants will help ensure that your organization is prepared for success.
The balanced scorecard is one of the most difficult frameworks to implement because of the lack of control over the information that feeds the scorecard. IT governance is one way to collect better information that helps you understand how successful your strategy is at driving organizational performance. In particular, implementing controls from COBIT would further enable the organization to more successfully capture relevant information to populate the balanced scorecard.
How do all of these frameworks fit together? Each one has its proper place in any organization. Depending on what the organization is trying to achieve, one particular framework or standard may be more important than another. When the dynamics of the environment change or other issues take priority, a different framework may take priority.
To better understand how these different frameworks and standards fit together (Figure 1), start with the overall concept of IT governance. One of the major goals of IT governance is establishing direct controls in the organization. If an organization has some of these controls in place, they may decide to evaluate the current level of maturity of IT governance and improve from there. ITIL’s CSI model provides a methodology for assessing the current state and determining how to make improvements. The CSI model asks five questions:
- What is the vision? (Most organizations look to their senior management to set the strategic vision and goals.)
- Where are we now? (Use ISO 20000 standards to identify the organization’s weaknesses.)
- Where do we want to be? (Use the COBIT process maturity model to identify the desired maturity model.)
- How do we get there? (Look at the ITIL framework.)
- Are we there yet? (Apply the controls in COBIT that feed information to the balanced scorecard.)
This is just one creative way in which an organization can leverage multiple frameworks. Each has its strengths and weaknesses, and each requires a certain level of knowledge and competency to successfully engage the organization in change.
The success of any framework adoption depends upon your organization’s ability to successfully engage in change. Management commitment, communication, training, well-defined vision, and a guiding coalition all affect how well your organization embraces change. Kotter’s eight steps to organizational change is a great tool for viewing change holistically. This methodology will not help you identify the right framework to use, but it will help your organization incorporate changes into a project with defined goals and objectives.
To successfully manage an IT organization and the services that it provides to the business, the IT service provider must use multiple frameworks to identify weaknesses and make improvements that benefit the business. ITIL, COBIT, ISO 20000, Six Sigma, project management, Kotter’s eight steps to organizational change, CSI, and the balanced scorecard—all are great tools for driving greater value to the business. Restricting the organization to only one tool limits the possibilities for improvement; trying to use too many dilutes the overall effectiveness of any or all of them. As any chef knows, having more tools doesn’t help you cook a better meal. You need the best recipes, the best ingredients, and the right tools for the job. This takes practice, training, experimentation, and experience. And it never hurts to bring a master chef along for the ride.
Julie Mohr is the principal research analyst and author at BlueprintAudits.com. She is a passionate organizational change advocate, providing imaginative insight and dynamic leadership that transforms organizations into best practice, customer-focused environments through knowledge management, ITSM, IT governance, organizational enhancements, process re-engineering, and service level management. Julie has developed an IT governance framework and audit methodology that is used by thousands of organizations worldwide to identify weaknesses, develop improvement plans, and implement IT governance. She is the author of The Help Desk Audit: Blueprint for Success (BlueprintAudits.com, 2003) and The Help Desk Dictionary (BlueprintAudits.com, 2006).