Chapter 6: Caselet #3 – Risk Management – Pragmatic Application of Service Management


IT Issue: A candy manufacturer conducted a selection process for a major ERP replacement system. The implementation was supposed to be completed within nine months. At the seven-month mark of the implementation, it was determined that the effort would need to be extended. The Executive Steering Committee remained strangely silent during the decision-making process, and very little effort was made by the program team to identify risks (i.e. incompatible architectural components, data migration issues, poor transition plans, etc.) and develop meaningful strategies to deal with those risks. With a major holiday approaching, the manufacturer is now expediting the implementation by adding more resources to the team with the intent of meeting the original nine-month timeframe and of not impacting the major sales season.

The addition of the extra resources was the solution necessary to meet the original timeframe. The implementation was completed following a ‘big bang’ approach just two months before the busiest holiday season of the year. Unfortunately, the implementation caused a widespread system outage and required a complete release back-out. The company’s only choice at this point was to utilize the old systems. This created a massive backlog of manufacturing orders, unhappy and angry customers, and lost orders.

The Five Anchors

Anchor Discussion

I. Strategic Alignment: IT Services to Business Objectives

1. What are the business strategy, goals and objectives? Are there any measures that demonstrate the achievement of the business strategy, goals and objectives?

• While every organization will have some strategy defined, we don't know what it is here. Know that any solution should link to the achievement of the enterprise strategy, goals and objectives.

2. What is the business issue, or activity at risk?

• Production and shipment of the organization's product line during peak sales season.

3. Is the ownership to resolve the issue at the appropriate level of authority?

• Unknown, but the Executive Steering Committee for some unknown reason went silent during a crucial IT decision. Where is Change Management?

II. Security, Compliance, and Risk Issues

1. Has there been a compromise of the information security policy?

• Unknown with the information provided.

2. What are the internal and external compliance or regulatory concerns?

• Certainly there are regulatory or compliance issues that need to be addressed. The main issue though is the contractual obligations with the customer.

3. What is the cultural appetite for risk?

• We assume there is discussion around the underpinning environment but the Executive Steering Committee (and any Change Management system) certainly ignored any known corporate culture for risk.


ISO20K: 4.1, 4.5.2, 4.5.3, 5.2, 6.3

ITIL: SD 4.4, 4.6, 4.7, M, N.3; ST 4.2, 4.6

1. Does the current portfolio meet expectations and needs of the stakeholder?

• Unknown with the information provided.

2. What is the value of that business activity (VBF)?

• This is their core business. Without this system, product is not being shipped; therefore the potential and probability for sales and customer loss is high.

3. Does the portfolio have the right mix of resources to deliver business benefit?

• Assuming yes: the target delivery date was met, and there were no other indications of failure or poor performance (other than the subsequent massive failure).

IV. Design and Architecture

1. Will the current architecture effectively resolve the issue? Is it feasible?

• Unknown with the information provided.

2. Can the current architecture accommodate the issue?

• Unknown with the information provided.

3. Do we have the necessary competencies to design the required change(s)?

• The assumption is yes. The current staff were able to meet the deadline and deal with all the moving parts of deploying a new ERP system. What was lacking was a thoughtful assessment of what could go wrong, with mitigating plans prepared in advance.

V. Planning and Use of Resources

1. What resources are required to resolve the situation (e.g. people, capital, technical...)?

• Better project planning where exceptions are considered and a more realistic view of the time and resources necessary for the rollout. This could have been accomplished by a better charter within the Executive Steering Group, where proper oversight is at the forefront and the project team is required to report progress appropriately.

COBIT5: EDM03, APO12, BAI01, BAI03, BAI06, BAI07

ISO20K: 5.0

ITIL: ST 4.2, 4.4, 4.5, 4.6

2. Can the required resources be acquired?

• The assumption would be yes.

3. Is the necessary data and information available, collected and managed to resolve the current situation and prevent future occurrence?

• Unknown with the information provided.

Improvement Model Application

This scenario really falls into an “esoteric” category – it points directly at understanding the organizational tolerance toward risk, having the management leadership to control how projects are performed and having a robust Change Management process. It’s really a cultural issue where process has not been designed (followed?) to ensure minimal impact of change. There are many process areas where one could focus; the main culprits are the overall management system, governance and Change Management.

The main improvement model would be COBIT5’s Implementation Model. Phase 1 of this model, “What are the drivers?”, includes a failed IT initiative among others (e.g. internal or external events, trends, poor performance, etc.). The main outcome of Phase 1 is the development of a business case written for the executive management level; this case is then managed and monitored to ensure a successful outcome. This would have been of great use to the Executive Steering Committee in guiding their actions and decisions.

The tangible application of the Implementation Model comes in Phase 2, “Where are we now?”, which links IT objectives with enterprise strategies and risks. This linkage defines the critical processes necessary for successful outcomes. Now we have a defined objective, clearly linking the necessary IT capabilities with the achievement of business outcome. This very action should have provided the necessary governance and oversight so that some of the “cowboy” activities would have been curtailed.

The underpinning policy in any service management framework is the control by the change management process. ISO/IEC 20000-1 unequivocally states the process of design and transition of new or changed services shall be managed via the change management policy and process. Period. The ultimate in control, at least as long as the process is robust enough and followed. If it’s not, well, that’s another issue that must be addressed and quickly (and in a different book!).

Solution References:

Primary Solution

Both COBIT5 and ISO/IEC 20000-1 drive the service manager to understand the risk appetite and then define and mitigate risk within those parameters. The SMS (service management system) and the principles defined in the design and transition process demand it, and those risks are managed via change management. COBIT5 has defined specific processes around risk and change to ensure the intended outcome is achieved.

Secondary Solution

ITIL: All ST processes, especially “true” Change Management, control risk. Change Evaluation evaluates the benefits of a new or changed service from the “as planned/to be delivered” perspective and reports not only on the achievement of service requirements but also risk (specifically, residual risk). Their recommendations are submitted to Change Management for consideration in the “go/no-go” decision at key points in the transition cycle.