Chapter 7: Caselet #4 – Achieve Business Outcomes – Pragmatic Application of Service Management

CHAPTER 7: CASELET #4 –ACHIEVE BUSINESS OUTCOMES

IT Issue: A small auto insurance company has experienced significant growth in the last several years. The IT department has done a good job of managing increasing capacity requirements based on the demand patterns. Additionally, they provide an onsite service desk as well as level 2 and level 3 support and a fairly active PMO. In a strategic planning session held last year, the company leadership made it very clear that there were three vital areas which the IT department needed to focus on: 1) communication technologies must have high availability, 2) downtime of critical services must be kept to a minimum, and 3) customers need a self-help portal that provides value.

The IT department deployed all of the necessary technologies to support the stated vital needs of the business (as well as continued support of the core business functions), but continually had issues around supporting those services. The following issues have been identified in the last six months:

  • The self-help portal doesn’t provide information for the most commonly used services.
  • It is rarely used due to a poor design.
  • Incident and request ticket backlog has grown by 120%.
  • Three major incidents have occurred resulting in large amounts of downtime to critical services; one failure caused a 12-hour outage within their mobile communication technologies.

The Five Anchors

Anchor Discussion

I. Strategic Alignment: IT Services to Business Objectives

1. What are the business strategy, goals and objectives? Are there any measures that demonstrate the achievement of the business strategy, goals and objectives?

• The continued growth of the business is paramount but no specific business goals or objectives have been stated. What has been communicated is that IT must provide high availability, reduce the downtime of the critical services (implying the creation or improvement of a continuity plan) and provide a method of self-help. No measures are mentioned but could be easily created as necessary.

2. What is the business issue, or activity at risk?

• There are two issues – first the downtime of the critical services, which needs to be addressed not only from an agreed delivery position (i.e. SLAs and appropriate availability requirements and planning) but also from the intangible cost perspectives (i.e. confidence, reputation, etc.) all of which can lead to a loss of customers. Big question: Is there an IT Service Continuity plan? The second issue is one of poor support (backlog of incident and request tickets as well as major incidents).

COBIT5: BAI04

ISO20K: 5.0, 6.3, 6.5

ITIL: SD 4.4, 4.5, 4.6

3. Is the ownership to resolve the issue at the appropriate level of authority?

• Unclear, though organizational leadership did communicate what IT was to accomplish – we do not know the roles within IT but could assume a “like” position or direct report to the company leadership received those requests and then assigned as appropriate.

II. Security, Compliance, and Risk Issues

1. Has there been a compromise of the information security policy?

• Unknownwith the information provided.

2. What are the internal and external compliance or regulatory concerns?

• There are regulatory concerns within auto insurance companies, but the caselet does not hint that there have been any issues. But, this is a constraint for any planning of new or changed services to ensure continued compliance to the internal or external regulatory concerns or contractual obligations.

COBIT5: APO11, MEA03

3. What is the cultural appetite for risk?

• The organization has experienced growth and we've assumed they do want to continue that pattern. Logically, one can make a case that the strong growth pattern is a result of taking some risks to gain market share, thus the organization may be willing to accept some level of risk.

III. Value-based Portfolio

1. Does the current portfolio meet expectations and needs of the stakeholder?

• The portfolio meets the needs of the organization if only due to the successful growth. The issues now seem to revolve around operational demand and support and the lack of a continuity plan (remember the 12-hour outage). IT should be analyzing the trends of use, develop/improve a continuity plan, and ensure appropriate knowledge and resources for the design and support staff.

2. What is the value of that business activity (VBF)?

• For the auto insurance industry, communication is vital for new policies, claims and policy management. The outages within communication technology directly affect the viability of this company. This IT organization would benefit from completing a Business Impact Analysis (BIA), if it hasn't been done already, to quantify and qualify the impact of the IT service loss.

ITIL: SD 4.6.5.2 (BIA)

3. Does the portfolio have the right mix of resources to deliver business benefit?

• Logically, we have to assume yes, if only because of the growth that has been managed to date (i.e. necessary functionality has been delivered). The current issues are more support process-oriented, rather than a non-functional service, specifically around the backlog of incidents and requests as well as the under-used and poorly designed self-help portal.

IV. Design and Architecture

1. Will the current architecture effectively resolve the issue? Is it feasible?

• In the balancing of resources and capabilities, we assume they have the resources but capabilities may be lacking (i.e. management, processes, knowledge, organization and people). The current self-help portal is obviously not effective, thus requiring a major change. It is assumed the IT organization will require additional resources and capabilities for that project.

2. Can the current architecture accommodate the issue?

• There is no evidence the current architecture cannot overcome the issues.

3. Do we have the necessary competencies to design the required change(s)?

• Unknown at this point – but there are two pertinent facts: 1) IT has been able to keep up with the capacity demands; 2) IT has done a very poor job in designing a self-help system. Thus, IT leadership should define and re-examine current competencies, especially around the support area, and improve where necessary.

COBIT5: APO07

ISO20K: 4.4

ITIL: SS 6.10, SD 6.5, ST 6.6, SO 6.9, CSI 6.6

SFIAwww.sfia.org.uk

V. Planning and Use of Resources

1. What resources are required to resolve the situation (e.g. people, capital, technical.)?

• Clearly, this IT organization needs to take a strong look at their support processes as well as the flexibility and continuity of their designs to address continued demand and mitigate the outages. Resource management practices need a review – has the company growth exceeded IT capacity? Additionally, a knowledge base for the self-help portal requires development and on-going maintenance for applicability.

COBIT5: BAI04, BAI08, DSS02, DSS04

ISO20K: 4.4., 4.5, 5.0, 6.3, 8.1

ITIL: SD 4.4, 4.6; ST 4.7; SO 4.2

2. Can the required resources be acquired?

• Without a doubt. The organizational sourcing model is unknown but current technologies are available to resolve the issues as long as this organization clearly defines the requirements before engaging a commercial solution (e.g. outsource the service desk, commercial tools to create the self-help portal, etc.).

COBIT5: APO10

ISO20K: 7.2

ITIL: SS 3.7, SD 3.11, 4.8

3. Is the necessary data and information available, collected and managed to resolve the current situation and prevent future occurrence?

• Clearly, there is some data available as we know of the poor use of the self-help portal, backlogs and outages. Is it being used to create a solution and or prevent future occurrence? That is unknown.

COBIT5: Information Enabler

ISO20K: 6.2

ITIL: CSI 4.1

Improvement Model Application

This entire scenario screams “Process improvement!” and ITIL’s CSI Approach and Seven-Step Improvement process would be an excellent fit to effectively and efficiently guide the necessary improvements. It is obvious the current practices are not keeping up with current business requirements and damaging overall business operations. To apply the CSI Model, confirmation of organizational goals and objectives is necessary (“What is the vision?”) as well as a clearly defined future state (“Where do we want to be?”) before the development of process and service improvements (“How do we get there?”). Remember, this organization already has some measures for its current state (we will not make a value judgment if those measures are sufficient).

These steps clearly relate to the Seven-Step Improvement Process, which really focuses on the collection of appropriate data to support improvement efforts. This process demands a very clear structure around the whole activity of data collection and analysis creating repeatable measures which drives reliability. Deploying this process would serve the organization well - if they are to continue to grow, developing consistency around the information upon which decisions are made, will serve them well.

Solution References:

Primary Solution:

ISO20K and ITIL: Review the requirements for Incident and Service Request Management (8.1) defined in ISO/IEC 20000-1 and consider the other practices described in ITIL around incidents and service requests. Also review the clear and concise process in ISO/IEC 20000-1 for the design and transition of new or changed services (it can be applied to process improvement as well) and go back and “fill in” the missing parts to create a better self-help portal as well as critically review the availability designs. ITIL offers expanded information in several areas:

  • SD 3.0. 4.4; SO 4.2, 4.3; CSI 4.1

As recommended above, strongly consider the review and update of IT staff competencies and invest in their continued growth. SFIA offers a globally accepted framework for defining the various roles and competencies.

Secondary Solution:

Utilize the information within COBIT5 (as listed above) to guide metric development as well as appropriate relationships and communication between processes and stakeholders utilizing the RACI diagrams.