The Balanced Improvement Matrix

Two weeks ago I presented to a customer how their IT improvement program can be improved by adopting principles from ITIL. I used this slide to illustrate another way to think about the issue.

Benefit-Change-MatrixClick to expand

Recipient of Benefits

The Y-axis who receives most of the immediate benefit of the activity. “Inside” refers to IT, either a component of IT or the entire department.

Outside refers to the outside stakeholders for IT services. Generally they fall into one of these groups:

  • Users: those who directly use the services. Generally the users also request the service.
  • Internal customers: those who request or authorize services on behalf of the users. Generally customers are the users, but sometimes they are distinct.
  • External customers: The ultimate customer who exchanges value with the organization.

Focus of Change

The focus or perspective of change describes where most of the change or improvement takes place. We are also describing this as within IT or out of IT.

The change or improvement may or may not be limited to the primary location. There are often spillover benefits for related stakeholders that are less immediate.

Examining the Quadrants

Inside-In

This quadrant describes change or improvement activities that are limited exclusively to IT. Some examples may include:

  • Code refactoring
  • Recabling
  • Process improvement
  • Service Asset and Configuration Management
  • Training

Inside-In activities may be thought of as “charging the batteries”.  External stakeholders will not see immediate benefits, but the benefits will accrue over time as the IT organization becomes more agile, flexible, efficient and effective.

Inside-Out

Inside-Out activities are those that modify the behavior of external stakeholders in order to maximize the capabilities of IT. Some examples may include Demand Management and Financial Management of IT Services, specifically charging for IT services in a way that encourages their efficient use.

Service Catalog Management and Service Portfolio Management also create activities in this quadrant, specifically those that describe prerequisites or costs to external stakeholders.

Outside-In

Outside-In activities are those that benefit external stakeholders by modifying the services or processes of IT. Service Level Management sits firmly in this area. The Service Improvement initiatives within CSI certainly fit here too. Alignment of IT with organizational strategy also reside predominantly in this quadrant.

Outside-Out

Does IT ever perform Outside-Out activities? With a few exceptions, yes, all IT organizations do.

Outside-Out efforts or improvement activities take place whenever IT acts as a consultant to the organization by bringing its unique capabilities and resources to business problems.

Some examples may include:

  • Strategic planning
  • Creating new lines of business
  • Due diligence of partnerships or acquisitions
  • Enterprise Risk Management and Business Continuity Planning

From an ITIL process perspective,  Outside-Out quadrant is best illustrated by Business Relationship Management (SS) and Supplier Management (SD), and some activities of Change Management (ST) and Knowledge Management (ST).

Optimizing the matrix

In no case did we ever claim that any one quadrant is better than another. IT departments of the last century received criticism for focusing too much on inward benefits and losing focus on the broader context in which IT operates. That situation was expensive, frustrating to users, and ultimately untenable.

IT organizations in this century must and do perform activities in all four quadrants. Neglecting any quadrant can lead to the following outcomes.

Benefit-Change-Neglect-MatrixClick to expand

Using frameworks such as ITIL, COBIT 5, or ISO/IEC 20000 to guide improvement initiatives can help IT organizations balance their efforts in all quadrants.

The Role of COBIT5 in IT Service Management

In Improvement in COBIT5 I discussed my preference for the Continual Improvement life cycle.

Recently I was fact-checking a post on ITIL (priorities in Incident Management) and I became curious about the guidance in COBIT5.

The relevant location is “DSS02.02 Record, classify and prioritize requests and incidents” in “DSS02 Manage Service Requests and Incidents”. Here is what is says:

3. Prioritise service requests and incidents based on SLA service definition of business impact and urgency.

Yes, that’s all it says. Clearly COBIT5 has some room for improvement.

COBIT5 is an excellent resource that compliments several frameworks, including ITIL, without being able to replace them. For the record, the COBIT5 framework says it serves as a “reference and framework to integrate multiple frameworks,” including ITIL. COBIT5 never claims it replaces other frameworks.

We shouldn’t expect to throw away ITIL books for a while. Damn! I was hoping to clear up some shelf space.

Improvement in COBIT 5

In a previous post I discussed starting your service or process improvements efforts with Continual Service Improvement (or just Improvement).

I prefer COBIT5, and the issue is ITIL. The good news is the Continual Service Improvement is the shortest of the five core books of ITIL 2011. CSI defines a 7 Step Improvement Process:

  1. Identify the strategy for improvement
  2. Define what you will measure
  3. Gather the data
  4. Process the data
  5. Analyze the information and data
  6. Present and use the information
  7. Implement improvement

This method, as the name suggests, is heavily focused on service and process improvement. It is infeasible in situations where there is no discernible process, a complete absence of metrics, and a lack of activity that could be captured for measurement and analysis. It is infeasible in most services and processes described in most organizations, due to this lack of maturity.

I find the COBIT5 method is more flexible. It also provides 7 steps, but it also views them from multiple standpoints, such as program management, change enablement, and the continuous improvement life cycle.

For example, the program management view consists of:

  1. Initiate program
  2. Define problems and opportunities
  3. Define road map
  4. Plan program
  5. Execute plan
  6. Realize benefits
  7. Review effectiveness

COBIT5 provides a framework that is more flexible and yet more concise, but still provides detailed guidance on implementation and improvement efforts in terms of a) roles and responsibilities, b) tasks, c) inputs and d) outputs among others.

Therefore I find the COBIT5 framework, particularly the COBIT5 Implementation guide, superior to the Continual Service Improvement book of ITIL 2011.

In addition COBIT5 provides a goals cascade that provides detailed guidance and mapping between organizational and IT-related goals and processes throughout the framework that may influence those goals. The goals cascade is useful guidance for improvement efforts, but alas it is the subject of another discussion.

Challenges Generated by the Implementation of the IT Standards COBIT 4.1, ITIL V3 and ISO/IEC 27002 in Enterprises

Abstract: The main purpose of this paper is to emphasize the importance of the implementation of IT best practices in enterprises and to identify the key challenges managers are facing when creating a standardized IT control framework in order to achieve alignment of best practices to business requirements. First, the authors present the increasing necessity of implementing IT standards in organizations acting in IT environments with focus on the standards COBIT, ITIL and ISO/IEC 27002. Second, the paper develops the analysis of the three standards which is a guidance for organizations wishing to adopt IT best practices on how to integrate the leading global frameworks and other practices and standards in inter-organizational relationships. The last part concentrates on the best methods of implementing in an efficient way the IT standards, which include identifying the use of standards and IT best practices, prioritizing processes according to an action plan and planning the steps of the implementation approach.

Reference: Năstase, P., Năstase, F., & Ionescu, C. (2009). CHALLENGES GENERATED BY THE IMPLEMENTATION OF THE IT STANDARDS COBIT 4.1, ITIL V3 AND ISO/IEC 27002 IN ENTERPRISES. Economic Computation & Economic Cybernetics Studies & Research, (3), 1-16.

Link: http://www.ecocyb.ase.ro/articles%203.2009/Pavel%20Nastase.pdf

From the paper:

COBIT provides best practices and tools for monitoring and mapping IT processes while ITIL aims to map IT service level management and ISO 27002 provides guidelines for implementing a standardized information security framework.

There is nothing in this paper that is original, and even less that is intelligible. Moving on.

Confusion in the Ranks: IT Service Management Practice and Terminology

Abstract: The Information Technology Service Management (ITSM) movement is gaining adopters throughout the world, expanding from the 2005 ratification of International Standards Organization (ISO) ISO/IEC 20000. However, this concept grew out of older frameworks such as Britain’s IT Infrastructure Library (ITIL) and U.S. service level management (SLM). To further confuse the landscape, there are also related terms such as business service management (BSM), the Control Objectives for Information and related Technology (CobiT), and IT governance.

There is a lack of descriptive academic literature currently published, which has mainly focused on prescriptive pieces. This paper gives a background on the several contributing frameworks mentioned above, and reports on a survey U.S. IT managers to determine the extent of understanding of these terms and frameworks. The findings indicate that ITSM adoption and knowledge may be lower than some studies have indicated. There is also conceptual confusion about what constitutes ITSM, with conflation of terms and practices.

Reference: Winniford, M., Conger, S., & Erickson-Harris, L. (2009, Spring2009). Confusion in the Ranks: IT Service Management Practice and Terminology. Information Systems Management, 26(2), 153-163.

Link: http://www.informaworld.com/smpp/content~db=all~content=a910451171

Comments: The authors used a third-party research firm to interview 364 American companies whether they are or are planning to manage IT from a services perspective, which may include ITSM, SLM, or BSM. They found that a little less than half are implementing service management, and another fifteen percent are planning to to do so. The most recognized services frameworks, in order, are SLM, ITSM and IT Governance, followed by CoBIT. Only two-thirds of organizations implementing service management recognized the term ITIL, versus one-third of those not implementing service management. An interesting finding was that even among those implementing service management frameworks, a majority could not correctly identify a service they offer (i.e. quality, which is actually a measurement of service effectiveness).

Among the reasons for not implementing service management included not enough information, costs, belief it isn’t needed, and lack of management support. Less than twenty percent admitted they didn’t want the accountability, though in my experience this number is really a great deal higher.

In my opinion this is one of the better academic studies performed in the area of IT service management. The authors identified lower support for ITSM than purported by other authors in the area. They also identified much greater confusion and much lower awareness of ITSM among practitioners and academic researchers. My own personal observations working with 50+ companies is consisent with the findings in this paper.

Exploring IT Governance in Theory and Practice in a Large Multi-National Organisation in Australia

Link: http://www.informaworld.com/smpp/content~content=a910451709~db=all~jumptype=rss

Reference: Willson, P., & Pollard, C. (2009, Spring2009). Exploring IT Governance in Theory and Practice in a Large Multi-National Organisation in Australia. Information Systems Management, 26(2), 98-109.

Abstract: IT governance is critical to most organisations and has an influence on the value generated by IT investments. Unfortunately, IT governance is more aspiration than reality in many organisations. This research seeks to address the dearth of empirical evidence about IT governance in practice, presenting the findings of an IT governance case study in an Australian organisation. Recommendations are provided to assist organisations to maximise potential of IT governance and insights are provided for researchers.

Comments:

In his book Secrets and Lies: Digital Security in a Networked World, author Bruce Schneier frequently addressed the following comment:

In theory there is no difference between theory and reality. In reality there is.

For this research the authors interviewed 28 senior IT and corporate managers at an Australian MNE in order to address two questions:

  1. What is the nature of IT governance in practice?
  2. What factors contribute to differences between theory and practice?

Their analysis of the interviews identified four major themes that do not entirely overlap with theoretical models of IT governance. For example, although IT governance models frequently deal with risk management of IT-related risks, the subject organization restricts risk management activities primarily to the area of project risk management. The research highlights the importance of visionary leadership and key players in IT-business alignment, and also introduces the importance of historical context in the governance of IT and its initiatives.

Researchers and industry frameworks, such as COBIT and ITIL, frequently document practices that have little relevance in most organizations. For example, during my implementations of CMDB at customer sites, I emphasize the importance of aligning IT service, logical, and phsysical assets with the organization through relationships in a top-down approach. In practice most organizations ignore this advice and build the CMDB bottom-up through the identification of physical assets. In other words, their most pressing concern is to manage the “thinks they can kick” in a way that won’t achieve benefits the CMDB may, in theory, provide. These differences between the theoretical and practical are important, and I would like to see more research like this that covers practical application.

A Conceptual Framework for the Integration of IT Infrastructure Management, IT Service Management and IT Governance

Link: www.waset.org/pwaset/v52/v52-69.pdf

Reference: Knahl, M. (2009, April). A Conceptual Framework for the Integration of IT Infrastructure Management, IT Service Management and IT Governance. Proceedings of World Academy of Science: Engineering & Technology, 40, 447-452.

Abstract: The definition and use of standardized IT Management techniques and processes provide the basis for IT Service Management and IT Governance. With the establishment of de facto standard “Best Practice” reference and process models such as the IT Infrastructure Library (ITIL) or Control Objectives for IT and related Technologies (CobiT), an integrated management architecture for the provision of IT-Services built upon standards based processes and tools becomes feasible. ITIL provides a structured and widely adopted approach to IT Service Management and its processes. ITIL can further be aligned with related standards such as ISO 20000 to manifest IT Service Management practice or CobiT to support IT Governance. However IT Management processes must be developed to align with the existing IT infrastructure and operation and must be modeled around frameworks such as ITIL. This paper illustrates the key IT Management requirements and reviews the current state of the art. A case study highlights the contribution of reference models and management related tools for organizations and presents an integrated management architecture.

Comments: This paper presents a case study, saying the definition of SLA’s and KPI’s are critical to the success of the implementation, and I would have liked to have seen in details what these were. In addition, the first phase of the ITSM rollout includes Configuration Management but not Change Management. I wonder how they plan to keep the CMDB up-to-date.

Why ISACA Certifications Will Supercede ITIL

Below is a list of the top reasons ISACA’s COBIT Foundation and CGEIT certifications will become more popular than ITIL certifications. I am not suggesting the ITIL certifications will go away or be replaced by ISACA, in part because their frameworks are complementary and not entirely competitive. Nevertheless, ITIL and COBIT going in different directions, particularly ITIL doing everything wrong and COBIT doing things mostly right.

  1. ITIL V3 framework has become complicated and convoluted. Although ITIL V3 is supposed to provide clearer guidance for implementation, in most cases it is simply too complicated for organizations who still desire a piecemeal approach. Most IT practitioners still think in ITIL V2 terms (Incident, Problem, Change, Configuration) and ignore the V3 additions.
  2. COBIT is more rigorous and intellectually consistent. It lends itself easier to auditing. Many organizations wish to adhere to SOX requirements, even if they are not publicly traded. On the other hand, I haven’t yet seen an organization that desires ISO/IEC 20000 certification.
  3. ISACA documentation is more readily available to organizations at affordable prices. ITIL documentation has become expensive, and an apparent moneymaker for OGC and its related organizations.
  4. ITIL certifications (beyond Foundation) require classroom training that are mostly a moneymaking racket for APM Group and the OGC. Few will afford the $10K plus costs to obtain higher levels of certification–fewer will want to. ITIL Foundation will remain far more popular than the higher certifications, even among practitioners with significant experience with ITIL.
  5. The COBIT Foundation certification is similar in structure to the ITIL Foundation, and serves the same basic function. The two are equivalent and complementary, and COBIT Foundation will soon become as popular as ITIL Foundation. I believe this was a brilliant move by ISACA.
  6. The CGEIT requires real-world experience, in addition to a structured exam. In this way CGEIT is similar to CISA and PMI’s PMP certifications, both of which are very popular and respected.