CobiT, ITIL v3, ISO 27002: Benefits and risks

By the beginning of the 1990s an increasing number of IT departments had started using process-oriented models like ITIL, ISO/IEC 9000 and CMM(i). These were later substituted by CobiT, ISO/IEC 27002, ASL, BiSL, ISO/IEC 20000 and many more. There is no doubt that these models helped IT professionalize and transform itself from a technology playground into a more business- and service-oriented profession. A survey among 503 companies on the benefits of ITIL shows that as the maturity of the IT function increases, the realized benefits also increase, while the perception of implementation challenges decreases (2010[FZ1]). From a strategic standpoint, however, the added value is limited, as ITIL implementations can easily be imitated by competitors, leveling the playing field again. Furthermore, there is a considerable risk that implementations will end up in a swamp due to over-engineered procedures, templates, PPI and KPI reports, and a lack of fundamental understanding of the concept behind ITIL. This risk is especially prone to materialize with the introduction of version 3, which is even more complex and extensive than the previous version. As a result, companies became disappointed with the outcomes of implementations.

An investigation of two American and two Australian companies that implemented ITIL (version 2) does, however, provide some pointers for increasing the chance of a positive return (2009[FZ2]): executive management support, interdepartmental communication and collaboration, use of consultants, training and careful software selection. Besides these more generic critical success factors, the authors also found three specific ones: creating an ITIL-friendly culture, process as a priority, and customer-focused metrics. In my experience the ITIL-friendly culture is an especially important one, as the implementation of a service and process orientation in an organization that is used to thinking in functional silos has a considerable impact on both staff and managers. And changing a culture is a time-consuming process and may thus collide with ambitious targets like ‘we are going to implement ITIL within the next six months’. Hence the disappointment in some cases.

Some of the same risks and challenges may arise when implementing (parts of) CobiT and ISO/IEC 27002, as these are also extensive frameworks. CobiT covers both strategic governance (e.g. IT value management) and more operational IT management (e.g. managing service calls). ITIL’s original focus was more on the operational aspects of IT (the ‘service support’ and ‘service delivery’ processes), but with version 3 the framework also added more strategic topics, resulting in even more overlap with CobiT. While both CobiT and ITIL cover security management, ISO/IEC 27002 provides much more detail and is therefore widely adopted by any IT function where security is considered to be a risk factor that has to be mitigated. More information on the overlap and alignment of CobiT, ITIL v3 and ISO/IEC 27002 can be found here. It is a management briefing of 130 pages, which gives an indication of the extensive scope and complexity of these models.

Embedded in the broad scope and complexity is one major strategic risk: compliance with the model itself tends in time to overshadow the original purpose of the implementation. So much effort and time is invested in the implementation that IT becomes inward looking, while the core of most frameworks is making IT more externally focused. The risk of internal focus is given momentum by two other factors: the CFO tightening the resource tap, and the increased dynamics and complexity of the business demand. Fewer resources means paying a lot of attention to initiatives to enhance internal efficiency, while the natural defense against contracting forces is building a (paper) shield. In the words of Mintzberg (1991[FZ3]): ‘Organisations that have to reconcile contradictory forces, especially in dealing with change, often turn to the co-operative force of ideology or the competitive force of politics’. And this is not without pitfalls, as Mintzberg continues that an ideology encourages the members of an organisation ‘to look inward – to take their lead from the organization’s own vision’.

What does not help is the focus of most frameworks on activities and the accompanying forms, reports and other pieces of paper, while the business is mostly interested in results: results from a business perspective (99,9% of transactions processed flawlessly), not an IT perspective (e.g. we closed 20 incidents today). Schaffer and Thomson (1992[FZ4]) and Mastenbroek (1997[FZ5]) are also convinced that improvement programs that focus solely on structures and systems (= frameworks and tools) don’t necessarily lead to increased performance. In the words of Mastenbroek: ‘the more the organisational change is linked to improvements in the output, the better’. Within this context, Schaffer and Thomson distinguish between ‘activity centered’ and ‘result driven’ transformation. Some of the typical characteristics of both approaches are summarized in the table.

 

| ‘Activity centred transformation’ | ‘Result driven transformation’ |
| --- | --- |
| Often too ambitious, large-scaled and diffused. Not oriented towards achieving specific outputs, resulting in misleading performance measurements. | Forces management to prioritise its targets and the necessary means to achieve them. |
| Preference for orthodox approach instead of empirical. | Empirical tests show what works and what doesn’t. |
| Focus on long term, not on results. | Frequent reinforcement by the management provides the transformation with new energy. |
| Controlled by staff departments and consultants. | Management creates an ongoing learning process by leveraging lessons learned in previous phases and using new insights when designing and implementing the next phase. |

As a result, many IT departments have entrenched themselves behind formal procedures and templates to structure the communication with the business, with the business being the ‘client’ and IT being referred to as the ‘supplier’. That is all well and good in a static environment, but a recipe for an out-of-business signboard in a highly competitive one, as the Entrepreneurial IT requires a fundamentally different approach.

[Note: this is another small piece of the book I’m writing]

 


Literature:


[FZ1] ITIL and the creation of benefits: an empirical study on benefits, challenges and processes, 18th European Conference on Information Systems, Marrone, Mauricio, Kolbe, Lutz M.

[FZ2] Justifications, Strategies, and Critical Success Factors in Successful ITIL Implementations in U.S. and Australian Companies: An Exploratory Study, Carol Pollard; Aileen Cater-Steel, Information Systems Management, Volume 26, Issue 2, 2009, Pages 164–175.

[FZ3] The effective Organization: Forces and Forms, Henry Mintzberg, Sloan Management Review, Winter 1991, Volume 32, number 2.

[FZ4] Successful Change Programs Begin with Results, Schaffer R. H., Thomson H. A., Harvard Business Review, January-February 1992.

[FZ5] Mastenbroek, W. Verandermanagement. Holland Business Publications, 1997.
