INNOTRAIN IT. IT Service Management Methods and Frameworks Systematization

Transcription

1 INNOTRAIN IT IT Service Management Methods and Frameworks Systematization July 2010

2 Content So much of what we call management consists in making it difficult for people to work. Peter F. Drucker Authors Heilbronn University, Germany Philipp Küller Cracow University of Economics, Poland Mariusz Grabowski Westmoravian College Trebic PetrSameš Bond University Marcus Vogt I

3 Content Content CONTENT LIST OF ABBREVIATIONS LIST OF FIGURES LIST OF TABLES ABSTRACT II IV VI VII VIII 1 INTRODUCTION 2 2 METHODOLOGY 3 3 STRATEGIC FRAMEWORKS Val IT 5 4 TACTICAL FRAMEWORKS CobiT 7 5 OPERATIONAL FRAMEWORKS (PUBLICDOMAIN) IT Infrastructure Library Business Process Framework 38 6 OPERATIONAL FRAMEWORKS (NON-PUBLIC DOMAIN) Microsoft Operations Framework 46 7 RELATED CONCEPTS Calder-Moir ICT Governance Framework Risk IT Capability Maturity Model Integration The Open Group Architecture Framework 60 8 ISO STANDARDS ISO 9000 Series for Quality Management ISO SPICE 65 II

4 Content 8.3 ISO IT Service Management 68 9 CONCLUSION LIMITATIONS 73 BIBLIOGRAPHY GLOSSARY INDEX IX XII XIII III

5 List of Abbreviations List of Abbreviations abs. ADM AI BRM CCTA CI CMDB CMMI CMMI-SVC CobiT CSF CSI CSO DOD DS Ed. Ed. e.g. etom ff. HMSO Ibid. ICT ISACA ISM ISO IT ITGI ITIL ITS ITSCM ITSM itsmf ITU KGI KPI ME MOF MR absolute Architecture Development Method Acquire and Implement Business Relationship Manager Central Communications and Telecommunications Agency Configuration Item Configuration Management Database Capability Maturity Model Integration Capability Maturity Model Integration for Services Control Objectives for Information and Related Technology Critical Success Factor Continual Service Improvement Chief Sourcing Officer US Department of Defense Deliver and Support Edition Editor exempli gratia (lat., for example) enhanced Telecom Operations Map following Her Majesty s Stationery Office Ibidem (lat., the same place) Information and Communication Technology Information Systems Audit and Control Association Information Security Management International Standards Organization Information Technology IT Governance Institute Information Technology Infrastructure Library Information Technology Service IT Service Continuity Management Information Technology Service Management IT Service Management Forum International Telecommunication Union Key Goal Indicator Key Performance Indicator Monitor and Evaluate Microsoft Operations Framework Management Review IV

6 List of Abbreviations NGOSS OGC OLA PM PO RACI SACM SCM SDP SEI SID SIP SKMS SLA SLM SLP SME SMB SMF SPICE SPM TAFIM TAM TM Forum TOGAF UK V New Generation Operations Systems and Software Office of Government Commerce Operational Level Agreement Product Manager Plan and Organise Responsibility Assignment Service Asset and Configuration Management Service Catalogue Management Service Design Package Software Engineering Institute Shared Information/Data Model Service Improvement Plan Service Knowledge Management System Service Level Agreement Service Level Management Service Level Package Small and medium-sized enterprises Small and medium-sized businesses Service Management Function Software Process Improvement and Capability Determination Service Portfolio Management Technical Architecture Framework for Information Management Telecom Application Map TeleManagement Forum The Open Group Architecture Framework United Kingdom Version V

7 List of Figures List of Figures Figure INNOTRAIN IT Knowledge Model 3 Figure "Four Areas" of Val IT 6 Figure CobiT Cube 8 Figure CobiT Maturity Process for Benchmarking 11 Figure Mapping CobiT Processes to ITIL 11 Figure Mapping CobiT Information Criteria and IT Resources to ITIL 12 Figure Mapping CobiT IT Governance Focus to ITIL 12 Figure Mapping CobiT Processes to CMMI 13 Figure Mapping CobiT Information Criteria and IT Resources to CMMI 13 Figure ITIL Service Lifecycle 16 Figure ITIL Complementary Publications 16 Figure ITIL Key Links, Inputs & Outputs of the Service Lifecycle Stages 17 Figure ITIL Core Disciplines with Processes and Functions 18 Figure ITIL 7-Step Improvement Process 34 Figure Implementation of ITIL Areas 36 Figure Business Process Framework Overview 39 Figure Frameworx Integrated Business Architecture 44 Figure IT Service Lifecycle of Microsoft Operations Framework Figure Intersections of MOF and Val IT 51 Figure Intersections of MOF and CobiT 52 Figure Deming s Plan-Do-Check-Act Management Cycle 53 Figure MOF Service Map Example 54 Figure Calder-Moir Framework 56 Figure CobiT - Val IT - Risk IT 58 Figure TOGAF Content Structure 62 Figure TOGAF Architecture Development Cycle 63 Figure ISO / SPICE Overview 65 Figure SPICE Levels 66 Figure SPICE Process Improvement Model 67 Figure ISO Origin and Development 68 Figure ISO Structure and Processes 69 Figure ISO Certification Process 70 Figure ISO Certifications in Central Europe 70 Figure ISO Certification Dissemination 71 VI

8 List of Tables List of Tables Table CobiT Generic Maturity Model 10 Table Business Process Framework Strategy, Infrastructure & Product 40 Table Business Process Framework Operations 41 Table MOF Plan Phase Overview 48 Table MOF Deliver Phase Overview 49 Table MOF Operate Phase Overview 50 Table MOF Manage Layer Overview 50 VII

9 Abstract Abstract ITIL, CobiT and Val IT are all well-known abbreviations - but what is behind such letters? As part of INNOTRAIN IT s knowledge concept, this document looks at various information technology service management frameworks and approaches, which are related and relevant for ITSM. The most relevant frameworks like ITIL and CobiT will be evaluated in detail with a strong focus on the needs of small and medium-sized companies. The different perspectives and objectives of the individual frameworks are highlighted; the structure and the individual patterns of the frameworks are presented and explained. Furthermore, an evaluation of the strengths and weaknesses of the framework is provided in each chapter. In addition to the most relevant frameworks, the authors have also included summaries of frameworks, methods, standards and ideas in their considerations that are not original ITSM frameworks, but related to the topic and could provide relevant input for future developed methods. VIII

10 Introduction 1 Introduction Looking at the kitchen team of a star-rated restaurant surely everyone can imagine excellent cooks. Each of these chefs has mastered the craft perfectly - has learned to cut vegetables efficiently and to prepare a beef steak perfectly. Ifall the chefs now acted as single player, they would cook, but not a delicious and cost-covering dish. For a cost-recovery class cuisine, other factors are relevant: a good management for the coordination of activities within the team and a set of tools to share the relevant knowledge between chefs like cookbooks, recipes, order list, but also a common language. The IT organization of a company indicates many parallels. Each employee has his own special skills, knowledge and role (e.g.administrator, developer, etc.) within the organization. Without any kind of coordination, everybody would do the ideal activities for his area, but the overall requirements would be neglected. Also in the case of an IT organization, the Head of Department (or CIO) must coordinate and align the individual activities of his staff. Similar to the example before, countless tools like architecture guidelines, specifications, software etc. are used within the IT department. The various ITSM frameworks can be understood as one of several cookbooks. What "cookbook" is used depends on various factors like the industry, legal requirements or the size of the company. The final decision about the usage and acceptance of a specific cookbook is made by the staff. This document looks at various frameworks - the cookbooks of ITSM. Each of these frameworks (e.g. ITIL) will be awarded by their own characteristics and has a unique perspective on the IT organization.in addition, the authors have also included frameworks, methods, standards and ideas (e.g. ISO 9000) in their considerations that are not original ITSM frameworks, but related to the topic and could provide relevant input for developed methods in the future. 2

11 Methodology 2 Methodology The knowledge model of the INNOTRAIN IT project contains three fundamental pillars. First, in an empirical study many small and medium-sized companies have been interviewed to show the current IT service management and innovation situation in the six project regions in Central Europe (cf. INNOTRAIN IT Survey Report). Figure INNOTRAIN IT Knowledge Model The second pillar on the right side (cf. Figure 3.1-1) is based on 24 case studies created in summer 2010 in Central Europe. Using the case study method, the consortium wants to analyse the current situation of small and medium-sized enterprises (in combination with INNOTRAIN IT Innovation Maturity Report) as well as to collect and share innovative examples between the regions. Each case presents the current situation, the problem and the specific solutions together with some background information about the company, which may allow them to be classified in context. In other words, the case presents the story exactly as the protagonist has seen it, so even with lacking information, unclear answers and missing perspectives. This document serves as a central pillar and provides the available knowledge from research and industry. Many existing and well-known frameworks, models, methods, concepts and ideas have been reviewed and evaluated by the authors. The most relevant (see also INNOTRAIN IT Innovation Maturity Report - Survey Report) have subsequently been included in this document and have been described in great detail: 3

12 Methodology Essentials Structure Functional patterns Intersection with other frameworks Strength and weaknesses Potential simplifications Such more relevant frameworks are for example the IT Infrastructure Library (ITIL) or Control Objectives for Information and Related Technology (CobiT). Other frameworks considered as not so important have not been disregarded. They are also mentioned in this document, but explained on a higher level. 4

13 Strategic Frameworks 3 Strategic Frameworks 3.1 Val IT Marcus Vogt, Bond University Philipp Küller, Heilbronn University Val IT is developed and maintained by the IT Governance Institute (ITGI), which is an independent non-profit research institute affiliated with the Information Systems Audit and Control Association (ISACA). Val IT is an extension framework to COBIT; it focuses on the investment decision and the realization of benefits..., while COBIT focuses on the execution 1 and was developed when the ITGI recognized the need for a framework that sets good practices for the process of value creation. This can be accomplished by providing enterprises with the structure they require to measure, monitor and optimize the realization of business value from their investment in IT. Consequently, the Val IT framework was developed by drawing on the collective experience of a global team of practitioners and academics, existing and emerging practices and methodologies, and a rapidly growing body of research. Although Val IT is quite close to COBIT (see also chapter 4.1), literature or case studies about this framework are scarce. 2 However, the ITGI and other researchers are constantly developing the framework and document-related work to show the effectiveness of Val IT. COBIT helps enterprises understand if projects resulting from the aforementioned investments are being executed correctly, from an IT perspective. Taken together, Val IT and COBIT provide business and IT decision makers with a comprehensive framework for the creation of value from the delivery of high-quality IT-based services. The Risk IT framework published in 2009 by ITGI complements Val IT and COBIT and deepens the critical aspect of risk assessment. Val IT is a comprehensive and pragmatic organizing framework that enables the creation of business value from IT-enabled investments. The close relation to COBIT is also reflected in Val IT s structure, although it can be used without a prior implementation of COBIT. Val IT integrates a set of practical and proven governance principles, processes, practices and supporting guidelines that help boards, executive management teams and other enterprise leaders optimize the realization of value from IT investments. In other words, Val IT helps enterprises understand if they are making the right investments and to decide whether they are optimizing the returns obtained from them. The framework consists of three main processes (Value Governance, Portfolio Management and Investment Management) which are split into 40 Key Management Practices. 1 ITGI IT Governance Institute, Enterprise Value. Governance of IT Investments, The Val IT Framework (2006), Page 7 2 Symons, C., Measuring the Business Value Of IT (2006) 5

14 Strategic Frameworks The ITGI 1 describes these processes as: The goal of Value Governance is to optimize the value of an organization s ICT-enabled investments The goal of Portfolio management is to ensure that an organization s overall portfolio of ICT-enabled investments is aligned with and contributing optimal value to the organization s strategic objectives The goal of Investment Management is to ensure that an organization s individual ICTenabled investment programs deliver optimal value at an affordable cost with a known and acceptable level of risk The framework provides the board and executive managers with a good guideline and supporting practices as to how they should control and monitor their ICT investments to realize business value for their organization. The main goals of Val IT are 3 : Increase the perception and transparency of costs, risks and benefits Increase the likelihood of selecting the right investments with the highest possible return for the organization s objectives Increase the chance of a successful of execution of selected investments so that they realise or exceed the predicted benefits Val IT is primarily targeted at ICT-enabled business investments and process changes, where ICT is the means and the increase of business value is the goal as illustrated in figure 5. Figure "Four Areas" of Val IT 4 Therefore, Val IT fosters a close partnership between IT and the business, with clear and unambiguous accountabilities and measurements another key requirement for effective governance 3. 3 ITGI IT Governance Institute, Enterprise Value. Governance of IT Investments, The Val IT Framework (2006), Page 11 4 Ibid. 6

15 Tactical Frameworks 4 Tactical Frameworks 4.1 CobiT Mariusz Grabowski, Cracow University of Economics 4.1.1Essentials Control Objectives for Information and Related Technology (CobiT) is the most holistic, internationally recognized framework aimed at achieving organizational information technology goals and objectives, developed and maintained since 1996 (current version is 4.1) by IT Governance Institute - an organization tightly cooperating with Information Systems Audit and Control Association (ISACA) 5. Being a model of IT governance and information systems audit and control, CobiT is designed to provide effectiveness and efficiency while mitigating the risks connected with the use of IT based solutions. The framework is fully process-oriented and measurement driven. Its structure provides a definition and measurement tools for assessing IT related organizational control objectives. CobiT evolved as a set of good practices, which confirms its business applicability. The authors of the framework include many practitioners from various corporations and academics from a number of universities. The main documents describing the CobiT rationale, its ideas and structure are: framework, control objectives, management guidelines and maturity models. In the current version of CobiT (4.1) these elements are integrated in one document Structure The CobiT framework, on its highest level, constitutes a three-dimensional structure consisting of: (1) Business requirements (information criteria): effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability, (2) IT resources: applications, information, infrastructure, people and (3) IT processes (structured into domains, processes and people. The relationships between these components are illustrated by a so-called CobiT cube (Figure 4.1-1). 5 ISACA, Information Systems Audit and Control Association, URL: (Access: ) 6 IT Governance Institute, CobiT 4.1, URL: Center/cobit/Documents/CobiT_4.1.pdf (Access: ) 7

16 Tactical Frameworks Figure CobiT Cube 7 All (34) processes are grouped within four domains (each abbreviated by two capital letters): PO AI DS ME Plan and Organise, Acquire and Implement, Deliver and Support Monitor and Evaluate. The PO domain includes 10 processes responsible for the definition, realization and communicating of IT strategy across the organization. These processes are the following: PO1 Define a Strategic IT Plan, PO2 Define the Information Architecture, PO3 Determine Technological Direction, PO4 Define the IT Processes, Organisation and Relationships, PO5 Manage the IT Investment, PO6 Communicate Management Aims and Direction, PO7 Manage IT Human Resources, PO8 Manage Quality, PO9 Assess and Manage IT Risks,PO10 Manage Projects. AI domain groups 7 processes aimed at implementing and procuring the necessary means and resources for implementing IT strategy. AI domain includes the following processes: AI1 Identify Automated Solutions, AI2 Acquire and Maintain Application Software, AI3 Acquire and Maintain Technology Infrastructure, AI4 Enable Operation and Use, AI5 Procure IT Resources, AI6 Manage Changes, AI7 Install and Accredit Solutions and Changes. 7 IT Governance Institute, CobiT 4.1, URL: Center/cobit/Documents/CobiT_4.1.pdf (Access: ) 8

17 Tactical Frameworks The main goal of the DS domain is to deliver defined IT services and is made up of the following 13 processes: DS1 Define and Manage Service Levels, DS2 Manage Third-party Services, DS3 Manage Performance and Capacity, DS4 Ensure Continuous Service, DS5 Ensure Systems Security, DS6 Identify and Allocate Costs, DS7 Educate and Train Users, DS8 Manage Service Desk and Incidents, DS9 Manage the Configuration, DS10 Manage Problems, DS11 Manage Data, DS12 Manage the Physical Environment, DS13 Manage Operations. The last ME domain is designed to assess the quality and compliance of all processes with their control requirements over time. It includes the following 4 processes: ME1 Monitor and Evaluate IT Performance, ME2 Monitor and Evaluate Internal Control, ME3 Ensure Compliance With External Requirements and ME4 Provide IT Governance Functional patterns Each process of every CobiT domain is explained by the following description: 1. Information criteria affected by the process (primary, secondary or not addressed); 2. Control objectives fulfilling defined process goals by critical success factors (CSFs) and measured by key goal indicators (KGIs) and key performance indicators (KPIs) and list of supporting activities (sub-processes); 3. IT resources used by the process; 4. IT governance focus areas: strategic alignment, value delivery, risk management, resource management and performance management each marked if it is primary, secondary or not addressed; 5. Management guidelines including listing of other CobiT processes constituting input and output of the process, RACI chart, describing who is responsible/accountable/consulted and/or informed when performing a specific activity and a detailed chart of goals and metrics. A very crucial issue for CobiT framework is the possibility of benchmarking the current state of the specific process within the organization with the organization s goal and the average within the industry. The tool designed for performing this task is the maturity model. This concept is driven from CMMI (Capability Maturity Model Integration) methodology defined by SEI (Software Engineering Institute) 8 and consists of 6 levels from 0 Non-existent to 5: Optimized. The description of all level characteristics is submitted in (Table 4.1-1). 8 Carnegie Mellon University - Software Engineering Institute, CMMI Related Topics, URL: (Access: ) 9

18 Tactical Frameworks Table CobiT Generic Maturity Model 0 Non-existent Complete lack of any recognizable processes. The enterprise has not even recognized that there is an issue to be addressed. 1 Initial/Ad Hoc There is evidence that the enterprise has recognized that the issues exist and need to be addressed. There are, however, no standardized processes; instead, there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganized. 2 Repeatable, but Intuitive Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and, therefore, errors are likely. 3 Defined Process Procedures have been standardized and documented, and communicated through training. It is mandated that these processes should be followed; however, it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalization of existing practices. 4 Managed and Measurable Management monitors and measures compliance with procedures and takes action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way. 5 Optimized Processes have been refined to a level of good practice, based on the results of continuous improvement and maturity modelling with other enterprises. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt. When using maturity models for benchmarking the specific graphical objects are used as indicated in Figure

19 Tactical Frameworks Figure CobiT Maturity Process for Benchmarking 9 For every CobiT process a specific maturity model taking into account process peculiarities is provided Intersections with other frameworks CobiT as the most holistic IT/IS framework concentrates more on what to do than on how to do it. For this reason it delegates how-to-do related issues to other tools, frameworks and methodologies. There are various documents within the CobiT library describing the mapping of CobiT concepts and structure to other frameworks and standards. These documents include mapping CobiT to: ITIL, PMBOOK, CMMI, ISO 17799, TOGAF and others. Below are some main concepts connected with CobiT mapping to other frameworks mentioned in this document: ITIL and CMMI are described. Figure Mapping CobiT Processes to ITIL 10 9 IT Governance Institute, CobiT 4.1, URL: Center/cobit/Documents/CobiT_4.1.pdf (Access: ) 11

20 Tactical Frameworks CobiT interlaces with ITIL primarily in DS and AI domains; however processes from other domains are also significant to a certain degree. Also other concepts like information criteria, information resources and IT governance focus are mapped to some extent. The following pictures (Figure to Figure 4.1-5) describe CobiT/ITIL mapping in greater detail. Figure Mapping CobiT Information Criteria and IT Resources to ITIL 11 Figure Mapping CobiT IT Governance Focus to ITIL 12 CobiT/CMMI mapping is concerned with some concepts pertaining to process improvement for development activities, the implementation, acquisition and maintenance of systems and software products. CobiT also widely utilizes original CMMI concept e.g. maturity models. 10 IT Governance Institute, CobiT Mapping (ITIL), URL: Center/Research/Documents/Mapping-ITILV3-With-COBIT-4.pdf (Access: ) 11 Ibid. 12 Ibid. 12

21 Tactical Frameworks CMMI maps all processes of the AI domain and some processes of remaining domains. Also other concepts like information criteria and information resources are mapped to some extent. The following pictures describe CobiT/CMMI mapping in a greater detail. Figure Mapping CobiT Processes to CMMI 13 Figure Mapping CobiT Information Criteria and IT Resources to CMMI 14 It is worth noticing that neither ITIL nor CMMI are CobiT alternatives but rather frameworks that help to fulfil CobiT requirements at a lower level. 13 IT Governance Institute, CobiT Mapping (CMMI), URL: Center/Research/Documents/CMMI-Mapping-With-COBIT-FINAL-Research.pdf (Access: ) 14 Ibid. 13

22 Tactical Frameworks Strength / weaknesses The main CobiT strengths are holism and process and measurement orientation, which are the heritage of its origin information systems audit and control community. The other important advantage is balancing the effectiveness and efficiency of IT/IS systems being aligned with strategic business objectives of an organization on one hand, and on the other, mitigating the risks of using IT arriving from environment and compliance regulations. The main disadvantage is its complexity. The high interdependence of processes and concepts makes its implementation very difficult especially in small organization. The high level of framework concentrating on what rather than on how demands the joint use of other more detailed frameworks Potential simplification The complexity of CobiT makes it inconvenient for application in SMEs. In order to overcome this deficiency a specialized tool, CobiT Quickstart 15 is provided which simplifies the standard model. As compared to CobiT 4.1 which includes four domains, 34 processes and 210 control objectives CobiT Quickstart includes the same number of domains, 32 processes and a significantly lower number of control objectives 59 and a simplified version of the RACI chart. The simplified version of CobiT is called a baseline and expresses smart things to do. CobiT Quickstart baseline is built on the following assumptions 16 : (1) The IT infrastructure is not complex; (2) More complex tasks are outsourced; (3) The goal is less build, more buy; (4) Limited in-house IT skills exist; (5) Risk tolerance is relatively high; (6) The enterprise is very cost-conscious; (7) A simple command structure is in place; (8) A short span of control exists. CobiT baseline can be used without modification or can be used as a starting point for a more advanced IT/IS control/governance framework. CobiT provides two assessment tools Stay in Blue Zone and Watch the Heat helping to determine whether an organization should use the standard CobiT model or CobiT Quickstart. 15 ITGI - IT Governance Institute, CobiT Quickstart (2007) 16 Ibid. 14

23 Operational Frameworks (PublicDomain) 5 Operational Frameworks (PublicDomain) 5.1 IT Infrastructure Library PetrSameš, Westmoravian College Trebic Essentials ITIL is a public framework that describes Best Practice in IT service management. It provides a framework for the governance of IT, the service wrap, and focuses on the continual measurement and improvement of the quality of IT service delivered, from both a business and a customer perspective. This focus is a major factor in ITIL s worldwide success and has contributed to its prolific usage and to the key benefits obtained by those organizations deploying the techniques and processes throughout their organizations. Some of these benefits include: increased user and customer satisfaction with IT services improved service availability, directly leading to increased business profits and revenue financial savings from reduced rework, lost time, enhanced resource management and usage shorter time to market for new products and services improved decision making and optimized risk. ITIL was published between 1989 and 1995 by Her Majesty s Stationery Office (HMSO) in the UK on behalf of the Central Communications and Telecommunications Agency (CCTA) now subsumed within the Office of Government Commerce (OGC). Its early use was principally confined to the UK and Netherlands. A second version of ITIL was published as a set of revised books between 2000 and The initial version of ITIL consisted of a library of 31 associated books covering all aspects of IT service provision. This initial version was then revised and replaced by seven, more closely connected and consistent books (ITIL V2) consolidated within an overall framework. This second version became universally accepted and is now used in many countries by thousands of organizations as the basis for effective IT service provision. In 2007, ITIL V2 was superseded by an enhanced and consolidated third version of ITIL, consisting of five core books covering the service lifecycle, together with the Official Introduction. The five core books cover each stage of the service lifecycle (Figure ITIL Service Lifecycle) from the initial definition and analysis of business requirements in Service Strategy and Service Design, through migration into the live environment within Service Transition, to live operation and improvement in Service Operation and Continual Service Improvement. 15

24 Operational Frameworks (PublicDomain) Figure ITIL Service Lifecycle The five books are described in more detail in the following. A sixth book, the official introduction, offers an overview of the five books and an introduction to IT Service Management as a whole. The core books are the starting point for ITIL V3. It is intended that the content of these core books will be enhanced by additional complementary publications and by a set of supporting web services (Figure 5.1-2). Figure ITIL Complementary Publications 16

25 Operational Frameworks (PublicDomain) All service solutions and activities should be driven by business needs and requirements. Within this context they must also reflect the strategies and policies of the service provider organization, as indicated in Figure Figure ITIL Key Links, Inputs & Outputs of the Service Lifecycle Stages The diagram illustrates how the service lifecycle is initiated from a change in requirements in the business. These requirements are identified and agreed within the Service Strategy stage within a Service Level Package (SLP) and a defined set of business outcomes. This passes to the Service Design stage where a service solution is produced together with a Service Design Package (SDP) containing everything necessary to take this service through the remaining stages of the lifecycle. The SDP passes to the Service Transition stage, where the service is evaluated, tested and validated, the Service Knowledge Management System (SKMS) is updated, and the service is transitioned into the live environment, where it enters the Service Operation stage. Wherever possible, Continual Service Improvement identifies opportunities for the improvement of weaknesses or failures anywhere within any of the lifecycle stages Es ist eine ungültige Quelle angegeben. 17

26 Operational Frameworks (PublicDomain) Structure The current version of ITIL (Version 3) provides a Service Lifecycle structure and is organized into five high-level core disciplines described in five core books: 1. Service Strategy 2. Service Design 3. Service Transition 4. Service Operation 5. Continual Service Improvement ITIL V3 is best understood as seeking to implement feedback-loops by arranging processes in a circular way. This means also, that the old structure of Version 2 was replaced, but most processes and function are still available in V3. The figure below shows an overview of the 5 core disciplines and their related processes and functions. Figure ITIL Core Disciplines with Processes and Functions 18

27 Operational Frameworks (PublicDomain) Functional patterns Service Strategy The service strategy of any service provider must be grounded upon a fundamental acknowledgement that its customers do not buy products, they buy the satisfaction of particular needs. Therefore, to be successful, the services provided must be perceived by the customer to deliver sufficient value in the form of outcomes that the customer wants to achieve. Achieving a deep understanding of customer needs, in terms of what these needs are, and when and why they occur, also requires a clear understanding of exactly who is an existing or potential customer of that service provider. This, in turn, requires the service provider to understand the wider context of the current and potential market places that the service provider operates in, or may wish to operate in. A service strategy cannot be created or exist in isolation from the over-arching strategy and culture of the organization that the service provider belongs to. The service provider may exist within an organization solely to deliver service to one specific business unit, to service multiple business units, or may operate as an external service provider serving multiple external businesses. The strategy adopted must provide sufficient value to the customers and all of the service provider s stakeholders it must fulfil the service provider s strategic purpose. Irrespective of the context in which the service provider operates, its service strategy must also be based upon a clear recognition of the existence of competition, an awareness that each side has choices, and a view of how that service provider will differentiate itself from the competition. All providers need a service strategy. Hence, the Service Strategy publication sits at the core of the ITIL V3 lifecycle. It sets out guidance to all IT service providers and their customers, to help them operate and thrive in the long term by building a clear service strategy, i.e. a precise understanding of: what services should be offered who the services should be offered to how the internal and external market places for their services should be developed the existing and potential competition in these marketplaces, and the objectives that will differentiate the value of what you do or how you do it how the customer(s) and stakeholders will perceive and measure value, and how this value will be created how customers will make service sourcing decisions with respect to the use of different types of service providers how visibility and control over value creation will be achieved through financial management 19

28 Operational Frameworks (PublicDomain) how robust business cases will be created to secure strategic investment in service assets and service management capabilities how the allocation of available resources will be tuned to optimal effect across the portfolio of services how service performance will be measured Key Concepts The Service Strategy publication defines some key ITIL concepts. The four Ps of Strategy: perspective: the distinctive vision and direction position: the basis on which the provider will compete plan: how the provider will achieve their vision pattern: the fundamental way of doing things distinctive patterns in decisions and actions over time. Competition and Market Space: every service provider is subject to competitive forces all service providers and customers operate in one or more internal or external market spaces. The service provider must strive to achieve a better understanding than its competitors of the dynamics of the market space, its customers within it, and the combination of critical success factors that are unique to that market space. Service Value: defined in terms of the customer s perceived business outcomes, and described in terms of the combination of two components: Service Utility: what the customer gets in terms of outcomes supported and/or constraints removed Service Warranty: how the service is delivered and its fitness for use, in terms of availability, capacity, continuity and security. Service Value also includes the associated concepts of services as Assets, Value Networks, Value Creation and Value Capture. Service Provider Types: Type I: exists within an organization solely to deliver service to one specific business unit Type II: services multiple business units in the same organization Type III: operates as an external service provider serving multiple external customers. 20

29 Operational Frameworks (PublicDomain) Service Management as a Strategic Asset: the use of ITIL to transform service management capabilities into strategic assets, by using Service Management to provide the basis for core competency, distinctive performance and durable advantage, and increase the service provider s potential from their: capabilities: the provider s ability (in terms of management, organization, processes, knowledge and people) to coordinate, control and deploy resources resources: the direct inputs for the production of services, e.g. financial, capital, infrastructure, applications, information and people. Critical Success Factors (CSFs):the identification, measurement and periodic review of CSFs to determine the service assets required to successfully implement the desired service strategy. Service Oriented Accounting: using financial management to understand services in terms of consumption and provisioning, and achieve translation between corporate financial systems and service management. Service Provisioning Models: categorization and analysis of the various models that may be selected by customers and used by service providers to source and deliver services, and the financial management impacts of on-shore, off-shore or near-shore variants: Managed Service: where a business unit requiring a service fully funds the provision of that service for itself Shared Service: the provisioning of multiple services to one or more business units through shared infrastructure and resources Utility: services are provided on the basis of how much is required by each customer, how often, and at what times the customer needs them. Organization Design and Development: achieving an on-going shape and structure to the service provider s organization that enables the service strategy. Considerations include: Organizational Development Stages: delivering services through network, direction, delegation, coordination or collaboration depending on the evolutionary state of the organization Sourcing Strategy: making informed decisions on service sourcing in terms of internal services, shared services, full service outsourcing, prime consortium or selective outsourcing Service Analytics: using technology to help achieve an understanding of the performance of a service through analysis Service Interfaces: the mechanisms by which users and other processes interact with each service Risk Management: mapping and managing the portfolio of risks underlying a service portfolio 21

30 Operational Frameworks (PublicDomain) Key Processes and Activities In addition to Strategy Generation, Service Strategy also includes the following key processes. Financial Management Financial Management covers the function and processes responsible for managing an IT service provider s budgeting, accounting and charging requirements. It provides the business and IT with the quantification, in financial terms, of the value of IT services, the value of the assets underlying the provisioning of those services, and the qualification of operational forecasting. IT Financial Management responsibilities and activities do not exist solely within the IT finance and accounting domain. Many parts of the organization interact to generate and use IT financial information; aggregating, sharing and maintaining the financial data they need, enabling the dissemination of information to feed critical decisions and activities. Service Portfolio Management (SPM) SPM involves the proactive management of the investment across the service lifecycle, including those services in the concept, design and transition pipeline, as well as live services defined in the various service catalogues and retired services. SPM is an on-going process, which includes the following: Define: inventory services, ensure business cases and validate portfolio data Analyse: maximize portfolio value, align and prioritize and balance supply and demand Approve: finalize proposed portfolio, authorize services and resources Charter: communicate decisions, allocate resources and charter services. Demand Management Demand management is a critical aspect of service management. Poorly managed demand is a source of risk for service providers because of uncertainty in demand. Excess capacity generates cost without creating value that provides a basis for cost recovery. The purpose of Demand Management is to understand and influence customer demand for services and the provision of capacity to meet these demands. At a strategic level this can involve analysis of patterns of business activity and user profiles. At a tactical level it can involve use of differential charging to encourage customers to use IT services at less busy times. A Service Level Package (SLP) defines the level of utility and warranty for a Service Package and is designed to meet the needs of a pattern of business activity. 22

31 Operational Frameworks (PublicDomain) Key Roles and Responsibilities The Service Strategy publication defines some specific roles and responsibilities associated with the execution of a successful service strategy, including: Business Relationship Manager (BRM): BRMs establish a strong business relationship with the customer by understanding the customer's business and their customer outcomes. BRMs work closely with Product Managers to negotiate productive capacity on behalf of customers. Product Manager (PM): PMs take responsibility for developing and managing services across the life-cycle, and have responsibilities for productive capacity, service pipeline, and the services, solutions and packages that are presented in the service catalogues. Chief Sourcing Officer (CSO): the CSO is the champion of the sourcing strategy within the organization, responsible for leading and directing the sourcing office and the development of the sourcing strategy in close conjunction with the CIO Service Design Service Design is a stage within the overall service lifecycle and an important element within the business change process. The role of Service Design within the business change process can be defined as: The design of appropriate and innovative IT services, including their architectures, processes, policies and documentation, to meet current and future agreed business requirements. The main goals and objectives of Service Design are to: design services to meet agreed business outcomes design processes to support the service lifecycle identify and manage risks design secure and resilient IT infrastructures, environments, applications and data/information resources and capability design measurement methods and metrics produce and maintain plans, processes, policies, standards, architectures, frameworks and documents to support the design of quality IT solutions develop skills and capability within IT contribute to the overall improvement in IT service quality. Key Principles Service Design starts with a set of business requirements, and ends with the development of a service solution designed to meet documented business requirements and outcomes and to provide a Service Design Package (SDP) for handover to Service Transition. 23

32 Operational Frameworks (PublicDomain) There are 5 individual aspects of Service Design: new or changed service solutions service management systems and tools, especially the Service Portfolio technology architectures and management systems processes, roles and capabilities measurement methods and metrics. Good service design is dependent upon the effective and efficient use of the Four Ps of Design : people: the people, skills and competencies involved in the provision of IT services products: the technology and management systems used in the delivery of IT services processes: the processes, roles and activities involved in the provision of IT services partners: the vendors, manufacturers and suppliers used to assist and support IT service provision. Key Processes and Activities Service Catalogue Management (SCM) The Service Catalogue provides a central source of information on the IT services delivered to the business by the service provider organization, ensuring that business areas can view an accurate, consistent picture of the IT services available, their details and status. The purpose of Service Catalogue Management (SCM) is to provide a single, consistent source of information on all of the agreed services, and ensure that it is widely available to those who are approved to access it. The key information within the SCM process is that contained within the Service Catalogue. The main input for this information comes from the Service Portfolio and the business via either the Business Relationship Management or the Service Level Management processes. Service Level Management (SLM) SLM negotiates, agrees and documents appropriate IT service targets with the business, and then monitors and produces reports on delivery against the agreed level of service. The purpose of the SLM process is to ensure that all operational services and their performance are measured in a consistent, professional manner throughout the IT organization, and that the services and the reports produced meet the needs of the business and customers. 24

33 Operational Frameworks (PublicDomain) The main information provided by the SLM process includes Service Level Agreements (SLA), Operational Level Agreements (OLA) and other support agreements, and the production of the Service Improvement Plan (SIP) and the Service Quality Plan. Capacity Management Capacity Management includes business, service and component capacity management across the service lifecycle. A key success factor in managing capacity is ensuring that it is considered during the design stage. The purpose of Capacity Management is to provide a point of focus and management for all capacity and performance-related issues, relating to both services and resources, and to match the capacity of IT to the agreed business demands. Availability Management The purpose of Availability Management is to provide a point of focus and management for all availability-related issues, relating to services, components and resources, ensuring that availability targets in all areas are measured and achieved, and that they match or exceed the current and future agreed needs of the business in a cost-effective manner. IT Service Continuity Management (ITSCM) As technology is a core component of most business processes, the continued or high availability of IT is critical to the survival of the business as a whole. This is achieved by introducing risk reduction measures and recovery options. On-going maintenance of the recovery capability is essential if it is to remain effective. The purpose of ITSCM is to maintain the appropriate on-going recovery capability within IT services to match the agreed needs, requirements and timescales of the business. Information Security Management (ISM) ISM needs to be considered within the overall corporate governance framework. Corporate governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are being managed appropriately, and verifying that the enterprise s resources are used effectively. The purpose of the ISM process is to align IT security with business security and ensure that information security is effectively managed in all service and Service Management activities. 25

34 Operational Frameworks (PublicDomain) Supplier Management The Supplier Management process ensures that suppliers and the services they provide are managed to support IT service targets and business expectations. The purpose of the Supplier Management process is to obtain value for money from suppliers and to ensure that suppliers perform to the targets contained within their contracts and agreements, while conforming to all of the terms and conditions. Key Service Design stage activities Business requirements collection, analysis and engineering to ensure they are clearly documented. Design and development of appropriate service solutions, technology, processes, information and measurements. Production and revision of all design processes and documents involved in Service Design. Liaison with all other design and planning activities and roles. Production and maintenance of policies and design documents. Risk management of all services and design processes. Alignment with all corporate and IT strategies and policies. Key Roles and Responsibilities The key roles involved within Service Design activities and processes are: Service Design Manager: responsible for the overall coordination and deployment of quality solution designs for services and processes IT Designer/Architect: responsible for the overall coordination and design of the required technologies, architectures, strategies, designs and plans Service Catalogue Manager: responsible for producing and maintaining an accurate Service Catalogue Service Level Manager: responsible for ensuring that the service quality levels are agreed and met Availability Manager: responsible for ensuring that all services meet their agreed availability targets IT Service Continuity Manager Service Transition The role of Service Transition is to deliver services that are required by the business into operational use. Service Transition delivers this by receiving the Service Design Package from the 26

35 Operational Frameworks (PublicDomain) Service Design stage and delivering into the Operational stage every necessary element required for the on-going operation and support of that service. If business circumstances, assumptions or requirements have changed since design, then modifications may well be required during the Service Transition stage in order to deliver the required service. Service Transition focuses on implementing all aspects of the service, not just the application and how it is used in normal circumstances. It needs to ensure that the service can operate in foreseeable extreme or abnormal circumstances, and that support for failure or errors is available. This requires sufficient understanding of: potential business value and who it is delivered to/judged by identification of all stakeholders within supplier, customer and other areas application and adaptation of service design, including arranging for modification of the design, where the need is detected during transition. Key Principles Service Transition is supported by underlying principles that facilitate effective and efficient use of new/changed services. Key principles include: Understanding all services, their utility and warranties - to transition a service effectively it is essential to know its nature and purpose in terms of the outcomes and/or removed business constraints (utilities) and the assurances that the utilities will be delivered (warranties). Establishing a formal policy and common framework for implementation of all required changes - consistency and comprehensiveness ensure that no services, stakeholders, occasions etc. are missed out and so cause service failures. Supporting knowledge transfer, decision support and re-use of processes, systems and other elements effective Service Transition is delivered by involving all relevant parties, ensuring appropriate knowledge is available and that work done is reusable in future similar circumstances. Anticipating and managing course corrections being proactive and determining likely course correction requirements, and when elements of a service do need to be adjusted, this is undertaken logically and is fully documented. Ensuring involvement of Service Transition and Service Transition requirements throughout the service lifecycle. 27

36 Operational Frameworks (PublicDomain) Key Processes and Activities Within the Service Transition process set, some of the processes most important to Service Transition are whole lifecycle processes and have impact, input and monitoring and control considerations across all lifecycle stages. The whole lifecycle processes are: Change Management Service Asset and Configuration Management Knowledge Management. Processes focused on Service Transition, but not exclusive to the stage, are: Transition Planning and Support Release and Deployment Management Service Validation and Testing Evaluation. Change Management Change Management ensures that changes are recorded, evaluated, authorized, prioritized, planned, tested, implemented, documented and reviewed in a controlled manner. The purpose of the Change Management process is to ensure that standardized methods are used for the efficient and prompt handling of all changes, that all changes are recorded in the Configuration Management System and that overall business risk is optimized. The process addresses all service changes. A Service Change is the addition, modification or removal of an authorised, planned or supported service or service component and its associated documentation. Change management delivers to the business reduced errors in new or changed services and faster, more accurate implementation of changes; it allows restricted funds and resources to be focused on those changes to achieve the greatest benefit to the business. Service Asset and Configuration Management (SACM) SACM supports the business by providing accurate information and control across all assets and relationships that make up an organization s infrastructure. The purpose of SACM is to identify, control and account for service assets and configuration items (CI), protecting and ensuring their integrity across the service lifecycle. 28

37 Operational Frameworks (PublicDomain) Knowledge Management The purpose of Knowledge Management is to ensure that the right person has the right knowledge, at the right time to deliver and support the services required by the business. This delivers: more efficient services with improved quality a clear and common understanding of the value provided by services relevant information that is always available. Transition Planning and Support The goals of Transition Planning and Support are to: plan and coordinate resources to ensure that the requirements of Service Strategy encoded in Service Design are effectively realized in Service Operations identify, manage and control the risks of failure and disruption across transition activities. Release and Deployment Management The goal of the Release and Deployment Management process is to assemble and position all aspects of services into production and establish the effective use of new or changed services. Effective release and deployment delivers significant business value by delivering changes at optimized speed, risk and cost, and offering a consistent, appropriate and auditable implementation of usable and useful business services. Service Validation and Testing Successful testing depends on understanding the service holistically how it will be used and the way it is constructed. All services whether in-house or bought-in will need to be tested appropriately, providing validation that business requirements can be met in the full range of expected situations, to the extent of agreed business risk. The key purpose of service validation and testing is to provide objective evidence that the new/changed service supports the business requirements, including the agreed SLAs. The service is tested explicitly against the utilities and warranties set out in the service design package, including business functionality, availability, continuity, security, usability and regression testing. Evaluation Ensuring that the service will be useful to the business is central to successful Service Transition and this extends to ensuring that the service will continue to be relevant by establishing appropriate metrics and measurement techniques. Evaluation considers the input to Service Transition, addressing the relevance of the service design, the transition approach itself, and the suitability of the new or changed service for the actual operational and business environments encountered and expected. 29

38 Operational Frameworks (PublicDomain) Service Transition Stage Operational Activities Service Transition is also the focus for some operational activities. These have a wider applicability than Service Transition and comprise: managing communications and commitment across IT Service Management managing organizational and stakeholder change stakeholder management organization of Service Transition and key roles. Key Roles and Responsibilities The staff delivering Service Transition within an organization must be organized for effectiveness and efficiency, and various options exist to deliver this. It is not anticipated that a typical organization would consider a separate group of people for this role, rather there is a flow of experience and skills meaning the same people may well be involved in multiple lifecycle stages Service Operation The purpose of Service Operation is to deliver agreed levels of service to users and customers, and to manage the applications, technology and infrastructure that support delivery of the services. It is only during this stage of the lifecycle that services actually deliver value to the business, and it is the responsibility of Service Operation staff to ensure that this value is delivered. It is important for Service Operation to balance conflicting goals: internal IT view versus external business view stability versus responsiveness quality of service versus cost of service reactive versus proactive activities. For each of these conflicts, staff must maintain an even balance, as excessive focus on one side of any of these will result in poor service. Key processes and activities Event Management Process An event is a change of state that has significance for the management of a configuration item or IT service. An event may indicate that something is not functioning correctly, leading to an incident being logged. Events may also indicate normal activity, or a need for routine intervention such as changing a tape. 30

39 Operational Frameworks (PublicDomain) Event management depends on monitoring, but it is different. Event management generates and detects notifications, whilst monitoring checks the status of components even when no events are occurring. Incident Management Process An incident is an unplanned interruption to an IT service, or a reduction in the quality of an IT service. Failure of a configuration item that has not yet impacted service is also an incident. The purpose of Incident Management is to restore normal service as quickly as possible, and to minimize the adverse impact on business operations. Request Fulfilment Process A service request is a request from a user for information or advice, or for a standard change, or for access to an IT service. The purpose of Request Fulfilment is to enable users to request and receive standard services; to source and deliver these services; to provide information to users and customers about services and procedures for obtaining them; and to assist with general information, complaints and comments. Access Management Process The purpose of the Access Management process is to provide the rights for users to be able to access a service or group of services, while preventing access to non-authorized users. Access Management helps to manage confidentiality, availability and integrity of data and intellectual property. Problem Management Process A problem is a cause of one or more incidents. The cause is not usually known at the time a problem record is created, and the problem management process is responsible for further investigation. The key objectives of Problem Management are to prevent problems and resulting incidents from happening, to eliminate recurring incidents and to minimize the impact of incidents that cannot be prevented. Common Service Operation Activities Service Operation includes a number of activities that are not part of the five processes described. Key Functions Service Desk Function The Service Desk provides a single central point of contact for all users of IT. The Service Desk usually logs and manages all incidents, service requests and access requests and provides an interface for all other Service Operation processes and activities. 31

40 Operational Frameworks (PublicDomain) Specific Service Desk responsibilities include: logging all incidents and requests, categorizing and prioritizing them first-line investigation and diagnosis managing the lifecycle of incidents and requests, escalating as appropriate and closing them when the user is satisfied keeping users informed of the status of services, incidents and requests. There are many ways of structuring and organizing service desks, including: local service desk: physically close to the users centralized service desk: allows fewer staff to deal with a higher volume of calls virtual service desk: staff are in many locations but appear to the users to be a single team follow the sun: Service Desks in different time zones give 24-hour coverage by passing calls to a location where staff are working. Technical Management Function Technical Management includes all the people who provide technical expertise and management of the IT infrastructure. Technical Management helps to plan, implement and maintain a stable technical infrastructure and ensure that the required resources and expertise are in place to design, build, transition, operate and improve the IT services and supporting technology. Activities carried out by Technical Management include: identifying knowledge and expertise requirements defining architecture standards involvement in the design and building of new services and operational practices contributing to service design, service transition or continual service improvement projects assistance with service management processes, helping to define standards and tools, and undertaking activities such as the evaluation of change requests assistance with the management of contracts and vendors. Technical Management is usually organized based on the infrastructure that each team supports. Application Management Function Application Management includes all the people who provide technical expertise and the management of applications. As such they carry out a very similar role to Technical Management, but with a focus on software applications rather than infrastructure. 32

41 Operational Frameworks (PublicDomain) IT Operations Management Function IT Operations Management is responsible for the management and maintenance of the IT infrastructure required to deliver the agreed level of IT services to the business. It includes two functions: IT Operations Control is usually staffed by shifts of operators who carry out routine operational tasks. They provide centralized monitoring and control, usually from an operations bridge or network operations centre. Facilities Management is responsible for the management of data centres, computer rooms and recovery sites. Facilities Management also coordinates large-scale projects, such as data centre consolidation or server consolidation Continual Service Improvement Continual Service Improvement (CSI) is concerned with maintaining value for customers through the continual evaluation and improvement of the quality of services and the overall maturity of the ITSM service lifecycle and underlying processes. CSI combines principles, practices and methods from quality management, change Management and capability improvement, working to improve each stage in the service lifecycle, as well as the current services, processes, and related activities and technology. Key processes and activities CSI defines three key processes for the effective implementation of continual improvement, the 7- Step Improvement Process, Service Measurement, and Service Reporting. 7-Step Improvement Process The 7-step improvement process (Figure 5.1-5) covers the steps required to collect meaningful data, analyse this data to identify trends and issues, present the information to management for their prioritization and agreement, and implement improvements. 33

42 Operational Frameworks (PublicDomain) Figure ITIL 7-Step Improvement Process Service Measurement There are four basic reasons to monitor and measure, to: validate previous decisions that have been made direct activities in order to meet set targets - this is the most prevalent reason for monitoring and measuring justify that a course of action is required, with factual evidence or proof intervene at the appropriate point and take corrective action. Monitoring and measurement underpins CSI and the 7-Step Improvement Process, and is an essential part of being able to manage services and processes, and report value to the business. Many organizations today measure at the component level, and although this is necessary and valuable, service measurement must go up a level to provide a view of the true customer experience of services being delivered. There are three types of metrics that an organization needs to collect to support CSI activities as well as other process activities. Technology metrics: often associated with component and application based metrics such as performance, availability. Process metrics: captured in the form of Critical Success Factors (CSFs), Key Performance Indicators (KPIs) and activity metrics. Service metrics: the results of the end-to-end service. 34

43 Operational Frameworks (PublicDomain) Component/technology metrics are used to compute the service metrics. An integrated Service Measurement Framework needs to be put in place that defines and collects the required metrics and raw data, and supports the reporting and interpretation of that data. Service Reporting A significant amount of data is collated and monitored by IT in the daily delivery of quality service to the business, but only a small subset is of real interest and importance to the business. The business likes to see a historical representation of the past period s performance that portrays their experience, but it is more concerned with those historical events that continue to be a threat going forward, and how IT intends to mitigate such threats. Key Roles and Responsibilities Whilst a CSI Manager is responsible for the overall CSI activities within an organization, the majority of the detailed improvement related work is carried out within each of the lifecycle stages, processes and activities Intersections with other frameworks The IT Infrastructure Library was one of the first frameworks for the management of services. It is the basis for many derived frameworks, architectures and standards that were developed afterwards. The relevant standard ISO (cf. chapter 8.3) is very equivalent and aligned to ITIL and vice versa. Manufacturer frameworks like Microsoft Operations Framework (cf. chapter 6.146) have developed based on ITIL or have been later aligned with ITIL. However, not all frameworks use the current version V3 as a basis and are still based on the earlier ITIL V2. The Business Process Framework an operational framework for the telecommunication and media industry described in the following chapter has included some ITIL processes, functions and concepts. It follows therefore a best of both approach. Also frameworks for quality management such as Total Quality Management (TQM) and frameworks for ITSM like CobiT have strong relations to ITIL. COBIT and ITIL provide a top-tobottom approach to IT governance and, thus, service management. COBIT guides management's priorities and objectives within a holistic and complete approach to a full range of IT activities. This can focus all stakeholders (business and IT management, auditors, and IT professionals) on an integrated and common approach. ITIL supports this with best practices for service management. When used together, the power of both approaches is amplified, with a greater likelihood of management support and direction, and a more cost-effective use of implementation resources. 35

44 Operational Frameworks (PublicDomain) Strength / weaknesses The strength of ITIL is that it is the only commonly accepted universal best practice framework and de facto standard for implementing IT Service Management. It is widely used by large enterprises; SME s utilize it more or less seldom or use only some specific parts of ITIL. The reason for this is the complexity of ITIL. As part of an INNOTRAIN IT Innovation Maturity Report, carried out with over 150 CEO s and IT professionals in June and July 2010, the following findings could be documented: ITIL is the bestknown ITSM framework in the six project regions. Therefore, knowledge within IT departments about this framework is pretty good and also the vocabulary of ITIL is often used. The following figure shows different patterns of ITIL and their usage: Figure Implementation of ITIL Areas 1819 Figure shows the different patterns of ITIL and their implementation. Everybody can see at a glance that rarely are all ITIL patterns implemented. The focus of the company is subject to their requirements and, accordingly the preferred patterns are focused on the daily business (Service Desk, Incident Management, Change Management, Problem Management and Configuration Management).This approach of adapting ITIL to their own needs is practiced very well by large companies. However, the best practice approach of ITIL is not often understood correctly by SMEs 18 Schmidt, R., Zepf, M., Dollinger, B., Verbreitung und Nutzen des prozessorientierten IT- Managements - Wo steht ITIL? (2004) 19 Multiple answers possible 36

45 Operational Frameworks (PublicDomain) and IT decision makers take it to mean that they have to implement ITIL completely. As a result change processes will be prevented instead of enabled or supported. It is too easy to consider ITIL just as too bureaucratic and cumbersome. Rather the option to adopt and adapt ITIL should be used and then ITIL provides an ideal guidance and framework to construct and implement one s own processes. Other strengths of ITIL are: a process centric approach a simple and flexible structure the included knowledge and experience of many enterprises worldwide nearly all ITSM tools (e.g. CMDB, helpdesk) support ITIL best practices out of the box the large number of publications and the available expertise In many ITIL certifications the glossary is thought. On the one hand, the huge amount of special words is unpleasant for ITSM newbie s. But on the other hand, as ITIL is known by many people, the ITIL wording is the basis for many other ITSM frameworks and enables the interoperability of frameworks Potential simplification As already described above, ITIL is very often used by large enterprises. Therefore, the features for such enterprises are often an overhead for small and medium-sized enterprises. Therefore, an adapt and adopt approach is definitely essential and some areas like IT Portfolio Management should be considered completely as optional. 37

46 Operational Frameworks (PublicDomain) 5.2 Business Process Framework Philipp Küller, Heilbronn University Essentials The Business Process Framework (also known as enhanced Telecom Operations Map (etom)) is a common companion of ITIL, an equivalent standard or framework for best practices in information technology. It is a broadly deployed and established model / framework for business processes in the information, communications and entertainment industries. The Business Process Framework has been published by the TeleManagement Forum (TM Forum) an international non-profit industry association and has been developed by several hundred member companies of the forum. Members are for example the largest communications service-providers, cable and network operators, software companies, equipment suppliers or system integrators like AT&T, British Telecom or Hewlett-Packard. By tradition in the communications, information and entertainment industry, service providers delivered end-to-end services to their customers. As such, the complete value chain was controlled by a single company, if required via interconnection arrangements with other providers. Nevertheless, in a liberalized market, providers have to react to the customer s increased demands for advanced customer service, as well as to harder competition. Consequently, they have been growing their markets beyond their self-contained borders and expanding their business relationships. The focus of the Business Process Framework is on business processes utilized by providers of services, the linkages between these processes, the identification of interfaces, and the use of customer, service, resource, supplier/partner and other information by multiple processes. The Business Process Framework also takes into account the ever-changing technology mix that the information, communications and entertainment industries are confronted with, by retaining a technology-neutral position, while allowing technology-specific views to be developed. etom describes the full scope of business processes required by a service provider and characterizes the key elements and how the elements interact. As a key part of TeleManagement Forum's Frameworx, the Business Process Framework provides an enterprise-wide view of all the business process areas needed to run a service provider business. End-to-end processes can be created from typical process steps that can then be used as the basis for optimizing costs, automating tasks or working with associates or suppliers. This is done through the characterization of each area of business activity, in the form of process components or process elements that can be decomposed to picture progressive detail. These process elements can then be placed within a model to illustrate functional, organizational and further relationships and can also be pooled within process flows that map out activity paths in the course of the business. 38

47 Operational Frameworks (PublicDomain) Structure The framework provides an enterprise-wide view of all the process areas needed to run a service provider business. At the overall abstract level, the framework can be structured as containing the following three main process areas: Strategy, Infrastructure and Product Operations Enterprise Management The following figure shows the structure of Business Process Framework with the three major areas and the multiple horizontal and vertical groupings. 20 Figure Business Process Framework Overview 21 The vertical process groupings (e.g. Strategy and Commit) focus on end-to-end activities and link together the customer, supporting services, resources and supplier. Taken together, these vertical groupings can be imagined as lifecycle perspective from left to right across the framework. In contrast, the horizontal process groupings (e.g., Marketing and Offer Management) concentrate on 20 TM Forum, Business Process Framework In Depth, URL: (Access: ) 21 Ibid. 39

48 Operational Frameworks (PublicDomain) functionally related parts. These groupings can be visualized as a layered perspective of business processes from top to bottom. On the vertical and horizontal intersections, further details can be applied in either that horizontal or vertical context. The process structure in the framework uses hierarchical decomposition, so that the business processes of the enterprise are successively decomposed in a series of levels that expose increasing detail. In addition, the Business Process Framework defines the process structure, with descriptions, linkages between these processes, identification of potential interfaces, inputs and outputs, as well as other key elements. The Business Process Framework is not a final implementation specification. It will typically be customized and extended by users for their own business needs, but provides a vital common reference that is industry-recognized Functional patterns In the following subchapters, the three major areas of Business Process Framework (etom 8) are explained and an overview of the main processes is given. More details can be found on MF Forums website Strategy, Infrastructure & Product Strategy, Infrastructure and Product covers all planning and lifecycle management activities like Marketing or Service Development. Table Business Process Framework Strategy, Infrastructure & Product Strategy And Commit Infrastructure Lifecycle Product Lifecycle Management Management Marketing & Offer Market Strategy & Product & Offer Product & Offer Management Policy Capability Delivery Development & Product & Offer Marketing Retirement Portfolio Planning Capability Delivery Sales Development Product Marketing Communications & Promotion Service Development Service Strategy & Service Capability Service & Management Planning Delivery Development & Retirement amdocs, Business Process Framework, URL: (Access: ) 40

49 Operational Frameworks (PublicDomain) Resource Resource Strategy Resource Capability Resource Development & & Planning Delivery Development & Management Retirement Supply Chain Supply Chain Supply Chain Supply Chain Development Strategy & Planning Capability Delivery Development & & Management Change Management Operations Operations wraps the core of operational management like SRM, Service Management or Assurance. Table Business Process Framework Operations Customer Relationship Management Service Management & Operations Resource Management & Operations Operations Support & Readiness CRM Support & Readiness SM&O Support & Readiness RM&O Support & Readiness Manage Workforce Fulfilment Assurance Billing & Revenue Management Marketing Customer Bill Invoice Fulfilment Interface Management Response Management Bill Payments & Selling Retention & Receivables Order Handling Loyalty Management Customer Problem Bill Inquiry Interface Handling Handling Management Customer Manage Billing Retention & Qos/Sla Events Loyalty Management Charging Service Service Service Guiding Configuration & Problem & Mediation Activation Management Service Quality Management Resource Resource Resource Provisioning Trouble Mediation & Resource Data Management Reporting Collection & Resource Resource Data Distribution Performance Collection & 41

50 Operational Frameworks (PublicDomain) Management Distribution Resource Data Collection & Distribution Supplier/Partner S/PRM S/P Requisition S/P Problem S/P Relationship Support & Management Reporting & Settlements & Management Readiness S/P Interface Management Payments Management S/P Management Performance S/P Interface Management Management S/P Interface Management Enterprise Management The underlying Enterprise Management covers corporate or business support management. Unlike the previously examined areas, Enterprise Management is not ordered horizontally and vertically. It is composed using different patterns. The patterns are listed below: Strategic & Enterprise Planning Strategic Business Planning Business Development Enterprise Architecture Management Group Enterprise Management ITIL Release & Deployment Management ITIL Change Management Enterprise Risk Management Business Continuity Management Security Management Fraud Management Audit Management Insurance Management Revenue Assurance Management ITIL IT Service Continuity Management ITIL Problem Management ITIL Info Security Management 42

51 Operational Frameworks (PublicDomain) Enterprise Effectiveness Management Process Management And Support Enterprise Quality Management Programme & Project Management Enterprise Performance Assessment Facilities Management & Support ITIL Service Catalogue Management ITIL Event Management ITIL Service Level Management ITIL Incident Management ITIL Capacity Management ITIL Request Fulfilment ITIL Availability Management ITIL Service Asset And Configuration Management ITIL Continual Service Improvement Knowledge & Research Management Knowledge Management Research Management Technology Scanning Financial & Asset Management Financial Management Asset Management Procurement Management Stakeholder & External Relations Management Corporate Communications & Image Management Legal Management Regulatory Management Community Relations Management Shareholder Relations Management Board & Shares / Securities Management Human Resources Management HR Policies & Practices Organization Development Workforce Strategy Workforce Development Employee & Labour Relations Management 43

52 Operational Frameworks (PublicDomain) Intersection with other frameworks TM Forum and IT Service Management Forum (itsmf) have analysed and defined an assimilation of the Business Process Framework and IT Infrastructure Library (ITIL) to leverage the best of both. As a result, the Business Process Framework has embedded direct support for ITIL processes by integrating these as best practice processes within the TM Forum Business Process Framework. The Business Process Framework has also been absorbed into a formal ITU-T (Telecommunication Standardization Sector) 24 recommendation Strength / weaknesses Strength of the Business Process Framework is the positioning of the framework within TM Forum s Frameworx Integrated Business Architecture (before known as New Generation Operations Systems and Software (NGOSS)). 25 Frameworx defines the mechanism by which the Forum's existing NGOSS standard Framework components are integrated into a comprehensive enterprise IT and process architecture that also embraces major IT industry standards such as ITIL and TOGAF. Its components are: Business Process Framework (etom) is the industry's common process architecture for both business and functional processes Information Framework (SID) provides a common reference model for Enterprise information that service providers, software providers, and integrators use to describe management information Application Framework (TAM) provides a common language between service providers and their suppliers to describe systems and their functions, as well as a common way of grouping them Figure Frameworx Integrated Business Architecture 24 The International Telecommunication Union (ITU) is an agency of the United Nations which regulates information and communication technology issues 25 TM Forum, Frameworx, URL: (Access: ) 44

53 Operational Frameworks (PublicDomain) Integration Framework provides a service oriented integration approach with standardized interfaces and support tools Using etom standard processes, enterprises are able to use standard software for the telecommunication and information industry and reduce costs for the adaption of tools. This is possible due to the close cooperation with software and hardware vendors during the development of the framework. Another positive aspect of the Business Process Framework is its wide scope. Besides business processes, interfaces to customers, resources (physical and logical), partner and company management are considered and involved. One possible weakness is its impreciseness regarding processes. They are as a flow of activities only defined as a kind of sketch. However, using the framework in combination with the best practices of ITIL, this issue is totally determined. In addition, the Business Process Framework is not completely publicly available. Relevant publications can only be downloaded by TM Forum Members, but to get a member account, the company has to pay a membership per year (at the moment at least $ 1500 per year depending on annual revenues 26 ) Potential simplification As an industry specific framework, Business Process Framework addresses the needs of the telecommunication and information industries. Thereby, it covers the complete business for the relevant companies. The required general validity for many industries is not given and therefore, only SME s in the telecommunication or information industry will profit completely from this framework, but even then, an adopt and adapt approach should be used for implementing the framework within an organization, because of the complexity of the whole framework. Furthermore, this framework shows the ideal "best of breed" approach: Certain functional patterns of the IT Infrastructure Library like ITIL Problem Management are part of the Business Process Framework (cf. chapter ). This means the best modules are used to make a better framework. SME s can follow this model and use the best patterns of different frameworks and put modules together. However, a certain effort is required to select the best pattern fitting to the needs of the company as well as for the design and construction of modified interfaces between patterns. 26 TM Forum, Membership Fees, URL: (Access: ) 45

54 Operational Frameworks (Non-Public Domain) 6 Operational Frameworks (Non-Public Domain) In addition to previously presented publicly available frameworks like ITIL and CobiT, some frameworks of companies have been established in the market. The difference between public and non-public frameworks is the copyright, the public availability and accessibility, but also adaption to the creator s technology and products. However, non-public domain frameworks are more or less based on the ITIL framework. Therefore, non-public domain operational frameworks are explained using Microsoft Operations Framework. Other frameworks (for example by IBM or Hewlett- Packard) are available, but the approach is similar and therefore, the authors have dropped them. 6.1 Microsoft Operations Framework Philipp Küller, Heilbronn University 6.1.1Essentials Microsoft Operations Framework (MOF) is a structured approach to help Microsoft customers to achieve operational excellence across the entire IT service lifecycle. MOF was originally created to give IT professionals the knowledge and processes required to align their work in managing Microsoft platforms cost-effectively and to achieve high reliability and security. After the first version of MOF was published in 1999, the framework was continuously improved. Currently version 4.0 of MOF is available free of charge under the Creative Commons Attribution License and can be also reused under the CC BY Structure MOF consists of three basic models - each representing a major component of IT operations. The process model represents a functional model of the processes that are used by service organizations to manage and maintain IT services, the team model is a simplified view of the necessary roles for a service organization and the risk model supports the daily management of existing risks. Very similar to ITIL, Microsoft Operations Framework follows a lifecycle approach at the highest level with three phases, Plan, Deliver and Operate. 46

55 Operational Frameworks (Non-Public Domain) Figure IT Service Lifecycle of Microsoft Operations Framework The IT service lifecycle of MOF is composed of three on-going phases: 1. Plan This first phase plans and optimizes an IT service strategy in order to support the goals and objectives of the business. 2. Deliver The second phase aims to develop IT services effectively, deploy them successfully and make them ready to operate. 3. Operate This last phase has the intention of ensuring that IT services are operated, maintained, and supported in a way that meets business needs and expectations. In addition to the mentioned three phases a common layer (Manage) as a foundation of IT governance, risk management, compliance, team organization, and change management is available. Each phase of the IT service lifecycle contains service management functions (SMFs) that define the processes, people, and activities required to align IT services to the requirements of the 27 Voon, P., Salido, J., MOF to COBIT/Val IT Comparison and Cross-Implementation Guide (2009), Page 11 47

56 Operational Frameworks (Non-Public Domain) business. Each service management function has its own guideline to explain the flow of the SMF and details about the processes and activities within it. Each service management function can be used as a stand-alone set of processes and activities, but it is also important to understand the relations between the SMFs, because SMFs are performed sequentially, as well as simultaneously to create the outputs for the phase. Management reviews (MRs) aid to unite information and people to determine the status of IT services and to establish readiness to move forward in the lifecycle. They are in-house controls that offer management validation checks, ensuring that goals are being achieved in a suitable way, and that business value is considered during the IT service lifecycle. The objectives of MRs, no matter where they happen in the lifecycle, are straightforward: Management oversight and guidance. Internal controls State assessment of activities and prevention of premature advancement into the next phases. Organizational learning capturing. Process improvement Figure shows the six management reviews (1) Service Alignment, (2) Portfolio, (3) Project Plan Approved, (4) Release Readiness, (5) Policy & Control and (6) Operational Health as well as their relationship to MOF phases, Plan, Deliver and Operate Functional patterns Table MOF Plan Phase Overview SMF Purpose Processes Business/IT Alignment Reliability Deliver the right set of compelling services as perceived by the business Ensure that service capacity, service availability, service continuity, and data integrity are aligned to the business needs in a cost-effective P1: Define IT service strategy P2: Identify and map IT services P3: Measure demand & manage business requests P4: Develop an IT service portfolio P5: Establish service level managements P1: Planning P2: Implementation P3: Monitoring and improving plans 48

57 Operational Frameworks (Non-Public Domain) Policy Financial Management manner Efficiently define and manage IT policies required for the implementation of business policies and the effectiveness of IT Accurately predict, account for, and optimize costs of the required resources to deliver an end-to-end service to ensure correct investments P1: Determine areas requiring policy P2: Create policies P3: Validate policy P4: Publish policy P5: Enforce and evaluate policy P6: Review and maintain policy P1: Establish service requirements and plan budgets P2: Manage finances P3: Perform IT accounting and reporting Table MOF Deliver Phase Overview SMF Purpose Processes Envision Project Planning Build Stabilize Deploy Clearly communicate the project s vision, scope, and risk Obtain agreement from the project team, customer, and stakeholders that all interim benchmarks milestones have been met, that the project plans reflect the customer s needs, and that the project plans are realistic Build a solution that meets the customer s expectations and specifications as defined in the functional specification Resolve all issues found by testing and through pilot feedback, and release a high-quality solution that meets the customer s expectations and specifications as defined in the functional specification Deploy a stable solution that satisfies the customer, and successfully transfer it from the project team to the Operations and Support teams P1: Organize the core project team. P2: Write the vision/scope document. P3: Approve the vision/scope document. P1: Evaluate products and technologies. P2: Write the functional specification. P3: Package the master project plan. P4: Create the master schedule. P5: Review the Project Plans Approved Milestone. P1: Get ready for development. P2: Build the IT service solution. P3: Get ready to release the solution. P4: Meet the requirements for the Scope Complete Benchmark. P1: Stabilize a release candidate. P2: Conduct a pilot test. P3: Review the Release Readiness Management Review. P1: Deploy core IT service solution components. P2: Deploy sites. P3: Stabilize deployment. P4: Review the Deployment Complete 49

58 Operational Frameworks (Non-Public Domain) Milestone. Table MOF Operate Phase Overview SMF Purpose Processes Operations Service Monitoring and Control Customer Service Problem Management Ensure that the work required to successfully operate IT services has been identified and described. Free up time for the operations staff by reducing reactive work. Minimize service disruptions and downtime. Execute recurring IT operations work effectively and efficiently. Observe the health of IT services and initiate remedial actions to minimize the impact of service incidents and system events. Provide a positive experience to the users of a service provider and address complaints or issues. Provide root cause analysis to find problems and predict future problems P1: Define operational work requirements. P2: Build operational work instructions. P3: Plan operational work. P4: Execute operational work. P5: Maintain operational work instructions. P6: Manage operational work. P1: Define service monitoring requirements. P2: Implement a new service. P3: Continuous monitoring. P4: Control and Reporting P1: Recording and determining the nature of a customer request. P2: Resolving requests for information, for existing and new features, and for changes. P3: Resolve the request P4: Conform resolution and close the request P5: Ensure good service P1: Document the problem. P2: Filter the problem. P3: Research the problem. P4: Research the outcome. Table MOF Manage Layer Overview SMF Purpose Processes Governance, Risk, and Compliance Change and Configuration Support, sustain, and grow the organization while managing risks and constraints Ensure that changes are planned, that unplanned changes are minimal, P1: Establish IT governance. P2: Assess, monitor, and control risk. P3: Comply with directives. P1: Baseline the configuration. P2: Initiate the change. 50

59 Operational Frameworks (Non-Public Domain) Team and that IT services are robust Agile, flexible, and scalable teams doing required work P3: Classify the change. P4: Approve the change. P5: Develop and test the change. P6: Release the change. P7: Validate and review the change. P1: Identify changes needed. P2: Align responsibilities. P3: Assign roles Intersections with other frameworks MOF and Val IT The following figures explain the intersections between Microsoft Operations Framework and Val IT by the IT Governance Institute. Figure Intersections of MOF and Val IT Voon, P., Salido, J., MOF to COBIT/Val IT Comparison and Cross-Implementation Guide (2009), Page 14 51

60 Operational Frameworks (Non-Public Domain) MOF and CobiT Microsoft has described the intersections between MOF and CobiT as shown in the figure below. Figure Intersections of MOF and CobiT MOF and ITIL The IT Infrastructure Library and Microsoft s Operations Framework are both operational frameworks and address the same areas. From a high-level perspective, ITIL and MOF follow a similar lifecycle approach ITIL with five elements (Strategy, Design, Transition, Operation and Continual Improvement) and MOF with only three phases (Plan, Deliver and Operate) and underlying layer (Manage). The ITIL best practices are customers, vendors, solutions and technology independent. That means in practice, the practices encouraged by ITIL can be applied across the board regardless of the underlying technology. Distinctly different, MOF was developed by Microsoft to provide a common management framework for its products. 29 Ibid., Page 15 52

61 Operational Frameworks (Non-Public Domain) Both ITIL and MOF use processes and functions as building blocks, although the emphasis differs significantly. ITIL labels most of its components as processes and activities (ITIL has 26 Processes and four functions), while MOF is almost entirely based on Service Management Functions (SMFs). The frameworks use transition benchmarks to control the lifecycle progress. Figure Deming s Plan-Do-Check-Act Management Cycle 30 Both frameworks utilize the familar Deming s Plan-Do-Check-Act Management Cycle for transformations ( Shewhart cycle ) 31 all the way through the lifecycle (cf. MOF, like ITIL, offers best-practice guidance that can be followed in full but also in part, for addressing a subset of local problems. The ITSM language is quite consistent between both frameworks, with only minor differences. A remarkable difference is the way customer calls are handled: ITIL separates incident calls from operational service requests and change requests, and MOF combines several customer request types in a single Customer Service SMF. ITIL and MOF also use very different role sets and role titles. This is largely due to the difference in starting points: ITIL works from the best practices documented in each phase, where MOF starts from a structured organization perspective. 30 van Bon, J., Dyer, J., MOF - Cross Reference ITIL V3 and MOF 4.0 (2009), URL: (Access: ), Page 9 31 Cf. Deming, W., Out ofthe Crisis (1982), Page 88 53

62 Operational Frameworks (Non-Public Domain) ITIL and MOF show some similarities and can be used interchangeably in practice. Both also have some specific features that may be of good use in a specific case. The main focus of ITIL is on the what to do where MOF concentrates on the what as well as the how to do. For companies running Microsoft it does make sense to consider MOF as an alternative to ITIL. Also a best of breed concept utilizing both frameworks is possible Strength / weaknesses The biggest strength of MOF the integrated support of Microsoft Systems is also its biggest weakness. Companies using mainly Microsoft Technologies like Windows, Office, Exchange, SharePoint or MS xyz can profit from the Microsoft adaption of ITIL. Companies not so familiar with Microsoft, can also use MOF, but will profit less or might even have disadvantages. Therefore, MOF is an ideal alternative for companies using Microsoft. Microsoft has developed a best practice to manage services in MOF. The service map is a graphical display that illustrates the what of a service (its components and their relationships) as a basis for managing the how of a service (how the service is delivered and controlled to ensure expected availability, capacity, security, and manageability). Figure MOF Service Map Example 54

63 Operational Frameworks (Non-Public Domain) The strength of MOF is also its availability on the internet for free. The copyright of other frameworks like ITIL is highly protected, whereas Microsoft made MOF content available under the Creative Commons Attribution License, which makes it freely available for commercial reuse. MOF was developed based on ITIL V2. ITIL V2 showed a combined handling of incidents and service requests in one process, but in ITIL V3 incident restoration and service request fulfilment were turned into two separately treated practices. MOF on the other hand stays much closer to the ITIL V2 practice, combining several customer requests in one activity flow, for incident restoration requests, information requests, service fulfilment requests, and new service requests. This combination is very pleasant for SME s, whereas separated threading is the better option for large enterprises.. 55

64 Related Concepts 7 Related Concepts 7.1 Calder-Moir ICT Governance Framework Marco Vogt, Bond University An excellent way to combine IT Governance / ITSM tools and frameworks, is to use an even more holistic approach. The Calder-Moir ICT Governance Framework is a straightforward tool for organizing and communicating IT governance issues and activities. 32 Calder and Moir s method does not provide a new solution; it is rather a joint collection of existing frameworks like ITIL, COBIT and ISO It organizes these tools and methodologies to support all organizational hierarchies - the board, executives and practitioners - and places them in an end-to-end context. Hence, this framework provides a simple reference point to discuss all facets of a harmonized IT- Business strategy. Figure Calder-Moir Framework Calder, A., Moir, W., The Calder-Moir IT Governance Framework (2006) (2006), URL: (Access: ), Page 2 33 Calder, A., Moir, W., The Calder-Moir IT Governance Framework (2006) (2006), URL: (Access: ) 56

65 Related Concepts The framework is built upon six segments and each of them symbolizes one step in the end-to-end process that starts with business. As one can see in figure 2, their framework covers all aspects of ICT Governance, including but not limited to technology management, risk management, strategy, intellectual property, business design, project management and compliance Calder, A., Moir, W., The Calder-Moir IT Governance Framework (2006) (2006), URL: (Access: ) 57

66 Related Concepts 7.2 Risk IT Marcus Vogt, Bond University The IT Risk Framework (Risk IT) was published in November 2009 and is therefore the most recent framework. It can be considered an extension of the Val IT and CobiT framework since it has been developed and maintained by the IT Governance Institute (ITGI) and deepens the critical aspect of risk assessment. The framework is designed to support companies to implement IT risk mitigation in their overarching risk management method, resulting in a better risk awareness of their IT investments, IT portfolios and IT projects (ISACA 2009a) 35. Figure CobiT - Val IT - Risk IT 36 Risk IT provides a framework and a Risk IT Practitioners Guide 37 in order to help enterprises to identify, assess and manage IT risks. It consists of three domains: - Risk Governance - Risk Evaluation - Risk Response 35 Information Systems Audit and Control Association, The Risk IT Framework (2009) 36 Information Systems Audit and Control Association & Fischer, Risk IT Based on Cobit (2009) 37 Information Systems Audit and Control Association, The Risk IT Practitioner Guide (2009) 58

67 Related Concepts 7.3 Capability Maturity Model Integration Marcus Vogt, Bond University The Capability Maturity Model Integration (CMMI) is based on the CMM. The CMM was developed by the Software Engineering Institute (SEI) in the mid-1980s. The latest version of the CMMI is version 1.2 and was released in August The objective of CMMI is to improve the usability of maturity models for software engineering, by integrating many different models into one framework 38. CMMI (Capability Maturity Model Integration) is a process improvement maturity model for the development of products and services. It consists of best practices that address development and maintenance activities that cover the product lifecycle from conception through delivery and maintenance. 39 CMMI represents a set of recommended practices for key processes, which have been used to enhance software process capability. It is a collection of best practices for Project Management, Software Engineering, Process Management and Support Processes to effectively manage software requirements, development, delivery processes and software quality. The CMMI provides a practical framework to organize evolutionary steps into five maturity levels and is compatible with the maturity levels of COBIT and ITIL. Most benefits of CMMI come from its rigorous rating processes. With a maturity model the status of each process can be ranked from non-existent to optimized (0-5). This creates a measure of where the organization is in reference to its goals and in comparison to other companies. Maturity models also help to identify where improvements can be made. 40 With regards to trust, data protection and security, CMMI provides guidance for efficient and effective improvements across multiple process disciplines in the organization. 41 Due to its focus on software development CMMI has its limitations on IT Service Management components such as infrastructure or more generic processes. One of the biggest criticisms is that implementing CMMI becomes too bureaucratic and time consuming SEI Carnegie Mellon Software Engineering Institute, CMMI History (2008), URL: (Access: ) 39 SEI Carnegie Mellon Software Engineering Institute, CMMI for Development Version 1.2 (2006) 40 ICF International, The business Value of CMMI (2004) 41 Ibid. 42 Ibid. 59

68 Related Concepts 7.4 The Open Group Architecture Framework Philipp Küller, Heilbronn University The Open Group Architecture Framework (TOGAF) is a comprehensive method and a set of supportive tools for enterprise architecture development. TOGAF has been developed and maintained by members of The Open Group. The original development of TOGAF Version 1 in 1995 was based on the Technical Architecture Framework for Information Management (TAFIM), developed by the US Department of Defense (DoD). The DoD gave The Open Group explicit permission and encouragement to create TOGAF by building on the TAFIM, which itself was the result of many years of development effort and many millions of dollars of US Government investment. 43 TOGAF is published on a public web server and its reproduction is allowed. It can be used free-of-charge by any organization using it internally to create an architecture. 44 The use of TOGAF enterprise architecture is usually modelled in four domains 45 : Business Architecture: The business strategy, governance, organization, and key business processes. Data Architecture (Information Architecture): The structure of an organization's logical and physical data assets and data management resources. Application Architecture: A blueprint for the individual application systems to be deployed, their interactions, and their relationships to the core business processes of the organization. Technology Architecture: The logical software and hardware capabilities that are required to support the deployment of business, data, and application services. This includes IT infrastructure, middleware, networks, communications, processing, and standards. These four basic architectures can be supplemented by other architectures such as security architecture and operational architecture. 43 The Open Group, TOGAF 9, URL: (Access: ) 44 Commercial exploitation is restricted 45 Andrew, J., TOGAF Version 9 (2009) (Access: ), Page 6 60

69 Related Concepts 1. Introduction The first part provides a high-level introduction to the key concepts of enterprise architecture and, in particular, to the TOGAF approach. It contains the definitions of terms used throughout TOGAF and release notes detailing the changes between this version and the previous version of TOGAF. 2. Architecture Development Method This second part is the core of TOGAF. It describes the TOGAF Architecture Development Method (ADM) a step-by-step approach for developing an enterprise architecture. 3. ADM Guidelines and Techniques The third part contains a collection of guidelines and techniques available for use in applying the ADM. 4. Architecture Content Framework This part describes the TOGAF content framework, including a structured meta-model for architectural artefacts, the use of re-usable Architecture Building Blocks (ABBs), and an overview of typical architecture deliverables. 5. Enterprise Continuum and Tools Part five discusses appropriate taxonomies and tools to categorize and store the outputs of the architecture activity within an enterprise. 6. TOGAF Reference Models This part provides two architectural reference models, namely the TOGAF Technical Reference Model (TRM), and the Integrated Information Infrastructure Reference Model (III-RM). 7. Architecture Capability Framework The last part discusses the organization, processes, skills, roles, and responsibilities required to establish and operate an architecture practice within an enterprise. 61

70 Related Concepts Figure TOGAF Content Structure 46 The key to TOGAF is the method the TOGAF Architecture Development Method (ADM) for developing an enterprise architecture that addresses business needs. The ADM provides guidance for architects on a number of levels: It provides a number of architecture development phases (Business Architecture, Information Systems Architectures, Technology Architecture) in a cycle, as an overall process template for architecture development activity. It provides a narrative of each architecture phase, describing the phase in terms of objectives, approach, inputs, steps, and outputs. The inputs and outputs sections provide a definition of the architecture content structure and deliverables (a detailed description of the phase inputs and phase outputs is given in the Architecture Content Framework). It provides cross-phase summaries that cover management requirements. 46 The Open Group, TOGAF 9, URL: (Access: ) 62

71 Related Concepts The ADM includes establishing an architecture framework, developing architecture content, transitioning, and governing the realization of architectures. All of these activities are carried out within an iterative cycle of continuous architecture definition and realization that allows organizations to transform their enterprises in a controlled manner in response to business goals and opportunities. Figure TOGAF Architecture Development Cycle 47 TOGAF complements, and can be used in conjunction with, other frameworks that are more focused on specific deliverables for particular vertical sectors such as Government, Telecommunications, Manufacturing, Defence, and Finance. Mappings between TOGAF and relevant frameworks like ITIL or CobiT are available. 47 The Open Group, TOGAF 9, URL: (Access: ) 63

72 ISO Standards 8 ISO Standards 8.1 ISO 9000 Series for Quality Management The standards series ISO 9000 define the basic principles for quality management methods. The different standards for quality management systems enable a common understanding at a national and international level. Each product requires specific quality requirements, but quality management systems are independent of the industry, companies or products. Since the ISO 9000 series also has a certain relevance for ITSM it was included in this document, but should not be discussed in detail. The authors refer rather to the numerous available publications about the ISO 9000 series. 64

73 ISO Standards 8.2 ISO SPICE Philipp Küller, Heilbronn University Since 1993, working group ten of the Joint Technical Subcommittee (between ISO and IEC) has developed a framework for the assessment of processes using the title "Software Process Improvement and Capability Determination" (SPICE 48 ) The technical report was published in 1998 with 5 parts, but the standard is still under development: Figure ISO / SPICE Overview 49 One the one hand, SPICE has integrated relevant standards like ISO 9000 for software evaluation and CMM. On the other hand, SPICE has created standards together with experts from 20 countries - an extended, independent, international standard. SPICE process assessment serves to determine the maturity level of a process as well as to identify potential for process improvements. The focus of the method is on the certification and also on the self-assessment of organizations. SPICE therefore defines five maturity levels: 48 initially "Software Process Improvement and Capability Evaluation" 49 Cf. Wallmüller, E., SPI (2007), Page 33 65

74 ISO Standards Figure SPICE Levels 50 In addition, each process has been assigned to one of the following categories: Customer-Supplier 2. Engineering 3. Management 4. Organization 5. Support Part 4 of ISO contains a complete model for process improvement (Figure 8.2-3). Based on the process assessments, weaknesses should be identified and eliminated by appropriate measures. Progress review using reassessments should ensure the achievement of the objectives. 50 Jeong, K., Kagioglou, M., et al., Embedding good practice sharing within process improvement (2006), Page Gaulke, M., Risikomanagement in IT-Projekten (2004), Page 27 66

75 ISO Standards Figure SPICE Process Improvement Model Cf. International Organization for Standardization, ISO/IEC (2004) 67

76 ISO Standards 8.3 ISO IT Service Management Philipp Küller, Heilbronn University ISO/IEC is an internationally accepted standard and documents the requirements for IT Service Management. It is based on and is intended to supersede the earlier, British Standard BS As the figure below shows, BS has its origins in the IT Infrastructure Library (ITIL). Figure ISO Origin and Development 53 In 2000, the British Standard BS was introduced as a quality management system for the provisioning of IT services by the British Standards Institution (BSI). Many authors of ITIL contributed to the definition of the BS so that ITIL and BS are very similar. Based on BS 15000, enterprises could get certified for complying with the standard s specifications and guidelines. The British standard also gained great international response. In 2004 BSI requested the authentication of BS as an international standard. As a fast-track process BS was converted to ISO / IEC by the Joint Technical Committee for Information Technology. The standard was published on 15 December 2005 and therefore it is also called ISO / IEC 20000: Disterer, G., ISO for IT (2009), Page

77 ISO Standards ISO provides measurable quality standards for IT service management (ITSM). It specifies the minimum requirements for a process which an organization must establish to be able to provide and manage IT services of a defined quality. The processes are aligned and complementary with the ITIL processes. The following figure shows the defined and necessary processes and requirements: Figure ISO Structure and Processes 54 The standard is organized in two documents: ISO Service Management: Specification and ISO Service Management: Code of Practice. The first document contains the formal description of the standard and describes the requirements that need to be complied with in order to achieve the certification. Document two supplements and clarifies the requirements and provides best practices for their implementation. ISO advises 14 processes in the five areas Service Delivery, Control, Release, Resolution and Relationship for Service Management (Figure ISO). The superordinate management processes are supposed to secure the strategic alignment of IT services. For this intention, a service catalogue as a key instrument has to be created and maintained and listing and explaining all services in detail (parameters, quality, service level, billing, etc.). Responsibilities, tasks and procedures have to be documented as well to enable a transparent service provisioning process. In addition, with a focus on quality, a continuous improvement process must be established. Demig s 54 International Organization for Standardization, ISO 20000:2005 Part I (2005) 69