On ITIL, VeriSM, IT4IT, ITCMF, practices and principles…

Although the interest in ITIL is declining on a global scale, AXELOS (the owner of ITIL) is still acting as before: a new version of ITIL will be launched in Q1 2019 and this new version is ready to support you in coping with the “Fourth Industrial revolution”. Quite a statement. And it’s now again identified with a number (‘4’) instead of a year (‘2019’) – something they said they wouldn’t do again…

This new ITIL version is “best practice” again, instead of just “good practice”. As AXELOS says: “Research has confirmed that ITIL remains best practice for the ITSM industry“. They know this, even before ITIL 4 has been developed and published.

This means that the announced update of ITIL was postponed at least half a year. The core elements will remain the same and all current certifications will continue to be recognized. This implies that ITIL 4 will only cover extensions. The new version says it will include practical guidance on how practices such as DevOps, Agile and Lean are associated with ITIL. But wasn’t that the claim that was already made by VeriSM, half a year ago?

And have they learned from the past? AXELOS now says they have a “Team of Lead Architects” instead of just one Lead Architect. That sounds like a reward system for the involved individuals: “I am a Lead Architect for ITIL, hire me”. And instead of a select team of senior experts, they now have “The ITIL Development Group”, covering more than 2,000 members and they’re asking for even more. Ever tried to produce a book with more than 100 participants? I can assure you that this either leads to one hell of a job, or to ignoring their contributions. Unless they simply don’t contribute, of course. AXELOS claims to already have a group of participants of >2,000, so that may explain part of the delay. Anyway, the new approach yells ‘practice’ all over.

And what about IT4IT?

Launched in 2015 by the Open Group, based on the HP & Accenture repository, it delivered a full-blown practice-based framework, like the ones we know from ITIL and COBIT. Was IT4IT the next threat to the IT market? The horribly complex “reference architecture” seems to emphasize the vendor business model of complexity once again. Announced as a “game changer” at its launch, it is hardly heard of any more. More on IT4IT: here.

And what’s happening to VeriSM, in the meantime?

VeriSM was launched at the end of 2017, as an alternative approach, based on existing “best practices”. It immediately created a series of books, consultancy profiles, training programmes and exams – completely analogous to the business strategy of AXELOS, but with a set of business partners that was chased away by AXELOS in its effort to boost ITIL turnover with just one exam partner. After an overwhelming flood of attention in the first months of 2018, it seems to slow down a bit now, as people are asking the big question “what help does VeriSM bring me as a practitioner?”. The answer seems to be more in terms of “understanding how to approach and apply various existing best practices”, than in terms of providing specific support that wasn’t already covered elsewhere. This actually holds a promise of a bit more “principle” than the traditional practice-based approaches, but unfortunately VeriSM doesn’t deliver the solution with that promise: it remains with a high-level analysis of options to be used for a service management architecture, but it doesn’t deliver the architecture itself. Read more on VeriSM.

And IT-CMF, the product of the Innovation Value Institute?

Offering an integrated management toolkit, covering more than 30 management disciplines, with organizational maturity profiles, assessment methods, and improvement roadmaps for each, this academic product may be considered a well-kept secret. It’s used within large organizations, it’s very practical, and it leans on more than just best practices. But again, IT-CMF offers predominantly practice support, be it on a more strategic level than the frameworks I mentioned above. Read more on IT-CMF here.

Practices or principles?

All of these frameworks still lean heavily on practices. Promoted by consultancy firms and supported by tool vendors, they illustrate a focus on where the current problems are felt, i.e. where their money is made. Solutions are always fitted into terms of provider offerings, not in terms of organizations learning to manage their own business in better ways. This approach is predominantly executable.

This is opposite to recent strategies followed in the Netherlands, where methods are gaining traction. These methods support principle-based strategies that aim for improving the control capabilities of organizations, by stimulating a self-learning path based on the understanding and application of management systems that follow a clear service management architecture. These approaches are predominantly learnable and they enable a well-considered application of a wide array of practices (from the popular frameworks).

These methods are still low in volume, as they do not provide an easy business model for supporting vendors: the focus is on improving the customer’s capabilities, and the result of that strategy is likely to end the provider’s turnover sooner rather than later. Nevertheless, more and more organizations are adopting these method-based approaches, as they obviously add value in a much simpler and more sustainable way than the traditional complexity-based offerings of the “ITIL industry”.

The method-based approaches have some very critical benefits over the traditional practice-based approaches:

  • The organization invests in its own capabilities, climbing up the value-based maturity ladder.
  • The level of control is accelerating, enabling the organization to save themselves better and better.
  • Services can better be aligned to customer’s requirements, as the organization is more in control of its own service delivering capabilities.
  • Tools can better be aligned to operational requirements, as the organization is more in control and it has more of a service management architecture in place.
  • It saves the organization “a bundle”, as they don’t have to hire or buy external resources at the traditional level any more.

It may be clear that – as long as vendor strategies are the dominant forces for innovation of service management strategies – only customers that have strong leadership in place, will be able to profit from these method-based strategies.

Is IT4IT the next threat to the IT Management market?

The Open Group has adopted a new product: the IT4IT reference framework. The market seems to be responding well to this new leaf on the IT management tree.

As usual, consultants will be jumping on the bandwagon to profit from this great new opportunity to distinguish themselves from the competition, and to deliver the next big thing in their consultancy portfolio. Customers will simply have to follow up, as they really shouldn’t miss this great opportunity to solve all their problems with this magic stick.

 

Am I judging too hard? Too cynical? Maybe. But that may help to get the message across.

Why should a warning be in place here? After all:

  • the model works from an architecture point of view….
  • the model embraces popular frameworks and standards…
  • the model is supported by several large, global vendors…
  • the model is owned/managed by a global consortium of 450+ member organizations…

That should be a guarantee for success and value delivered, wouldn’t it? After all, ITIL (with the itSMF and now Axelos as the managing party) and COBIT (managed by ISACA) had the same signature, and these frameworks delivered great value to our world – in the sense that they delivered more value than cost. Haven’t they?

“The cost of ITIL and associated products can be ciphered in the order of 1 trillion dollars.”

And these illustrious frameworks were developed by the best minds available. The leading vendor companies in the market put all their knowledge together to bring us the solution. They provided the authors for the frameworks and the accompanying books. And they will provide the products that will help us solve it in our practice.

By the way – who created that mess? And who profits from it?

Now we have IT4IT. Initially set up by a number of vendors (Accenture, CapGemini, HP, PwC) and some user organizations (Shell a.o.), but then transferred to the Open Group, where it was handled by again some of the global leading consulting organizations and a number of user organizations (read Geoff Harmer’s analysis). The faces of IT4IT now are Accenture, HP, and of course a few customer organizations to avoid the idea of a commercial interest (Shell, Achmea).

Is IT4IT new?

Not really:

  • it adopts Porter’s Value Chain, published in 1985
  • it largely adopts the three-fold model of prof. Maarten Looijen, published in the late 1980’s (until recently a well-hidden asset of Dutch information management theory)
  • it follows the SAME model, documented as early as the mid 1990’s

Then why should this be the magic stick?

  • Because large vendors push it? History has demonstrated clearly that there is a huge risk in that strategy…
  • Because it embraces popular frameworks? If these frameworks have not delivered the solution, then why would you base a new one on the old ones? Adopting the popular frameworks unfortunately is a guarantee that the historical errors in terms of process management are inherited.
  • Because it is process-based? Unfortunately, IT4IT also finds its roots in a best practice approach, where processes have essentially been ignored and results were based on procedure and work instruction level instead.
  • Because it adopts an architecture starting point? Now there we have an argument… At least this offers the opportunity of a more solid, principle-based approach that could align with any practice. A Service Management Architecture (SMA) has long been missing in this market.

How can we profit from this opportunity….?

  • as usual: be critical, beware of the hype
  • as usual: don’t trust the majority of vendors who want to sell you a solution, unless you have completely understood what they actually offer
  • as usual: find yourself a methodical approach, and then use the offered frameworks as references for your dot on the horizon.

Should you avoid IT4IT? Definitely not. It encompasses some major improvements compared to the ‘old school’ frameworks. I invite everyone to read more about it.

Should you adopt IT4IT as-is? Definitely not, like you should not adopt any of the other frameworks as-is. IT4IT is not a method. It provides guidance, but you will only be able to achieve your result effectively and efficiently if you have your own management system firmly in place.

Is IT4IT a threat for the IT management market? For vendors, it’s a great new asset to profit from ignorant customers, delivering complexity that generates turn-over. For customers, it’s a great opportunity to adopt some architecture into their management system. For both, it’s a great opportunity to take a step forward towards value delivery, both in consulting and in IT service management. It can get you closer to the long desired business-IT alignment. But I’m afraid only a limited number of vendors and customers will be able to really profit from this – as history has shown so abundantly.

The wrong end of the stick: rules vs. principles

ICT regulators and controllers tend to follow a rule-based approach. Although – if asked – they soon enough admit that they actually don’t believe it is the right approach. They would love to see their target audience being so well organized that they can stand up to any test. They know that a rule-based approach starts at the wrong end of the stick. But still – they always start at that end. Makes you wonder why….

Healthcare

Healthcare institutions are increasingly facing tough demands in the field of information security. In practice this is often expressed in terms of ISO27001 controls. Dutch healthcare regulators use a local standard, NEN7510, which is almost identical to ISO27001. In 2010, the regulators decreed that all healthcare institutions had to meet a subset of 33 controls, out of the full set of 125 controls in NEN7510. This NEN standard was recently updated to follow ISO27001:2013, but the set of controls used for healthcare institutions is still largely the same.

In their audits, the regulators didn’t demand hard scores, instead they emphasized that the organization should rather be able to show that they were systematically working towards a better score on the selected controls. In fact, the regulators stimulated the institutions to improve their quality in a methodical way, so that they would improve their assessment score in the next audit. In practice however, they are still auditing against the same set of controls. This approach is now stimulated even further, because the full set of NEN7510 requirements was recently promoted to law for any healthcare organization using the unique citizen registration number in their systems.

Finance

This approach is very similar to what is currently happening in the financial world: in the Netherlands, that sector is also sampled by means of a (self) assessment. The supervisor in this case is the Dutch national bank (De Nederlandsche Bank, DNB), and the controls they use are derived from COBIT, enriched with guidance from ISO27002. But the situation is essentially the same: a control-based approach (rule-based) does not lead to the desired result. Instead, banks, pension funds and insurance companies should turn to a quality management approach that produces the desired information security assurance inside-out.

In the meantime, healthcare institutions have learned to achieve at least maturity level 3 (CMMI), with a methodical approach based on the ISM Method, within a year, and level 4 is within reach shortly after. Not by following a rule-based approach, but by means of gradual improvement. “Old wine in new bottles, PDCA, been there, done that….”. The standard response. But when you look at the daily practice of our most elusive experts, with all the certificates you can think of on their wall, they always start on the rules end of the stick, using best practice guidance from sources like ITIL, COBIT, ASL, BiSL, and other frameworks. Hey, and why not? Nobody ever got fired for hiring an ITIL consultant, or a COBIT consultant, or ….

Dot on the horizon

The essence is that the road to information security is not walked by trying to start at the controls end of the stick – whether there are 33 or 125, they still represent tricks. And the real trick is that you should turn it around: if you manage to teach the organization an integrated and systematic way of managing their work, you are leading them to a dot on the horizon.

“If you want to build a ship, don’t drum up people to collect wood and don’t assign them tasks and work, but rather teach them to long for the endless immensity of the sea.”

This is ‘ancient wisdom’, words spoken by Antoine de Saint-Exupéry. Each seriously educated expert must have heard that line before. Nevertheless, consultants are taught to apply best practices to their clients, and they honestly believe it’s the best they can do for them. But best practices are the result of (hopefully) a systematic approach that can (hopefully) be replicated in the environment of their clients. And you cannot start with results when improving the structure of an organization: you cannot start at the wrong end of the stick. They should focus on finding the approach that delivered these practices, and then replicating these practices by using that approach – or at least by teaching the organization to work with the approach.

Dots on the horizon will be changing all the time, but walking the road to the horizon will largely stay the same.

The method

The method Dutch organizations have learned to use is the ESM Method – Enterprise Service Management, developed in 2005. ESM is a method to get in control of any type of service organization, or any combination of service sections in an organization. The information management domain has proven to be a very grateful domain for ESM, because organizations had to gain ultimate control over their IT services, as a result of the ever growing dependency on IT. The IT specific application of the generic ESM Method was called the ISM Method: Integrated Service Management. In practice, ESM was applied to various other service domains, including the “business information management” domain (where it is labeled FSM – Functional Service Management), and to combinations of IT and other service sections (e.g. medical technology, education), where the term ISM or ESM was used.

In IT organizations, the ISM Method focuses on the management system (the engine), and on the turnaround the management and staff need to make to adopt a systematic approach to their work. In a standard ISM introduction project it takes 13 weeks to get all (existing) instruments in place in a fully standardized project, and then 6-9 months are spent teaching the organization to apply the method and to get used to a systematic step-by-step improvement approach. External consultants can coach the organization through this project, but a do-it-yourself approach is also often used, based on the book The ISM Method.

The results of the ISM Method are attracting lots of attention: organizations can achieve improvement goals (like ISO27001 or COBIT controls) in shorter times and at lower cost than before – and the results are lasting. Tool providers, consulting organizations, game developers, and trainers in the Netherlands are now adopting the method to create a new market; one with a much better cost/benefit ratio for their customers.

The big turnaround

The major advantage of starting at the other end of the stick is that you invest in an efficient and effective systematic approach, that can be applied again and again in a cyclic improvement strategy – as Shewhart and Deming taught us half a century ago. The new IT world is full of that approach, but only as long as it concerns technology: SCRUM, LEAN, DEVOPS…. It’s about time the management consultants join the bandwagon and pick up what Eliyahu Goldratt wrote down on the Theory of Constraints.

And following a rule-based approach is not what Goldratt, Deming and Shewhart meant.

In the Netherlands, the first finance organizations now work on their management system from a systematic inside-out approach, starting at the other end of the stick – even though their regulators confront them with rules to be followed and controls to be achieved – preferably by the letter, if you believe your auditor. Within a year they grow 2 levels on a 5-level maturity scale. Their road is the same, even though their dot on the horizon will differ.

Banks, insurance companies, pension funds, hospitals, nursing homes, care clinics, most of them still need to make the big turnaround to a systematically assured quality management. Luckily, they all aim for the same (improvement) and they all can use the same trail to their dot on the horizon following a standardized methodical approach that saves time, money, and worries. But the biggest advantage lies in the simplicity that it buys you. If your ‘inside’ is put together well enough, it doesn’t matter much what stick they use to measure you.

SLA or BLA? Or would you prefer ISA?

A posting in one of the many ITIL groups at LinkedIn said “Service Level Agreement vs. Business Level Agreement. There is a new trend where for definition of value and benefits of ICT for business is considered BLA instead of SLA. In other words measuring of ICT performance by real business achievements and goals fulfillment. What’s your views and experience on this area?”

The question illustrates how IT organizations still deliver technology “services” instead of business values. And they all talk about business IT alignment, customer focus, etc….

Some of the responses even said that you should never agree on a BLA at all, only use an SLA according to ITIL. That only confirmed my statement that most IT organizations are still technology focused, and haven’t mastered the services level, let alone the customer level.

The initial question in the forum is justified. ITIL simply doesn’t cover this, and we need better practices. But practices should always work within a conceptual model of reality. That’s where this goes wrong.

The initial question could easily be answered with “BLA is what the SLA should have been all the time“. But then you only say that ITIL practices are not really current best practice. And in itself, that doesn’t help you any further.

Imho, a much better approach is this:

  1. information support for business processes is a responsibility domain
  2. to gain control over such a domain, separation of duty is the most elementary instrument
  3. this leads to 2 separated domains. Let’s call them Information Management (IM) and IT management (ITM). Adding the term ‘business’ would be meaningless, because we already confirmed that all was created on behalf of ‘business’.
  4. the chain of command runs from left to right in these domains: Business => IM => ITM
  5. the BLA should cover the relationship between Business and IM; the SLA should cover the relationship between IM and ITM.

You now have three separated domains with very clear responsibilities that can be managed in a systematic way.

The described approach is very common in the Netherlands, although only few organizations really have their IM and BLA in place.

In the Netherlands a standardized systematic approach is available in the form of the FSM Method. It supports the application of a Dutch standard set of best practices: BiSL. FSM is a standardized method for designing and improving IM organizations. The BLA is defined in the FSM Method as the ISA, the Information Service Agreement. The SLA is what ITIL defined as such, but in this model the SLA is limited to the relationship between IM and ITM. Note: the “who” is not relevant here. Whoever executes the responsibilities, be it an internal team or an external provider, doesn’t change the nature of the responsibilities.

Tools to support the management of IM organizations can easily be made available, as they fully resemble the tooling for the ITM environment, or any other service domain. And we have many hundreds of tools that compete in the “red ocean” of the ITM domain, even a huge number of open source tools.

The BLA, or rather the ISA, should indeed cover meaningful business terms for the information support that is delivered. But that requires quite a higher level of “value maturity” than most of the providers have in practice. In fact, only very few will even have slightly approached this level in their practice. There’s still a long way to go if we want to deliver real information value to “the business”.

More info:

  • the SAME Model describes the three domains. Free download at the ISM Portal
  • the FSM Method is documented only in Dutch, but there is some documentation in English. FSM fully aligns to ISM (dedicated to the ITM domain), so the ISM book actually covers this to a large extent