Governance 101: The role of effective Service Management governance in an IT services organisation and the key features of a governance framework

Delivering consistent and quality IT services for customers is not easy – and can be even more challenging – if they are not governed effectively. For example, how can an IT organisation look to improve if it doesn’t measure the amount of service-impacting incidents properly?

Take the high profile service outages of several major banks in recent years for example. Their customers were unable to make transactions or access services for periods of time. Even in such a highly regulated environment as financial services, where IT is governance is generally tighter, there are no guarantees that the outages could’ve been prevented by governance alone.

Equally, too much governance could be seen as overly bureaucratic. A complicated – and lengthy – change control process could drive the wrong behaviour from some members of the IT organisation in that they may simply bypass the process.

By order of the management, doesn’t always mean effective governance!
By order of the management, doesn’t always mean effective governance!

In any case, a business is often dependent on its IT services, and as such, there needs to be controls in place to not only protect – but gain value for – their customers. This of course needs to be appropriate as not all businesses are financial service providers needing tight control.

What is governance and why is it important?

Before implementing any type of governance, it is worth understanding what it actually is. According to Wikipedia, “governance refers to all processes of governing undertaken…and relates to the interaction and decision-making among the actors involved in a collective problem”.

The Harvard Business School describe IT governance as “specifying the decision rights and the decision-making mechanics to foster the desired behaviour in the use of IT”.

A key thing to note is that governance is not the same as management. Ultimately, ITSM governance is concerned with control, compliance and performance.

It is important that ITSM governance has effective decision-making in place; drives the right behaviours (and, by implication, discourages the wrong behaviour); and has policy and processes are in place so that it is easier to discover issues and remedy them quicker.

Going back to our banking example earlier, HSBC had an issue with ATMs and Online Banking in 2011 but were able to pinpoint it and restore service within 2-3 hours. If they didn’t have good governance in place, it feasibly could have taken considerably longer to obtain information and decisions.

What are the different aspects of ITSM governance?

In order to understand, design and communicate effective ITSM governance, Harvard Business School suggests “a decision, rights and accountability framework” should be created that covers aspects like:

  • What decisions should be made and what information should be considered
  • Who can make decisions and who is accountable for them
  • How can decisions and governance be measured?

You might also want to consider different aspects like those the in the table below:

Aspects Questions or things to consider
1.      People Communicating with guiding principles that inform and involve all relevant staff; leverage their expertise; and ensure strong input from Senior Management
2.      Process Governance should be controlled and executed through policy, process, ownership and performance
3.      Technology What technology and tools are required to support the process?
4.      Information What data such as measurements and metrics are required to inform decision making?
5.      Services What are they; how much do they cost; and how do they add value to the business?
6.      Suppliers What are their processes and metrics and how are they involved in your governance?
7.      Customers Who are your customers and how do they benefit from your governance?

How can you evidence your governance improves service costs, their perception and value delivery?

8.      Corporate Governance How does your governance align to the corporate governance, strategic objectives and architecture; and are IT involved at the right level within the organisation in this regard?

How is ITSM governance executed?

After considering what aspects to include in ITSM governance, it is equally important to consider how to design and execute it in practice. The following are some suggestions you might want to consider when implementing ITSM governance.

Firstly, identify the types of frameworks and methods to be used – particularly if you are starting from scratch. Whilst not exhaustive, the following are some common methods and how they can be applied:

  • COBIT is an IT governance framework that focuses on what should be covered in processes and procedures and they can be directed and controlled.
  • ISO/IEC standards like 20000 (Service Management), 27000 (Security) and 38500 (IT Governance) are international standards provide specific advice and controls IT can be audited against to gain industry recognised certification
  • TOGAF is a framework for enterprise architecture that provides an approach for designing, planning, implementing, and governing an enterprise and service orientated architecture
  • Other specific best practices for governance such as PRINCE2 for projects; USMBOK and ITIL for service; MoR for risk management; CMMI for benchmarking and maturity.

Secondly, ITSM needs to be involved with – or even own – certain internal governing bodies like:

  • IT Pipeline and Portfolio Board to understand the upcoming projects and be ready to design, transition and operate the services being delivered as necessary
  • Architecture Governance Board to influence and ratify all architecture designs and decisions
  • Change Advisory Board to review/approve changes – particularly to the live production environment
  • Other Governance or Steering Groups involving the business to ensure IT is represented appropriately

Thirdly, ITSM Governance needs to ensure key policies, processes and metrics in place. This may vary depending on the needs of the organisation but things like incident, change and release policies should be created to ensure service-related issues or changes are controlled, evaluated, measured and resolved in appropriate way to ensure minimum risk and impact to the business.

Finally, and arguably, the most important thing is to build an improvement culture that involves the support of the whole IT organisation. By establishing quick wins; involving staff in the policy development; and empowering them to take ownership as appropriate; and using improvement techniques Deming’s Plan Do Check Act cycle; ITSM governance is more likely to be established accepted and acted upon by the IT organisation.

Summing Up

The key things to remember when implementing ITSM governance are to:

  • Ensure it is appropriate for your organisation and limit bureaucracy were possible
  • Remember that governance is not management and is primarily about driving effective decision-making and ensuring control and performance of services
  • Make sure it aligns to the strategic and corporate governance and objectives of your organisation
  • Control, improve and mature governance through policy, process, benchmarks and measurements using industry best practice if practicable to do so.
  • Develop and maintain an improvement culture within the IT organisation so that staff understand the value of – and contribute to the success of – ITSM governance

References:

Image Credit

Jon Morley

 

This article was contributed by Jon Morely – Vice-Chair of the itSMF UK Service Transition Special Interest Group and  IT Service Transition Manager at the University of Nottingham.

 

 

The 7 habits of highly effective CABs

As a former Change Manager I can honestly say that the Change Advisory Board (or CAB) is one of the most important and useful meetings a service orientated organisation can have. It sets out a view of what’s happening to key services over the next week, reviews previous Change activity and looks at CSI so what’s not to like? CAB meetings are all about the people attending them and handled badly your CAB meeting will have all the power of a chocolate teapot so here are our top tips for running them effectively.

Step 1: TCB Power!

A colleague of mine once told me that TCB or tea, coffee and biscuits was one of the most important acronyms in IT. When I worked for a large investment bank in London, one of my first tasks was to roll out a sensible Change Management process across one of our service families. Trying to persuade grumpy techies who saw Change Management as red tape rather than an important part of service delivery was not going well until I brought out the big guns; Krispy Kreme doughnuts and chocolate biscuits. In all seriousness, a CAB meeting is where you want people to feel comfortable representing Changes or asking questions so anything that makes your meeting easier, nicer or makes people feel more relaxed can only be a good thing.

71753848_b6987fb8b9_o
What not to do! 

Step 2: Get organised

Make sure that your CAB has a terms of reference document so that everyone knows what they’re doing and why. The Change manager should send out the CAB agenda, including the Changes to be discussed, the Change Schedule (CS) and any Changes that caused Incidents well in advance of the CAB meeting.  Service Delivery teams and Project Managers need time to read and consider the Changes as well as identify any potential issues or questions.

Step 3: Look for the big hitters

One of the biggest mistakes people make is insisting all Changes should go to CAB.  Not a good idea unless you want your CAB meeting to be overrun with server reboots or patching requests. Use automation where possible so that the CAB meeting can focus on the major, high category Changes that need to be sanity checked and talked through.

 Step 4: Play nicely with your attendees

Some members of the CAB will be needed for their opinion on every Change; for example the Service Desk, Network Services and Server support and will make up the core CAB attendee list. Other attendees such a Project Managers, Service Delivery Managers and external suppliers might only be needed to discuss a couple of Changes on the list. If this is the case then be kind. Move those Changes to the beginning of the CAB so that these temporary or “flex” CAB attendees can discuss the relevant Changes and then leave.

Step 5: Ask the horrible questions

You know the ones, what everyone in the room is thinking but no one wants to actually ask. Some examples could include:

  • “What’s the remediation plan? Do we fix on fail or roll back?”
  • “What happens if rolling back doesn’t fix the issue?”
  • “Is the person doing the Change empowered to make that decision or do we need to arrange for extra support to be on call?”
  • Or even; “is this really a good idea?”

It’s better coming from the Change Manager than from an angry customer or senior manager following a failed Change right? Make sure the Service Desk feel comfortable asking questions as well; they’ll be the ones at the sharp end of customer complaints if anything goes wrong so make sure they’re happy with the Change content and plan.

Step 6: Keep it pacey

There is nothing worse than a two hour CAB meeting. I guarantee you; if you are regularly putting your CAB attendees through marathon meetings then people will run short of both patience and good will. There’s also a very real chance that someone may fall asleep. Keep things moving. If someone has launched into a long winded, uber waffley technical explanation and you get the sense that it’s adding no value as well as making everyone in the room lose the will to live then break in with a question so that you can get things back on track. Do it nicely though obvs.

Step 7: CSI

Don’t forget to review your list of previously implemented Changes. If something’s gone well then brilliant! Let’s template it or add it to any Change models to share the love. If something hasn’t been successful or worse, has broken something generating a load of Incidents then look at what happened, figure out the root cause and look at ways of preventing recurrence. If your Problem Manager isn’t attending CAB then invite them – they are the subject matter experts in this area.

What do you think? What are your top tips for effective CAB meetings? Tell me in the comments!

Image Credit