I’m at the itSMF Australia LEADit conference in Melbourne. It started with a buzz of excitement with a healthy turnout of 674 expected during the 3 days.
In the opening ceremony, itSMFA Chair Kathryn Heaton and Australian politician Gordon Rich-Phillips were very positive about the state of ITSM in Australia and the future plans for even better cooperation between IT and the Government. Gordon Rich-Phillips stated, “IT is an enabler of productivity and employment” and emphasized the importance of holding events like these in Melbourne, which is commonly accepted as the hub of IT, particularly in the State of Victoria.
The keynote from Peter Nikoletatos on Accelerated Connectedness was an entertaining and insightful look at how to maintain the basics (Hygiene IT) whilst introducing an agile approach. The second keynote from Nigel Dalton was a well-constructed debate and case study on whether adopting The Cloud is ‘all about money’ or is actually the opportunity to succeed (albeit with a different approach to organizational structure), with his role as CIO at The REA group provided as a case study.
The main focus of the day from the perspective of the keynote and breakout sessions was the high level discussion on the ability to take Service Management beyond IT into other areas of business so they are integrated and not separate entities.
Some feedback from delegates suggested that more was needed in terms of how to implement ITSM outside IT. Some of the tool vendors expressed concerns that the event had to develop this offering or miss the huge opportunity of being part of the larger business operation.
Peter Hepworth from Axelos provided an update on the 60 strong team now running the ITIL and Prince2 best practice frameworks including Prince2 for Agile.
Overall the first day of the LEADit conference has been incredibly productive and I have been very impressed by the amount of social interaction and discussions between end users, speakers and vendors alike in very relevant topics that many in Service Management face. This event is highly regarded by many of the attendees as one of the top five of itSMF events globally and at this stage I can only agree.
Another really good day at the LEADit conference for ITSMF Australia in Melbourne. The keynotes in the morning were two of the best I have seen at any event and will live long in the memory.
The first keynote was from Jason McCartney, an AFL hero who was badly injured in the Bali bombings in 2002, and his story of how he overcame injuries to marry his wife (less than 2 months later) and return to his passion of playing football at the highest level when doctors said he wouldn’t ever play again. It was a great uplifting speech and one of the best I have ever had the pleasure to watch. Jason held our attention from start to finish, which most presentations rarely do.
“It’s not what you are dealt in life – it is how you deal with it” ~ Jason McCartney
The second keynote, from ITSM Ambassador Malcolm Fry, was also very good. His keynote was very original and was based around looking at various famous types of artwork like Banksy, Salvador Dali and Monet and how they relate to ITSM, in that sometimes Service Management isn’t about the little details, it’s about the bigger picture, and that you can look at things in a different way, especially how the Service Desk works.
Malcolm Fry's passion for Art and ITSM and how they combine is very thought provoking and is passed through his audience. #leadit
The Breakout sessions were well attended again today, with lots of positive and informative contributions from the speakers. A lot of the focus of the event has been the whole ITIL vs COBIT and ITIL versus Agile debates, with justified arguments on both sides. A lot of the end users I spoke to today were focused on delivering customer satisfaction and getting the basics right and were attending the courses relevant to these topics.
The final keynote of the day showcased the key findings of a collaboration between itSMFA and ISACA into problems faced when developing strategic IT plans (the ebook is available from the itSMFA or ISACA website).
Evening entertainment was the Telstra Gala Dinner and ITSMF industry awards. A well attended evening (they could have filled the hall twice) to celebrate the successes of the year and show gratitude to long standing members of the itSMFA. Congratulations to Karen Ferris of Macanta Consulting for her lifetime achievement award.
One of the things I’m getting asked about most this year is about getting the basics right – how to actually do change management in the real world. We all know that having good processes in place protect us all, ensures we meet regulatory guidelines and are generally just common sense, but what about using them so that we can build a better, stronger IT organisation? In this article, I’m going to talk about getting started and surviving the implementation phase. I’ll then follow it up with another article on how to actually run your change management process.
Let’s start from the beginning. Change management sits in the transition stage of the service lifecycle. ITIL states that the objective of change management is “to ensure that changes are recorded, evaluated, authorised, prioritised, planned, tested, implemented, documented and reviewed in a controlled manner”. In a nutshell, change management is about putting things in, moving things round or taking them out, and doing it safely and without setting anything on fire.
When describing the change process, I call change managers the guardians or protectors of our network. They ensure all changes are sanity checked, tested, reviewed, approved and scheduled at a sensible time. Their super power is an invisible shield (like Violet in “The Incredibles”) that protects the rest of the organisation from the adverse impact of change.
Getting started: Common Excuses and Ways Around Them
Change management is an incredibly important process because it enables you to manage, control and protect your live environment. Since the credit crunch, I’ve had more and more people coming to me saying that their change departments would either have to endure massive cut backs or stop improvement works. Here are some of the most common excuses I’ve come across for this along with some possible ways around them.
Excuse number 1: “We don’t have the time”. Ok, what about all the time wasted dealing with the impact of failed or unmanaged changes, firefighting incidents and dealing with the big angry mob camped outside the IT department waiting to lynch us for yet another mistake? Let’s be sensible, having a strong change process in place will lead to massive efficiency savings and the use of standard changes, models and templates will make the work involved repeatable.
Excuse number 2: “We don’t have the resources”. What about all the time spent going cap in hand to the rest of the business explaining why a key service was unceremoniously taken out by a badly executed change? Spin doctoring a major incident report that has to go out to external customers? I’d argue that you’re wasting resources constantly firefighting and if you’re not careful it will lead to stressed out departments and key individuals burning out from the stress of trying to keep it all together. Instead of wasting resources and talent – why not put it to good use and start getting proactive?
Excuse number 3: “We don’t have the money”. What about all the money spent on service credits or fines to disgruntled customers? Then there’s the less tangible side of cost. Reputational damage, being front-page news, and being universally slated across social media – not nice and definitely not nice having to deal with the fall out. Finally, what about compliance and regulatory concerns? Failing an audit could be the difference between staying profitable or losing a key customer.
Excuse number 4: “We can’t afford expensive consultants”. Ok, hands up. I used to be a consultant. I used to work for Pink Elephant UK and for anyone out there looking for an amazing consulting / training company then go with Pink – they rock. That aside, if you can’t afford outside help in the form of consultancy, you still have lots of options. Firstly, you have the itSMF. Again, I’m biased here because I’ve been a member, as well as a speaker for, and chair of, various sub groups and committees, all in an attempt to champion the needs of the IT service management community. Here’s the thing though, it’s useful war stories, articles, white papers and templates written by the members for the members. There’s also ISACA, which focuses more on the governance and COBIT side of things. There’s the Back2ITSM movement – lots of fantastic help, support and information here. There’s the ITSM Review and blog sites from the likes of The IT Skeptic – lots of free resources to help you sort out your change management process.
Excuse number 5: “I’m probably going to be made redundant anyway so what’s the point?” Yes, I am serious, this is an excuse I’ve come across. There’s no way to sugar coat it, being made redundant or even being put at risk is (to put it mildly) a rubbish experience. In that situation (and believe me, I’ve been there) all you can do is keep doing your best until you are told to do otherwise. Having a strong change management process can be a differentiator on responses to bids and tenders, as SOX compliance or ISO 20000 accreditation can set you apart from competitors. Bottom line, we have to at least try.
Planning for Change Management
So how do you get started? First things first: you need to get buy in. Most management guides will tell you to focus on the top layer of management as they hold the purse strings, and that’s very true, but you also need buy in from your guys on the front line – the guys who will actually be using your process. Get their buy in and you’re sorted, because without it you’re stuffed.
So, starting with the guys at the top, you need to speak to them in their language and that means one thing – a business case! This doesn’t have to take forever and there are lots of templates out there you can use. The key thing is to explain clearly, in their language, why change management is so important. Things to cover in your business case are introduction, scope, options, deliverables and benefits. Now get your techies on board. There’s no “right” way of doing this. As someone with a few war stories to tell, things that have worked in the past include:
sitting down with your techies
using the umbrella argument (more on that later)
I’ve also found that bribing support teams with doughnuts can be very effective, as a former techie I can confirm that Krispy Kreme ones work particularly well.
Once you’ve got your buy in, gather and confirm your requirements. At the risk of playing management bingo here, a good approach is to set up workshops. Engage with both IT and the rest of the business so that there are no surprises. If you have an internal risk or audit department now is the time to befriend them! Using the aforementioned donuts as bribery if necessary, get their input as they will have the most up to date regulatory requirements you need to adhere to such as SOX or Basel 3.
Define the scope otherwise it will creep! Plan what you want to cover carefully. Do you want to cover all production equipment? What about test and DR environments? Whatever scope you agree, make sure it is included in any SLAs, OLAs or underpinning contracts so that you have documented what you are working to.
Keep your end users in mind
When writing your policy, process and procedures, keep your end users in mind. Don’t try to cover everything in red tape or people will find ways to circumvent your process. Let’s start with your policy. This is your statement of intent, your list of “thou shall” and “thou shall nots”. Make sure it’s clear, concise and is in alignment with existing company standards. I know this might sound counterintuitive but also, prepare for it to be broken. It might sound strange but there will be times where something will need to be fixed in the middle of the night or there will need to be an urgent update to your website. It’s important that changes are raised in enough time for them to be reviewed and authorised, but exceptions will pop up so plan for them now when you’re not under pressure. Examples of when an emergency process could be used are:
Something’s broken or on fire (fixing a major incident)
Something’s about to be broken (preventing a major incident)
Major commercial reasons (in response to a move by a competitor)
A major risk to compliance has been identified (e.g. base rate changes, virus patches)
When looking at your process, make sure you have all the bases covered. This will include:
Recording and processing the change
Change Advisory Board (CAB)
Build and test
Review and close
I’ll talk about these in lots of detail in part two of this article.
Training & Communications
You’re about to go live with your sparkly new change management process and you want it to be a success so tell people about it! First, attend every team meeting, management huddle and town hall that you can get away with! Get people onside so that they know how much help change management can be and to reassure them they won’t have to go through lots of red tape just for the sake of it. Another way of getting your message out is to use posters. They’re bright, cheerful and cheap – here is one that I’ve used often.
In terms of training you need to think about your change management team and your stakeholders, the people that will be raising changes using your process. For your change management team there are lots of practical courses out there that can help – a few examples could include:
ITIL – Service Transition
ITIL – Release Control and Validation (RCV)
SDI Managers Certificate
Other important considerations include:
On the job training
But what about your front line teams who will be raising the changes and carry out the work? Again put some training together – make it interactive so that it will be memorable – in the past I have been pelted by brightly coloured balls by a colleague in the name of explaining change management so there really is no excuse for death by PowerPoint!
Things to cover are:
The process, its scope and the definition of a change
Raising a change record to include things like implementation plans, back out plans, testing, risk categorisation (“no it is not ok to just put medium”) and DR considerations
Templates & models
I’ve done a fair few of these in my time so if you would like some help or examples just ping me on my contact details below.
So you’re good to go. You’ve gathered your requirements, confirmed your scope, got buy in and have written up your policy, process & procedures. You’ve socialised it with support teams, ensured everyone has been trained up and have communicated the go live date. So deep breath time, go for it! Trust yourself, this is a starting point, your process will improve over time.
I’ve written lots about metrics recently and have spoken about the basics in a previous article on availability, incident and problem management but in short:
You need to have a mission statement. It doesn’t have to be fancy but it does need to be a statement of intent for your team and your process. An example of a change management statement could be “to deliver changes effectively, efficiently and safely so that we put the customer at the heart of everything we do”.
Next come the CSFs or critical success factors. CSFs look at how you can achieve your mission and some examples for change management could include:
To ensure all changes are carried out effectively and safely.
To ensure all changes are carried out efficiently, on time and with no out of scope emergency work.
To work closely with our customers & stakeholders to ensure we keep improving while continuing to meet their needs
Finally, we have Key Performance Indicators or KPIs. These give you the detail on how you are performing at the day to day level and act as an early warning system so that if things are going wrong, you can act on them quickly. Some example KPIs for change could include:
More than 98% changes are implemented successfully
Less than 5% of changes are emergency changes
Less than 10% of changes are rescheduled more than once
Less than 1% of changes are out of process
So you’ve survived your change process implementation – smile, relax and take a deep breath because now the real work starts! Come back soon for part two of this article which will give you some practical advice on running your new change management process.
Just five short years ago, cybercrime represented just 1% of all economic crime (source: PricewaterhouseCoopers, Global State of Information Security Survey, 2011). By 2011, that number jumped to 23%, and we can continue to expect those numbers to climb.
The numbers aren’t the only thing increasing – so too are the complexity and persistence of these crimes. According to an ISACA survey of more than 1,000 security professionals, more than 9 in 10 respondents believe advanced persistent threats (APTs) represent a credible threat to national security or economic stability. Among the enterprises that have experienced an APT attack, one in three were unable to determine the source (source: ISACA, Advanced Persistent Threat Awareness Study Results, 2014 (publishing in April)).
There is no question that cybercriminals are more sophisticated than ever before. Enterprises today not only have to defend their assets – they must hunt. Detection and response, rather than prevention, are becoming the focus. But with a growing skills gap, still-lean budgets and constantly evolving threats, where can enterprises start?
Know the potential impact of cybercrime and warfare. Make sure you are aware of the potential damage a cyber attack can cause and the wide-ranging impact it may have. The organization must decide the risk level it can tolerate in order to ensure the appropriate level of cybersecurity governance.
Understand end users, their cultural values and their behavior patterns. As the ISACA guide notes, “Business impact and business risk relating to cybersecurity arrangements are strongly influenced by organizational and individual culture.” The culture – and the resulting end-user behavior and patterns – should be accounted for in the enterprise’s strategic, tactical and operational security measures.
Clearly state the business case for cybersecurity and the risk appetite of the enterprise. The business case outlining expected value and tolerable risk will drive the overall cybersecurity strategy. As a result, the business case must have depth and definition. Among its contents, it must include cost-benefit considerations and the organization’s culture and values pertaining to cybersecurity.
Establish cybersecurity governance. There is no need to reinvent the wheel here. Adopting and customizing a governance framework such as COBIT will give you the tried, tested and proven governance guidance you need. By effectively governing cybersecurity, an organization provides a clear sense of direction and boundaries.
Manage cybersecurity using principles and enablers. The principles and enablers found in COBIT 5 will help your organization ensure end-to-end governance that meets stakeholder needs, covers the enterprise end to end and provides a holistic approach, among other benefits. The processes, controls, activities and key performance indicators associated with each enabler will provide the enterprise with a comprehensive picture of cybersecurity.
Know the cybersecurity assurance universe and objectives. Cybersecurity covers multiple areas and aspects within information security. To provide adequate assurance over cybersecurity, the cybersecurity universe must be well defined, and the assurance objectives must be clear and manageable.
Provide reasonable assurance over cybersecurity. This principle requires all three lines of defense within an enterprise to be defined and managed. This includes monitoring, internal reviews, audits and, as needed, investigative and forensic analysis.
Establish and evolve systemic cybersecurity. Cyber attacks target the weakest link in the system. As a result, cybersecurity must be looked at as a system of interdependent elements and the links between them. To optimize cybersecurity, the enterprise must have complete understanding of this dynamic system and must be fully aware that security governance, management and assurance cannot be viewed in isolation.
While no company can be 100% secure, regardless of the controls and security measures it has in place, companies that use good practices such as COBIT are off to a good start. COBIT treats cybersecurity systemically. It helps ensure that an organization has end-to-end policies and processes in place, which helps them recover more quickly and effectively after a breach.
Using COBIT 5, enterprises approach cybersecurity as a business process that is aligned with the enterprise’s governance, risk management and compliance arrangements. They divide it into four phases: prepare, investigate, remediate/respond and transform. The “transform” phase is especially key, as it ensures that the post-incident analysis leads to key insights and improvements that are put into practice. By using COBIT 5 to transform cybersecurity in your enterprise, you can help ensure that cybersecurity is transformed systemically.
Consider this sobering statistic from the ISACA APT survey: one in five enterprises have experienced an APT attack. That number is only going to grow. Take advantage of the excellent guidance out there and make sure your enterprise is following these eight principles to make sure you are ready to prepare for, detect and respond to a cybersecurity attack.
Following on from part one, here are my next seven tips on how to use availability, incident and problem management to maximise service effectiveness.
Tip 4: If you can’t measure it, you can’t manage it
Ensure that your metrics map all the way back to your process goals via KPIs and CSFs so that when you measure service performance you get clear tangible results rather than a confused set of metrics that no one ever reads let alone takes into account when reviewing operational performance. In simple terms, your service measurements should have a defined flow like the following:
Start with a mission statement so that you have a very clearly defined goal. An example could be something like “to monitor, manage and restore our production environment effectively, efficiently & safely”.
Next come your critical success factors or CSFs. CSFs are the next level down in your reporting hierarchy. They take the information held in the goal statement and break them down into manageable chunks. Example CSFs could be:
“To monitor our production environment effectively, efficiently & safely”
“To manage our production environment effectively, efficiently & safely”
“To restore our production environment effectively, efficiently & safely”
KPIs or key performance indicators are the next step. KPIs provide the level of granularity needed so that you know you are hitting your CSFs. Some example KPIs could be:
Over 97% of our production environment is monitored
98% of all alerts are responded to within 5 minutes
Over 95% of Calls to the Service Desk are answered within 10 seconds
Service A achieves an availability of 99.5% during 9 – 5, Monday – Friday
Ensure that your metrics, KPIs & CSFs map all the way back to your mission statement & process goals so that when you measure service performance you get clear tangible results. If your metrics are linked in a logical fashion, if your performance goes to amber during the month (eg threat of service level breach) you can look at your KPIs and come up with an improvement plan. This will also help you move towards a balanced scorecard model as your process matures.
Tip 5: Attend CAB!
Availability, incident and problem managers should be key and vocal members of the CAB. 70%-80% of incidents can be traced to poorly implemented changes.
Problem management should have a regular agenda item to report on problems encountered and especially where these are caused by changes. Incident management should also attend so that if a planned change does go wrong, they are aware and can respond quickly & effectively. In a very real sense being forewarned is forearmed, so if a high risk change has been authorised, having that information can help the service desk manager to forward plan, for example having extra analysts on shift the morning of a major release.
Start to show the effects of poorly planned and designed change with downtime information to alter mind-sets of implementation teams. If people see the consequences of poor planning or not following the agreed plan, there is a greater incentive to learn from them and by prompting teams to think about quality, change execution will improve, there will be a reduction in related incidents and problems and availability will improve.
Tip 6: Link your information
You must be able to link your information. Working in your own little bubble no longer works; you need to engage with other teams to add value. The best example of this is linking Incidents to problem records to identify trends, but it doesn’t stop there. The next step is to look at the trends and look at how they can be fixed. This could be reactive, e.g. raising a change record to replace a piece of server hardware which has resulted in down time. It could also be proactive, for example “we launched service A and experienced X, Y and Z faults which caused a hit to our availability, we’re now launching service B, what can we do to make sure we don’t make the same mistakes? Different hardware? More resilience? Using the cloud?”
You need to have control over the quality of the information that can be entered. Out of date information is harmful so make sure that validation checks are built in to your process. One way to do this is to do a “deep dive” into your Incident information. Look at the details to ensure a common theme exists and that it is linked to the correct Problem record.
Your information needs to be accessible and easy to read. Your audience sees Google and their expectation is that all search engines work in the same way.
Talk to people! Ask relationship and service delivery managers what keeps them awake at night and if there is no problem record or SIP then raise one. Ask technical teams what their top ten tech concerns are. I’ve said it before and I’ll say it again. Forewarned is forearmed. If you know there’s an issue or potential for risk you can do something about it, or escalate to the manager or team that can. Ask the customer if there is anything they are worried about. Is there a critical product launch due? Are the auditors coming? This is where you can be proactive and limit risk, for example working with change management to implement a change freeze.
Tip 7: Getting the right balance of proactive and reactive activities
It’s important to look at both the proactive and reactive sides of the coin and get a balance between the two. If you focus on reactive activities only, you never fix the root cause or make it better; you’ll just keep putting out the same fires. If you focus on proactive activities only, you will lose focus on the BAU and your service quality could spiral out of control.
Proactive actions could include building new services with availability in mind, working with problem management to identify trends and ensuring that high availability systems have the appropriate maintenance (e.g. regular patches, reboots, agreed release schedules). Other activities could include identifying VBFs (more on that later) and SPOFs (single points of failure).
Reactive activities could include working with incident management to analyse service uptime / downtime in more granularity with the expanded incident cycle and acting on lessons learned from previous failures.
Tip 8: Know your VBFs
No, not your very best friends, your vital business functions! Talk to your customers and ask them what they consider to be critical. Don’t assume. That sparkling new CRM system may be sat in the corner gathering dust. That spreadsheet on the other hand, built on an ancient version of Excel with tens of nested tables and lots of macros, could be a critical business tool for capturing customer information. Go out and talk to people. Use your service catalogue. Once you have a list of things you must protect at all costs you can work through the list and mitigate risk.
Tip 9: Know how to handle downtime
No more hiding under your desk or running screaming from the building! With the best will in the world, things will go wrong so plan accordingly. The ITIL service design book states that “recognising that when services fail, it is still possible to achieve business, customer & user satisfaction and recognition: the way a service provider acts in failure situation has a major influence on customer & user perception & expectation.”
Have a plan for when downtime strikes. Page 1 should have “Don’t Panic” written in bright, bold text – sounds obvious but it’s amazing how many people panic and freeze in the event of a crisis. Work with incident and problem management to come up with the criteria for a major incident that works for your organisation. Build the process and document everything even the blindingly obvious (because you can’t teach common sense). Agree in advance who will coordinate the fix effort (probably Incident management) and who will investigate the root cause (problem management). Link in to your IT service continuity management process. When does an incident become so bad that we need to invoke DR? Have we got the criteria documented? Who makes the call? Who is their back up in case they’re on holiday or off sick? Speak to capacity management – they look at performance – at what point could a performance issue become so bad that the system becomes unusable. Does that count as down time? Who investigates further?
Tip 10: Keep calm and carry on
Your availability, incident and problem management processes will improve and mature over time. Use any initial “quick wins” to demonstrate the value add and get more buy in. As service levels improve, your processes will gather momentum as it’s human nature to want to jump on the bandwagon if something is a storming success.
As your process matures, you can look to other standards and frameworks. Agile and lean can be used to make efficiency savings. COBIT can be used to help you gauge process maturity as well as provide practical guidance on getting to the next level. PRINCE2 can help with project planning and timescales. You can also review your metrics to reflect greater process maturity, for example you could add critical to quality (CTQ) and operational performance indicators (OPIs) to your existing deck of goals, CSFs and KPIs.
Keep talking to others in the service management industry. The itSMF, ISACA and Back2ITSM groups all have some fantastic ideas for implementing and improving ITIL processes so have a look!
I’d like to conclude by saying that availability, incident and problem management processes are critical to service quality. They add value on their own, but aligning them and running them together will not only drive improvement but will also reduce repeat (boring) incidents, move knowledge closer to the front line and increase service uptime.
In conclusion, having availability, incident and problem management working together as a trio is one of the most important steps in moving an IT department from system management to service management as mind-sets start to change, quality improves and customer satisfaction increases.