April 2011 - Posts

Report of the evolving role of the CIO from the ISACA EuroCACS conference

Published: April 27 2011, 09:15 AM | no comments
by Robert Stroud

As part of my role as an ISACA international vice president and an evangelist for governance, cloud computing and service management, I spoke last month at the ISACA EuroCACS conference in Manchester, UK. I delivered 3 sessions in total: one on Value Management, the second on using COBIT and ITIL for service excellence, and the third a series of predictions I have for the CIO. The session, the last of the event, was exceptionally well attended and a summary of my remarks was published on the ISACA Now blog. For those who missed the session, I am delivering my updated predictions at the ISACA North American CACS event, May 15-19 in Las Vegas, which will include some additional predictions on the changing role of the CIO, cloud computing and security! If you are interested, visit the website for more information.


By: Robert Stroud
Robert Stroud serves as VP and as Service Management, Cloud Computing and Governance Evangelist at CA Technologies. Robert also serves as an International vice president of ISACA, is part of the Framework committee and was the former chair of the COBIT Steering Committee. Robert also serves on the itSMF...

Efficient, effective and just enough service management to drive business value

Published: April 26 2011, 09:20 AM | no comments
by Robert Stroud

Service Talk is the quarterly magazine of itSMF UK, designed to keep its members informed on trends in the service management industry and techniques to better execute their role. This quarter, my article "Efficient, effective and just enough service management to drive business value" is the first of a series of articles identifying the requirement and techniques for professionals to focus on business value. For more information on ServiceTalk, contact communications@itsmf.co.uk.

This article highlights incident management, the process I find most implementations of service management commence with. It offers some guidance and metrics to assist you in being focused on your business and not simply the process.  The text of the article is provided below and you can also download a PDF of the article.

...... 

Efficient, effective and just enough service management to drive business value

Rob Stroud suggests a more enlightened approach to incident management

With the focus on rapid value, shorter change cycles and the requirement to be agile, many CIOs have asked my opinion recently about their service management strategy. I have been hearing more frequently about large-scale service management implementations fixated on a long-term vision of a vague five-year plan with minimal project strategy. These implementations typically employ incident and problem management with the objective of driving better availability, and some of them get into what I call the ‘incident focused death spiral’.

The incident focused death spiral is where a service management implementation focuses on being reactive and solving problems with little or no focus on the business case or the value proposition. Now, being very effective at solving incidents is not a bad objective, but if you fail to focus on the other aspects, such as incident removal and providing usable and productive knowledge, you are going to suffer customer satisfaction challenges. A good example is your local restaurant: if they make the same mistake every time you arrive, over time you will find somewhere else to eat even if it means travelling further. In short, we're talking about implementations focused on solving the symptom rather than dealing with the cause.

Businesses change rapidly and, with business processes totally dependent on technology, one must mirror the other, flexing and contracting as required based on the value that the business delivers.  This means that IT must be focused on the delivery of service, a service aggregator sourcing the raw or partly finished components to be consumed by the business like a manufacturer does. Just as the business is focused on delivering a quality product at an appropriate price that supports the margin required, the same is true of IT. 

In this day and age when change is accelerating and technology is changing ever more rapidly, the supply chain is becoming increasingly complex. We need to focus on a balanced implementation delivering enough resource across the full service lifecycle. This requires an understanding of capacity management, sourcing materials and managing delivery according to agreed service levels at the appropriate cost. In service management terms, I believe that we have to move the focus away from incident management and place it instead on demand, measuring service levels against business expectations and basing our investment decisions on the business return.

All this may seem a little daunting after years managing incidents, but this fundamental transition can be delivered with the use of some basic guiding principles:

  • Service management implementations must be structured, with detailed project plans and defined milestones and metrics.

Most CIOs believe that 80% of service unavailability is due to failed change, both planned and unplanned, and this leads to implementations commencing with incident management to give the organisation a clearer view of service outages. This will allow the organisation to understand the service impacts, yet most fail to link outages and incidents to the change and consequently they are missing an essential metric. As a result, changes are made to resolve incidents with risks that are not effectively and appropriately managed, perpetuating the hero mentality and the cycle of downtime. The first technique is to capture the time spent on unplanned change as a lost productivity metric.

  • Each phase should be based on the 80/20 principle: 20% of the implementation should give you 80% of the value.

The implementation of effective and efficient service management requires a focus on the key aspects of each process rather than a deep and detailed analysis. In order to show business value quickly, we need to understand change and implement effective change processes, perhaps using request management to automate frequently implemented low-risk and low-impact changes. Request management is one of the most underutilised and valuable tools in the service management arsenal, as it allows us to ensure that all the appropriate legal and audit metrics are in place and the data automatically collected as the request is executed. Further, service levels can then be linked to service delivery and automated in line with agreed business SLAs, making the IT organisation appear to be exceptionally responsive - a real bonus in this agile world.

  • Implement factual reporting and attestation that support data-driven decisions, linked to the business

IT is great at delivering technical data on the performance of hardware. This offers minimal value to the business.  IT needs to aggregate technical information and report against performance metrics that make sense to the business, and it must prioritise the delivery of metrics. 

In the initial implementation of effective service management you can typically use some indicative metrics. For example, for change management try the following:

  • Number of changes (a high rate of change with poor availability implies control problems)
  • Number of authorised changes (if the number is low then unauthorised change is occurring without your knowledge)
  • Change success rate
  • Incidents related to/arising from change
  • Business impacts of failed changes
  • Number of emergency changes
  • Average change processing time.

The one constant in any effective business is change, and the critical aspect of implementing good service management is making sure that you are close to the business and are synchronised with the changing business environment. Do everything with your goals and objectives in mind and be prepared to start the journey and learn. Leverage the 80/20 rule and always remember that process improvement is a journey - not the destination.


Effective Risk Management; a tool for the whole IT Family

Published: April 21 2011, 10:53 AM | 4 Comment(s)
by Robert Stroud

This week was my annual speaking engagement at the ISACA Los Angeles Chapter conference at Universal City, Los Angeles. The theme, "What is the next big risk?", was timely and excellent, especially with the economy heading out of recession (at least that is what the experts tell us), and the conference featured several sessions exploring both the positive and negative aspects of risk.

Risk exists in every aspect of our lives and all activities we undertake. For example, think about crossing the road. We naturally mitigate the risk of being struck by a car by looking for oncoming traffic. Depending on a combination of factors such as the type of road, time of day, level of traffic and so on, we may cross at a crossing, lights or an overpass, or take our lives in our hands and sprint across. The risk management process becomes part of our daily process and becomes instinctive. Why shouldn't the same be true in IT?

In recent times the level of complexity in IT, combined with the experience of our people, good skills and detailed IT domain knowledge, has allowed IT to manage most risk through domain knowledge held by key individuals. The growing complexity of IT, intertwined with compliance and the dependence on split-second decisions, mandates that effective Risk Management becomes part of our DNA.

The trap here is that the automatic answer to all risk is to avoid or mitigate, but in this time of innovation the business may indeed agree to accept the risk based on the organization's risk position, culture and strategic direction established by the business. For instance, if the business is in a rapid growth phase they may accept more risk.

Acceptance of risk for growth also requires that you be prepared to accept the consequences should the venture fail. Unfortunately, once failure occurs, more often than not it leads to the "blame game".

To grow and to innovate, some level of risk must be assumed and failure is another learning opportunity!

For more information on the ISACA LA Chapter conference visit the conference website: http://www.isacala.org/conference/

 


Time to sharpen your pencils and comment on the COBIT Process Assessment Model

Published: April 14 2011, 06:58 AM | no comments
by Robert Stroud

I often tell the story of my eldest son when he first had his driver's license and would ask to borrow the car keys. He would come into the kitchen and ask for the car keys and I would reply, "Where are you going?" His response: "I don't know." To which I would reply, "Then how do you know when you have arrived?" This simple analogy reminds me of many implementations of governance where the destination is not known, typically resulting in a lack of confidence in IT from the business executives.

COBIT (more information below) has offered a maturity model in the past that has allowed for the assessment of your COBIT maturity processes. That said, as part of the continual improvement process for COBIT, ISACA conducted a global survey in which it was found that 89 percent of the almost 1,400 respondents expressed a need for a rigorous and reliable IT process capability assessment. As an outcome, ISACA is in the process of developing a new COBIT Process Assessment Model (PAM). The objective of the COBIT PAM is to be a vehicle to drive executive confidence in the value that IT delivers from their investments in IT-powered business.

There are two documents planned for the CAP series:

  • COBIT 4.1 Process Assessment Model (PAM), available for review on the ISACA web site
  • COBIT Assessment Process Guide for Certified Assessors, designed to support certified assessors; more information will be available later in 2011

Prior to release of the PAM, ISACA is calling on subject matter experts to comment on the PAM exposure draft, which is available on the ISACA website for a month. The final document is anticipated to be available in the third quarter of 2011.

I, like ISACA, would be very interested in your comments on the PAM, so take a look and take the opportunity to contribute your feedback.

About COBIT
COBIT is a globally accepted set of tools that helps minimize IT-related risks and maximize the benefits of technology investment. COBIT acts as an integrator of more detailed international IT standards and guidance. Based on industry standards and best practices, it is a comprehensive approach to ensure that IT is meeting the needs of an enterprise and enabling the achievement of strategic business objectives. The COBIT framework is available as a free download at www.isaca.org/cobit.


Is Risk a negative word in your organization?

Published: April 06 2011, 12:13 PM | no comments
by Robert Stroud

"IT is too risk averse!" was the statement that I heard today from a business representative at a major enterprise. "IT put up barriers and all I want are solutions." These statements are becoming increasingly frustrating for me to hear, as is the description of IT by many users who tell me that IT's first answer to inquiries is always "no".

Today, with the growing total dependence on IT for business and the expectation that IT, like a utility, is always available, IT is inheriting a significant portion of the risk associated with the business process. In the same manner that the business minimizes (or mitigates) risk, IT must also adopt and execute this risk position. The perception is that IT in the past has been too sensitive to risk and would rather mitigate the risk or stop the process than assist the business in execution.

For example, some IT organizations decided to prevent their organizations using social media even when the business determined it a competitive advantage. Imagine an organization where IT banned the use of cloud platforms, but the business circumvented IT and hired programmers to write new applications outside the firewall and directly to the cloud platform. Implementing such tight control can backfire and cause the organization to be even more exposed, as the rogue application may not use the organization's security policies.

Some simple guidelines for the implementation of effective enterprise risk management require the development of a risk culture that considers the implications of risk and identifies a process to determine if a risk should be accepted for business benefit or mitigated with appropriate controls.

The steps involved include:

  • Identify the organization's risk appetite and tolerance
  • Identify responsibilities and accountability for Risk Management
  • Create an awareness program and communicate

Risk management is the responsibility of all IT professionals. Over the next few weeks I will further detail how to deliver effective risk management and how to leverage it for competitive advantage.

