Better management through best practices
Yes, best practice frameworks work, but no, they're not all the same.
By Denise Dubie, Network World | Network World US | Published: 00:00, 27 January 2006
The good news about adopting best practices is that corporations aren't limited to one method. The bad news is that companies will most likely need to adopt more than one best-practice framework - or at least parts of many - if they want a complete, effective set of management process guidelines.
A related concern is that when network managers realise that multiple standards may be required to achieve their goals, they may become overwhelmed trying to discern the differences among popular frameworks.
Best-practice frameworks such as IT Infrastructure Library (ITIL) and Control Objectives for Information and Related Technology (COBIT) have been around for years. For the most part, these frameworks should bring consistency and efficiency to the various aspects of IT, such as application development, help desk, network operations, security, and service delivery and support. Compliance with the Sarbanes-Oxley Act and numerous other regulatory standards is another obvious benefit - and is often the impetus for IT executives to start looking at process frameworks.
Other - and perhaps longer-term - gains are the cost cuts and labour reductions that result when an IT shop deploys processes to which all staff members adhere. Best-practice nirvana occurs when IT is able to align with business by helping network managers translate their services into business terms and assign a business-relevant priority to their tasks.
Broad adoption this year
According to Forrester Research, best-practice frameworks will see broad adoption in 2006. The firm suggests that in many cases, ITIL and COBIT - along with the Capability Maturity Model (CMM) and ISO 17799 - should be adopted in concert. ITIL addresses service delivery and support; COBIT covers the broadest spectrum of IT governance; CMM, which is used frequently by application developers, shows how IT shops rate in terms of maturity compared with best-known processes; and ISO 17799 proposes security management measures.
"Most of these frameworks are not mutually exclusive and are most effective when used in combination with one another," says Craig Symons, a principal analyst with Forrester, in a report released this month. "The road to a comprehensive IT governance framework involves understanding the differences among the frameworks and when to apply each framework."
Which frameworks an organisation starts with depends on its goals. Many industry experts say even though ITIL is quickest to deliver incremental results, COBIT is a good place to start. COBIT can help IT shops prove they are performing the processes laid out in the other frameworks, as it is a common tool for auditors.
"COBIT is focused on governance, and if you are a higher-level IT manager concerned with overall corporate governance, this is the best place to start," says independent ITIL consultant John Worthington. "If you are purely focused on IT and have a specific area to control, you may start with ITIL, but it's likely the two initiatives would come together eventually."
Brian Childers, an independent IT service management consultant and a board member with the US-based IT Service Management Forum (which supports ITIL standards), adopted COBIT reluctantly during an IT process implementation at Earthlink, a previous employer. A big supporter of ITIL's tenets, Childers didn't want to explore the possibility of linking his process plans with those of COBIT. "I was adamant that I didn't want COBIT," he says. "But there was a gap in our plans to roll out two ITIL processes - change and release management - and COBIT addressed the hole because it provided specific audit guidelines that mapped directly to what auditors want."
He says that Earthlink was able to sign off on its Sarbox compliance in September 2004, a few months ahead of the December 2004 deadline, because the combination of ITIL and COBIT helped the IT staff to better define and then prove their processes were in place. "You can flat-out copy the COBIT guidelines and be golden, because that is exactly what the auditors are looking for," he says.
ISO certification as a side-benefit
Lenny Monsour reports a similar scenario, in which the use of one framework - ITIL - led him to get certified in another, ISO 9001, a standard that defines the requirements for a quality-management system. Monsour, product management director at SunGard, started to put ITIL's change management processes in place about 18 months ago and found that by also rolling out an automation platform he could achieve ISO compliance as well.
"ISO demands pretty intense processes that are focused on quality and compliance," he explains. "ITIL gives you a loose guideline as to how to do change management, it's not specific. But with ISO 9001, you have to have your processes documented against your logs, and an auditor will check those against each other."
Two years ago Kent Joshi had an external consulting firm advise him to put best practices in place to govern IT operations at Washington Mutual Bank in Los Angeles. Joshi, the bank's IT vice president, soon realised the suggested processes, which laid out many fundamentals Joshi deems critical, still lacked the specific processes he would need to synchronise IT services with business demands. "We realised without a strong service-level management [SLM] process in place, we weren't instilling practices that addressed IT's interaction with our customers," he says.
Joshi says that before exploring the SLM guidelines, which ITIL lays out at a high level, his organisation would have multiple IT staff people contacting customers, suggesting fixes for their problems. But without well-defined processes, the IT staff would provide only a piece of the necessary service and in a manner that couldn't be measured. The business unit would be left unsatisfied, and the IT staff would be left "scratching their heads" as to how their efforts didn't achieve the goal, he says.
Express and measure
"ITIL's SLM process places itself between the two areas: It expresses customer requirements in terms the business understands and in IT terms for my staff," he says. "And it helps you to figure out a measurable way to prove you delivered the services."
Despite the known benefits of frameworks, network managers should be wary of falling victim to "standards slavery," says Jon Vromat, a best-practice consultant with HP.
"IT organisations often think they have to take it all on at once, and then they fail. Adopting frameworks is more like eating an elephant; to be successful, you have to do it in digestible chunks," he says.
Referring to best-practice frameworks as alphabet soup, Vromat says that managers should approach process adoption in three steps: Start with a framework, such as COBIT or ITIL; move on to a standard that can be certified, such as the many ISO guidelines; then perform ongoing improvements that could be measured by, for example, CMM or Six Sigma.