Reprinted with permission from the Feb 2005 issue of Public CIO.
These are not good days for technology geeks, whether they work in government or the private sector. The bold era when problems were solved with the latest, most innovative technology -- damn the cost -- is over. Today, it's all about better processes and governance.
Just check out what's happening beyond our borders. In the United Kingdom, the British government created and implemented the Information Technology Infrastructure Library (ITIL). And just as its title claims, it has little to do with hardware or software, and lots to do with books -- seven books that are essentially a bible to everything you need to know about running an IT department, including best practices and standards for core operational processes.
North of the border, the Ontario government adopted the ITIL governance model -- or IT Service Management (ITSM) as it's increasingly called -- to improve across-the-board help desk management. The expected benefit will be vastly superior service delivery at much lower cost.
Already, Ontario's Ministry of Transportation used ITIL to integrate people, technology and processes. As a result, help desk incidents were resolved 98 percent of the time, up from 85 percent. Patti Kishimoto, head of ITSM Strategies and Change Management in Ontario's Office of the Corporate Chief Technology Officer, said the government views the newly adopted IT governance framework as an enabling strategy that will reduce the unit cost of IT.
In the United States, private-sector corporations are holding their IT organizations more accountable while reducing their budgets. To deal with this new reality, IT departments are adopting highly defined governance structures, such as the Control Objectives for Information and Related Technology (COBIT), which is heavily promoted by the IT Governance Institute.
Organizations also use a variety of IT governance models that connect IT strategies with business needs while aligning processes at the enterprise level. They go by various names, including the Capability Maturity Model, ISO7799 and the Balanced Score Card.
There are numerous reasons for this surge of interest in IT governance. In the private sector, the Sarbanes-Oxley Act forced corporations to set up internal controls to ensure financial accountability, which affects IT as well as other aspects of business. Mergers and outsourcing also placed pressure on IT organizations to ensure everybody is speaking the same language. Finally, CEOs in both the public and private sectors are demanding to see some ROI from IT investments. That can only happen when technology delivers what business units need across the enterprise.
Until recently, few understood how to make that happen. "The question everybody keeps asking is, 'If IT is a business within a business, what is it they deliver?'" said Kenneth Wendle, ITSM Solutions lead for HP and immediate past president of the ITSM Forum USA, for which he is still an adviser. "The problem is that IT organizations are like restaurants without a menu."
The menu most organizations have is a mishmash of services and infrastructures run by separate operations. The way to get everybody reading off the same card and processing the same operation evenly throughout an organization is to apply IT governance. Such governance allows CIOs to cut through the complexity of IT, and ties together IT strategies and business strategies, writes Marianne Broadbent and Ellen S. Kitzis in their book, The New CIO Leader.
What Broadbent, Kitzis, the IT Governance Institute and others are advocating is catching on. Nearly 80 percent of CIOs recognize governance is needed to address the structural and operational problems that plague IT operations today, according to a 2003 survey conducted by the IT Governance Institute. Few organizations, however, practice IT governance -- less than 5 percent among large firms, according to a survey by Meta Group. And while many recognize the problem, there's little consensus on what is the best IT governance model, according to the IT Governance Institute survey. In fact, the framework known as COBIT was recognized by only 18 percent of its survey respondents. Most mentioned internal or vendor solutions as the most widely accepted governance frameworks.
COBIT has been around since 1996, when its guidelines and best practices were published by the Information Systems Audit and Control Association. Its prime purpose is to align IT resources and processes with an organization's business objectives, quality standards, monetary controls and security standards. As the publisher's name suggests, COBIT was crafted to provide auditing controls for computer systems, which became increasingly necessary as those systems became integral to organizational processes.
Because COBIT has been around for a while, it has been tested by organizations from around the world, according to Jon Singleton, IT Governance Institute member and auditor general for the Province of Manitoba, who added that COBIT is used by some government utilities in Manitoba. "COBIT is very robust and allows us to measure processes when we do an IT audit," he said. Ultimately COBIT allows organizations to control the risks implicit in any IT project, he added. To an auditor, that's extremely important.
Canada's public sector isn't the only one using COBIT. According to the IT Governance Institute, approximately 11 percent of the global public sector is aware of the IT governance model (whereas 45 percent in financial services are knowledgeable about COBIT). In Massachusetts, the state auditor's IT audit management team uses COBIT to identify high-risk IT processes and assess IT controls.
Library of Services
Unlike COBIT, ITIL has taken longer to reach U.S. shores.
First launched as a set of 44 books by the British government's Stationery Office between 1989 and 1992, ITIL has since been condensed into seven publications (all copyrighted, but available for purchase) maintained by the UK's Office of Government Commerce.
Four years ago, few organizations in the United States had any idea what ITIL was. Some speculate that it has been slow to catch on in the United States because American firms tend to be more entrepreneurial and less process-oriented than European organizations. But as IT organizations in the American public and private sector become less technology centered and more service-centric, interest in ITIL has grown considerably.
ITIL is a process framework based on best practices and methodologies for change, release, incident and configuration management, as well as problem, capacity and financial management. However, its biggest impact so far has been in the field of help desk management. ITIL experts say the benefits are twofold: It improves IT services while reducing delivery costs. According to a brochure published by the ITSM Forum, some savings organizations have achieved through ITIL governance framework include:
The ITIL concept has spread by word of mouth rather than by corporate marketing, according to HP's Wendle. "ITIL has grown as IT organizations transition from looking at IT as a solution unto itself to looking at the delivery of IT as a service. And what are IT services? They are a set of related components that support one or more business processes. That shifts the perspective from managing IT to managing IT as a service," he said.
Wendle said ITIL is very descriptive but not prescriptive. In other words, it doesn't say things must be done a certain way, but provides a baseline so the process used to define help desk management in health and human services is also used to define help desk management
The ITIL governance framework is especially useful when consolidating business processes. CIOs and business unit directors can use ITIL as a tool to improve communication across silos and different IT centers because it forces everybody to speak the same language. In fact, global companies have eagerly adopted ITIL because divisions in different countries, speaking different languages, are on the same page when it comes to managing IT processes.
The fact that the British government developed ITIL and applied it throughout its IT operations makes the governance framework appealing to the public sector. The U.S. Office of Management and Budget and the U.S. General Services Administration have been pushing the ITIL at the federal level. California's Stephen P. Teale Data Center, the state of Michigan and the commonwealth of Massachusetts use parts of ITIL. A number of other states, including Kentucky, Iowa and Wisconsin, are also looking closely at ITIL.
In Ontario, ITIL use follows on the heels of a massive government reorganization that slashed the number of ministries from 25 to seven and reduced the number of separate IT infrastructures the government must manage, while allowing it to move forward with creation of enterprise plans for IT architecture, network and the province's messaging system.
The ministry identified the ITIL governance model as the enabling strategy for reducing the unit cost of IT while improving service delivery and support, according to Kishimoto from the Corporate Chief Technology Officer's office. The only way to do it correctly is to link the IT processes with the ministry's business needs and manage them across the enterprise. "It's very complicated," she admitted.
To make it work, Kishimoto suggests governments start small and make sure their ITSM strategy is based on a common infrastructure. Ontario focused its initial efforts on help desk services in the Ministry of Transportation. The goal is to create a single, virtual help desk that can be replicated for other ministries. Using ITSM as their framework, Kishimoto worked with the Transportation Ministry to develop common help desk tools so the service can be managed at the enterprise level to the "end of the chain," as she puts it.
Vendors Embrace Governance Model
Even though ITIL exists as a set of books anyone can purchase, the framework caught the attention of some of the largest IT firms in the United States. Along with IBM, HP in particular has embraced the ITIL's components because the framework was a huge help when the corporate giant acquired Compaq and merged the two cultures.
In turn, HP offers what it has learned about ITSM to its customers. Cathy Martin, HP's director for state and local government, said the public sector, like corporate America, is changing how IT operates within the enterprise but needs help making the transition. "CIOs want to centralize IT and build trust with the agencies, but they don't know what services the agencies want," she said. ITSM provides IT departments with the components that allow them to define the services they have and offer them in a way that makes sense to the end-user.
David Ratcliffe, CEO of Pink Elephant, a Toronto-based consulting firm that specializes in ITSM, cautions that IT governance is a complicated undertaking and that frameworks such as ITSM are particularly so, if not approached in the right way. It's not enough to identify a need for a new process. "You need a champion to make sure workers understand why they are deploying a new process," he said.
Like so many endeavors in IT, leadership and good communications skills are key ingredients to making ITSM and other forms of IT governance work. Other hurdles include alignment of processes with business drivers, lack of skills (especially in the area of project management) and high costs.
But Ratcliffe believes government is better suited than many private-sector firms for adopting IT governance. "The public sector is strong on order and discipline, has respect for following rules and has established ways for getting things done," he said. These are the cultural elements in which IT governance is best suited to grow.