
Today, more than at any time in the past, organisations are heavily dependent on their information and communications technology infrastructure. Business leaders quite rightly demand the most reliable up-to-date information systems and applications that will meet the expectations of customers and staff – and an increasing number of senior managers and executives believe that IT service management (ITSM) represents the best way to unlock efficiency and effectiveness without the need to inject large amounts of capital funding.
But how should a company get started on an ITSM implementation? And what important factors need to be taken into consideration to ensure measurable success? Business Management spoke to a number of executives at some of the leading ITSM solutions providers to find out.
John Scott is Vice President, Marketing and Product Development for RealOps. In this role, Scott’s responsibilities include providing vision and direction for the company and managing the roadmap and development of the company’s product portfolio.
Michael Scheib, iET Solutions President and CEO, is a 20-year veteran of technology management. As President and CEO of iET Solutions, he directs the company’s continued development of enterprise ITSM solutions built around ITIL.
Ken Hollywood is the Regional CTO, Management Software for the Americas and Asia Pacific. He has worked in regional and worldwide software positions as a senior technical consultant and domain expert in networking, communications, systems management and telecommunications management.
Anders Vinberg is the Chief Architect of the Windows and Enterprise Management Division, responsible for technical direction across Microsoft’s management initiatives – both the management infrastructure that goes into Windows and the management products.
Greg Downer is a Master-certified ITIL Service Management consultant at Pepperweed Consulting with extensive hands-on experience implementing ITSM in the field. Greg is also a Certified Information Systems Auditor (CISA) and an active member of itSMF USA.
BMUS. ITSM tools and strategies have been around for quite some time, yet they seem to have attracted unprecedented attention recently. What would you say are the drivers behind the rise of IT service management?
GD. A major driver behind widespread interest in ITSM is the rash of new compliance regulations that dictate an unprecedented posture of control for most organizations. Processes, transactions and information that were once only loosely managed must now be rigorously documented and tracked – a process that requires IT to take on additional responsibilities developing and managing compliance support systems. Further, as IT is, in and of itself, a critical link in the compliance lifecycle, it must now move forward in developing, documenting and tracking its own, internal processes.
IT organizations have historically been so occupied keeping end-user customers up and running that they have not had the luxury of putting in place their own ERP-like systems to improve process operations. Until recently, few IT departments could have secured the budget for such an effort, much less devoted the time and effort. What systems were available to address IT process management were not designed for the greater rigor that is now legislated.
ITSM and ITIL best practices provide a solid framework and starting point for defining and optimizing IT processes and addressing control requirements across the organization. As an added bonus, companies that follow well designed IT processes will find that they can lower costs and improve productivity as a result of reducing self-inflicted IT wounds.
MS. The drivers behind IT service management are exactly the same as the drivers behind all corporate initiatives – becoming more competitive, accountable and fiscally responsible. IT as a discipline is increasingly taking its place alongside supply chain, sales, manufacturing and all the traditional operations as a corner office concern.
More than ever before, IT executives are expected to answer a seemingly simple question: when will information technology ever deliver on its promise of service to the business? Simply put, when will service align with strategy? Service management allows IT to answer that question. It’s a methodology that enables the IT department to deliver a better ‘customer experience’ and higher value to the organization. It’s a holistic approach, encompassing the people, processes and technologies that deliver IT services. The goal is to transform the organization from a tactical technology-provider to a strategic, business-oriented service operation. This is a seemingly simple concept; however, as with most things in life, the devil is in the details.
JS. There are a number of drivers I would point toward for the growing adoption of ITSM, which serves as a comprehensive framework spanning the set of operational disciplines that combine and interrelate to deliver IT services (configuration management, change management, incident/event management, problem management, security management, service level management, etc.). In looking back to the early days of mainframe computing, there was a much more controlled grasp over these various functions and their related interdependencies. But with the advent of client/server and distributed internet server architecture, and the rapidly increasing technology lifecycle, we witnessed a regression in which many of these traditional rigors and frameworks were pushed aside in the name of responsiveness.
But over the past five to six years, having endured events such as 9/11, Hurricane Katrina, major security penetrations and service failures by prominent online brands and with the increasing regulatory attention focused on IT services delivery, there has been a renaissance within IT surrounding the importance and intrinsic value of establishing control and harmony across the breadth of operational functions. This has given rise to both awareness and adoption of ITSM in an effort to drive process maturity and deliver on the increasingly challenging mandate ‘do more with less’.
KH. Businesses today are being pressured as never before to find new ways to grow shareholder value, top line and bottom line results. As the business develops the right growth strategies, IT becomes the all-important factor. Today, corporate strategy drives business strategy; business strategy drives functional strategy, business activity and processes. We have moved away from an era where IT was simply mechanizing human effort in assembly-line fashion. We are now experiencing a trend where CIOs focus on business processes that enable growth, and the health of those business processes as critical success factors.
ITIL focuses on the delivery of information services, and underlying applications and associated infrastructure. What happens when you take away e-mail for an hour from today’s modern workforce? Think about the business impact of a salesperson stripped of their mobile e-mail device. Or what happens when the HR portal for timecards goes down and vacation or overtime cannot be recorded in the appropriate time period? This tie from information services to the business and correlating performance trends is also a driving factor in ITSM. To that end, HP has developed actionable performance dashboard products that link IT and business process performance. When business processes are linked to IT services and the proper management of those services is enabled, a business can accurately plan growth strategies. A business in today’s global economy cannot grow outside of the constraints of its IT capabilities.
BMUS. Why are best practices important in helping to manage IT services? How can the guidance provided in the IT Infrastructure Library help?
AV. There are three aspects associated with managing IT services – the people tasked with managing and operating the IT environment, the process they use to manage IT and the technology and tools they utilize to deliver IT services. It is relatively straightforward to calculate the cost of obtaining the human resources for managing the environment, and the cost of acquiring, implementing and operating the technology and tools utilized by IT. Because these two aspects are quantifiable, the importance of process is often neglected – but process and applying best practices to determine how the technologies are used can have a significant impact on the overall cost associated with operating IT and its ability to deliver higher levels of service to the business.
Cost savings accrue via the consistency of executing on the best practices and service levels delivered in a known, repeated and consistent fashion. ITIL provides a jump-start for circumventing the need to learn through trial and error how to streamline process and minimize cost. Microsoft has embraced ITIL, and has invested in extending the ITIL concepts to deliver prescriptive guidance through the Microsoft Operations Framework (MOF). MOF provides a practical way for organizations to implement ITIL guidance and best practices and operate their environments accordingly.
KH. Standardizing around a set of best practices drives out cost and expense. ITIL provides a common lexicon of terms, common inputs and outputs and measures, boundaries and interfaces – but doesn’t dictate how. It’s about getting everyone to move in the same direction. Imagine if everyone on a corporate board could make up their own process independent of other board members – would the company survive?
As an analogy, the rules of the road, the licensing of drivers, the inspection of cars and the standardization of vehicle capabilities allow us to easily drive any rental car after just a few minutes of familiarization. However, when a businessman arrives from Los Angeles at the Heathrow airport in London, it takes a bit of driving time to grow accustomed to operating a vehicle on the ‘wrong side’ of the road, even though it is perfectly normal for the locals. Likewise, ITIL standards are simply there for guidance – the rules are the same, but how they are applied is different based on individual businesses.
From an IT manager’s perspective, let’s say the car dashboard is the equivalent of the datacenter tools currently in place to determine the performance of the IT infrastructure – which is representative of the rest of the car. Is the instrumentation adequate? What does the dashboard look like? Is there enough gas and oil pressure? What are the key performance indicators, and what ‘gauges’ are relevant and actionable by the common driver? Your IT shop is no different, and with the right best practices in place, you can be sure everyone is going in the same direction.
JS. Best practices are important in delivering IT services for two fundamental reasons. First, best practices (as the name implies) provide a synthesis of leading edge thought and practice to common, real world problems. Thus, they represent a collection of leading thought to a specific area or topic. This then provides for their reuse by lesser-experienced organizations, which saves organizations time, money and potential disaster in attempting to ‘reinvent the wheel’ and having to learn from their own mistakes.
The second major reason that best practices are important is that they become common standards utilized by all (or many), which makes the skills associated with them far more transferable and available in the marketplace. This is economically valuable to both IT professionals and to the companies they deliver services for.
MS. Best practices are always important, of course. In IT services, they have extra importance, because technology is so complex and far-reaching. If you were to start from scratch to invent your own IT service infrastructure, there would be a million ways to go wrong, and the results could be disastrous for a company. The days of bringing in technology and seeing what you can do with it are gone. It’s all about discipline and results, and for that you need best practices. That’s what ITIL really is: a set of best practices. It doesn’t tell you exactly how to do something, but it defines the process for IT service management in the framework of best practices.
It’s important to understand that ITIL has been evolving for 15-20 years. The Library reflects the experiences of literally thousands of companies. It’s a repository of best practices from around the world, from both government and private sector organizations. At iET Solutions, we take ITIL so seriously that we built our ITSM solution suite around it, from the ground up. It’s the foundation of our ITSM applications, because we believe it’s the foundation of good IT practices.
GD. Many organizations have tried many approaches over the years. Some are wildly successful, others less so. Standards bodies, analysts and consortiums continually monitor these results and eventually are able to pull from this pool of industry practices those that have proven to be most effective – the best practices – over time.
ITIL best practices can be instrumental in creating efficiency and effectiveness in IT organizations. The IT Infrastructure Library organizes and documents best practices, and provides step-by-step guidance that can greatly reduce the learning curve required to assess and improve IT processes. While companies can (and should) prioritize and customize the processes for their unique operating environment, the ITIL library can provide a significant accelerator toward process re-engineering. Working with a de facto ‘standard’ like ITIL also establishes a basis for continuous improvement, at a level few companies could continue to fund. ITIL, version 3, is currently under development, capturing the next-generation of IT process improvements. Even those organizations that are able to secure funding on an ongoing basis would find themselves hard pressed to duplicate the added-value provided by the numerous IT professionals who contribute to keeping ITIL fresh and forward thinking.
BMUS. Some have claimed that ITSM is as much a cultural change as it is a technological one. To what extent do you agree with this assessment, and why?
KH. I completely agree. Let’s look at the business reality facing many IT organizations today. Many IT departments use outdated organizational structures, management systems, processes and tools that make it difficult to provide what businesses need most: the delivery of IT solutions – not products – with increased speed, agility and quality, while reducing the risk and cost of services. To meet this need, IT organizations must evolve into trusted IT service providers that can adapt IT on demand, and offer the cost-effective, reliable, flexible IT services so critical to today’s business initiatives. However, transforming an IT organization into a trusted service provider of IT services is no small task. That’s why IT organizations are turning to ITSM vendors for answers.
Here is the key though – people believe and follow other people, and need to know the new process or discipline will work. One of the largest hurdles in any standard adoption is not only executive sponsorship, but also leadership by example; this is where ITIL – a comprehensive and highly respected source of information about IT processes – comes in. Often the challenge lies in applying ITIL guidelines and making extensive changes to the people, processes and technology components of an IT organization. Developing a strong business case and then following through in selecting the right technology becomes critical for day-to-day operations. Technology, when carefully selected and properly integrated, supports existing processes and people, enabling IT organizations to successfully manage more processes with fewer resources while increasing customer satisfaction and lowering operating costs.
GD. ITSM is, in fact, mostly a cultural change, transforming not only how the IT organization comports itself, but how every department in the company comports itself in relation to IT. ITSM mandates a close partnership between business and IT that enables companies to selectively and aggressively deploy those IT services that will have the greatest and most immediate strategic impact. It is this opening of a continuous dialog between IT and the business that provides some of the greatest potential benefits to an organization.
A culture that supports and enforces systematic processes also significantly reduces the opportunities to shoot off one’s own feet. It has been well documented that 80 percent of system downtime arises directly as a result of implemented changes. As companies learn to reward proactive planning in place of heroic recovery, senior IT resources can be freed up to be more strategic and forward thinking – an obvious competitive advantage.
This is not to say technology isn’t a significant enabler. While ITSM is not dependent upon any single technology – it has, in fact, been implemented using nothing more sophisticated than MS Word and Excel – specialized process automation tools can certainly improve the effectiveness and efficiency of IT processes and provide a well-documented audit trail.
MS. ITSM is about defining how the IT organization does business and thinks about its services and its customers; defining processes; then implementing, measuring and refining those processes. Education plays a key role in the ITSM and ITIL adoption process and certainly this has cultural change implications. Technology comes into play in helping to implement and measure processes, but the actual process is by definition driven by the culture of the firm and the requirements of the business. In fact, I would say that unless ITSM is supported by (even driven by) the corner office, it may not succeed. This is one reason why iET Solutions provides a complete yet flexible solution. We recognize that ITSM doesn’t stop when you roll out the process the first time; there are frequent changes or adaptations that have to be made based on the evolution of the business’ needs.
On the other hand, this isn’t a sudden change. IT has been evolving toward business accountability for some time, and the CIO in any company is trying to align technology with business goals. The real shift with ITSM is how you do it. It’s a disciplined, procedural approach to what everybody is trying to do already. But I’d call the shift evolutionary, not revolutionary. Also, it makes a difference how you go about it. If you call one of the giant consulting firms and give them three years to set up ITSM for you, then yes, it might be a big cultural change. But that kind of massive initiative isn’t always necessary.
AV. An ITSM-based approach does involve a mindset change – in essence, it changes the lens and focus associated with IT implementation, operation and measurement. Introducing a new and different way of thinking and operating requires change in the entire approach to IT – from an organizational and technological perspective. Re-tooling an organization to support this new approach and changed process is often challenging and more expensive than re-tooling the infrastructure, tools and technologies themselves – as people and organizations take time to learn, change and adapt to the new environment. When implementing ITSM, it is important not to discount the cultural impact, and to provide the necessary tools, training and guidance to the organization, orchestrating the change in parallel across both technological and cultural aspects. One of the approaches taken by Microsoft to assist in facilitating this is to embed the best practices and processes into the tools and technologies themselves – helping lead the organization through the procedural changes by the way the tools work.
JS. There is no question that ITSM is as much a cultural challenge in its implementation as it is one of technology. The core basis for this is that ITSM strategies transcend people, process and technology in viewing IT as a single living organism, requiring full integration and orchestration in order to be performed effectively. This is a fairly radical departure from the traditional organizational and delivery models utilized over the past 10-15 years, in which many IT organizations and functional processes have existed in a highly fragmented and autonomous manner. For example, it has been generally accepted that one or more technology departments would have management responsibility for configuration and change management over their specific area of technical expertise, with little oversight or input from those responsible for incident, problem and service level management. Yet, as we know from much recent research, change management is the leading cause of service failure. And this is just one simple example of many found in a traditional IT organization paradigm. Correspondingly, a comprehensive ITSM initiative will impact organizational structure, process ownership and enforcement, communication policies, etc., and in doing so will disrupt the norms that many IT departments have operated under for years. In short, ITSM implies fairly significant change, which always registers cultural backlash and resistance; this needs to be managed carefully for any such effort to succeed.
BMUS. While originally thought to involve finance departments only, the demands of regulations such as SOX have made their way to the desks of CIOs charged with the task of supporting compliance initiatives with technology. How can ITSM help support, drive and manage compliance requirements?
JS. It really should come as no surprise to anyone in the IT community that the onus of regulatory compliance has shifted or expanded to include IT itself. In a very literal sense, technology is utilized to mimic and replicate human functions in order to drive efficiency across the business. Before the advent of technology, business relied on people and process alone (through written record); today, the addition of technology means that labor resources are freed up from previous tasks (now being performed by the technologies deployed in their place) so that they can perform other, more value-oriented functions. Accordingly, the applications and infrastructure we rely upon today to run our business possess a wealth of institutional knowledge on how we do our business, along with nearly 100 percent of the resulting information in running it (the data compiled across various data stores).
IT is in a unique position to help drive compliancy initiatives for the business. IT possesses a mapping of the business processes (implicitly or explicitly) across all or most operations (those supported by IT applications), along with having management responsibility for enterprise data (both where and what). As such, IT is ideally positioned to provide a unique service to the business with respect to compliancy adoption and adherence.
MS. A key aspect of compliance is documenting activities and assigning accountability. You have to be able to prove what you do, and you have to show clear lines of responsibility. That happens to be exactly what ITSM provides for. Nothing is under the radar in a properly run ITSM operation, and when there are problems, the responsibility for fixing them is clear-cut. That’s the whole point, on an operational level.
From a higher level, compliance has become another business goal – and as with all business goals, IT has a strategic role to play. ITSM gives a framework for identifying the challenge, where technology can help, implementing a technology solution, and making sure it serves the need. ITSM helps IT work in partnership with the corner office to meet compliance objectives.
From a ground-level view, compliance issues have added a lot of new IT activities and possibly new software and hardware on the network, so there are more things for IT to service and keep track of. For instance, SOX compliance requires documentation of change in the IT environment and this results in a considerable amount of paperwork. ITSM solutions can address this problem with digital signatures for change management approvals. Although somewhat minor, this is an example of how ITSM can minimize the amount of paper IT departments have to process for SOX compliance. In short: you may want ITSM just to service your SOX operations!
GD. Sarbanes-Oxley has put a lot of pressure on IT organizations to develop adequate controls supporting financial systems and the underlying IT infrastructure. Adding to the pressure, IT itself must be able to pass a SOX audit. It is important not to overstate the case for ITSM in achieving regulatory compliance. ITSM alone cannot guarantee a successful SOX audit, but it can certainly be a mechanism for enabling and accelerating SOX compliance. At its core, ITSM establishes consistent communication between IT and the business functions it supports. ITSM dictates that IT proactively and methodically gather requirements from these business functions, not least of which will be a set of requirements around SOX compliance. And as ITSM also mandates access and documentation of new policies and procedures, this too supports a compliance audit.
ITSM can also address one of the most pervasive and persistent issues associated with process compliance: the tendency for people to abandon change – however necessary and beneficial – and fall back into familiar patterns. ITSM provides mechanisms for ensuring that process changes continue to be governed over time, and compliance sustained once a process has been implemented, audited, and approved.
KH. SOX is just one of many compliance requirements applied to all businesses. This is your opportunity to drive new value to the business as others wonder where to get started.
One of the benefits of HP’s ITSM approach with HP OpenView products is the aspect of user access control. Control benefits occur when employees have access to new and more adequate information and analysis (made possible by technology) – and, as a result, can make faster, better decisions than if they lacked this decision-support information. HP OpenView has the ability to control, automate and report on customer and employees’ access rights to their IT services and applications, thereby enabling organizations to meet audit and compliance requirements related to Sarbanes-Oxley/COBIT, Gramm-Leach-Bliley, FDA, Financial Services Authority, etc. In addition, the HP OpenView Configuration Management software (previously known as Radia) provides policy-based provisioning and ongoing automated management of Microsoft Windows, UNIX and Linux operating systems. This enables enterprise IT organizations and service providers to provision and manage all the digital asset layers on servers, desktops, laptops and other mobile or remote devices.
Use compliance to your advantage to catapult the business into shape, showing new value attributes that IT brings to the table. This can be painful initially (what new discipline is easy?) but the results can be astounding.
AV. Regulations or governance provides the ‘framework’ for desired organizational conduct, much as service-level requirements associated with an ITSM-based approach to IT provide the framework for desired business application conduct or behavior. ITSM already provides the mechanism for ‘following the rules’ and measuring IT’s compliance with those rules, and governance also requires systems and controls to facilitate and measure compliance to such regulations. Similar to IT optimization, many regulations require documented and repeatable processes, with controls in place and reporting against compliance. Even though IT-based controls are not specifically required by most regulations, it is often IT management that ends up implementing the controls that regulations require – and IT becomes a natural home for regulatory controls and compliance reporting.
Regulatory and compliance requirements have become part and parcel of the same businesses IT is already supporting through ITSM – and embracing and extending the compliance aspect is logical and practical. This expansion of IT’s support of the business needs can help IT further integrate with the business and become an even more valuable asset to the organization.
BMUS. How can companies quantify the business benefits of ITSM? Is it easy for them to measure ROI on such initiatives?
JS. Unfortunately, measuring ROI from ITSM initiatives can prove to be a difficult task. The most straightforward means of measuring ROI is to perform benchmarking and apply efficiency measurements to target process areas, which are then garnered through human resource or technology consumption savings. But this does not adequately account for ITSM initiatives designed to enhance service quality, which may be more effectively measured through customer retention rates or online sales figures. This becomes very murky when analyzed in light of additional service enhancement or lead and revenue generation initiatives. Which initiative is responsible for what percentage of the growth, and should some amount of that growth be backed out due to normal business expansion? These are tough questions to answer.
A similarly challenging topic with ITSM is security, where the financial ROI looks more like an insurance policy than an increase to the top line or an efficiency identified in the bottom line. Ultimately, it is the CIO’s job to socialize and evangelize the critical importance of a comprehensive ITSM strategy and the ROI benefits to the business associated with such a program.
MS. This can be hard to do for an ITSM initiative because, if a company is starting with no (or poorly defined) processes, they may have no baseline from which to measure ROI. For instance, prior to implementing change management, it may be very difficult to quantify the impact of poorly managed or unauthorized changes – yet we know from organizations like HDI that these are the second-leading cause of service desk calls. That said, some companies have claimed enormous savings. A major US consumer company reported saving half a billion dollars since starting its ITIL initiative several years ago.
I think measurement and ROI come into play as you move forward. A key part of ITSM is setting objectives and establishing service level agreements, based on what business objective you are trying to meet. Each company must decide why the business requires a certain level of IT service, what the payback is and how they will measure it.
The important point is, it’s part of the ITSM process – linking a given IT initiative to specific business goals, and then following up to make sure it delivers on expectations. It’s not an exaggeration to say that ITSM gives companies the power, for the first time, to quantify the value of IT and measure its success.
AV. Although the initial focus on IT optimization was driven by the need to reduce costs, the real value of ITSM is associated with the business benefits derived – which is often difficult to measure and quantify. It is relatively easy to measure the cost saving obtained through IT while rationalizing the infrastructure and streamlining process; however, a large number of companies take on major service management projects and still fail to deliver measurable benefits to the business – because they did not clearly articulate the value of ITSM to the business.
Organizations need a construct for tying infrastructure improvements to both maturity and capability improvements, and also to business improvements and benefits. It is easy to identify hundreds of issues and recommendations – but the essence of providing value to the business is in identifying the right things to work on that will directly impact the business. In order to quantify the value of ITSM, the MOF Business Value Service Management Assessment (SMA) supports the customer in identifying the right problems, qualifying them and creating an actionable roadmap for improvement. The SMA still supports the application of a maturity model – however, with an explicit tie to business reasons, not just increasing maturity for the sake of a higher score.
KH. What is ROI, really? ROI is a three-part equation, and a tricky one for many vendors with limited products, services or experiences. The three pieces of the equation to consider are ROI on the tool, ROI for IT and ROI for the business. ROI is dependent on the business problem you are solving, and your ability to quantify the problem and relevant cost, expense or the new value it creates.
There is so much more to ROI than the initial exercise to justify the project. Where ROI becomes powerful is when initial expectations are met, and then continually refined. When combined with existing ITSM and ITIL best practices, IT organizations have new visibility on where and how to drive business value and how to quantify their contribution.
GD. A Gartner study recently found that only three percent of respondents identified ‘inability to measure ROI impact’ as an inhibitor to implementing best practice process models. In point of fact, identifying and documenting causal factors associated with ITSM and tying those to a specific ROI is extremely controversial.
Which is not to say that the benefits of ITSM can’t be quantified and measured. Simply that the performance metrics most useful and supportable in evaluating the success of an ITSM project tend to be one level removed from calculation of an ROI. Further, different audiences will be interested in different metrics, and will tend to value those metrics differently. Even here, short-term business priorities can significantly shift the value placed on specific metrics at any given point in time.
ITSM performance metrics that are commonly used to measure project effectiveness include before and after data for availability/uptime, time-to-incident resolution, production improvement (defects, on-time and on-cost metrics), IT cost and variance, audit items (new, opened and closed) and complaints.
While IT tends to be better at tracking operational level metrics, which are typically easier to capture, operational metrics should be mapped, whenever possible, to a related organizational business metric. Availability, for example, should not be reported in terms of server uptime, but rather in terms of the end-user uptime experience for a specific business service.