How to get the biggest gains from ITIL

Tripwire Inc | www.tripwire.com/vault


In their quest to achieve strategic and operational objectives, CIOs have increasingly turned to ITIL. However, without any clear starting place or prescriptive approach, most companies struggle to achieve tangible improvements. As a result, Kevin Behr and I co-founded the IT Process Institute in 2000 to advance the quantitative science of IT operations to create meaningful guidance tested with the same empirical rigor behind pharmaceutical drug trials.

Dedicated to researching, benchmarking, and developing prescriptive guidance for IT organizations, the ITPI has partnered over the years with organizations such as the SANS Institute, the Software Engineering Institute at Carnegie Mellon University, and the Institute of Internal Auditors to capture and codify how the high performers became great. The result of this research was guidance published in 2003 as The Visible Ops Handbook. By July 2006, this handbook had sold over 40,000 copies, and it is increasingly accepted as a powerful, prescriptive, project-based approach to implementing ITIL processes.

In analyzing the high performers, we asked, “What do high performers do differently that results in real performance differences? How much better are they than typical organizations? And can what they do be replicated in any IT organization?” To answer these questions, we began the IT Controls Performance Study and spent three years benchmarking IT organizations. Many will say that the goal of science is to explain the greatest number of observable phenomena with the fewest principles, confirm deeply held intuitions and reveal surprising insights. The key findings from the IT Controls Performance Study do all three of these.

How much better are high performers?

In our benchmarking we found that the high performers outperform everyone else not by a factor of two, but often by a factor of five to ten. In our analysis, we found a high performing group that constituted 13 percent of the total respondents, and that as a group, they:

  • Implemented eight times more projects than both low and medium performers.
  • Delivered and supported 4.5 times more IT services to the business than medium performers, and 3.3 times more services than low performers.
  • Supported 2.6 times more applications and software for the business than medium performers, and 6.6 times more than low performers.
  • Authorized and performed five times more IT changes than medium performers, and 14 times more changes than low performers.

These are all strategic metrics that show that high performing IT organizations are delivering considerably more value to the business than medium and low performers. From an operational perspective, the gap between high performers and everybody else was even more impressive:

  • When top performers manage IT assets, they have 2.5 times higher server/sysadmin ratios than medium performers, and 5.4 times higher ratios than low performers.
  • When top performers implement changes, they have one-half the change failure rate of medium performers, and one-third the change failure rate of low performers.
  • The percentage of work that is unplanned in top performers is 12 percent lower than in medium performers and 37 percent lower than in low performers.

What do high performers do differently?

We believed that high performers were not doing all of ITIL, but were focused on a common subset that really mattered. We coined this subset the ‘foundational controls’, which we thought would have a disproportionately large impact on the performance measures of operations, security and audit.

To find which controls mattered most, we developed a list of 63 controls by selecting the six leading control categories within ITIL that are considered to be ‘where to start’ (access, change, resolution, configuration, release and service levels). We then selected 63 COBIT control objectives within these areas. We also included 25 questions on operations, security and audit performance measures. Questions included topics such as IT user satisfaction, unplanned work, security sufficiency and audit compliance disruption level.

What we found was that the Pareto Principle applies to IT controls: 20 percent of the effort results in 80 percent of the effects. Moreover, we found that each of the six control categories could be reduced to either three or four foundational controls, with the same impact on performance measures as the full set of controls. We found 21 foundational controls in total.

To illustrate our conclusions, we relied on finding clusters of similarly managed control environments. Using each respondent as an input, we clustered respondents by how each answered on the 63 controls and whether each was in the top 20 percent of performance. We found three clusters, each represented below:


Each wedge on the polar vector diagrams represents a foundational control. The size of each wedge represents the percentage of the cluster members that responded ‘yes’ to that control. Note that almost all of the members of the high performing cluster had all of the foundational controls, and that almost all of the members of the low performing cluster had no controls except for access and resolution.

But is the high controls cluster also the high performing cluster? Is the low controls cluster also the low performing cluster? The answer is ‘Yes!’ The interpretation of this result is that the medium and low controls clusters are trying a variety of controls in different areas and not getting the benefits because they have not started in the right place – with the foundational controls.

Can high performance be replicated?

When we analyzed what foundational controls were most present in high performers and the least present in medium performers, the controls (in order) with the largest gap were:

  • Do you monitor systems for unauthorized changes?
  • Are there defined consequences for intentional unauthorized changes?
  • Do you have a formal process for IT configuration management?
  • Do you have an automated process for configuration management?
  • Do you track your change success rate?
  • Are you able to provide relevant personnel with correct and accurate information on the present IT infrastructure configurations?

Of the 21 foundational controls, these six are the hallmarks of an efficient, effective IT operation. These controls were almost universally present in high performers and virtually absent everywhere else, indicating that they are the key levers necessary for medium and low performers to transform themselves into high performers.

These controls are exactly what we prescribe in Visible Ops as they are the controls needed to foster a culture of causality. In other words, these controls help the organization not only look one step ahead to avert risky behavior, but also look one step behind and trace back the source of outages and service impairments.

Moving from good to great

Without a doubt, high performers are better able to contribute to business value and provide strategic differentiation. In low performing organizations, IT staff can spend more than half their time on unplanned work whereas top performers spend less than 10 percent; high performers are able to spend over 90 percent of their time and resources on strategic projects, taking the business forward.

Management by belief or hope doesn’t work, and yet without a clear starting place, that’s exactly what IT management is expected to do. And as is all too familiar, operational issues cause lost revenues, failed changes and unplanned work, ultimately impacting strategic issues and resulting in late projects, poor user-satisfaction and audit findings.

So why are organizations failing to achieve the expected benefits from their ITIL investments? It is because many organizations do not know where to start. Fortunately, the ITPI research has revealed a set of foundational IT controls where the Pareto Principle applies. Visible Ops and the IT Controls Performance Survey reveal that the first step is to implement the foundational IT controls. With these controls in place, CIOs can fuel IT service quality improvements to drive strategic business initiatives.

There is an astoundingly strong correlation between the adoption of the foundational IT controls and the increased performance and productivity of IT. With these specific IT controls in place, organizations will achieve the significant productivity and efficiency gains that motivated their initial ITIL adoption.

Get a free copy of “IT Process Institute: IT Controls Benchmark Survey Key Findings” at: http://www.tripwire.com/vault

Seven habits of highly effective IT organizations

  1. They have a culture that supports change management
  2. They monitor, audit and document all changes to the infrastructure
  3. They have zero tolerance for unauthorized changes
  4. They have defined consequences for unauthorized changes
  5. They test all changes thoroughly in a preproduction environment before implementing them in the production environment
  6. They have an established way of analyzing the impact of IT change before and after it occurs
  7. They track and analyze change successes and failures and use that data for future changes
