Monday, September 28, 2009

The Rain in Spain

When Dr. Higgins attempts to improve Eliza Doolittle’s speech in My Fair Lady, he starts with the basics: practicing speaking with marbles in her mouth, repeating basic sounds and words, the most famous being “the rain in Spain is mainly in the plain”. The parallels with an organization seeking to improve its processes are similar in that the basics must be mastered first before one can be the belle of the embassy ball.

What are some of the basics that an organization can put into place while attempting to improve? Some choices are:

Strategy: Easily the most neglected area of organizations worldwide and IT organizations in particular, certain basic techniques of Strategy should be implemented. While full blown strategy methodologies might be a bit much for the beginning effort towards improvement, fundamental techniques of demand analysis, financial management and portfolio management should be implemented.

Customer Point of Contact for Negotiation: While organizations do have this in place in some fashion, it is rarely enacted formally enough to bring its true value and benefits to the table. ITIL’s Service Level Management process is a well defined methodology for achieving this objective. The ability to not merely interact and form a point of contact with the customer but to build a relationship and understand their needs allows for superior alignment of IT with customer’s requirements. This effort returns rich rewards and is definitely much value for money.

Change & Configuration Management: Again implemented by most organizations but not adequately. A good first step for organizations committed to improvement would be to evaluate what they have in place and tighten up and further align with what users require. At an organization that I consulted for in the past, they had a home grown Change/Configuration management tool that had fields and options that users did not need or use and did not have needed fields and options. Clearly they could have benefitted immensely with a properly thought out tool that fitted with their needs better.

Service Desk, Incident and Problem Management: Another set of those processes that most organizations do have in place but could desperately use an overhaul and update of. Common service desk shortcomings are lack of current information made available to service desk personnel, increasing call volumes and increasing and more complex changes to the service. Incident and Problem management also suffer from lack of communication from change and configuration management typically.

Continuous improvement: While there may not exist an organizational maturity to reach six sigma levels at the present, certain basic improvement techniques can certainly be implemented. A basic technique of Root Cause Analysis and resolution to prevent similar mishaps occurring in the future is easy and requires minimal investment. Therefore, there is no reason to not implement a RCA system of continuous improvement, no matter how limited resources are available in the organization.

It is often argued that times are too challenging or resources not available to implement process improvements by those not enthusiastic about improvements. However, there are small and simple steps that can be carried out that yield rich returns for the effort expended. It is possible to get started without a great deal of investment and disruption. With the improvement and stability gained with these initial steps, further and more complex process improvement endeavors can then be undertaken. Even if an organization is dedicated to a large scale process improvement effort, the basics must first be completed successfully. Remember, the rain in Spain is mainly in the plain.

Monday, September 21, 2009


Service continuity is now an expected feature in any organization’s portfolio whether IT or non-IT. In the past, customers were sympathetic and understanding regarding disaster events that unexpectedly disrupted services. However, nowadays, organizations are expected to have accounted and planned for possible disaster events and to prepare and execute continuity plans in the event of the disaster actually occurring. Finally, after the dust clears, the operations should be brought back to a normal state.

IT organizations are expected to manage service continuity and this is generally included in the Service Level Agreements when the services are being negotiated and agreed upon with the customer. An IT Service Continuity Process with a Service Continuity Manager as the process owner should be established to carry out this activity on an ongoing basis. The process should then create a set of IT Service Continuity Plans that support the overall business continuity plans of the organization. The plans should identify possible disaster events and the contingency and continuity activities that should occur if the disaster does strike. Furthermore, the plans should include a description of how a return to normal service operation should occur after the disaster is over and the contingency plan is no longer necessary.

After the creation of the continuity plans, regular Business Impact Analysis (BIA) activities should be carried out to ensure that all the plans are in sync with changes that have been made to the service and organization.

Other activities of the Service Continuity Process include assisting the Change Management in assessing changes for any possible impact to service continuity and working with suppliers and the Supply Management Process to ensure supplies are made during a disaster event.

Of course, during the occurrence of the disaster event, the IT SCM process comes into the forefront and initiates the contingency plan in order to continue service delivery to the customer. Service Continuity monitors the situation until the disaster event subsides and then presides over the transition back to normal operations. To conclude, the process records the success of the continuity event and makes notes for future improvement.

Disaster recovery and service continuity are no longer a luxury but a necessity in today’s market. Organizations must take service continuity seriously in order to maintain customers in the competitive environment we live in now.

Tuesday, September 15, 2009


In the good old days, security meant a guard with a gun or a well trained Doberman that refused food from strangers. Now, we have hacking, phishing, identity theft, viruses, spyware, adware and a host of other malicious attack techniques. Over and above this, an aspect of security that is generally not considered as deeply, there exists the possibility of problems and issues occurring simply due to non-intentional, non-malicious errors. An example of this might be that due to a bug in the code, sensitive client’s information is available to view by everybody. This wasn’t a deliberate move on the programmer’s part but simply an error in the code. However, the net result was a compromise in the security level of the application.

The solution to security issues is, of course, a well defined and implemented security management process. The cornerstone of the security management process is the overall security policy for the organization. The Service Level Agreements of each service should also include security requirements that can then be individually addressed.

Security activities can be divided into the following steps:

  • Planning

  • Implementing

  • Evaluating

  • Maintaining

  • Reporting

  • Controlling

Security activities can also be broken down into the following types:

  • Preventative – such as firewalls, login requirements, ID cards etc.

  • Reductive – backups and testing etc.

  • Detection – Antivirus and antispyware software, network intrusion monitoring etc.

  • Repression – Blocked login after 3 failed login attempts, card retention after failed pin entry etc.

  • Correction – restoring backups, removing viruses that have entered the system etc.

Therefore, it is clear that a lot of thought and work must be devoted to security in order to maintain the security requirements that are considered part and parcel of any product or service nowadays. Security must be a consideration right from the very beginning when a service is being conceived at the strategy stage and should be designed into the service. Too often, very superficial security considerations are made in the beginning which results in inadequate security of the final product. Organizations must now consider security as important and significant as any other aspect of their organization’s functioning.

Monday, September 7, 2009

Taking Stock

In my experience, most organizations do not have a good understanding of their capabilities. I do not mean that they have not taken a good inventory of what they possess. Sure, they probably have a list of how many laptops and desktops are scattered around the office and the number of employees pounding the keyboards. They know how many licenses of Windows and Office are out there and the number of desks and chairs. The problem is that they do not have a good understanding of their organization’s capabilities; what the organization can achieve in how much time and more importantly what it cannot achieve.

The definition of an asset in the context of IT is a combination of resources and capabilities. Resources are defined as direct inputs for production and some examples are financial capital, applications, infrastructure and people. Capabilities represent an organization’s capacity, competency and capability for action. Some examples of capabilities are management, knowledge and processes. Generally organizations maintain a good checklist of their physical resources but have a poor idea and understanding of the less tangible capabilities that they possess. This lack of understanding makes management more challenging and in particular, makes improvements difficult to implement. After all, how can you improve that which you don’t understand in the first place?

Improvement is by no means the only aspect that suffers when an organization does not have a good understanding of itself. The ability for IT to align itself with business and to support business processes also suffers. So does agility and the ability to make quick changes which is crucial in today’s world. Financial estimating is also highly inaccurate when the capabilities of an organization are not understood completely.

Therefore, it is clear that an organization must understand its capabilities completely and move beyond just an inventory stock keeping of its resources. How does an organization go about understanding its capabilities properly? The first step, of course, is to keep a good stock of the organization’s resources as they are the building blocks of capability. A well setup Configuration Management system is crucial in achieving the ability to keep tabs on the resource items. The configuration Management System should also maintain relationships between the items that allow for an understanding of how a change in one item will affect another item or a system.

Next, a reliable process of documentation must be setup and maintained. Arm in arm with the documentation process, a system of collecting and analyzing metrics must be created and maintained as well. Metrics must be carefully collected and archived for future reference.

Finally a system of modeling should be setup that utilizes all the aforementioned data to provide a realistic estimate of the organization’s capabilities. The modeling should be set up to predict finances and costs, schedules, technical complexities and project and service deliverables.

With all this setup and relevant information available, management can make crucial decisions with confidence. Furthermore, the organization will make accurate estimates and will be extremely agile and better aligned to customer’s requirements. Simply by understanding one’s own self.