BSM – ITSM Done Right?
Business Service Management (BSM) is a term that is all the rage. I used to think ITSM meant BSM, but I have recently changed my mind. It all started when I went out to get Six Sigma certification...

We have had descriptive governance and control frameworks such as COBIT and ITIL for several years. Many have found it difficult to develop specific work procedures for staff members. This is changing with the introduction of prescriptive frameworks.

Turning governance into action necessarily requires a prescriptive approach, as generalities are not useful for defining specific IT procedures. Previously, organizations had to create their own "prescriptive frameworks" for use in addition to COBIT and ITIL. However, companies now have access to several "off-the-shelf" prescriptive frameworks as well, and more will arrive in the future.

The combination of descriptive and prescriptive frameworks provides, for the first time, a cohesive alignment of business, IT management, and IT operational activities leading to substantial improvements in IT service quality, value realization, and competitive advantage.

To me, this is what BSM really means. Below, I explain an interesting trend that I have seen developing in the industry. I think BSM is the only way to succeed with ITSM.

It All Starts with IT Commoditization

Business dependency upon IT requires that IT improve, standardize, and automate routine aspects of IT operations. IT must "manufacture" products and services with consistent quality, on time, and defect free. IT commoditization describes the maturation of IT capability toward this goal. Using prescriptive frameworks continues the process of standardizing IT operations. Standardization brings new repeatable and measurable capabilities to IT, which result in higher IT efficiency and effectiveness. Prescriptive frameworks also lend themselves to automation as they represent a collection of tasks that generally result from a particular event or events. Procedure definition, measurement, reporting, and automation are all indicators of increasing maturity.

With the increase in auditing and control required by regulations and legislation such as Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and others, it is now common to encounter COBIT and ITIL together in more mature organizations – COBIT for control, and ITIL for workflow.

By itself, COBIT provides a collection of sound control objectives and recommended ways to measure them. COBIT provides Key Goal Indicators (KGI) specifying business-aligned IT activities, making KGI attainment a measurement of success. However, COBIT stops short of providing detailed instructions on exactly how to achieve its objectives. The exact nature of addressing COBIT control objectives is then subject to interpretation and adaptation by the practitioner. This is by design and both ISACA and ITGI (the promulgators of COBIT) publicly state this is the case.

The descriptive nature of COBIT, when combined with the need to audit IT organizations carrying out real work, creates an implementation vacuum that COBIT alone cannot satisfy. Today’s regulatory environment requires audits and measures of real activities – in other words, having a statement on record may not pass an audit.

Increasingly, many IT organizations turn to the IT Infrastructure Library (ITIL) for more specific IT process workflow guidance to accomplish COBIT control objectives and meet COBIT KGIs. The ITIL completely describes the process workflow activities that a well-functioning IT organization must provide. The ITIL adds a very thorough explanation of how its components operate, their dependencies, and the importance of having governance guidance (which ITIL itself does not include).

The ITIL forms the basis of an IT organization's workflow by providing detailed descriptions that help IT organize to manage day-to-day activities in repeatable, process-oriented ways. However, like COBIT, the ITIL is descriptive and provides minimal guidance on precisely how to attain its objectives. Also, similar to COBIT KGIs, the ITIL provides Critical Success Factors (CSF) and Key Performance Indicators (KPI) to measure its operation.

COBIT and the ITIL work together as a team. COBIT provides auditable KGIs that become trailing indicators of IT/business alignment. ITIL CSF and KPI become leading indicators to attaining COBIT KGIs. Indeed, ISACA/ITGI and OGC/ITSMF have jointly authored several papers describing how these two popular frameworks complement each other.

COBIT and ITIL are Not Enough

To achieve controls and meet legislative and regulatory mandates it is becoming common to encounter COBIT and ITIL together in more mature organizations. While the teaming works well, even this "one-two" punch is often insufficient to turn governance into action and make it "real." Worse, many consider the question to be "COBIT or ITIL" and fail to realize the co-dependent nature of these frameworks.

The “problem” with COBIT and ITIL is that they are descriptive and not prescriptive. While this is by design and required of flexible frameworks such as COBIT and ITIL, the lack of specific and detailed operational activity guidance makes their use more difficult for many practitioners.

One missing link until now has been the lack of prescriptive frameworks, as neither COBIT nor ITIL provides guidance where "the rubber meets the road" – the IT worker with hands-on responsibilities for the applications and systems COBIT seeks to control and ITIL seeks to manage.

The addition of prescriptive vendor-specific frameworks aligned with COBIT and ITIL supplies the method for realizing ITIL workflow at the operational level. In short, to turn governance into action requires a new model with additional layers of prescriptive frameworks beyond control and process that detail what to accomplish, when, how and by whom. Such an expanded model for IT must add a Realization Layer (e.g., ITUP, MOF, etc.) to the existing Control (COBIT) and Process (ITIL) layers.

Figure 1. Achieving Business/IT Alignment with the IT CPR model

But this is still not enough to succeed at ITSM! IT commoditization requires the IT CPR framework, or something very much like it. However, achieving the IT CPR model requires leadership and management. This role – the role of applying the IT CPR model to an organization – is creating true Business Service Management or BSM.

Business Service Management

The way BSM accomplishes this is by combining IT and non-IT management tools into a cohesive system with the purpose of achieving the IT CPR model. To implement the IT CPR model requires four key elements, all of which BSM incorporates:

In the past, BSM was a term mostly used by vendors to represent their specific ITSM solution. These vendors want to emphasize the business-oriented nature of ITSM and so changed its name to change the discussion and focus. The goal of BSM remains the same – align IT operations with the business and manage IT services along business lines by using, for example, metrics that have more to do with how the business views things than traditional technology measurements.

This author has, in the past, referred to BSM as "ITSM done by the books." Indeed, the ITIL indicates the requirements for all of the above related items, and a few others. However, BSM is now seen by this author as the means to make IT commoditization real, a method for transforming governance into action, and this author bows to market realities. BSM, as defined in this paper, subsumes ITSM, and is the means to achieve IT CPR.


IT commoditization drives BSM and makes IT align with the business. Part of IT commoditization, if done well, includes automation. As the BSM initiative progresses, IT should discover consolidation opportunities, uncover "Darwinian" operational improvements, create standard service offerings, and create a shared support organization. This sets the stage for automation, and through automation IT begins to achieve true commodity status – and delivers the highest quality and most value to all participants.

The alignment of business objectives with IT process workflow and documented procedures used in daily IT operations can produce a highly functional IT environment. BSM is the emerging management philosophy that integrates the IT CPR model into an organization. BSM includes more than IT; its member frameworks, such as COBIT and Six Sigma, extend into and affect IT, business, stockholders, and the marketplace.

Using BSM to apply the IT CPR model results in auditable, sustainable, and controlled IT operations that directly support business initiatives and contribute to competitive advantage over those companies that do not. This is "governance into action."
