Conducting an ITSM process assessment can be both important and beneficial. The assessment exercise is important because it can provide the baseline information needed in order to improve the processes that were assessed. The improvement in the efficiency and effectiveness gained usually leads to better IT services, which is always a benefit for our customers. Conducting a process assessment is also not a trivial exercise. It takes a good deal of planning and preparation upfront before the first survey goes out to the stakeholders.
A number of organizations utilize the help of external consultants to perform the assessment. A number of organizations also would like to roll their own assessment exercises. This post will go into some suggested resources if you are thinking about performing a self-assessment on your ITSM processes today. Consider the following…
One or more of the core ITIL documents: Since we are talking about assessing ITSM processes, the ITIL documentation seems to be the most logical baseline material to have. Get the entire set of five manuals, preferably the 2011 update edition, from Best Practice Management or another source. There have been a number of books written on ITIL, and they do provide good information. Have the official ITIL manuals handy nevertheless.
A Process Maturity Model: For each process you assess, you will need to be able to assign a numeric rating that denotes the maturity level of the process. I would suggest adopting either the approach of Capability Maturity Model Integration (CMMI) for Service or ISO/IEC 15504. Both CMMI and ISO/IEC 15504 have a numeric ranking system of 0-5 to measure the process maturity level. The ways both standards label the maturity levels are also very similar. However, there is a cost consideration involved. CMMI can be downloaded free from Software Engineering Institute while ISO/IEC 15504 documents need to be purchased from ISO. If you have access to ISO/IEC 15504 at your organization, go for it. If not, download and use CMMI from SEI. At the end of the day, I believe either maturity model definition will do just fine for DIY assessments.
In addition to the maturity levels, you will need a list of best practices or control objectives for each process. The best practices or control objectives contain the finer details that show what a mature process will look like. Take the Problem Management (PM) process for example; a mature PM process should have something like…
- A procedure to identify, record, classify, and track problems
- A procedure to perform root cause analysis and closure for a problem
- A mandate where problems require changes in configuration items for resolution must be handled via the Change Management process
- A setup for Known Errors repository when root cause has been identified but the problem cannot be fully resolved for some legitimate reasons
- A procedure to monitor and measure the effectiveness of the PM process
- A well-defined set of interfacing procedures or protocols between PM and other related processes such as Incident, Service Request, and Change Management
To come up with a list of best practices or control objectives, I can suggest researching, distilling and integrating information from the following sources…
- The ITIL Core Documentation.
- COBIT 4.1: For our PM example, Process DS10 (Manage problems) has the control objectives which can be used for accessing the PM process. COBIT also contains a number of control objectives that can be mapped to other ITIL processes as well. COBIT can be downloaded from ISACA (registration required).
- CMMI Version 1.3 for Service: The section “Incident Resolution and Prevention” on page 171 contains some worth-a-while ideas and what a maturity level 3 will look like for Problem Management. CMMI for Service can be downloaded from SEI.
- ISO/IEC 20000-1 and 20000-2: ISO 20K and ITIL v3 share a number of similarities. For example, section 8.2 of ISO 20000 deals specifically with Problem Management and spelled out details on what constitutes compliance with the ISO standard. I would suggest purchasing the two ISO 20000 documents, with the latest updates from 2011 and 2012 if possible. ISO/IEC standards can be purchased from ISO or ANSI.
Combining the four documents between ITIL, COBIT, CMMI, and ISO 20000, you should be able to come up with a list of assessment criteria for a particular process. Coming up with a list of assessment criteria is probably one of the most time-consuming exercise of the process assessment. There is where the external consulting can help or come into the picture. The external consultants will likely already have those assessment criteria on hand and ready to go. Since we are talking about the DIY approach, coming up with a robust list of assessment criteria will be well worth the time to do it the very first time. After the one-time start-up effort, the assessment criteria can be fine-tuned and used over and over again for the subsequent assessments.
Other Supplementary Materials: I suggest obtaining the following documents because they contain valuable information that can help you immensely as you sort through various documents to formulate your assessment model.
- Aligning COBIT® 4.1, ITIL® V3 and ISO/IEC 27002 for Business Benefit: This document provides a detailed mapping of COBIT 4.1 processes to ITIL V3 and vice-versa.
- COBIT Mapping: Mapping of ISO/IEC 20000 With COBIT 4.1: Another helpful mapping document but available to ISACA member only. Non-ISACA members can also purchase the e-book from ISACA.
With COBIT 5’s planned release in April 2012, we will see some changes in how COBIT presents the process assessment and control objective information. If you need to start planning the process assessment effort for your organization, there is no need to wait for COBIT 5 in my opinion. Between ITIL V3, COBIT 4.1, CMMI Version 1.3, and ISO 20000, you have more than enough pieces to put together your own maturity assessment model picture. In the future posts, we will go into more assessment how-to’s such as surveying the stakeholders, analyzing the results, and presenting the findings.