Improving ITSM Through a Compliance Approach

Using compliance to improve ITSM

Continual service improvement projects (CSIPs), critical success factors (CSFs), key performance indicators (KPIs), and effectiveness and efficiency are all terms heard as frequently during discussions on IT service management (ITSM), as the jeers, laughter, and unrest that can be heard in the House of Commons. “Why compare ITSM to UK politics?” I hear you ask.

The truth is, that like UK government and its policies and initiatives that aim to improve areas such as economies, society, and security to name a few – ITSM initiatives aim to improve the way IT services are managed and aligned with business objectives and strategy. But what about compliance?

Dealing with “cross-party dissent”

However, as with politics, there are always those who oppose ITSM improvements and predict failure, and/or are not clear on how they will benefit them and the organization they work for. The changing, or existing, ITSM processes are often seen as another set of obstacles to “getting the job done” or a “smokescreen” to hide other operational frailties.

This perception that the ITSM processes are obstacles or smokescreens is almost always unfounded. Unfortunately though, organizations rarely measure and advertise how effective their implementations have been, and the results that have been achieved.

Even more of a rarity, are the organizations that measure and act upon the findings on assessments related to adherence to the processes that have been implemented in compliance terms.

Best practice is only best if used

Although ITSM best practice approaches such as ITIL are non-prescriptive, to achieve the desired goals and the benefits available, no part of the processes should be optional! Adherence to process is paramount if the benefits of implementing them are to be realized.

Along with the implementation of processes that are deemed to be operational, continuous improvements initiatives should also be deployed. This often takes the form of the production of reports at the end of a defined period, analysis of the contents of those reports, and a plan to do something about the findings. The desired results are not always achieved in the timeframes expected, and not all the opportunities for improvement are identified, because the information in the reports only tells a part of the compliance story!

Why are processes and outcomes suboptimal?

The delay in achieving the desired results may be down to a loss of momentum due to: the time between the production of figures, the analysis of these, and the creation of an action plan. More common is the lack of understanding of the business impact and root cause of the failure to adhere to process.

This in addition to the risk that the opinions and experiences of the individuals and groups in the wider ITSM community are not taken into account. It may be that they do not know of, or look for, a forum in which they can share what could be some valuable insight into the failure, or suggestions for improvement and refinement of the processes, tools, and/or training material. The compliancefindings may even indicate that a review of the personnel operating the processes is required.

So, what can you do?

There is an addition to the “monthly review” approach that, if implemented with the care, caution, and attention required, can assist in achieving the desired results more effectively and help to drive the expected behavior in the ITSM community. This is where the introduction of process compliance measurement can play a vital role…

Having a means by which to monitor adherence and act upon findings at the time of deviation can prove to be an extremely powerful tool in reducing risks by getting to the root of the failures and highlighting improvement opportunities. While also providing the ITSM practitioners with a voice to provide input for improvement initiatives.

An organization I previously worked with, implemented an initiative to assist in combating the prohibiting and delaying factors mentioned above.

This initiative is that of monitoring ITSM Process Compliance, identifying deviation from process and making users aware of the non-compliance when it occurs rather than waiting until a report has been created.

Compliance is a provocative word

I can hear the cries now, “Ah, but ISO/EC 20000 already focuses on ITSM compliance” and “ITIL is a framework and you can’t be compliant to a framework.”

While both statements are true, many organizations that obtain ISO/EC 20000 certification do so to demonstrate to prospective customers that they have the best ITSM set-up in the land. And, on many an occasion, it will involve running around like headless chickens (to get their house in order) when the auditor comes along with their clip-board and red pen in hand!

Having been subject to a number of such audits, experience tells me that they are not as rigorous as you’d expect. I personally wouldn’t have signed-off the organizations (different from the one that has taken the compliance approach) I was working with!

In addition, you might find that once the auditor has packed their bags, having provided sign-off to for the organization’s ISO/EC 20000 certification, everyone sighs with relief and the disarray and disorder return until the next scheduled audit.

As for the “ITIL is a framework and you can’t be compliant to a framework” statement, this is true. But there is nothing to prevent you from monitoring compliance against the parts of the framework you have chosen to implement. It should form a part of any continuous improvement plan where there is the potential for deviation from process.

Why did the aforementioned organization implement a compliance initiative?

In short, it was implemented to reduce the risks to the organization caused by deviation from process and in response to failures in process that have led to avoidable incidents and business impact. It focuses on the following:

  1. Understanding the business impact of deviation from process
  2. Driving the expected behavior of the ITSM practitioners
  3. Identifying the causes of deviations from process
  4. Identifying opportunities for process and tool improvement
  5. Educating on, and raising awareness of, the processes that have been implemented (many have been implemented for many years, but are only now being enforced)
  6. Providing a forum for practitioners to raise their suggestions and concerns
  7. Exposing any process-related misconceptions that may exist.

What does this involve?

In a nutshell, an automated tool was implemented, and when deviation from process is detected, the user(s) concerned are notified that they’ve been identified as having deviated from an agreed process. They have an opportunity to explain why the supposed breach occurred, and the compliance team use this information to identify opportunities for re-education on the processes concerned, process improvement, or – where negligence and disregard for process is apparent – the need for appropriate alternative measures.

While action is being taken at the time of detection, additional analysis is also performed to identify trends and areas of the organization that require focus.

Such compliance implementations are not without cause for caution though!

As powerful as a compliance process may be, there are factors that may lead to delayed buy-in to the value of the implementation, or worse still, its demise due to the perception that it is a hindrance and risk, rather than of any benefit.

Plus, chinks in the armor will be exploited more vehemently with something that is perceived to be a hindrance, than teething problems with something that is perceived to be a service that is providing benefit to users.

To avoid such pitfalls, it’s paramount that:

  • The vision for any such implementation is clear
  • Buy-in is unanimous from senior management and their subordinates
  • The impact on morale and the potential concern that jobs are on the line are not ignored or underestimated
  • You get it right first time

Misconceptions with regards to what the goals are (resulting from failure to communicate the vision for the initiative), must be avoided at all costs.

Communication is also of paramount importance! Where the organization is global and operates within diverse cultures, the messages need to be clear and concise and must be portrayed in a positive light.

After all, we’re looking at an improvement initiative and we must advertise it as such. Of course, the initiative should not be seen as a soft touch either. Therefore, it’s important to strike the right balance, avoiding the tendency to go heavy on either the carrot or stick.

Please use the website search capability to find other helpful ITSM articles on topics such as streamlining processes, service management software, how to manage tools, improving team members and their roles and responsibilities, customer experience, customer service, risk management, addressing compliance issues, improving efficiency, and ITSM frameworks.

Amal Lad
Head of Service Integration and Management (SIAM) at Sofigate UK

Amal Lad is an established IT executive with almost 20 years’ experience in IT service management and service integration. He has gained experience across multiple industries and organisations - British Airways, BP and Capgemini to name a few. This experience allows him to truly understand the challenges clients face in today’s complex environments, and can help drive solutions that actually align to business requirements. He also has demonstrable evidence of working effectively across all levels of management, including C-Level.

Want ITSM best practice and advice delivered directly to your inbox? Why not sign up for our newsletter? This way you won't miss any of the latest ITSM tips and tricks.

nl subscribe strip imgage

More Topics to Explore

Leave a Reply

Your email address will not be published. Required fields are marked *