Editor’s Note: This is the second installment in a series designed to highlight the products and services of the Navy IT Service Management Office relating their capabilities in a business case story format spread over succeeding chapters of an IT Service Management novella. The first part can be read here.
Bob’s head was swimming. The meeting had gone better than he anticipated and this time around instead of stark visions depicting gloom and doom, his imagination darted between all the possibilities unfolding before him. His Plan of Actions and Milestones had been well-received… by and large. There were some vocal naysayers who were resistant to a separate governance overlay of the existing departmental model. They just don’t see the convergence yet, he thought. And to be honest, it wasn’t exactly his POA&M either. He and Jim had worked together to refine their implementation plan for both of their processes and had presented them as a unified model for the rest of the enterprise.
The chief information officer had asked some very pointed questions — particularly about establishing process control and governance. As the discussion evolved, Jim had looked his way and gave a knowing wink. Before the meeting, Jim guessed (correctly, as it turned out) that their implementation proposal would gain traction and consensus buy-in if the questioning centered on control. They had prepared for that line of questioning by studying the COBIT 5 framework and using it as a basis for their proposed governance and management construct. Now, with all process owners’ eyes on them, both he and Jim, as an appointed working group, had little more than a month to fully develop the governance piece of the service management model and integrate it with their enterprise — a “vote of confidence” from the CIO. Yepper.
Jim pulled Bob aside as the meeting participants filed out into the passageway. “I know we sold them on COBIT as a governance model, and it is, but we can’t use it as-is for our enterprise — at least not now,” Jim said. He never looked up from his phone, slowly scrolling through the new emails that had piled up during the hours-long meeting.
“Why not?” Bob said with a smile. Part of him wanted to believe Jim was joking since he made such a big deal about COBIT during his portion of the briefing. The other part knew better than to dismiss Jim as a jokester… he clearly was not.
Looking up from his phone, Jim said flatly, “Because COBIT, like any framework, makes some assumptions about our enterprise that just don’t work right away — we’re just getting started. We’ve literally got nothing to hang the framework on. We’ve got to come up with a methodology for implementing governance and management in an incremental way so that it meshes with our implementation plan.”
Bob was still trying to absorb this new revelation when Jim added, “I need you to take the lead on this. I’m out of commission for two weeks beginning Monday for Defense Acquisition University level-two IT training in Fredericksburg, so I’m not going to be much help. After I get back, we only have a week or so to prep the governance plan.”
PERFECT, just PERFECT! Bob screamed inside his head, but what came out of his mouth was: “OK.”
Jim looked at Bob’s worried expression and then added, “Be sure to check the ISO standards for governance; if we link to standards, we can’t go wrong.”
“Will do,” Bob said half-heartedly and without thinking. He was starting to come to grips with the fact that the recently sold governance construct was his and his alone to design, build and implement. Jim slapped him on the shoulder, did an abrupt about-face and walked out of the room at a brisk pace.
Later that afternoon, Bob sat down at his workstation and began searching for the ISO standards for IT governance and came across ISO/IEC 38500:2008(E) in the online library. The title, Corporate governance of information technology, didn’t sound promising, but he began reviewing it nonetheless. He found the usual suspects: scope, objectives, application, and one more thing — a model for the governance of IT. This was interesting as it clearly defined the evaluate, direct and monitor activities inherent in any auditable IT governance implementation. And where had he seen that before? Of course! It was the hallmark of the COBIT 5 governance framework. It seems COBIT 5 didn’t come up with its governance and management concepts without basing them on the international standard for corporate governance.
“Neat,” he muttered to no one.
He pulled out the COBIT 5 Enabling Processes document that had been presented during the meeting. He located the governance activities for evaluate, direct and monitor. Those were linked to the subordinate management activities of plan, build, run and monitor. “OK, that makes sense… but…” his voice trailed off as his eyes started over the COBIT 5 process reference model, and the 37 governance and management processes contained within it. Where do we start? he thought as he scanned the rest of the document. He decided this was a reading and comprehending project so he stuffed the document into his backpack and determined to review it over the weekend.
Monday morning brought little clarity to Bob’s predicament. He had read the entire COBIT 5 Enabling Processes PDF and came away awed by the completeness of the processes, but the sheer volume of detail left him bewildered. Jim was right, he thought, …there’s not a clear sequential step-by-step for implementing the governance framework. But he was on the hook for either finding one or developing one and he sure wasn’t going to wait.
The thought hit him like a line-drive to the face.
Bob smacked his forehead so hard that passers-by outside could hear it, and someone squeaked an involuntary ‘Oh!’ He paid no attention and wondered aloud, “Why didn’t I think of that in the first place?” That was good for a few distant chuckles as well. Only now was he remembering that in his initial foray into the Navy IT Service Management Office (ITSMO) portal, there had been a separate IT governance practice area, and he was willing to bet there was something ready-made for just such an occasion. He rummaged through his email to find the URL, and instead found the notification for the last ITSMO Newsletter. That should do it, he thought.
The newsletter was now hosted on milSuite, as were most of the Navy ITSMO documents and related artifacts. An article in the newsletter explained that the rigorous inactivity timeouts associated with Navy Forces Online (NFO) accounts pretty much forced the migration of stakeholder information from NFO and onto milSuite, which only required a simple CAC registration and had no inactivity timer (except the session timer).
He clicked the link to the ITSMO wiki, entered his CAC PIN, and once on the page, scrolled down to the practice areas. There it was: IT Governance Practice tab. He clicked on the tab and was immediately taken to the practice area page. There he found the ITSMO IT Governance Library which contained an IT Governance brief, some fairly impressive reference material from Harvard Business Press, ISACA and the IT Governance Institute (ITGI), but more importantly it contained what he was after: Establishing IT Governance – 20-Step Process Guide. He decided to download the file to his desktop just to be sure he had it. Once that was done, he opened the PDF and began to review the contents.
Again, there were the usual suspects of purpose, objectives, scope and background, but there was also a fairly hefty section about what IT governance is and why enterprises need it to include compliance, risk management and service execution. Bob quickly scanned this section and made a mental note to come back to it and read it more slowly to help him gain some understanding about IT governance in general.
The main section was the actual establishment of an IT Governance System — in 20 steps. Each step was an activity that had been arranged in a flow chart with responsibilities separated by roles. The roles for IT governance were also straightforward, including: Executive Leadership, an IT Governance Project Team, IT Governance Subject Matter Experts, the formation of a governance board and strategic communications to stakeholders in the form of a portal or other dissemination method.
He noted step number one, Obtain Executive Leadership Sponsorship, was adamant in its guidance:
If the [IT Governance] sponsorship is limited to line level managers or anyone below the executive or command level, you should abandon all thoughts of having effective IT Governance mechanisms.
“Well, that’s specific enough,” he said. He began to understand more as he read the reasoning:
Your sponsor not only sets the resource and outcome expectation of the governance initiative, but enforces organizational compliance to the IT Governance Implementation Project Plan. The executive sponsor must be totally committed, communicate and champion the desire for IT Governance using strategic communications during kick-off, planning, design, transition and maintenance of the IT governance initiative.
“That makes sense,” he muttered and continued down the activity chain with step two (communication) and on to step 20 which is the initial IT Governance Meeting. The guide noted that some steps could be executed in parallel depending on the organization and its level of commitment to the process. The guidance capped off with some implementation best practices, references, and an appendix revealing some actions, definitions, examples, sample roles, a sample model, and an appendix containing an example risk register information sheet.
This is great stuff! It’s all right here! he thought, and began applying the guide’s steps to create his own process governance model. He knew he’d need Jim’s help with applying the sequencing and modeling for a notional enterprise model, but with his process as an example, it should be easy with the time they had left.
When Jim returned from his DAU training the following week, Bob had already fleshed out the details of his governance model and implementation plan for the request fulfillment process, beginning with an imaginary governance board and the process owners. He had charted the governance construct showing his process in concert with other enterprise processes and how each interfaced with the board. Jim was impressed with Bob’s work and noted that since the model was predicated on high-level leadership sponsorship of the governance, he could show positively that the probability for success or failure was directly proportional to the degree of support provided by leadership.
“That takes a bit of the heat off,” said Jim, grinning.
They worked together the rest of the week on positioning the 20 steps into their enterprise IT plan, and added the critical flow points to the POA&M. The 20-step guide provided them with a logical design and activity flow for accomplishing positive control over the enterprise, and incorporated the international standards and industry best practices found in both ISO 38500 and COBIT 5. Both men felt they were on solid ground with their proposals.
Heading into the meeting, Jim motioned for Bob and they both stepped out into the hallway. “Bob, this is really a great start, and I firmly believe the board is going to adopt our phased 20-step implementation approach and governance plan. But we need to be thinking one or two steps ahead of everybody else and I’m not just talking IT governance.”
Jim paused for a moment and looked at the others filing into the conference room. Bob had learned not to interrupt when Jim got on a roll. Right on cue, Jim continued, “…and that means we need to start looking at continual service improvement. It’s fine that we have defined processes and governance to ensure the trains run on time, but how do we know the processes are actually helping to deliver the level of service the customer expects?”
Bob was about to suggest something when Jim continued: “Metrics, Bob, metrics! That whole plan, do, check, act thing and the Shewhart or Deming cycle. Does ‘if you can measure it, you can manage it’ ring a bell?”
Bob didn’t realize his jaw was somewhat ajar, and Jim just laughed and said, “Don’t worry, we’ll dig into it soon because it’s one of the primary things senior managers need to know. That means we need to know too. Agree?”
Bob, still slack-jawed, nodded his agreement. It was a little too much to take in coming on the heels of what they’d just done to establish an IT governance construct but one thing’s for sure, he was glad to have Jim on his team and also glad the ITSMO was out there with guides and templates. Did they have anything on metrics? He couldn’t remember.
“All right then!” Jim bellowed. “I’m just prepping you for what we need to do next, so don’t worry — one ‘step’ at a time, right?” He didn’t wait for an answer: “We better get in there… it’s show time.”
Stay tuned for Part 3 – The Measure of Success.
About the Navy ITSMO
Chartered in April 2012, the ITSMO provides IT Service Management thought leadership and assistance by creating usable products and services for the Navy ITSM community. The Navy ITSMO strives for alignment of enterprise IT architecture through discrete but interlocking practice areas to help define and support organizational IT governance and management requirements. The Navy ITSMO resume boasts industry-certified expertise in ITIL, COBIT, Program and Project Management, DoDAF, IT Risk Management and Control, IT Skills Framework, Service Quality, CMMI, ISO/IEC-20000, ISO/IEC-15504, Information Security, Enterprise IT Governance, and Assessment and Audit.
The Navy ITSMO Wiki is located at: https://www.milsuite.mil/wiki/Navy_IT_Service_Mangement_Office/. Access to milSuite is CAC controlled. First-time users must register their CAC with milSuite by clicking the Register button, confirming their information, and then clicking Submit.